In a future world swarming with AI agents, what would the ideal agentic operating system (OS) look like?
For a group of Red Hat developers, the ideal OS would be an image-based Linux distribution that is hardened, bootable and configured at build time. To demonstrate, they have created a bootable Linux appliance, codenamed Tank-OS, dedicated to running OpenClaw, and other agents.
At first glance, the Tank-OS image resembles a largely read-only Fedora system, but one that is tamped down solely for agent use. Users can SSH into an OpenClaw CLI wrapper, where they can write into ~/.openclaw/.openclaw. API keys are stashed in the openclaw user’s Podman secret store, and SSH access is configured separately for each role. Red Hat’s Podman container runtime manages the container’s lifecycle.
“By providing a hardened, image-based environment, it establishes a robust community template for what an agentic OS can look like in practice,” wrote project lead Sally O’Malley, Red Hat principal software engineer for emerging technologies, at the Office of the CTO, in a blog post.
Tank-OS is Defined at Build Time
Typically, to run an agent, one should set up a virtual machine and then manually install the needed packages. As one builds more of these agent-focused VMs, however, their basic configuration will tend to drift over time, making management and updates a chore.
“The agent’s runtime, OS packages, config files, and secrets are all tangled together in a single mutable filesystem. When something goes wrong in a mutable system, figuring out what changed is difficult,” O’Malley wrote.
Tank-OS is built with the open source bootc, which can turn a container image into a bootable Linux OS (Fedora) that can be run as a rootless Podman workload.
This image-based architecture is defined at build time, using declarations to specify the OpenClaw service, helper scripts, user accounts, and systemd configuration files.
When a system update is needed, the new image is pushed to the registry. All running machines will then reboot into the new version, not touching OpenClaw’s state data.
“Separation of concerns is built into the architecture,” O’Malley wrote, noting that this approach would be advantageous for environments that run entire fleets of agents.
Tank-OS is Rootless and Hardened
Being rootless, the Tank-OS offers no path to full admin access (even with sudo). This severely limits the amount of damage a malicious hacker’s script can do within this environment.
This is an important selling point for OpenClaw and other agents, which are increasingly grappling with security concerns.
In February, researchers revealed that OpenClaw (CVE-2026-25253) could be tricked into making a websocket connection without user consent, which then could be used for purloin credentials, execute commands and steal data.
Tank OS could thwart such an attack. By being rootless, the image wouldn’t permit an attacker to take control of a system. They’d be limited in what data they could write to the image itself. And credentials are safeguarded in the Podman secret store.
Not surprisingly, there are several other efforts to secure agents in a cloud environment.
Nvidia created OpenShell to secure agent operations at runtime. Docker created Docker Sandboxes for running agents in safe, isolated environments, using gVisor and Kata VMs. The Rust-based ZeroClaw binary that runs on a stripped-down unikernel.
Tank-OS in Operation
On the GitHub page, The Red Hat team provides a lengthy agent prompt that starts at the Tank-OS repo, and walks the AI through how to build an agent image. They also supply a demo and tutorial on how to embed OpenClaw on a Podman container that then can be run both locally and then on a Kubernetes cluster with zero modification.
Red Hat engineers will be discussing Tank-OS at the company’s annual Red Hat Summit, taking place in Atlanta this month.
