Website: conary.io | Packages: packages.conary.io | Discussions: GitHub Discussions
A cross-distribution Linux system manager with immutable generations, atomic transactions, content-addressable storage, and a declarative system model. 100K+ lines of Rust, 1,800+ tests, one tool for every distro.
Inspired by the original Conary from rPath, which pioneered concepts like troves, changesets, flavors, and components that were ahead of their time. This project carries those ideas forward with a modern implementation.
Immutable system generations. Build read-only EROFS images of your entire system and mount them via composefs. Switch between complete system states live, without rebooting. Every generation is a self-contained snapshot -- rollback means switching a mount, not undoing thousands of file operations.
conary system generation build --summary "After nginx setup"
conary system generation list
conary system generation switch 2
conary system generation rollbackAtomic operations. Every install, remove, and update is a changeset -- an all-or-nothing transaction. If something fails, your system stays exactly as it was. Rollback is not an afterthought; it is core to how the system works. Generations extend this further: the entire system state is atomic.
conary install nginx postgresql redis
conary system state list
conary system state rollback 5Format-agnostic. RPM, DEB, Arch packages, and Conary's native CCS format are all first-class. One tool handles them all.
conary install ./package.rpm
conary install ./package.deb
conary install ./package.pkg.tar.zstDeclarative state. Define your system in TOML and let Conary compute the diff. Drift detection, state snapshots, and full rollback come built in.
conary model diff # What needs to change?
conary model apply # Make it so
conary model check # Drift detection (CI/CD friendly, uses exit codes)68,000+ packages on day one. Remi, the on-demand conversion proxy at packages.conary.io, transparently converts upstream RPM/DEB/Arch packages into CCS format. No upstream changes required -- every package from Fedora, Arch, and Ubuntu is available immediately.
conary repo add remi https://packages.conary.io
conary repo sync
conary install nginx100K+ lines of Rust, 1,800+ tests, database schema v44. This is not a prototype.
| Capability | apt/dnf | pacman | Nix | Conary |
|---|---|---|---|---|
| Immutable generations | No | No | Yes (generations) | Yes (EROFS + composefs) |
| Atomic transactions | No | No | Yes | Yes |
| Rollback to any state | No | No | Yes (generations) | Yes (snapshots + generations) |
| System takeover | No | No | No | Yes |
| Bootstrap from scratch | No | No | Yes | Yes |
| Multi-format (RPM + DEB + Arch) | No | No | No | Yes |
| Derived packages | No | No | Yes (overlays) | Yes |
| Component model (install :devel only) | No | Split packages | No | Automatic |
| Declarative system state | No | No | Yes (flake.nix) | Yes (system.toml) |
| Content-addressable storage | No | No | Yes | Yes |
| Hermetic builds | No | No | Yes | Yes |
| Dev shells | No | No | Yes | Yes |
| OCI container export | No | No | Yes | Yes |
| Capability enforcement (landlock/seccomp) | No | No | No | Yes |
| Scriptlet sandboxing | No | No | N/A | Yes |
| Single binary, no daemon required | Yes | Yes | No | Yes |
| Mature ecosystem | Yes | Yes | Yes | No (early) |
| Package count | 60K+ | 15K+ | 100K+ | Via conversion |
Conary is strongest where traditional package managers are weakest: atomic operations, cross-format support, immutable system images, and fine-grained component control. Nix shares several of Conary's design principles but uses a custom language (Nix expressions) where Conary uses TOML, and Nix does not handle RPM/DEB/Arch formats natively.
The honest gap: ecosystem maturity. apt and dnf have decades of packages and integration. Conary bridges this through format conversion (install .rpm/.deb/.pkg.tar.zst directly) and the Remi server (which converts upstream repos to CCS on the fly), but native CCS packages are still early. Immutable generations are a recent addition and are under active development.
# Build from source (requires Rust 1.93+, Linux only)
git clone https://github.com/ConaryLabs/Conary.git
cd Conary
cargo build
# Initialize the database
conary system init
# Add the Remi package server (Fedora, Arch, Ubuntu, Debian)
conary repo add remi https://packages.conary.io
conary repo sync
# Install a package
conary install nginx --dry-run # Preview changes
conary install nginx # Apply atomically
# Query your system
conary list # All installed packages
conary query depends nginx # Show dependencies
conary query whatprovides libc.so.6
# Adopt packages already on the system
conary system adopt --system # Track everything installed by RPM/APT
# Build a generation from current system state
conary system generation build --summary "Initial setup"
conary system generation list
conary system generation switch 1Build immutable EROFS images of your entire system and mount them via composefs. Each generation is a complete, read-only system snapshot. Switch between generations live without rebooting -- the active generation is swapped atomically. Old generations can be garbage collected to reclaim space.
Requires Linux 6.2+ with composefs support.
conary system generation build --summary "Post-update"
conary system generation list # Show all generations
conary system generation switch 3 # Switch to generation 3
conary system generation rollback # Revert to previous generation
conary system generation gc --keep 3 # Keep only the 3 most recent
conary system generation info 2 # Detailed info about generation 2Convert an existing Linux installation into a Conary-managed system. Takeover scans installed packages (RPM, DEB, or Arch), adopts them into Conary's database, optionally converts them to CCS via Remi, and builds an initial generation. This is how you adopt Conary on a running system without reinstalling.
conary system takeover --dry-run # Preview what would happen
conary system takeover # Full system adoption
conary system takeover --skip-conversion # Adopt without CCS conversionEvery operation produces a changeset. It applies completely or not at all. The full history is retained for rollback.
conary install nginx postgresql redis
conary system state list # See all system snapshots
conary system state diff 5 8 # Compare two snapshots
conary system state rollback 5 # Revert to snapshot 5Install packages from any major Linux format. Conary parses metadata, dependencies, and scriptlets from all of them.
conary install ./package.rpm
conary install ./package.deb
conary install ./package.pkg.tar.zstDefine desired system state in TOML. Conary computes what needs to change and applies it atomically.
# /etc/conary/system.toml
[packages]
include = ["nginx", "postgresql", "redis"]
exclude = ["sendmail"]
[packages.pinned]
openssl = "3.0.*"
[[collections]]
name = "base-server"
url = "https://packages.conary.io/collections/base-server.toml"conary model diff # What needs to change?
conary model apply # Make it so
conary model check # Drift detection (CI/CD friendly, uses exit codes)Files are stored by SHA-256 hash with automatic deduplication. Content-defined chunking (FastCDC) enables cross-package deduplication and implicit delta updates -- if the client has 48 of 50 chunks, it downloads only 2.
conary system verify nginx # Integrity check against CAS
conary system restore nginx # Restore files from CAS
conary system gc # Garbage collect unreferenced objectsSAT-based resolver (via resolvo) with typed dependency kinds: package, soname, python, perl, ruby, java, pkgconfig, cmake, binary, and more.
conary query depends nginx # Forward dependencies
conary query rdepends openssl # Reverse dependencies
conary query whatprovides libc.so.6 # Capability lookup
conary deptree nginx # Full dependency treePackages are automatically split into components: :runtime, :lib, :devel, :doc, :config, :debuginfo. Install only what you need.
conary install nginx:runtime # Binaries only
conary install openssl:devel # Headers and libs for buildingBuild a complete Conary-managed Linux system from scratch. The pipeline runs Stage 0 (cross-compilation toolchain), Stage 1 (self-hosted toolchain), optional Stage 2 (extended toolchain), BaseSystem (core packages with per-package checkpointing), optional Conary stage (self-hosting), and Image (bootable disk via systemd-repart). RecipeGraph handles dependency ordering across all stages. Targets x86_64, aarch64, and riscv64. Aligned with LFS 12.4 (binutils 2.45, gcc 15.2.0, glibc 2.42, kernel 6.16.1).
conary bootstrap init --target x86_64
conary bootstrap check # Verify prerequisites
conary bootstrap dry-run # Validate pipeline without building
conary bootstrap stage0 # Cross-compilation toolchain
conary bootstrap stage1 # Self-hosted toolchain
conary bootstrap stage2 # Extended toolchain (optional)
conary bootstrap base # Core system packages
conary bootstrap conary # Build Conary itself (optional)
conary bootstrap image --format raw # Bootable disk image (systemd-repart)
conary bootstrap status # Progress report
conary bootstrap resume # Resume from last checkpoint
conary bootstrap base --skip-verify # Skip checksum enforcement
conary bootstrap image --skip-stage2 --skip-conary # Minimal imageCreate custom variants of existing packages with patches and file overrides, without rebuilding from source. Derived packages track their parent and can be flagged as stale when the parent is updated.
conary derive create my-nginx --from nginx
conary derive patch my-nginx fix-config.patch
conary derive override my-nginx /etc/nginx/nginx.conf --source ./custom.conf
conary derive build my-nginx
conary derive stale # List derived packages needing rebuildCCS Native Package Format
Conary's native format uses content-addressable chunked storage, CBOR manifests with Merkle tree verification, and Ed25519 signatures. Packages can be exported to OCI container images.
conary ccs build . # Build from ccs.toml
conary ccs sign package.ccs # Ed25519 signatures
conary ccs verify package.ccs # Verify integrity
conary ccs export package --format oci # Export to container imageRecipe System and Hermetic Builds
Build packages from source using TOML recipe files in isolated, network-blocked build environments. Hermetic builds use PID, UTS, IPC, and network namespaces with dependency-hash cache invalidation.
conary cook nginx.recipe.toml # Build from recipe
conary cook --hermetic nginx.recipe.toml # Maximum isolation
conary cook --fetch-only nginx.recipe.toml # Pre-fetch for offline buildDev Shells
Temporary environments without permanent installation -- similar to nix shell.
conary ccs shell python,nodejs # Spawn a shell with packages available
conary ccs run gcc -- make # One-shot command executionCollections
Group packages into named sets for bulk operations.
conary collection create web-stack --members nginx,postgresql,redis
conary install @web-stack
conary update-group web-stack # Update all members atomicallyLabels and Federation
Route packages through label chains with delegation. Inspired by the original Conary's label system for tracking package provenance.
conary query label add local@devel:main
conary query label add fedora@f43:stable
conary query label delegate local@devel:main fedora@f43:stableSandboxed Scriptlets
Package install scripts run in namespace isolation with resource limits. Dangerous scripts are detected automatically.
conary install pkg --sandbox=always # Force sandboxing
conary install pkg --sandbox=never # Trust the scriptsCapability Enforcement
Packages declare their runtime capabilities. Landlock restricts filesystem access; seccomp-bpf restricts syscalls.
conary capability audit nginx # Show declared capabilities
conary capability enforce nginx # Apply restrictionsConfiguration Management
Track, diff, backup, and restore configuration files across package updates. Conary records which config files belong to which packages and detects local modifications. Backup and restore operations are tied to the database so you can see the full history of changes.
conary config list # Show modified config files
conary config list nginx --all # All config files for a package
conary config diff /etc/nginx/nginx.conf # Diff against package version
conary config backup /etc/nginx/nginx.conf
conary config restore /etc/nginx/nginx.conf
conary config check # Check all config file statusPackage Provenance and SBOM
Full supply chain metadata for every package. Provenance tracks where a package came from, how it was built, and what it contains. SBOM generation produces standard formats for auditing. Includes SLSA attestation support for verifying build integrity.
conary provenance show nginx # Origin, build info, signatures
conary provenance verify nginx # Verify signatures and attestations
conary provenance diff nginx openssl # Compare provenance between packages
conary system sbom nginx --format spdx # Generate SBOMTrigger System
Automatic post-transaction actions with DAG-based ordering. 10+ built-in triggers handle common system maintenance: ldconfig (shared library cache), depmod (kernel modules), fc-cache (fonts), update-mime-database, update-desktop-database, gtk-update-icon-cache, glib-compile-schemas, systemd-related reloads, and more. Triggers fire based on file path patterns and can be enabled, disabled, or extended with custom triggers.
conary system trigger list # Show all triggers
conary system trigger show ldconfig # Trigger details
conary system trigger enable NAME # Enable a trigger
conary system trigger disable NAME # Disable a triggerConary is a system manager structured around a few core concepts:
| Concept | Description |
|---|---|
| Trove | The universal unit -- packages, components, and collections are all troves |
| Changeset | An atomic transition from one system state to another |
| Generation | An immutable EROFS image of a complete system state |
| Flavor | Build variations (architecture, feature flags): [ssl, !debug, is: x86_64] |
| Label | Package provenance: repository@namespace:tag |
| CAS | Content-addressable storage for all file data |
Database-first design. All state lives in SQLite. No config files for runtime state. Every operation is queryable, every state transition is recorded.
For a detailed architecture overview, see docs/ARCHITECTURE.md.
Conary includes an on-demand CCS conversion proxy called Remi. It converts legacy packages (RPM, DEB, Arch) to CCS format on the fly, serves chunks via content-addressable storage, and provides a sparse index for efficient client sync. This is how Conary delivers 68,000+ packages on day one without requiring any upstream changes.
A public instance runs at packages.conary.io.
Features: Bloom filter acceleration, batch endpoints, pull-through caching, full-text search (Tantivy), TUF supply chain trust, and Prometheus metrics.
# Build with server support
cargo build --features server
# Run the server
conary server --bind 0.0.0.0:8080 --data-dir /var/lib/remiA local daemon that provides a REST API for package operations over a Unix socket, with SSE event streaming for real-time progress. Integrates with systemd for socket activation and watchdog support.
# Build with server + daemon support
cargo build --features server
# Run the daemon
conary daemonSee the Conaryopedia for the full REST endpoint list.
Distributed chunk sharing across Conary nodes for bandwidth savings. Nodes discover peers via mDNS on the LAN and form a hierarchy (leaf -> cell hub -> region hub) for efficient chunk distribution.
conary federation status # Overview
conary federation peers # List peers
conary federation add-peer URL --tier cell_hub
conary federation scan # mDNS LAN discovery
conary federation stats --days 7 # Bandwidth savings reportRequires Rust 1.93+ (edition 2024). The project is a Cargo workspace with 4 crates: conary (CLI), conary-core (library), conary-erofs (EROFS image builder), and conary-server (Remi + conaryd).
cargo build # Client only (default)
cargo build --features server # With Remi server + conaryd daemon
cargo test # Run all tests (~1,800 tests)
cargo clippy -- -D warnings # Lint checkRelease builds use LTO and single codegen unit for maximum optimization:
cargo build --release # Optimized build
cargo build --profile fast-release # Faster compile, still optimizedVersion 0.1.0 -- Core architecture is complete and tested. The codebase has 100,000+ lines of Rust with 1,800+ tests passing (schema v44). System generations (EROFS + composefs), system takeover, and the bootstrap pipeline are implemented. A production Remi server is running at packages.conary.io.
See ROADMAP.md for the full feature status and planned work.
- Shell integration (direnv-style)
- P2P chunk distribution plugins
- Multi-version package support
- VFS component merging
- Full repository server with version control
| Document | Description |
|---|---|
| ROADMAP.md | Feature status and planned work |
| CHANGELOG.md | Release history |
| CONTRIBUTING.md | Development setup and contribution guidelines |
| SECURITY.md | Vulnerability reporting policy |
| docs/ARCHITECTURE.md | System design overview |
| docs/conaryopedia-v2.md | Comprehensive technical guide |
| docs/specs/ccs-format-v1.md | CCS package format specification |
| docs/SCRIPTLET_SECURITY.md | Scriptlet sandboxing and isolation |
For CLI reference: conary --help or man conary (man pages are auto-generated during build).
- GitHub Discussions -- Questions, ideas, and general conversation
- Good First Issues -- Starter tasks for new contributors
- CONTRIBUTING.md -- Development setup and guidelines
MIT