Session
Bootable Containers for Secure and Compliant 'Appliance' Operating Systems
Bootable containers (bootc), a CNCF Sandbox project, allow teams to define and ship entire operating systems as container images. This model, which extends ostree with the familiar Containerfile build construct, is compelling for security appliances and edge devices that benefit from atomic updates.
However, making appliance operating systems easy to build is only half the problem. For security-sensitive systems, how do you ensure they cannot jump off their defined release train? This requires hardening the build, release, and update cycle.
This talk demonstrates a hardening strategy for bootc-based Fedora appliances: CI that builds, hardens via CIS benchmarks, and signs with Sigstore cosign. On deployed systems, policy enforcement, SELinux lockdown, and enforced kernel arguments close attack surfaces — even against root. Attendees will learn to build and enforce a complete OS image trust chain using container tooling.
Ethan Troy
Principal @ Fortreum | Cloud Security Compliance and Automation
Orlando, Florida, United States