Project Hummingbird, hands on.
A follow-along guide to Red Hat's rebuild-don't-patch container base — sixteen sections, five worked example projects, ten Excalidraw diagrams. Cut, paste, run.
Tutorial
Work through the sections in order the first time. Each section ends with a prev/next pager so you don't lose your place.
Outline
How the tutorial is structured and how to read it.
Prerequisites
Install and configure the tooling you'll need before any of the examples will work.
What is Project Hummingbird
The conceptual grounding before we start running commands.
Podman basics with Hummingbird
Pull, inspect, and run your first Hummingbird image; learn the ephemeral debug-sidecar pattern.
Multi-stage builds
Use Hummingbird builder images for the build stage and Hummingbird runtime images for the final stage. Examples in Java (Quarkus), Python, Go, with a Node.js appendix.
SBOMs and signing
Generate SBOMs with Syft, sign images with Cosign, and verify the artifacts that ship with stock Hummingbird images.
CVE scanning
Use Grype to scan Hummingbird images and your own derived images. See "near zero CVE" with your own eyes.
Multi-container apps with Podman Compose
Stand up a small multi-service stack with Hummingbird base images and Podman Compose; cover the Fedora-specific SELinux gotchas and healthcheck timing.
Debugging Hummingbird containers
A four-layer debugging strategy for images that have no shell, no curl, and no diagnostic tools.
Layer optimisation with zstd:chunked
Build images that pull faster on subsequent updates by using the zstd:chunked compression format.
Splitting layers with chunkah
A deeper layer-management tool that complements zstd:chunked. Walk through splitting a base image, isolating application code via xattrs, and combining chunkah with zstd:chunked.
Real-world examples
Five end-to-end scenarios that pull together everything from the previous ten sections.
Creating custom SBOMs
Generate richer, application-specific SBOMs that capture build context, multi-source dependency graphs, and cosign-attached attestations beyond what stock images ship with.
Hummingbird with Red Hat Trusted Libraries
Extend the trust chain from base image to application dependencies. Use the Red Hat Trusted Libraries pip index as a drop-in replacement for pypi.org alongside Hummingbird's hardened base images.
Installing RPMs into the runtime image
Three patterns for adding OS packages to a Hummingbird runtime image that has no dnf — staged install with --installroot, rpm2cpio extraction, and selective file copy.
Automated updates with Renovate
Configure Renovate to watch Hummingbird base image tags on quay.io and open PRs when new versions land. Covers regex managers for FROM lines, tag pinning strategies, and digest pinning.
Pruning Podman images and build cache
Reclaim disk on a laptop where Hummingbird base updates accumulate. Covers podman image prune, podman system prune, --filter expressions, buildah unshare, and scheduled cleanup.
Distroless gotchas — lessons from the field
A debugging-and-prevention reference for the rough edges that surface when running real workloads on Hummingbird's distroless runtime images. Documents symptoms, root causes, and fixes for the issues that came up during tutorial development and testing.
Reference
Out-of-band documents that support the tutorial. Read the plan if something doesn't work as written — chances are it's tracked there.