Universal Blue#
Universal Blue is an upstream project and platform providing a modular, container-based immutable Linux ecosystem built on OCI standards. It serves as the foundation for multiple desktop Linux distributions including Bluefin, Aurora, Bazzite, and uCore.
Built on Fedora Silverblue with an image-based architecture, Universal Blue delivers operating systems as OCI container images using bootc (bootable containers) for atomic updates and rollbacks. The project represents a fundamental shift from traditional package-based Linux distributions to image-based delivery, where updates are complete new images checked automatically every 6 hours and applied on reboot.
The project philosophy: "Why spend decades documenting workarounds when you can just remove the problem entirely!" Universal Blue rigorously moves away from legacy technologies while embracing cloud-native culture and tools to make Linux more reliable and maintainable.
Relationship to Fedora#
Universal Blue builds upon Fedora's atomic desktop technology as its upstream foundation.
Fedora Foundation#
Universal Blue distributions are built on Fedora's atomic desktop variants as the upstream base, with base images derived from Fedora Silverblue images. The ublue-os/main repository provides a common main image for all Universal Blue variants with minimal but important adjustments to Fedora.
As of September 2025, Universal Blue builds only base, kinoite, and silverblue images, with intermediate images trimmed for efficiency. Bluefin LTS uses CentOS Stream 10 as an alternative foundation for long-term support.
Core Technologies#
Universal Blue integrates several upstream technologies:
| Technology | Role | Details |
|---|---|---|
| rpm-ostree/OSTree | Storage layer | Immutable base system with OSTree commits that prevent mutation |
| bootc | Update mechanism | Primary upgrade mechanism for atomic updates and rollbacks |
| Fedora Silverblue | Base system | Foundation providing GNOME desktop and base packages |
| CentOS Stream | LTS foundation | Alternative foundation for long-term support variants |
bootc Architecture#
bootc is a system for transactional, in-place OS updates using OCI/Docker container images. It uses the standard OCI image format, and the container image includes the kernel used to boot the system. bootc depends on ostree as its storage backend but replaces ostree's HTTP transport with OCI container fetching.
The OS is immutable by default using composefs with /usr read-only, /etc for config, and /var for data. Universal Blue worked closely with bootc developers, with bootc submitted to CNCF as the technology matured. In 2025, Universal Blue underwent drastic refactoring to fully embrace bootc.
See the bootc documentation for detailed technical information.
Architecture#
Universal Blue implements a modern container-native architecture for operating system delivery.
OCI Container-Based Delivery#
Operating systems are delivered as OCI container images, with system updates delivered as complete new images, not individual packages. This approach embodies the philosophy that "value is in the other OCI layers, not the base image - 'distributions don't matter'".
Images are checked automatically every 6 hours. Updates are applied on reboot, keeping the running system stable.
Multi-Stage Build Process#
The build process uses a multi-stage container build defined in Containerfile with four stages:
- ctx stage: Copies system files, build files, and packages.json configuration
- akmods stage: Pulls pre-built kernel modules from ghcr.io/ublue-os/akmods
- akmods_nvidia stage: Pulls NVIDIA-specific kernel modules
- Final stage: Built from upstream Fedora base images at quay.io
Every commit triggers a GitHub Actions build that creates bootable OS images. Changes typically take 30 minutes to 2 hours to go live.
Modular Component Design#
In 2025, Universal Blue underwent major architectural refactoring from monolithic distributions to modular OCI containers. The system is composed of modular OCI container components that are shared across variants while maintaining variant-specific customizations.
Core shared modules:
Version Management#
Universal Blue implements strict version control:
- Digest-based version tracking in image-versions.yaml tracks SHA256 digests for all base images and dependencies
- Ensures reproducible builds and enables CI to detect upstream dependency changes
- JSON-based package declaration system in packages.json defines common, image-specific, and version-specific packages
Immutability Model#
Universal Blue enforces strict immutability:
- Local package layering locked by default via LockLayering=true in /etc/rpm-ostreed.conf
- Prevents mutation of base OSTree commit including package overlays, overrides, and initramfs changes
- System image remains pristine with no package-based degradation over time
- Running rpm-ostree reset and rebooting always restores system to pure image mode
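A host-side check for the LockLayering setting described above, written for this page as an added example (not Universal Blue's own tooling). It assumes the key sits in the `[Daemon]` group of the file; the sample configs are constructed.

```shell
#!/bin/sh
# Added example. Assumption: LockLayering is read from the [Daemon] group.

# lock_layering_state FILE -> prints "locked", "unlocked" or "unset"
lock_layering_state() {
    conf=$1
    [ -r "$conf" ] || { echo unset; return 0; }
    awk '
        # A [Group] header switches the group that later keys belong to.
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        # Commented-out keys (#LockLayering=...) do not match this pattern.
        sec == "Daemon" && /^[ \t]*LockLayering[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            # Only an explicit true/1 counts as locked; the last entry wins.
            state = (val == "true" || val == "1") ? "locked" : "unlocked"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$conf"
}

# Constructed sample files, not copied from a real system.
sample_dir=$(mktemp -d)
printf '[Daemon]\n#LockLayering=false\nLockLayering=true\n' > "$sample_dir/locked.conf"
printf '[Daemon]\n#LockLayering=true\nAutomaticUpdatePolicy=none\n' > "$sample_dir/default.conf"
printf '[Other]\nLockLayering=true\n[Daemon]\nLockLayering = false\n' > "$sample_dir/unlocked.conf"

for name in locked default unlocked; do
    printf '%s.conf: %s\n' "$name" "$(lock_layering_state "$sample_dir/$name.conf")"
done
```

On a real host, point the function at /etc/rpm-ostreed.conf. A result of "unset" means the daemon falls back to its default, which rpm-ostree documents as false, so only "locked" confirms the behaviour listed above.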
Security#
Security is built into the architecture:
| Feature | Implementation |
|---|---|
| Secure Boot | Supported by default using custom Universal Blue keys with enrollment password "universalblue" |
| Signed Kernels | Removes upstream Fedora kernel, replaces with signed kernels from akmods layer |
| Image Signing | All container images signed with Cosign and verified during builds |
| Application Sandboxing | Flatpak applications run sandboxed |
Desktop Variants#
Universal Blue serves as a framework for multiple desktop-focused distributions, each targeting different user archetypes. All variants use either silverblue-main or kinoite-main as base images and are managed under the Universal Blue umbrella but function as distinct projects with separate communities.
Bluefin#
Bluefin is designed as "a Linux desktop for serious developers", built on silverblue-main (GNOME-based). It emphasizes lightweight maintenance and automation with a clean, atomic layer on default Fedora, delivering a system as reliable as a Chromebook with near-zero maintenance.
Bluefin DX is a Developer Experience variant with ~67 additional packages including Docker, Podman, Incus, LXC, QEMU, libvirt, and development tools.
See the Bluefin documentation for details.
Aurora#
Aurora is built on kinoite-main, providing a KDE Plasma desktop environment as an alternative to Bluefin's GNOME. Users are described as "more tinkerers" who explore multiple Universal Blue projects. Aurora shares artwork and infrastructure with other Universal Blue projects and split into its own repository at the end of 2024.
See getaurora.dev for details.
Bazzite#
Bazzite is the flagship and most popular Universal Blue image, with hundreds of thousands of users. This gaming-focused variant offers specialized hardware support and targets a mainstream, less technical audience of gaming and entertainment users.
Built on silverblue-main (GNOME-based), Bazzite was featured in The Verge for surpassing the Steam Deck experience on the Asus ROG Ally X, and it celebrated its 2nd birthday in 2024 with explosive growth after a Hacker News feature. It dominates the Universal Blue user base according to Fedora countme stats.
See bazzite.gg for details.
uCore#
uCore is a server-focused variant for homelab and infrastructure use cases. CentOS-based builds are described as "boring as intended" - stable and reliable, with builds continuing to happen automatically.
See the uCore repository for details.
Switching Between Variants#
Universal Blue provides flexibility to change between variants. Users can rebase between variants using bootc switch while preserving the home directory, Flatpak apps, and configurations.
Package Management#
Universal Blue implements a three-layer package management strategy: immutable system, Flatpak for GUI apps, and Homebrew for CLI tools.
| Layer | Purpose | Update Mechanism |
|---|---|---|
| System | Immutable base OS | Complete image updates every 6 hours, applied on reboot |
| Flatpak | GUI applications | Automatic daily updates at 4:00 AM via systemd timers, no reboots required |
| Homebrew | CLI tools | Managed via projectbluefin/common image with containerd support |
This approach ensures separation of concerns: the system remains stable and immutable, applications update independently, and developers have flexibility for CLI tooling.
Shared Infrastructure#
Universal Blue provides common infrastructure and tooling across all variants.
Base Images (ublue-os/main)#
The ublue-os/main repository provides a common main image for all Universal Blue variants with minimal but important adjustments to Fedora. As of September 2025, it builds only base, kinoite, and silverblue images, providing the foundation layer that variants build upon with their customizations.
Development Toolboxes#
The ublue-os/toolboxes repository provides a centralized collection of containers designed for Toolbox/Distrobox. Ptyxis terminal is the recommended and default experience in Bazzite and Bluefin.
Available toolboxes: ubuntu, debian, fedora, arch, bazzite-arch, wolfi, docker-distrobox, incus-distrobox
Quadlets provide automated management via podman systemd units that auto-start on login, check for updates, and clean up when stopped, with podman-auto-update.timer enabling automatic updates at midnight.
ujust Command System#
ujust is a command runner providing system administration utilities, with the Justfile in ublue-os/main providing the foundation.
Common commands:
- ujust update - Update the system
- ujust toggle-updates - Enable/disable automatic updates
- ujust powerwash - Reset system to factory state
- ujust rebase-helper - Switch between variants
The system also provides container build infrastructure including build-container, run-container, gen-tags, and verify-container, plus Secure Boot verification checking kernel signatures.
Curated Application Bundles#
Universal Blue provides a growing set of curated Brewfile bundles via ujust bbrew including:
- CLI tools and utilities
- GNOME Circle applications
- IDEs: VS Code, JetBrains, Neovim, Helix
- Kubernetes and cloud-native tools
- AI/ML tools
- Swift development environment
- Developer fonts
Kernel Module Infrastructure#
The akmods infrastructure provides pre-compiled, signed kernel modules for immutable distributions. Modules are built daily and version-locked alongside kernel packages to prevent ABI mismatches, enabling out-of-tree drivers and hardware enablement without compromising immutability.
See the akmods repository for details.
Custom Homebrew Tap#
The ublue-os/homebrew-tap provides packages not available in official Homebrew, with sophisticated automation for version management and cross-platform bottle building. It includes development tools like Docker, devcontainer CLI, JetBrains Toolbox, cloud-native tools, and system utilities.
Build Infrastructure#
Universal Blue uses a comprehensive CI/CD pipeline:
| Component | Implementation |
|---|---|
| Build System | Multi-stage container build with buildah/podman |
| SBOM Generation | Syft via gen-sbom recipe for supply chain transparency |
| Rechunking | Using ghcr.io/ublue-os/legacy-rechunk for efficient updates |
| Image Signing | Cosign via cosign-sign recipe |
| Version Tracking | Via image-versions.yaml |
| Distribution | Published to ghcr.io with retry logic |
| Build Matrix | GitHub Actions matrix builds handle variants and streams |
The build system uses build triggers that rebuild only when base/akmod digests change or source files are modified. bootc container lint runs to validate bootable container standards, and the OSTree container commit serves as final validation.
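The digest tracking described under Version Management and the digest-change build trigger above both reduce to one comparison: pinned digests against what upstream serves now. The sketch below is an added example, not the project's CI code. The `image:`/`digest:` YAML layout, the `registry.example` names and the resolved-digest file are assumptions, and all sample data is constructed.

```shell
#!/bin/sh
# Added example. The YAML layout (image:/digest: pairs) is an assumption.

# pinned_digests FILE -> "image digest" per entry ("none" if no digest key)
pinned_digests() {
    awk '
        { sub(/^[ \t]*-[ \t]*/, ""); gsub(/"/, "") }
        $1 == "image:"  { if (img != "") print img, "none"; img = $2 }
        $1 == "digest:" && img != "" { print img, $2; img = "" }
        END { if (img != "") print img, "none" }
    ' "$1"
}

# digest_drift PINNED RESOLVED -> one "image reason" line per finding.
# RESOLVED holds "image digest" lines as seen upstream right now.
digest_drift() {
    pinned_digests "$1" | awk -v resolved="$2" '
        BEGIN {
            while ((getline line < resolved) > 0) {
                split(line, f, " "); now[f[1]] = f[2]
            }
        }
        {
            # sha256:<64 lowercase hex> is 71 characters long.
            wellformed = ($2 ~ /^sha256:[0-9a-f]+$/ && length($2) == 71)
            if (!wellformed)         print $1, "malformed-pin"
            else if (!($1 in now))   print $1, "unresolved"
            else if (now[$1] != $2)  print $1, "changed"
        }'
}

# Constructed sample data: hypothetical image names, all-digit digests.
d0="sha256:$(printf '%064d' 0)"
d1="sha256:$(printf '%064d' 1)"
work=$(mktemp -d)
cat > "$work/image-versions.yaml" <<EOF
  - image: registry.example/base
    digest: $d0
  - image: registry.example/akmods
    digest: "$d1"
  - image: registry.example/akmods-nvidia
    digest: sha256:abc
EOF
printf '%s\n' "registry.example/base $d0" "registry.example/akmods $d0" \
    "registry.example/akmods-nvidia $d0" > "$work/resolved.txt"

digest_drift "$work/image-versions.yaml" "$work/resolved.txt"
```

An empty result means every pin is well formed and still matches upstream, so no rebuild is needed. A "malformed-pin" or "unresolved" line is better treated as a failed check than as a rebuild trigger.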
Governance and Community#
Universal Blue operates with governance modeled after CNCF projects like Kubernetes using lazy consensus: "Just Do It" unless problematic. This Lazy Consensus model encourages opinionated builds while operating as a loose confederation of repositories. All Universal Blue images share governance structures modeled after cloud native projects.
The project is licensed under Apache License 2.0.
Community Growth#
Universal Blue has experienced significant growth:
- Over 16,000 Discord members for Bluefin with 123 contributors in six months
- Over 11,186 Universal Blue Discord members as of end of 2024
The project is in maintenance mode: its components are complete, it continues to accept PRs, and it is focused on sustainability.
Project Philosophy#
Universal Blue embodies several key principles:
- Problem Elimination: "Why spend decades documenting workarounds when you can just remove the problem entirely!"
- Modernization: Rigorously moving away from legacy technologies
- Layer Over Base: "value is in the other OCI layers, not the base image - 'distributions don't matter'"
- Upstream Focus: Distroless approach shipping upstream tools rather than custom applications
- OS Agnostic: Workflows remain not only distribution agnostic but OS agnostic, using podman, docker, and flatpak
- Cloud Native Alignment: Proven model allows millions of existing developers to onboard
Target Audience#
Universal Blue targets diverse users:
- Both experienced Linux users and newcomers
- Developers seeking cloud-native workflows
- Users who do not want to care about their computer
- Infrastructure experts ("cloud native" professionals) making fundamental improvements to Linux desktop
Project Timeline#
Key milestones in Universal Blue's development:
Key Repositories#
Universal Blue maintains several critical repositories:
| Repository | Purpose |
|---|---|
| ublue-os/main | Base images (silverblue, kinoite, base) |
| ublue-os/toolboxes | Development container environments |
| ublue-os/akmods | Pre-built kernel modules |
| ublue-os/homebrew-tap | Custom Homebrew packages |
| ublue-os/artwork | Shared artwork assets |
| ublue-os/bluefin | Bluefin variant |
| projectbluefin/common | Bluefin common components |
Resources#
Official Links#
- Website: https://universal-blue.org/
- Documentation: https://universal-blue.org/documentation.html
- Mission: https://universal-blue.org/mission.html
- GitHub: https://github.com/ublue-os/
- Container Registry: ghcr.io/ublue-os/
- COPR: https://copr.fedorainfracloud.org/coprs/ublue-os/
Variant Documentation#
- Bluefin: https://docs.projectbluefin.io/
- Aurora: https://getaurora.dev
- Bazzite: https://bazzite.gg
- uCore: https://github.com/ublue-os/ucore
Related Technologies#
- bootc: https://bootc-dev.github.io/bootc/
- Fedora Silverblue: https://fedoraproject.org/silverblue/
- Fedora Kinoite: https://fedoraproject.org/kinoite/
Related Topics#
- Bluefin - Developer-focused desktop variant built on Universal Blue
- Fedora Silverblue - Upstream immutable Fedora GNOME desktop
- bootc - Bootable container technology for OS updates
- OSTree - Content-addressed filesystem and update system
- OCI Containers - Open Container Initiative standards for container images
- Immutable Infrastructure - Architectural pattern for unchanging system images