Container images
DollarBox runs public Linux container images. Point us at a registry reference and we pull it.
Image references that work
Common shapes:
nginx:1.25-alpine- Docker Hub official image with a pinned tag.docker.io/library/nginx:1.25-alpine- fully qualified Docker Hub reference.ghcr.io/your-user/your-app:v1.2.3- GitHub Container Registry.quay.io/your-org/your-app:stable- Red Hat Quay.nginx@sha256:abcd...- content-addressed digest pin.
Image references may contain letters, digits, and these characters: . _ / : @ -.
Pin versions
Pin a tag. latest works, but you give up control over when your container picks up a new image. A digest pin with @sha256:... is the strictest option.
Use this for experiments:
nginx:latest
Use this for something you expect to keep running:
nginx:1.25-alpine
Use this when rebuild reproducibility matters:
nginx@sha256:...
Runtime restrictions
Simple-mode containers run with Kubernetes PodSecurity restricted defaults:
- Non-root user enforced with UID 1000.
- Privilege escalation disabled.
- Linux capabilities dropped.
- Seccomp
RuntimeDefault. - Read-only root filesystem.
- Memory limit of 1Gi.
- CPU limit of 1000m.
- TCP port 80 published by the LoadBalancer service.
Images that hard-code USER 0, need to write under /, require extra Linux capabilities, or listen only on another port will usually fail in simple mode.
Make an image DollarBox-friendly
Prefer images that:
- Set a non-root
USER. - Listen on port 80, or can be configured to listen on port 80.
- Write temporary files under
/tmpor another writable mount you provide in kubectl mode. - Read configuration from environment variables.
- Log to stdout and stderr.
Private registries
Private registries are not supported in simple mode yet. If you need a private image, mirror it to a public registry under your own account first.
Private image pull secrets are a Phase 2 feature.