Tag: containers

All the articles with the tag "containers".

tini vs dumb-init vs --init

PID 1 zombie reaping in containers — tini, dumb-init, and docker --init compared; when each one fixes your signal handling and stops your 10s shutdown tax.

Container Escape: How to Stop It

Containers are not VMs. Here are the real escape vectors — privileged mode, mounted sockets, kernel CVEs — and the runtime hardening that actually helps.

Cosign Keyless: Sign Without Keys

Cosign keyless signing uses GitHub OIDC + Fulcio + Rekor to sign container images without managing private keys. Here's how it actually works and why you want it.

WASM Containers in 2026

Spin, WasmEdge, and wasmCloud are dragging WebAssembly into the container world. Here's what actually works, and what's still half-baked in 2026.

cri-o vs containerd

The CRI runtime under your Kubernetes cluster — cri-o vs containerd compared on footprint, distros, performance, and day-2 operability.

Nerdctl vs Docker CLI

nerdctl is the containerd-native docker CLI replacement — when it's a drop-in, when it's not, and why you'd bother switching at all.

Sysbox vs gVisor vs Kata

Containers aren't security boundaries — Sysbox, gVisor, and Kata fix that. Here's which isolation runtime fits your actual threat model.

Trivy vs Grype vs Docker Scout

Trivy, Grype, and Docker Scout go head-to-head on speed, CVE coverage, CI integration, and cost. Pick the right scanner for your home lab or pipeline.

Colima vs OrbStack vs Docker Desktop on Mac

Docker Desktop got expensive and RAM-hungry. Colima is the lean alternative. OrbStack is the one everyone's actually using now. Here's the honest breakdown for Mac developers.

SBOMs and Supply Chain Security

A Software Bill of Materials tells you exactly what's in your software. Syft generates one, Grype scans it for CVEs. Together they're your supply chain paper trail.

Falco: Catch Container Attacks at Runtime

Falco watches every syscall your containers make and screams when something sketchy happens. Like someone exec'ing a shell inside your nginx container at 3am.