The What, Why and How of Containers – Annwan; HN
—
Lima. Lima launches Linux virtual machines with automatic file sharing and port forwarding (similar to WSL2), and containerd. Lima can be considered a sort of unofficial “containerd for Mac”. Lima is expected to be used on macOS hosts, but can be used on Linux hosts as well.
colima is a container environment on macOS with minimal setup that uses lima-vm.
Create an LXD container in Macpine - Macpine
GoogleContainerTools/distroless: 🥑 Language focused docker images, minus the operating system.
Wolfi “is a community Linux OS designed for the container and cloud-native era. Chainguard started the Wolfi project to enable building Chainguard Images, our collection of curated distroless images that meet the requirements of a secure software supply chain. This required a Linux distribution with components at the appropriate granularity and with support for both glibc and musl, something that was not yet available in the cloud-native Linux ecosystem. Wolfi is a stripped-down distro designed for the cloud-native era. It doesn’t have a kernel of its own, instead relying on the environment (such as the container runtime) to provide one. This separation of concerns in Wolfi means it is adaptable to a range of environments.”
Chainguard Images contain only what is required to build or run your application. This results in fewer CVEs over time compared to other base images and on average an 80% reduction in overall size.
- Signed with Sigstore
- SBOMs included
lucavallin/barco: Linux containers from scratch in C.
abiosoft/colima: Container runtimes on macOS (and Linux) with minimal setup; an alternative to Podman.
Bottlerocket is a Linux-based operating system optimized for hosting containers.
- Bottlerocket is installed as the base operating system on the machine or instance where your containers themselves are running.
- It is designed to work with container orchestrators like Kubernetes to automate the lifecycle of the containers running in the cluster.
- Bottlerocket runs in the cloud or in your datacenter.
- Bottlerocket is designed to be updatable but it doesn’t have a package manager. It doesn’t need one. Updates are delivered via an image that is downloaded to a specific partition. When you’re ready to update, let your orchestrator drain the node and then tell Bottlerocket to apply the update and reboot when ready. Bottlerocket will swap the partitions and boot with the new version atomically.
- Bottlerocket’s unique functionality is written in Rust and a little bit of Golang.
- The root filesystem of Bottlerocket is immutable.
- Bottlerocket has an always-enabled, enforced, restrictive SELinux policy.
- It does not have a shell.
- You can still interact with the system through privileged “host” containers (that do have shells)