darktohka/zebrafish
Zebrafish

An immutable OCI container runtime operating system.

Visit our website: Zebrafish


Overview

Zebrafish is a modern, security-focused, and containerized operating system designed for reliability and performance. It leverages cutting-edge technologies to provide a robust platform for running containerized applications.

Zebrafish is designed to be lightweight, shipping only the necessary libraries and tools to run containerized workloads. This reduces the attack surface and improves security.

Containerization

  • containerd: Zebrafish uses containerd as its container runtime, providing a stable and efficient environment for running OCI-compliant containers.
  • ocitool: The OS includes ocitool, a tool for managing OCI container images, making it easy to work with images.

Flexible

  • Remote Disk Support: Zebrafish can connect to remote disks hosted on other servers using the Linux Network Block Device (NBD) protocol. This makes it possible to integrate with remote storage solutions.

Data Integrity and Recovery

  • ZFS File System: Zebrafish is built on top of the ZFS file system, which provides strong data integrity and protection against data corruption.
  • Disaster Recovery: The OS includes a built-in mechanism to automatically sync all data with a remote server. This ensures that your data is always backed up and can be easily recovered in case of a disaster.

Security First

  • Immutable: The core operating system is immutable, meaning that it cannot be modified at runtime. This ensures that the system is always in a known good state.
  • Encrypted Root File System: The root file system is always encrypted using ZFS, providing an additional layer of security for your data.
  • Public Key Authentication: Zebrafish uses public key authentication for SSH access.
  • Port Knocking: Zebrafish supports port knocking, a technique used to hide network ports from unauthorized users. This adds an extra layer of security to your applications.
  • DNS over HTTPS (DoH): All DNS queries are encrypted and sent over HTTPS, preventing eavesdropping and man-in-the-middle attacks.
  • HTTP/3: Zebrafish uses HTTP/3 by default, providing a faster and more secure web experience.

Configuration Management

  • TOML-based configuration: Zebrafish reads its configuration from two TOML files (<EFI>/zebrafish.toml and /etc/zebrafish.toml). The on-target CLI tool zebrafish-config provides get, set, list, add, remove, edit, path, and validate subcommands; shell scripts use the thin helpers zf_get, zf_has, and zfs_get_machine_id from /lib/zebrafish/functions.
  • Centralized Updates: All updates can be tested centrally before being deployed to production, ensuring that your systems are always up-to-date and secure.
  • Overlay File System: Configuration changes can be made through an overlay file system, which stores only the modified files. This makes it easy to manage and track changes to the system.

Getting Started

To get started with Zebrafish, you can either build the OS from source or download the latest version.

Getting Started with Building Zebrafish

The following steps will guide you through the build process:

  1. Clone the repository:

    git clone https://github.com/darktohka/zebrafish.git
  2. Clone the Buildroot repository:

    git clone https://github.com/buildroot/buildroot.git
  3. Patch Buildroot:

    ./zebrafish/scripts/patch.sh buildroot zebrafish
  4. Configure the build:

    ./zebrafish/scripts/config.sh buildroot zebrafish aarch64
  5. Build the OS:

    ./zebrafish/scripts/build.sh buildroot zebrafish

Getting Started with Downloading Zebrafish

If you prefer to download a pre-built version of Zebrafish, you can find the latest releases on the CDN:

  1. Download the latest release:

    wget https://cdn.zebrafish.tohka.us/zebrafish-aarch64.tar
    # or
    wget https://cdn.zebrafish.tohka.us/zebrafish-x64.tar
  2. Extract the tarball:

    tar -xf zebrafish-aarch64.tar
    # or
    tar -xf zebrafish-x64.tar

Getting Started with Running Zebrafish

  1. Create a test directory:

    mkdir -p test
  2. Copy the initrd and kernel into it:

    cp zebrafish-initrd test/zebrafish-initrd
    cp zebrafish-kernel test/zebrafish-kernel
  3. Install ovmf_aarch64.fd or ovmf_x64.fd:

  4. Run the OS using QEMU (from inside the test directory; disk.img must already exist, as it is used for the -drive option):

    if [[ $(uname -s) == "Linux" ]]; then
      accel="-accel kvm"
    else
      accel="-accel whpx,kernel-irqchip=off"
    fi
    
    if file zebrafish-kernel | grep -q ARM64; then
      # aarch64 guest: emulate a Neoverse-N1 on the virt machine (replaces the host accelerator)
      target=qemu-system-aarch64
      accel="-cpu neoverse-n1 -machine virt"
      bios="ovmf_aarch64.fd"
    else
      target=qemu-system-x86_64
      bios="ovmf_x64.fd"
    fi
    
    "$target" $accel \
      -drive file=disk.img -m 2G \
      -device virtio-rng-pci \
      -net nic,model=virtio \
      -net user,hostfwd=tcp::10022-:22,hostfwd=tcp::10080-:80 \
      -kernel zebrafish-kernel -initrd zebrafish-initrd \
      -display gtk \
      -device virtio-gpu-pci \
      -append "console=tty0" \
      -device virtio-keyboard-pci \
      -bios "$bios"

    Network and other system configuration is read from <EFI>/zebrafish.toml and /etc/zebrafish.toml on the disk image. For local testing, provide a zebrafish.toml either on a separate EFI partition next to the kernel, or as /etc/zebrafish.toml once the persistence layer is up.

Installation on a real machine

Zebrafish supports installation on the following configurations:

  • UEFI x86_64: A computer with UEFI firmware and x86_64 architecture. Boots directly using the EFI stub in the kernel. Requires at least Haswell microarchitecture (4th generation Intel Core processors).
  • UEFI ARM64: Requires at least ARMv8-A architecture (tuned for Neoverse-N1 processors).
  • BIOS x86_64: Booting is implemented through syslinux. Requires at least Haswell microarchitecture (4th generation Intel Core processors).

Please refer to the Installation Guide for detailed instructions on how to install Zebrafish on your machine.

Contributing

Contributions are welcome! If you would like to contribute to Zebrafish, please fork the repository and submit a pull request.

License

Zebrafish is licensed under the MIT License. See the LICENSE file for more information.
