Alt Distro in dom0

I’m trying to summarize and redirect GitHub discussions about alternative dom0 distros to the forum. These discussions surfaced the following developer concerns:

  1. Long Term Support (reduce update churn).
  2. Up-to-date userland (updated packaging, large support community).
    • This will be less important as more functionality is moved out of dom0.
  3. Up-to-date kernel (good driver/hardware support).
  4. Small TCB.
  5. “Secure” packaging (reproducible builds, package and meta-data signing).
    • Note that Gitian can make most builds reproducible.
  6. “Safe” updates (rollback).
  7. Efficiency of sharing a distro between dom0 and VM templates.

Keep it chill! Linux distros largely repackage the same code and distro flamewars border on cheering for a brand. If you want to advocate/discuss a certain distro: spawn a new thread and limit your response here to a link and a short summary of how the distro scores on the above list of concerns. I’ll try to keep this list up-to-date:

IMHO, I think that distros advertising tiny install sizes are not competitive with similar offerings derived from RHEL and Debian. Alpine, Yocto, and friends generally trade size for compatibility/functionality by doing things like removing all drivers and substituting GNU CoreUtils with BusyBox. Once you install everything needed to run mainstream software, the image swells back up again:

Distro        smallest   VM/container   IoT/NAS/“cloud”
Alpine        2.5        120 (Xen)      469 (router)
ubi8/Fedora   30-52      70-250         300-460
Deb/Ubuntu    26-30      280            300-500

I’m also very wary of community distros without any commercial offerings to draft off of. From Yocto’s security page:

Yocto Project does not have a Security team … there is some research and proof of concept work occurring with some tools but it’s struggling due to lack of people/resources.

RPM/RHEL-Adjacent Distro Summary

CentOS Stream is more stable than Fedora, signs both package and repository meta-data, has a 5-year (hardware) support cycle, and would be easier to transition to thanks to sharing a base with Fedora. See the forum thread for in-depth discussions about stability, age of the kernel, and software availability.

Red Hat’s CoreOS spinoffs (Fedora Silverblue or Fedora CoreOS) offer a very compelling combination of security, TCB size, and rollback functionality. However, their short life-cycle makes them unsuitable for use in dom0 (at least until more functionality is moved out of dom0).

Rocky Linux confirmed via chat that they are planning a RHCOS rebuild.