I was thinking about how to minimise the size of a container image and realised: you can allow read-only access to the host libraries 🤯

This extends the idea of distroless images even further as now the distro doesn't need to be bundled in even for dynamically linked binaries.

This of course has some downsides: less isolation and possibly greater security risk, as the container now has access to more code (although you could mount only the needed libs).
It also means this breaks the idea that you can just pull and run an image: now you need to figure out what to mount and where for it to work.

But I think it is insanely cool that you can do this and there are times where even the size of a small distro can make a difference (especially if you multiply that size many times over).

I also wonder if it means you can go back to patching your OS security libraries (libssl and the like) and restart your container to fix security risks, instead of having to rebuild and redeploy every container.

#containers #rustlang (because I was playing with a rust project when I thought of this)
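The mount-the-host-libraries idea above, written out as a compose service. This is an added example, not the poster's setup: the image name, the binary path `/app` and the library list are assumptions, and the paths follow the Debian/Ubuntu x86_64 multiarch layout.

```yaml
# Added example (not the poster's code). A FROM scratch image that holds only
# the dynamically linked binary /app and borrows the host's shared libraries
# read-only. Host paths assume Debian/Ubuntu on x86_64; adjust for your distro.
services:
  app:
    image: localhost/app:scratch        # assumed: FROM scratch + COPY ./app /app
    command: ["/app"]
    read_only: true                     # keep the container's own root fs immutable too
    volumes:
      # The ELF interpreter the binary names in PT_INTERP (readelf -l ./app | grep interpreter)
      - /lib64/ld-linux-x86-64.so.2:/lib64/ld-linux-x86-64.so.2:ro
      # The loader's cache, so library names resolve exactly as on the host
      - /etc/ld.so.cache:/etc/ld.so.cache:ro
      # Narrow mounts: only what `ldd ./app` printed for this (assumed) Rust binary,
      # so the container gets no more host code than it needs
      - /lib/x86_64-linux-gnu/libc.so.6:/lib/x86_64-linux-gnu/libc.so.6:ro
      - /lib/x86_64-linux-gnu/libgcc_s.so.1:/lib/x86_64-linux-gnu/libgcc_s.so.1:ro
      - /lib/x86_64-linux-gnu/libm.so.6:/lib/x86_64-linux-gnu/libm.so.6:ro
      # Broader alternative with zero curation but more exposed code:
      # - /lib/x86_64-linux-gnu:/lib/x86_64-linux-gnu:ro
    tmpfs:
      - /tmp
```

Two things to check before relying on this: the binary must have been built against a glibc no newer than the host's (otherwise the loader fails with a `GLIBC_x.y not found` error), and every library in the `ldd` output must come from the same host ABI, since the container now inherits whatever the host ships. The upside the post describes, patching libssl on the host and restarting the container, only holds for libraries mounted this way; anything still copied into the image has to be rebuilt as before.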

Daemonless: a collection of FreeBSD-native OCI images that run directly on the FreeBSD kernel, compatible with Podman, AppJail, or any OCI-compliant runtime #Containers #FreeBSD https://daemonless.io/

Run Docker-like containers natively on FreeBSD using Podman and ocijail. 30+ pre-built images for Radarr, Sonarr, Plex, Immich and more. No Linux VM required.

Ubuntu 26.10 may trim GRUB in Secure Boot, dropping ZFS, Btrfs, LUKS and RAID, requiring unencrypted ext4 /boot or unsigned builds 🔐
Ubuntu 26.04 LTS beta ships Linux 7.0, GNOME 50 and Mesa 26, updating desktop, graphics and container stacks ⚙️
App Center now shows and manages Deb packages again, improving transparency but keeping Snap-first defaults 📦

🔗 https://itsfoss.com/news/ubuntu-26-10-grub-overhaul/

#TechNews #Ubuntu #Linux #OpenSource #FOSS #Debian #Snap #GNOME #Kernel #Security #Containers #Software #Freedom #Tech

Why Ubuntu 26.10 Might Drop ZFS, RAID & Encryption Support

The proposal calls for stripping out filesystem drivers and other features.

It's FOSS

Incus 6.23 arrives as the final 6.x release before 7.0 LTS, bringing security fixes, new features, and improved VM and storage capabilities.
https://linuxiac.com/incus-6-23-container-and-virtual-machine-manager-released/

#virtualization #containers #opensource

Talk almost ready – Chemnitz Linux Days, here we go! 💻🐧

Putting the final touches on my talk – tomorrow it’s time. ⏰

Chemnitz Linux Days 2026, I’m all set and excited to be there. 🙉

30+ slides on Podman in rootless mode in combination with Quadlets are ready – even though this topic really only scratches the surface. 📚

#chemnitzerlinuxtage #podman #rootless #linux #containers #quadlets

🚨 CVE-2026-33897 (CRITICAL, CVSS 10): Incus <6.23.0 flaw in pongo2 template isolation lets attackers with local access escape containers & gain root on host. Upgrade ASAP! https://radar.offseq.com/threat/cve-2026-33897-cwe-1336-improper-neutralization-of-fafd9faa #OffSeq #LinuxSecurity #CVE202633897 #Containers
CVE Alert: CVE-2026-30892 - containers - crun - RedPacket Security

crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed.

RedPacket Security

⚡️ Part 1 clearly struck a nerve. Part 2 is out! https://hypha.pub/back-to-freebsd-part-2

#FreeBSD #jails #containers #lxc

Hardened 28 Docker containers in one day. cap_drop ALL across 22 services, selective cap_add based on actual startup behavior, mem_limit and pids_limit on everything, digest-pinned images.
The pattern: containers that start as root and drop to a service user need CHOWN/SETUID/SETGID added back. Containers that start as their own user work with bare cap_drop ALL. Chroot containers need SYS_CHROOT. File-reading containers need DAC_READ_SEARCH.
Methodology: audit first, harden second. Full recon before touching a single compose file. Caught a UFW exposure and a tunnel misconfiguration that had been misdiagnosed for days.
Writeup at mpdc.dev with the full cap_add reference pattern.
#docker #selfhosted #infosec #homelab #containers #ParanoidRV
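The cap_drop/cap_add pattern from the post above, written out as a compose file. This is an added example, not the poster's writeup or compose files: the service names, images and digests are placeholders, and the capability sets are the ones the post names for each startup behaviour.

```yaml
# Added example (not the poster's compose files). Every service drops all
# capabilities, gets memory and PID limits, and pins its image by digest.
# Images and digests are placeholders; get a real digest with
#   docker image inspect --format '{{index .RepoDigests 0}}' image:tag
services:
  # Starts directly as its own unprivileged user: bare cap_drop ALL is enough.
  web:
    image: registry.example/web@sha256:0000000000000000000000000000000000000000000000000000000000000000
    user: "10001:10001"
    cap_drop: [ALL]
    security_opt: ["no-new-privileges:true"]
    read_only: true
    mem_limit: 256m
    pids_limit: 128

  # Entrypoint starts as root, chowns its data dir, then switches to a service
  # user: give back exactly CHOWN, SETUID and SETGID.
  db:
    image: registry.example/db@sha256:0000000000000000000000000000000000000000000000000000000000000000
    cap_drop: [ALL]
    cap_add: [CHOWN, SETUID, SETGID]
    security_opt: ["no-new-privileges:true"]
    mem_limit: 1g
    pids_limit: 256

  # Chroots into a directory at startup (and still drops to a user afterwards).
  sftp:
    image: registry.example/sftp@sha256:0000000000000000000000000000000000000000000000000000000000000000
    cap_drop: [ALL]
    cap_add: [SYS_CHROOT, SETUID, SETGID]
    security_opt: ["no-new-privileges:true"]
    mem_limit: 128m
    pids_limit: 64

  # Reads files owned by other users (backup agent style): DAC_READ_SEARCH.
  backup:
    image: registry.example/backup@sha256:0000000000000000000000000000000000000000000000000000000000000000
    cap_drop: [ALL]
    cap_add: [DAC_READ_SEARCH]
    security_opt: ["no-new-privileges:true"]
    read_only: true
    mem_limit: 256m
    pids_limit: 64
```

The way to arrive at each `cap_add` list is the one the post implies: start every service with `cap_drop: [ALL]` and nothing added, watch `docker compose logs` for `Operation not permitted` during startup, and add back one capability at a time until the service comes up. `no-new-privileges` is an addition beyond the post's list; it stops setuid binaries and file capabilities from regaining what was dropped, and does not interfere with an entrypoint that drops privileges itself.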

Zenithal - a native macOS app for Docker and Kubernetes management.

Real-time container monitoring, Docker Compose orchestration with visual service graphs, Compose Builder, Kubernetes integration, Trivy security scanning, and built-in terminal.

Works alongside any Docker runtime - Docker Desktop, Colima, OrbStack, etc. It doesn't replace your runtime, just gives you a better interface.

empiricapps.com/zenithal/download

#docker #kubernetes #macos #devtools #containers #swiftui #devops