Red Hat builds prototype for agentic operating system
AI agents that act autonomously and solve complex tasks are gaining popularity. A customized OS in a container serves as a sandbox.
AI agents that can automatically perform tasks for their operators are popular – for example, OpenClaw can do many things for users. Since agentic AI can also do things like install further software, security questions inevitably arise. Scalability is another point. Red Hat wants to address this with an agentic operating system.
The basic idea is simple: AI agents like OpenClaw need a stable and secure operating system foundation. Classic operating systems change over time through software installations and general use, leading to configuration drift. With ordinary virtual machines, reproducibility becomes difficult, for example when it comes to ensuring that the system functions as desired and remains secure.
In a blog post, Red Hat employee Sally O’Malley explains how she created a prototype of an agentic operating system in the form of a container file. This is based on fedora-bootc, a community project that packages a bootable Linux operating system directly into a container file like a Docker container. The images can also be converted into complete disk images, such as QCOW2 (QEMU Copy On Write version 2), AMI (Amazon Machine Image), ISO-9660 image for burning to DVD or CD, Google Cloud Image, and others.
Agentic Operating System: Security Objective
The operating system is thus defined at build time, and runtime is limited to changes that have been explicitly allowed beforehand. After startup, the container image represents the operating system, with kernel, init process, and root file system. The majority of the file system is read-only. This results in hardened environments that follow a defined standard – an immutable system, which aids reproducibility. This also prevents “system drift,” whereby individual installations diverge from each other because different additional software has been installed on them. With the agentic operating system, in the case of OpenClaw, the service, helper scripts, user accounts, and systemd units are defined at build time and strictly separated from the changeable data.
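One way to check the read-only property described above on a running host, as an added example that is not from the article or from Red Hat's repository: it flags any writable mount outside an allow-list of mutable paths. The function name `audit_mounts`, the `ALLOWED_RW` allow-list, and the sample mount tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or Red Hat's repository.
# ALLOWED_RW is an assumed policy: the only places that may be mounted writable.
ALLOWED_RW="${ALLOWED_RW:-/etc /var /run /tmp /dev /proc /sys}"

# audit_mounts reads /proc/self/mounts-format lines on stdin and prints
# "DRIFT <mountpoint> <fstype>" for each writable mount that is not at or
# below an allowed path. Returns 1 if any were found, otherwise 0.
audit_mounts() {
    awk -v allowed="$ALLOWED_RW" '
        BEGIN { n = split(allowed, allow, " ") }
        NF >= 4 {
            mp = $2
            # Options are comma separated; "rw" marks a writable mount.
            m = split($4, opts, ",")
            rw = 0
            for (i = 1; i <= m; i++) if (opts[i] == "rw") rw = 1
            if (!rw) next
            ok = 0
            for (i = 1; i <= n; i++)
                if (mp == allow[i] || index(mp, allow[i] "/") == 1) ok = 1
            if (!ok) { print "DRIFT", mp, $3; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: read-only root, writable /etc, /var and /run.
SAMPLE_GOOD='composefs / overlay ro,relatime 0 0
/dev/vda3 /etc ext4 rw,relatime 0 0
/dev/vda3 /var ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'

# Constructed sample: the same host after /usr was remounted writable.
SAMPLE_DRIFT="$SAMPLE_GOOD
/dev/vda3 /usr ext4 rw,relatime 0 0"

# Demo on the constructed drift sample; prints one DRIFT line.
printf '%s\n' "$SAMPLE_DRIFT" | audit_mounts || true
```

On a live host, feed it the real mount table with `audit_mounts < /proc/self/mounts`.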
Updates to the environments are standardized and controllable, as the new image is simply placed in the registry for updating. All running machines pull the update and boot it. Updates thus become transactional; O’Malley compares them to a Git commit, making rollbacks trivial. Secrets, OpenClaw status, and SSH keys remain untouched and intact while the operating system evolves.
The approach also makes agentic AI scalable. Numerous images can be started, for example, on server clusters, and they do not all have to be configured individually. All machines start OpenClaw, and the AI agent then runs exactly as expected. Versions and configurations remain synchronized.
For now, O’Malley wants to demonstrate and present the concept of an agentic operating system. However, it is also on Red Hat’s roadmap. Specifically, Red Hat plans a project called Kagenti as part of Red Hat AI – with a preview in 2026. Those who want to try it out can find the files and documentation in Red Hat’s repository.
(dmk)