A base image factory. Here's what's in the image.
kldload re-packs any Linux distro with kernel modules baked in at build time. The result is a stock vendor installation with ZFS on root, encrypted networking, and full observability — available from second zero. Here's what that means in practice.
This is not a feature list. It's a list of problems that stop existing when the kernel has the right modules from birth. Every item below is something you'd otherwise need a separate tool, a separate service, or a separate vendor to provide. kldload doesn't replace those tools — it makes the kernel capable enough that you might not need them.
What changes when the kernel has the right modules
30-second OS rollback
Boot environments let you undo an entire OS upgrade at the bootloader. Pick the pre-upgrade snapshot, reboot, done. No rescue USB. No reinstall. 30 seconds.
Self-healing storage
Every block is checksummed. If a bit flips — silent data corruption that ext4 will never detect — ZFS catches it and auto-repairs from the mirror or parity. Your data is intact, always.
Compression makes you faster
lz4 compression writes less data to disk. Less I/O = faster performance. You get more usable space and better throughput. It’s not a trade-off — it’s free.
Clone 500GB in 0.1 seconds
kclone /srv/database /srv/database-test — instant copy-on-write clone. Zero additional space until data diverges. Production database cloned for testing in milliseconds.
Per-directory encryption
Not full-disk LUKS. Per-dataset AES-256-GCM with independent keys. Home dir, database, logs — each locked separately. Compromise one key, the rest stay sealed.
Atomic package management
kpkg install nginx snapshots the filesystem first. If the install breaks something, ksnap rollback undoes everything — the package, its config files, the state changes. All of it.
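The snapshot, install, roll-back-on-failure sequence described above, written out as an added example; this is not kldload's own kpkg/ksnap (those are bash scripts). It assumes a root dataset named rpool/ROOT/default and apt-get as the package manager, and takes an injectable run function so the flow can be exercised without a real pool.

```python
"""Snapshot-before-install with automatic rollback (constructed example)."""
import subprocess
import time

ROOT_DATASET = "rpool/ROOT/default"   # assumed dataset name, not taken from the page


def _sh(argv):
    """Default runner: execute argv and return its exit status."""
    return subprocess.run(argv, check=False).returncode


def transactional_install(pkg, installer=("apt-get", "install", "-y"),
                          dataset=ROOT_DATASET, run=_sh, now=time.time):
    """Snapshot the root dataset, run the package manager, roll back on failure.

    Returns (ok, snapshot_name). The snapshot is kept in both cases so the
    change can still be undone later by hand or pruned by a retention policy.
    """
    snap = f"{dataset}@pre-{pkg}-{int(now())}"
    # Refuse to touch the system if we cannot first record a way back.
    if run(["zfs", "snapshot", snap]) != 0:
        raise RuntimeError(f"could not create {snap}; refusing to install")
    rc = run([*installer, pkg])
    if rc == 0:
        return True, snap
    # Install failed: 'zfs rollback -r' discards every snapshot newer than ours
    # and restores files, config and the package database in one atomic step.
    # Rolling back a live root still leaves running processes with stale state,
    # so a reboot (or a boot-environment switch) is the safe follow-up.
    if run(["zfs", "rollback", "-r", snap]) != 0:
        raise RuntimeError(f"install failed (rc={rc}) and rollback of {snap} failed")
    return False, snap
```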
Block-level replication
zfs send | ssh remote zfs recv — not file copying. Block-level replication. Build one system, replicate it to 100 nodes. Only changed blocks travel. It’s Git for your entire OS.
GPU sharing without passthrough
NVIDIA drivers on the host, containers on top. Every container shares the GPU simultaneously via CUDA time-slicing. Jellyfin transcoding + AI inference + monitoring — one GPU, no PCIe passthrough. Works on any NVIDIA GPU including consumer cards.
Air-gapped deployment
Thousands of packages across five package managers (dnf, apt, pacman, apk, pip), baked into one USB. Install a full Linux desktop with ZFS on root in a facility with zero internet. Military, classified, remote — it just works.
USB to production fleet
Boot USB → install → export VMDK → upload to cloud → Terraform deploys 100 instances. One pipeline from bare metal to production. 8 distros × 3 profiles × 6 export formats = 144 unique configurations from one ISO.
Multi-Distro Installer
CentOS Stream 9
RHEL upstream. Enterprise-grade. dnf --installroot from the baked-in RPM darksite. Offline. Desktop, server, or core profile.
Debian 13 (Trixie)
Stable. Proven. debootstrap from the embedded APT darksite on localhost:3142. Offline. Desktop, server, or core profile.
RHEL 9
Red Hat Enterprise Linux. Enter your activation key and org ID in the web UI. Pulls from Red Hat CDN. The only path that needs internet.
Rocky Linux 9
RHEL binary-compatible. Community-driven. Uses the same RPM darksite and dnf --installroot path as CentOS. Offline. Desktop, server, or core profile.
Ubuntu 24.04 LTS
Popular. Huge community. debootstrap from the embedded APT darksite on localhost:3143. Offline. Desktop, server, or core profile.
Fedora 41
Latest packages, fast updates. dnf --installroot from the Fedora RPM darksite. Offline. Desktop, server, or core profile.
Arch Linux
Rolling release. pacman from the embedded pacman darksite. Frozen at build time, upgrade after install. Server or core profile.
FreeBSD 15.0
Native ZFS. No DKMS needed — ZFS is in the kernel. Downloads base.txz + kernel.txz on demand. loader.efi boots directly into ZFS. Internet required.
Eight operating systems from one USB. Each one is installed using its native tools — dnf --installroot for RPM distros, debootstrap for Debian/Ubuntu, pacman --root for Arch, base set extraction for FreeBSD. kldload doesn't patch, fork, or modify anything. Every package comes from the vendor's own repos. The result is a stock distro with kernel modules baked in — not a custom distro pretending to be something else.
ZFS on Root
128-bit Copy-on-Write
Never overwrites data in place. Every change goes to a new location. Old versions stay intact for snapshots. Checksums on every block. Self-healing on mirrors.
Boot Environments
ZFSBootMenu presents every OS state as a boot option. Upgrade broke something? Pick the pre-upgrade snapshot at boot. 15-second rollback. No rescue USB.
Automatic Snapshots
Before every package change. Every 15 minutes for /srv. Configurable retention. Factory reset snapshot on install. Managed by sanoid.
Native Encryption
Per-dataset AES-256-GCM. Each directory can have its own key. Lock and unlock datasets independently. Send encrypted snapshots to untrusted storage.
Kernel Modules
ZFS
Compiled and signed at image build time — not on the target machine. The kernel and module ship as a matched pair. No compiler on the target. No DKMS in the boot path. If the machine boots, ZFS is loaded.
WireGuard
Kernel-level encrypted networking. The module is loaded before any process exists. Create tunnels whenever you need them. No daemon. No certificate authority. No port to scan.
NVIDIA (optional)
GPU drivers baked into the image. CUDA-ready on first boot. Auto-detected — only installed when NVIDIA hardware is present. No nouveau conflicts.
eBPF (optional)
Kernel-level observability. Attach probes to running processes, trace syscalls, network flows, disk I/O. No agents. No SaaS. The kernel already knows what's happening — eBPF lets you ask it.
These are not userland services. They're kernel modules compiled into the image at build time, signed with a per-build MOK key, and loaded by the bootloader before any process exists. The distinction matters: a userland VPN daemon can crash, be killed, or fail to start. A kernel module is part of the kernel — it can't be killed from userspace and it's available from the moment the kernel is.
Secure Boot is not optional. On any network that matters, disabling Secure Boot is not an acceptable standard. If your boot chain is unverified, everything above it — firewalls, SELinux, encryption — is theatre. kldload signs every module at build time so Secure Boot stays on. No excuses.
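A way to audit the "every module is signed" claim on a built image, as an added example that is not kldload code: sign-file appends a PKCS#7 blob, a 12-byte module_signature header and the magic string "~Module signature appended~\n" to each .ko, and this parser checks that trailer for every module under a directory. It assumes uncompressed .ko files (a compressed .ko.xz/.ko.zst carries the trailer inside the compressed stream).

```python
"""Audit appended kernel-module signatures (constructed example)."""
import struct
from pathlib import Path

MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2   # id_type used by sign-file since Linux 4.x


def parse_signature_trailer(blob):
    """Return {"id_type", "sig_len", "pkcs7"} for a signed module image, else None."""
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    if len(body) < SIG_HDR.size:
        return None
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    payload = body[:-SIG_HDR.size]
    if sig_len > len(payload):
        return None   # truncated or corrupt trailer
    if id_type == PKEY_ID_PKCS7 and (algo or hsh or signer_len or key_id_len):
        return None   # PKCS#7 signatures must leave the legacy fields zero
    return {"id_type": id_type, "sig_len": sig_len,
            "pkcs7": payload[len(payload) - sig_len:]}


def audit_modules(root):
    """Map each .ko under root to True (signature trailer present) or False."""
    root = Path(root)
    return {str(p.relative_to(root)): parse_signature_trailer(p.read_bytes()) is not None
            for p in root.rglob("*.ko")}
```

A present trailer only shows that something was appended; whether the signer is trusted is decided by the kernel's keyring and the enrolled MOK, which `modinfo -F sig_key` and `mokutil --list-enrolled` let you compare.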
Web UI Installer
Browser-based
GNOME desktop boots, Firefox opens to the installer on port 8080. Pick distro, profile, disk, hostname, password. Real-time install log streaming via WebSocket.
Unattended mode
Pass an answers file: kldload-install-target --config answers.env. Same installer, no UI. Automate fleet deployments with identical configs.
Pool Designer
Visual ZFS pool topology calculator. Select disks, pick a layout (mirror, RAIDZ1/2/3, stripe), see usable space and the exact zpool create command.
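The arithmetic behind the Pool Designer, as an added example that is not the project's web UI code: given a layout, the selected device paths and a uniform disk size, it returns raw usable capacity, the per-vdev fault tolerance and the exact `zpool create` line. The function name `design_pool`, the 2-way mirror grouping and `ashift=12` are assumptions of this example.

```python
"""Minimal ZFS pool topology calculator (constructed example)."""
from dataclasses import dataclass

# Parity disks consumed per vdev in each layout.
PARITY = {"stripe": 0, "raidz1": 1, "raidz2": 2, "raidz3": 3}


@dataclass
class PoolPlan:
    usable_gib: int        # raw capacity, before ZFS metadata and padding overhead
    fault_tolerance: int   # disks that may fail within one vdev without data loss
    command: str           # the exact zpool create line


def design_pool(name, layout, disks, disk_gib, mirror_width=2):
    """Plan a pool from a layout, device paths and a uniform disk size in GiB."""
    n = len(disks)
    if n == 0:
        raise ValueError("no disks selected")
    if layout == "mirror":
        # Disks are grouped into mirror_width-way mirror vdevs that are striped together.
        if n % mirror_width:
            raise ValueError(f"{n} disks cannot form {mirror_width}-way mirrors")
        vdevs = [disks[i:i + mirror_width] for i in range(0, n, mirror_width)]
        usable = len(vdevs) * disk_gib
        tolerance = mirror_width - 1
        spec = " ".join("mirror " + " ".join(v) for v in vdevs)
    elif layout in PARITY:
        p = PARITY[layout]
        # zpool(8): a raidz group needs one more disk than its parity count.
        if p and n < p + 1:
            raise ValueError(f"{layout} needs at least {p + 1} disks")
        usable = (n - p) * disk_gib
        tolerance = p
        spec = " ".join(disks) if p == 0 else f"{layout} " + " ".join(disks)
    else:
        raise ValueError(f"unknown layout {layout!r}")
    # ashift=12 (4 KiB sectors) is an assumed default here; lz4 matches the page.
    command = f"zpool create -o ashift=12 -O compression=lz4 {name} {spec}"
    return PoolPlan(usable, tolerance, command)
```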
Profile summary
Live status line during install: CentOS Stream 9 · Desktop +WireGuard +eBPF → QCOW2. Know exactly what's being built.
Image Factory
kexport
Standalone tool. Export any installed disk to any format, any time, as many times as you want. Install once, produce every image you need.
kexport /dev/sda qcow2 · kexport /dev/sda all
qcow2
Compressed, copy-on-write. KVM, Proxmox, OpenStack.
raw
Sparse dd-ready image. Cloud import, dd to another disk.
VHD / VMDK / OVA
Azure, Hyper-V, VMware ESXi, vSphere, VirtualBox. One install produces every format.
The image factory is the second thing kldload does. The first is installing ZFS on root. The image factory is what falls out of that process: you now have a machine with ZFS, WireGuard, boot environments, and snapshots. kexport turns that machine into a deployable image for any hypervisor. One install, every format. The image is your deployment artifact. Feed it to Packer as a base. Deploy it with Terraform. Stamp out 100 copies with cloud-init. The image is yours.
Air-Gap & Offline
Dual darksite mirrors
RPM mirrors for CentOS/Rocky/RHEL. APT mirrors for Debian/Ubuntu. All baked into the ISO. Full transitive dependency closure. Nothing downloaded at deploy time. Arch and FreeBSD require internet.
ZFSBootMenu EFI
Pre-built UEFI binary included in the ISO. No network fetch for the bootloader. Works on any UEFI system.
Note: kldload uses ZFSBootMenu — not GRUB — for ZFS boot. This means you're unaffected by Canonical's Secure Boot + GRUB changes.
30+ CLI Tools
Optional shortcuts that abstract package managers across distros. Use them or don't — your native apt/dnf/pacman still works. These just automate the boring stuff (snapshot before upgrade, boot environment, etc.).
Fully Auditable
Fully auditable. One Python file. Zero compiled binaries.
The installer, the firstboot scripts, the snapshot system, the boot environment manager, the darksite builder, the image exporter — all plain bash. The web UI is one Python file. No Go. No Rust. No node_modules. No vendor SDKs.
cat any file and read what it does. Fork the repo and modify it. That's the point.
This is the uncomfortable question for every infrastructure tool: what does it actually do? With compiled binaries, the answer is "whatever the vendor says." With kldload, the answer is cat $(which kldload-install-target). Every decision the installer makes is in readable bash. Every default is a line you can find with grep. Every module is signed with a key you can inspect. The entire build process is one Dockerfile and one shell script. If you don't trust it, read it. That's the only trust model that matters.