Containers

Containers From Scratch is nice intro talk to containers. Podman is great.

Notes

• Running code in containers means I don't ever have to think about what version of Python/PostgreSQL/Redis/etc is supported by the stable release of the host operating system.

Links

• Awesome containers
• Virtual Machines and Containers (2019)
• Harbor - Open source trusted cloud native registry project that stores, signs, and scans content.
• Toast - Containerize your development environment.
• Predictive CPU isolation of containers at Netflix (2019)
• amicontained - Container introspection tool. Find out what container runtime is being used as well as features available.
• Libpod - Library used to create container pods. Home of Podman.
• CRFS: Container Registry Filesystem - Read-only FUSE filesystem that lets you mount a container image, served directly from a container registry (such as gcr.io), without pulling it all locally first.
• rkt - Pod-native container engine for Linux. It is composable, secure, and built on standards.
• Quay - Build, Store, and Distribute your Applications and Containers.
• Vagga - Fully-userspace container engine inspired by Vagrant and Docker, specialized for development environments.
• Falco - Container Native Runtime Security. (Website)
• Complete Intro to Containers course (2020)
• Container networking zine
• trivy - Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI.
• Open Container Initiative Runtime Specification
• Container Network Interface - networking for Linux containers
• Containers vs. Zones vs. Jails vs. VMs (2017) (HN)
• Lightweight containers using Linux user namespaces
• Build and run containers leveraging NVIDIA GPUs
• fanal - Static Analysis Library for Containers.
• Complete intro to containers (Code)
• go-init - Minimal init system for containers with pre/post hooks.
• [Borg: The Next Generation (2020)(https://www.eurosys2020.org/wp-content/uploads/2020/04/slides/49_muhammad_tirmazi_slides.pdf) (HN)
• ingraind - Security monitoring agent built around RedBPF for complex containerized environments and endpoints.
• Linux containers in a few lines of code (2020) (HN)
• You don't need an image to run a container (2020)
• libnetwork - Provides a native Go implementation for connecting containers.
• Programming inside a container (2020)
• Containers from first principles (2020) (HN)
• Container technologies at Coinbase: Why Kubernetes is not part of our stack (2020) (HN)
• Kata Containers - Open source container runtime, building lightweight virtual machines that seamlessly plug into the containers ecosystem.
• dumb-init - Simple process supervisor and init system designed to run as PID 1 inside minimal container environments (such as Docker).
• containerd - Industry-standard container runtime with an emphasis on simplicity, robustness and portability. (Web) (Why and How to Use containerd from the Command Line) (Web Code)
• Rust extensions for containerd
• Clair - Vulnerability Static Analysis for Containers.
• GCR Cleaner - Delete untagged image refs in Google Container Registry, as a service.
• Rootless Containers
• Linux Containers Forum
• LXD – next generation system container manager release 4.3 (2020) (HN)
• AWS Containers Roadmap (Web)
• Nestybox - Run Docker and Kubernetes in Containers. (HN)
• sysdig - Linux system exploration and troubleshooting tool with first class support for containers.
• GitHub Container Registry (2020) (HN)
• Introduction to runc (2020) (HN)
• Cloud Native Buildpacks - Transform your application source code into images that can run on any cloud. (GitHub) (RFCs)
• Bravetools - End-to-end System Container management platform. (Docs)
• Packer - Build Automated Machine Images. (Code)
• floki - Launch containers to help build your software. (Easy, reproducible, and shareable development environments)
• Implementing fast lightweight containers in Go with bst and btrfs (2020)
• gVisor - Application kernel for containers that provides efficient defense-in-depth anywhere. (Web)
• Bubblewrap - Unprivileged sandboxing tool for Linux. (HN)
• Singularity - Open source container platform designed to be simple, fast, and secure. (Web)
• ContainerSSH - SSH server that launches containers on demand. (Code)
• crun - Fast and low-memory footprint OCI Container Runtime fully written in C.
• AF_GRAFT - Grafting sockets from containers onto host network stacks.
• Tracee - Container and system tracing using eBPF.
• cAdvisor (Container Advisor) - Analyzes resource usage and performance characteristics of running containers.
• Building containers without Docker (2020) (HN)
• ContainerLabs - Learn about containers. (Code)
• Practical Introduction to Container Security (2020)
• DigitalOcean Container Registry (HN)
• AWS pre-announces public container image registry (2020) (HN)
• Performance evaluation of containers and virtual machines (2020)
• Buildah - Tool that facilitates building Open Container Initiative (OCI) container images.
• Container networking is simple (2020)
• Koyeb Serverless Engine: Docker Containers, Continuous Deployment of Functions (2020) (HN)
• Linux Containers: What, Why, How
• Source-To-Image - Toolkit and workflow for building reproducible container images from source code.
• Facts About Real-World Container Use – Datadog (2020)
• Containers the hard way: Gocker: A mini Docker written in Go
• nerdctl - Docker-compatible CLI for containerd.
• Trident - Storage orchestrator for containers.
• PRoot - chroot, mount --bind, and binfmt_misc without privilege/setup for Linux. (Web)
• Automation to run VMs based on vanilla Cloud Images on Firecracker (2020)
• Toolbox - Tool for Linux operating systems, which allows the use of containerized command line environments.
• Supercronic - Crontab-compatible job runner, designed specifically to run in containers.
• secrets-init - Minimalistic init system for containers with AWS/GCP secrets support.
• Understanding containers
• Open Container Initiative - Open governance structure for the express purpose of creating open industry standards around container formats and runtimes.
• OCI Image Format Specification
• vas-quod - Tiny minimal Linux container runtime written in Rust. (HN)
• Testing Containers with Container Structure Test (2020)
• Container Registry - Dedicated Container Registry as a Service.
• NVIDIA container runtime
• Minict - Minimal container runtime written in Go. Written for learning purposes.
• minicon - Minimization of the filesystem for containers.
• grype - Vulnerability scanner for container images and filesystems.
• syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems.
• kbld - Seamlessly incorporates image building and image pushing into your development and deployment workflows. (Web)
• MayaStor - Cloud native declarative data plane in containers for containers.
• SkiffOS - Lightweight & robust cross-compiled Linux distribution optimized for hosting containers.
• contained.af - Game for learning about containers, capabilities, and syscalls. (Code)
• krunvm - Manage lightweight VMs created from OCI images.
• Killing Containers at Scale (2021) (HN)
• Buildpacks vs Dockerfiles - Exploring the tradeoffs of building container images at scale. (HN)
• ContainerSSH - Launch containers on demand. (Web)
• Podman - Tool for managing OCI containers and pods. (Code) (HN) (HN) (4.0 release) (HN) (HN)
• SecretScanner - Find secrets and passwords in container images and file systems.
• cosign - Container Signing, Verification and Storage in an OCI registry. (How to use)
• Compiling Containers - Dockerfiles, LLVM and BuildKit (2021)
• Youki - Experimental implementation of the oci-runtime in Rust. (Reddit) (Reddit)
• Stargz Snapshotter - Fast docker image distribution plugin for containerd, based on CRFS/stargz.
• Quark Container - Secure container runtime with OCI interface.
• Inclavare Containers - Novel container runtime, aka confidential container, for cloud-native confidential computing and enclave runtime ecosystem. (Web)
• ContainerLab - Enables container-based networking labs. (Docs)
• Making the Internet more secure one signed container at a time (2021)
• OCI Registry As Storage
• crane - Tool for interacting with remote images and registries.
• Ask HN: I need to learn to love containers – HN please show me the good side? (2021)
• The 17 Ways to Run Containers on AWS (2021)
• FastFreeze - Enables checkpoint/restore for applications running in Linux containers.
• Containerlab - your network-centric labs with a Docker UX (2021)
• The Need for Slimmer Containers (2021) (HN)
• Demystifying container networking (2017)
• RootlessKit - Linux-native "fake root" for implementing rootless containers.
• car - Like tar, but for containers.
• Life of a Container (2020)
• Issues with containers on AWS (2021)
• What Is a Container, After All? (2021)
• HN: Podman, the open source Docker alternative ported to M1 (Apple Silicon) machines (2021)
• Containers Don't Solve Everything (2021) (HN)
• umoci - Modifies Open Container images. (Docs)
• Occlum - Library OS empowering everyone to run every application in secure enclaves. (Code)
• containrs - General purpose container library.
• Netavark - Rust based network stack for containers.
• Red Hat CodeReady Containers - Quickest way to get started building OpenShift clusters. (Code)
• oci-runtime-tool - OCI Runtime Tools.
• Quadlet - Opinionated tool for easily running podman system containers under systemd in an optimal way. (Article)
• s6 overlay - Series of init scripts and utilities to ease creating Docker images using s6 as a process supervisor.
• Container security best practices: Ultimate guide (2021) (HN)
• OCI Distribution Specification - Defines an API protocol to facilitate and standardize the distribution of content.
• GoCSI - Container Storage Interface (CSI) library, client, and other helpful utilities created with Go.
• OCI Runtime, Image and Distribution Spec in Rust
• Bitnami Containers
• Security Checklist for Build Container Images (Code)
• Anchore - Container Security Solutions For DevSecOps. (GitHub)
• Direktiv - Event-driven container orchestration engine, running on Kubernetes and Knative. (Web)
• Navio - Simple tool for creating and managing linux containers.
• Containers vs. Pods - Taking a Deeper Look (2021) (HN)
• Multiple Containers On the Same Port without Reverse Proxy (2021)
• Journey From Containerization to Orchestration and Beyond (2021)
• Porto - Linux container management system, developed by Yandex.
• Horust - Supervisor / init system written in rust and designed to be run inside containers.
• lockc - Making containers more secure with eBPF and Linux Security Modules (LSM).
• squish - Experimental, rootless, Alpine-based container runtime.
• Scaling containers in AWS (2021)
• Reasons to choose VMs over containers? (2021)
• OCI Distribution in Rust - Goal of this crate is to provide a way to pull WASM modules from a Docker registry.
• Learning Containers From The Bottom Up (2021) (HN)
• P2P Container Image Distribution on IPFS With Containerd (2021) (Tweet)
• Nomad podman Driver - Nomad taskdriver for podman containers.
• Anti-Patterns When Building Container Images (2021) (HN)
• Apptainer - Open source container platform designed to be simple, fast, and secure.
• Rust Unshare - Low-level Linux containers creation library for rust.
• OpenRegistry - Decentralized container registry fully compliant with OCI Distribution Specification.
• poCo - Create statically linked, portable binaries from container images.
• Luet - Container-based Package manager.
• Notation - Project to add signatures as standard items in the registry ecosystem.
• Community Attestation Service (CAS) - Give any digital asset a meaningful, globally-unique, immutable identity that is authentic, verifiable, traceable from anywhere.
• The container throttling problem (HN) (HN)
• OCI Distribution Utility - Simple CLI for working with OCI distribution images.
• Container Storage Interface (CSI) Specification
• Container-to-Container Communication (2021) (HN)
• Containers 101: attach vs. exec - what's the difference? (2021)
• Containers From Scratch • Liz Rice (2018) (Sequel)
• Sinker - Tool to sync images from one container registry to another.
• Undock - Extract contents of a container image in a local folder.
• Speeding up LXC container pull by up to 3x (2022) (HN)
• Writing a container in a few lines of Go code (In Rust)
• The Road to OCIv2 Images: What's Wrong with Tar? (2019) (HN)
• Signing and verifying container images using a tool called cosign
• Flintlock - Create and manage the lifecycle of MicroVMs, backed by containerd.
• Nydus - Dragonfly image service, providing fast, secure and easy access to container images.
• Senpai - Automated memory sizing tool for container applications.
• guvnor - Handy tool for deploying containerised applications onto Linux hosts.
• Serverless Container Registry Proxy - Serverless reverse proxy for exposing container registries (GCR, Docker Hub, Artifact Registry etc) on custom domains.
• Run0 - Basic Rust OCI container runtime.
• cinf - Command line tool to view namespaces and cgroups, useful for low-level container prodding.
• LXC vs Docker: Which Container Platform Is Right for You? (2022)
• Escaping privileged containers for fun (2022) (HN)
• Linux containers in 500 lines of code (2016) (HN)
• Podman can transfer container images without a registry (2022) (HN)
• Build Containers the Hard Way
• Container Canary - Tool for recording container requirements in a YAML manifest and then validating containers against that manifest.
• imgcrypt - OCI Image Encryption Package.
• Explore Container Images Without A Shell (2021)
• Ask HN: Who operates at scale without containers? (2022)
• Podman TUI - Podman Terminal UI.
• Container Desktop - Manage different engine containers from a single UI and tray application.
• containers/common
• qemu-user-static - Enable an execution of different multi-architecture containers by QEMU and binfmt_misc.
• Symphony - Podman desktop application.
• x11docker - Run GUI applications in Docker or podman containers.
• SPINUP - Open source alternative to AWS RDS, Cloud SQL. Creates multiple containers through docker-compose.
• Firecracker microVM Init - Build a Firecracker microVM from a container image, starting a custom Go init process.
• LXC - Well-known and heavily tested low-level Linux container runtime.
• Running a Container off the Host /usr/
• Reference implementation of the Cloud Native Buildpacks lifecycle
• Podman Desktop Companion (Code) (HN)
• Container Layer Analyzer - Visualizer of container layer sizes.
• Stacker - Build OCI images from a declarative format.
• TD-shim - Confidential Containers Shim Firmware.
• Confidential Containers - Open source community working to enable cloud native confidential computing by leveraging Trusted Execution Environments to protect containers and data.
• image-rs - Container Images Rust Crate.
• agent - Tiny web-server (reverse proxy) to run functions for every incoming HTTP request.
• Fetchit - Used to manage the life cycle and configuration of Podman containers.
• Containers from the Couch - YouTube
• Northstar - Opinionated embedded container runtime prototype for Linux.
• Container Structure Tests - Validate the structure of your container images.
• Shifter - Linux Containers for HPC.
• OCI Artifacts
• atsi - Instant rootless Alpine shells.
• pflask - Lightweight process containers for Linux.
• podman-static - Static podman binaries and container images.
• Notes on running containers with bubblewrap (2022)