How to Deploy and Use Fedora Hummingbird for Secure, Rolling Container Images

Introduction

Fedora Hummingbird, announced at Red Hat Summit 2026, is a container-based rolling Fedora Linux distribution that delivers the latest software from upstream as soon as it’s available. It focuses on achieving near-zero CVE reports by using a distroless, image-based workflow that runs in containers, virtual machines, or even on bare metal. This guide walks you through the process of obtaining, booting, and verifying Fedora Hummingbird images, leveraging the same model used by Project Hummingbird and Project Bluefin.

How to Deploy and Use Fedora Hummingbird for Secure, Rolling Container Images — Source: fedoramagazine.org

What You Need

A Linux system (or any OS with Podman/Docker installed)
Basic command-line familiarity
At least 2 GB of free disk space for pulling images
Internet access to the Hummingbird containers repository
Optional: a virtual machine manager (e.g., QEMU/KVM) if you plan to run on a VM

Step-by-Step Instructions

Step 1: Understand the Hummingbird Image Model

The central goal of Fedora Hummingbird is to stay as close to zero CVE reports as possible in every container image it ships. All architectural decisions—distroless images, minimal package footprints, hermetic builds, and pipeline automation—serve that goal. A distroless image contains only the application and its strict runtime dependencies: no package manager, no shell. This minimizes attack surface and reduces your vulnerability management burden.

Hummingbird uses a Konflux-based pipeline for fully isolated, reproducible builds from pinned package lists. The tool chunkah ensures efficient incremental updates by redownloading only changed parts of an image. Continuous vulnerability scanning via Syft and Grype detects and patches issues upstream — the pipeline then rebuilds, tests, and ships the updated image automatically.

Step 2: Pull a Hummingbird Image

The foundation for Fedora Hummingbird already ships from the Hummingbird containers repository. Use Podman or Docker to pull an image. For example, to get the latest Python distroless image:

podman pull quay.io/hummingbird/python:latest

Replace python with any of the 49 unique images (covering Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, nginx, and more). There are 157 variants including FIPS and multi-arch builds. You can also pull a specific variant:

podman pull quay.io/hummingbird/postgresql:16-fips

All images are built from 95%+ Fedora Rawhide packages, unmodified. The remaining packages come directly from upstream if Rawhide doesn’t carry them or isn’t new enough. The Hummingbird team contributes changes back to Fedora, ensuring alignment.

Step 3: Boot the Image

Fedora Hummingbird images can boot in various environments. Choose the method that fits your workflow:

Container: Run the image as you would any container. For instance:
podman run -it quay.io/hummingbird/python:latest
Virtual Machine: Use the image to create a VM. The team provides OCI-compatible artifacts; extract the root filesystem and boot with QEMU. Example:
qemu-system-x86_64 -kernel vmlinuz -initrd initrd.img -drive file=rootfs.qcow2 -m 2G
Bare Metal: Write the image directly to a disk (e.g., with dd or ostree tools). This is ideal for production appliances.

If you’ve been following Project Hummingbird or Project Bluefin, you already know this model. Fedora Hummingbird applies it all the way down to the host OS.

Step 4: Verify Security Status

One of the biggest advantages of Fedora Hummingbird is that you skip the “CVE hell.” The team’s pipeline has already performed CVE triage, patching, and rebuilding before you even pull the image. To see the current CVE status across all images and variants, visit the live Hummingbird catalog. You can also scan the image locally with Syft/Grype to confirm:

syft quay.io/hummingbird/python:latest | grep CVE

Because the images are distroless, you’ll typically find zero CVEs for the application layer. Any remaining issues would be in the base layer, which the pipeline continuously monitors.

Step 5: Customize or Extend (Optional)

If you need to add your own application or modification, create a Dockerfile that starts from a Hummingbird image. Because the image has no package manager, you must include all dependencies at build time. For example:

FROM quay.io/hummingbird/python:latest
COPY myapp.py /app/
CMD ["python", "/app/myapp.py"]

When you push your own image, consider using the same Konflux pipeline patterns—or at least scanning it with Syft before deployment. The Hummingbird team welcomes contributions back to Fedora; if you need a package not yet in the catalog, you can request it or build your own variant following the contribution guidelines.

Tips for Success

Stay on the rolling release: Fedora Hummingbird is a rolling distribution, so you always get the latest security patches. Re-pull your images regularly to stay current.
Use FIPS variants for compliance: If you work in regulated environments, choose images tagged with fips for cryptographic module validation.
Leverage the live catalog: Bookmark the Hummingbird catalog to monitor CVE status in real time. This transparency eliminates guesswork.
Understand the differences from Fedora CoreOS: While CoreOS is a minimal host for orchestrated workloads, Fedora Hummingbird focuses on container images that are hardened and distroless. Choose the one that fits your use case.
Contribute back: If you find a missing package or a vulnerability, the team actively accepts contributions. The project’s pipeline is open source, and your improvements can benefit the entire ecosystem.

By following these steps, you can deploy Fedora Hummingbird images with confidence, knowing they are built for security and freshness. The image-based workflow puts you in control while automating the tedious parts of vulnerability management.

Tags: