Ken Muse
Rootless Docker and Its Hidden Security Trade-Offs
Rootless Docker sounds like the perfect answer to container security – no more root daemon, no more worry. If you look at how it actually works under the hood, the story is more nuanced than most teams realize. In this post, I walk through user namespaces and UID mapping, dig into why kernel developers have concerns about the attack surface, and explain what you’re actually giving up when you enable rootless mode and then run containers with the seccomp=unconfined and apparmor=unconfined security options.
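The UID mapping that rootless Docker relies on is easy to see in code. The following is an added example written for this listing, not code from the post or from Docker: it parses a /proc/<pid>/uid_map in the kernel's format (inside-start, outside-start, count) and translates UIDs in both directions. The sample map is constructed to resemble a typical rootless setup (container root is host UID 1000, the rest come from a subordinate range); the specific numbers are assumptions, not values taken from the post.

```python
"""UID mapping in a user namespace: how a container UID becomes a host UID.

Added example, not code from the original post. A user namespace exposes
/proc/<pid>/uid_map, whose lines read "<inside_start> <outside_start> <count>".
The sample map below is constructed to look like a typical rootless Docker
setup: root inside the container is the unprivileged host user, and the rest
of the container's UIDs come from a subordinate (/etc/subuid) range.
"""
from dataclasses import dataclass
from typing import List, Optional

# Linux presents an ID with no mapping as the "overflow" ID (65534 by default,
# see /proc/sys/kernel/overflowuid); inside a container it shows up as 'nobody'.
OVERFLOW_UID = 65534

# Constructed sample (assumed values): container UID 0 -> host UID 1000,
# container UIDs 1..65536 -> host UIDs 100000..165535.
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""


@dataclass(frozen=True)
class IdRange:
    inside_start: int   # first ID as seen inside the namespace
    outside_start: int  # first ID as seen from the parent (host) namespace
    count: int          # number of consecutive IDs in the range


def parse_id_map(text: str) -> List[IdRange]:
    """Parse the contents of /proc/<pid>/uid_map (gid_map has the same format)."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in id_map line: {line!r}")
        ranges.append(IdRange(inside, outside, count))
    return ranges


def to_host_uid(ranges: List[IdRange], inside_uid: int) -> int:
    """Translate a UID seen inside the namespace to the host UID the kernel
    actually checks permissions against. Unmapped IDs become the overflow UID."""
    for r in ranges:
        if r.inside_start <= inside_uid < r.inside_start + r.count:
            return r.outside_start + (inside_uid - r.inside_start)
    return OVERFLOW_UID


def to_inside_uid(ranges: List[IdRange], host_uid: int) -> Optional[int]:
    """Reverse direction: which UID does a host file owned by host_uid appear
    as inside the namespace? None means it is unmapped and shows as 'nobody'."""
    for r in ranges:
        if r.outside_start <= host_uid < r.outside_start + r.count:
            return r.inside_start + (host_uid - r.outside_start)
    return None


def container_root_is_host_root(ranges: List[IdRange]) -> bool:
    """The question that decides the blast radius of a container escape:
    does UID 0 inside the namespace map to UID 0 on the host?"""
    return to_host_uid(ranges, 0) == 0


if __name__ == "__main__":
    ranges = parse_id_map(SAMPLE_UID_MAP)
    for uid in (0, 1, 65536, 65537):
        print(f"container uid {uid:>6} -> host uid {to_host_uid(ranges, uid)}")
    for uid in (0, 1000, 100000):
        print(f"host uid {uid:>6} -> container uid {to_inside_uid(ranges, uid)}")
    print("container root is host root:", container_root_is_host_root(ranges))
```

The point of the last function is the trade-off the post is about: with the sample map, a process that escapes the container holds host UID 1000, so it has exactly the rootless user's privileges, no more and no less. Reading the real map from /proc/self/uid_map inside a running container, and comparing it with a classic "0 0 4294967295" identity map, shows the difference between rootful and rootless mode directly.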

How Docker Uses Root Privileges
Ever wondered what’s really happening when Docker runs your containers? It turns out the daemon needs some serious privileges to do its job. I wrote this post to trace the path from the Docker daemon through the Unix socket, image builds, and BuildKit – showing you exactly where root access comes into play and why every step depends on it.

Building Container Isolation From the Linux Kernel Up
Ever wondered why Docker commands need sudo or docker group membership? The answer is baked into the Linux kernel itself. I wrote this post to peel back the curtain on what a container actually is. You’ll recreate container-style process isolation from scratch using standard command-line tools – building your own namespaces and cgroups by hand to see exactly what’s happening under the hood.

Adding Help (man) to Buildroot Packages
In my earlier posts about creating custom Buildroot packages, we created a GitHub CLI package. Unfortunately, this package didn’t include the bundled man pages. In this post, you’ll learn how to add a configurable package for those man pages, including the necessary dependencies, configuration options, and installation steps to provide offline documentation.

Creating a CodeQL Image for ARC With Python 2
Ready to finish crafting your CodeQL Actions runner image? Following up on my previous post, it’s time to add Python 2 support to the Docker image. You’ll add to the multistage build, learn how to preserve symbolic links, and learn a trick for unpacking archives without needing to copy the archive into the image first.

Creating a CodeQL Image for ARC
Have you struggled with running CodeQL analysis on your own runners? You’re not alone. I figured it was time to tackle this challenge and show you how to build the image, a few advanced Docker tricks, and a way to incorporate the scripts that the Actions team uses to build the official hosted runner VM images.

Creating a Custom Buildroot Package For Binaries
Buildroot comes with a lot of great features, but what good is a custom image if you can’t add your own binaries? In this post, I’ll show you how to create a custom Buildroot package that uses a pre-compiled binary. I’ll walk you through the steps to create a package for the GitHub CLI, including how to configure it, define its dependencies, and how to install the package into your custom image.

Speeding Up the Buildroot Toolchain
None of us like to wait. Time is precious, so we want to make the most of it. Unfortunately, if you’re just getting started with Buildroot it may seem like you’re spending a lot of time waiting for a toolchain to compile. In this post, we’ll look at ways to avoid that problem. Discover three easy ways to speed up your builds and spend more time creating, not waiting.

Configuring Buildroot for Crafting Images
Ever wondered how to create a minimal Linux image using nothing but some menu selections? This guide walks you through using Buildroot’s menu system to craft your own custom OCI image, step by step using the graphical interface.

Building OCI Images With Buildroot
Now that you’ve built an image by hand, you may be wondering if there are tools that might make this process easier. This week we’ll explore one of those – Buildroot – and look at how it can be used to automate building custom images.