
Getting Started with Fedora Hummingbird: A Step-by-Step Guide to Deploying Distroless Containers

Published: 2026-05-16 00:16:10 | Category: Linux & DevOps

Overview

Fedora Hummingbird is a new rolling container-based distribution that brings the principles of Project Hummingbird—minimal, hardened, distroless container images—to the full operating system level. Announced at Red Hat Summit 2026, it provides access to the latest software as soon as it's available upstream, ensuring up-to-date packages and continuous security. Unlike traditional distributions, Hummingbird uses an image-based workflow similar to containers but runs on virtual machines or bare metal. This guide will walk you through pulling, running, and verifying Hummingbird images, as well as common pitfalls to avoid.

Source: fedoramagazine.org

Prerequisites

Before you begin, ensure you have the following:

  • A Linux host with Podman or Docker installed (preferably Podman for better compatibility with rootless containers).
  • curl or wget for downloading configuration files.
  • Basic familiarity with terminal commands and container concepts.
  • At least 1 GB of free disk space for image downloads.

Step-by-Step Instructions

Pulling a Hummingbird Image

Hummingbird images are available from the project's container registry. To pull a distroless Python image, use the following command:

podman pull quay.io/hummingbird/python:latest

This retrieves a minimal image containing only Python and its runtime dependencies—no package manager, shell, or extraneous tools. The latest tag tracks the most recent build, rebuilt automatically when upstream CVEs are patched.

Running the Image

Run the pulled image as a container. The distroless nature means you cannot exec into a shell; instead, pass your entrypoint directly:

podman run --rm quay.io/hummingbird/python:latest python3 -c "print('Hello from Hummingbird!')"

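This executes a simple Python command and exits. For a web application, mount your script into the container (here from the current directory to /app, read-only), invoke it with python3, and map ports as usual:

podman run -d -p 8080:8080 -v "$PWD/my_app.py":/app/my_app.py:ro,Z quay.io/hummingbird/python:latest python3 /app/my_app.py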

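To boot the image as a full OS on a virtual machine (using qemu), first convert the image to a bootable format. Mount the current directory at /output so the raw image survives the --rm cleanup; note that --privileged disables the container's isolation from the host for this step:

podman run --rm --privileged -v "$PWD":/output:Z quay.io/hummingbird/builder:latest /usr/bin/hummingbird-convert quay.io/hummingbird/python:latest /output/hummingbird.raw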

Then launch the VM:

qemu-system-x86_64 -drive file=hummingbird.raw,format=raw -m 2048 -netdev user,id=net0 -device e1000,netdev=net0

For bare metal installation, flash the raw image to a USB drive using dd. See the Common Mistakes section for caveats about package management.

Verifying CVE Status

Hummingbird's pipeline continuously scans images with Syft and Grype. You can check the current CVE count live at the Hummingbird catalog. To verify the image you pulled, scan it from the host with Grype (installed separately), since the distroless image does not contain a scanner:

grype quay.io/hummingbird/python:latest

This will output any known vulnerabilities. If you see zero CVEs, your image is up to date—the pipeline already patched everything before the build.

Building on Hummingbird Images

Because Hummingbird images are distroless, building a custom image requires special handling. Use a multi-stage build where the final stage copies only the application. Here's an example Containerfile:

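# Build stage: compile the application with the full Go toolchain.
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
# CGO_ENABLED=0 produces a statically linked binary with no libc dependency.
RUN CGO_ENABLED=0 GOOS=linux go build -o myapp .

# Final stage: only the compiled binary is copied onto the distroless base.
FROM quay.io/hummingbird/vanilla:latest
COPY --from=builder /app/myapp /myapp
CMD ["/myapp"]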

Push the result to your own registry:

podman build -t myapp:hummingbird .
podman push myapp:hummingbird quay.io/myuser/myapp:latest

Remember that the vanilla image is a minimal base with no package manager—you must statically link or include all dependencies.

Common Mistakes

Attempting to install packages at runtime

Running podman exec -it <container> /bin/bash fails because the image contains no shell, and with no package manager there is nothing to install packages with at runtime either. This is by design, to reduce attack surface. If you need debugging, rebuild the image with debugging tools using a layered build.

Forgetting to pin to a specific tag

The latest tag updates continuously. For production, pin to a specific version tag (e.g., 1.21.3) or use the digest. Example:

podman pull quay.io/hummingbird/python@sha256:abc123...
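
One way to catch floating tags before they reach production is to audit every FROM line for a digest. The following is an added example, not code from the Hummingbird project; the function name and the sample Containerfiles (including the digest) are constructed for illustration.

```python
import re

# A reference counts as pinned only if it ends in a full sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_bases(containerfile: str):
    """Return [(line_number, image)] for each FROM that is not digest-pinned."""
    stages = set()  # names introduced by "FROM ... AS <name>"
    findings = []
    for number, raw in enumerate(containerfile.splitlines(), start=1):
        parts = raw.split()
        if len(parts) < 2 or parts[0].upper() != "FROM":
            continue
        # Drop flags such as --platform=linux/amd64 that precede the image.
        args = [p for p in parts[1:] if not p.startswith("--")]
        if not args:
            continue
        image = args[0]
        is_stage_ref = image in stages
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2])
        # "scratch" and earlier build stages are not registry pulls.
        if image == "scratch" or is_stage_ref:
            continue
        if not DIGEST_RE.search(image):
            findings.append((number, image))
    return findings


# Constructed sample data: the digest below is a placeholder, not a real image.
FAKE_DIGEST = "sha256:" + "ab" * 32
FLOATING = (
    "FROM golang:1.21 AS builder\n"
    "RUN GOOS=linux go build -o myapp .\n"
    "\n"
    "FROM quay.io/hummingbird/vanilla:latest\n"
    "COPY --from=builder /app/myapp /myapp\n"
)
PINNED = (
    f"FROM --platform=linux/amd64 golang:1.21@{FAKE_DIGEST} AS builder\n"
    f"FROM quay.io/hummingbird/vanilla@{FAKE_DIGEST}\n"
    "FROM builder AS debug\n"
)

if __name__ == "__main__":
    for line_no, image in unpinned_bases(FLOATING):
        print(f"line {line_no}: {image} is not pinned to a digest")
```

A base image supplied through an ARG (FROM ${BASE}) is reported as unpinned, because the file alone cannot prove what it resolves to.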

Assuming FIPS support is automatic

Hummingbird offers FIPS-validated variants (e.g., python:fips). Regular images do not include FIPS modules. Select the appropriate variant in the catalog.

Ignoring the pipeline rebuild lag

While the Konflux pipeline rebuilds images within hours of an upstream patch, there is a brief window. Monitor the catalog for CVE status before deploying critical workloads.
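
The check from "Verifying CVE Status" and the rebuild window described above can be combined into a deployment gate over Grype's JSON report (grype <image> -o json). This is an added example, not part of the original guide or the Hummingbird tooling; the function name, the threshold and the sample report with its placeholder CVE identifiers are constructed.

```python
import json

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def triage(report: dict, fail_on: str = "high") -> dict:
    """Decide whether a scanned image may be deployed.

    blocking        : matches at or above the fail_on severity
    rebuild_pending : matches whose fix already exists, i.e. the image
                      predates the rebuild that would remove them
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking, rebuild_pending = [], []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        severity = str(vuln.get("severity", "")).lower()
        # Fail closed: a severity Grype could not classify counts as blocking.
        rank = SEVERITY_RANK.get(severity, threshold)
        if rank >= threshold:
            blocking.append(vuln["id"])
        if vuln.get("fix", {}).get("state") == "fixed":
            rebuild_pending.append(vuln["id"])
    return {
        "deploy": not blocking,
        "blocking": blocking,
        "rebuild_pending": rebuild_pending,
    }


# Constructed report in the shape Grype emits; IDs and packages are placeholders.
SAMPLE_REPORT = json.loads("""
{"matches": [
  {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High",
                     "fix": {"state": "fixed", "versions": ["2.0.1"]}},
   "artifact": {"name": "examplelib", "version": "2.0.0"}},
  {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Low",
                     "fix": {"state": "not-fixed", "versions": []}},
   "artifact": {"name": "otherlib", "version": "1.4"}},
  {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Unknown",
                     "fix": {"state": "unknown", "versions": []}},
   "artifact": {"name": "thirdlib", "version": "0.9"}}
]}
""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

A non-empty rebuild_pending list on a pinned digest is the signal to look for a newer build in the catalog and move the pin.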

Summary

Fedora Hummingbird delivers a unique approach to container and OS security by providing continuously patched, distroless images built from Fedora Rawhide packages. This guide covered pulling images, running them as containers or VMs, verifying their CVE status, and building custom images using multi-stage Containerfiles. By avoiding common pitfalls like expecting a shell or forgetting to pin tags, you can take full advantage of Hummingbird's minimal attack surface and automated vulnerability management. Start exploring the catalog today to reduce your CVE burden.