distroless - "Language focused docker images, minus the operating system" aka "scratch for everyone else."
Read my overview of the distroless project on iximiuz.com.
Chainguard Images - "A collection of container (OCI) images designed for minimalism and security."
Many of them are distroless and contain only an application and its runtime dependencies. Typically, there is no shell or package manager. The image build procedure is designed to be reproducible and declarative (see apko and melange below).
BuildKit - "concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit."
A daemon that, in particular, powers Docker image building. Uses its own intermediate language (LLB) to describe build tasks (but comes with a default frontend that compiles Dockerfiles to LLB). Can produce different forms of artifacts (Docker images, OCI images, tar archives, local files). Uses isolated builder backends (containers, remote servers, in-Kubernetes builders, etc). Supports out-of-the-box cross-platform builds and different cache sources & destinations (inline, registry, local, etc). Check out this good practical overview for more.
buildx - "Docker CLI plugin for extended build capabilities with BuildKit."
At first sight, the plugin is just another docker build-like command but on top of a better build engine (BuildKit). Often I'd just replace docker build with docker buildx build and call it a day. In actuality, though, docker buildx is the de facto standard CLI tool to access the full power of BuildKit. There is much more than just docker buildx build (see the list of BuildKit's capabilities above).
bake - container-aware make.
This buildx subcommand is worth mentioning separately:
BuildKit efficiently handles multiple concurrent build requests and de-duplicates work. The build commands can be combined with general-purpose command runners (for example, make). However, these tools generally invoke builds in sequence and therefore cannot leverage the full potential of BuildKit parallelization, or combine BuildKit's output for the user. For this use case, we have added a command called docker buildx bake.
The bake command supports building images (and more) from HCL or JSON files by describing make-like targets. It also understands docker-compose YAML files.
Buildah - "A tool that facilitates building OCI images."
kaniko - "Build Container Images In Kubernetes."
makisu - [discontinued] "Fast and flexible Docker image building tool, works in unprivileged containerized environments like Mesos and Kubernetes."
img - "Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder." The project looks abandoned.
ko - "Build and deploy Go applications." ko is a simple (no Dockerfiles required) container image builder for Go applications without any/many dependencies on the OS base image (e.g., no cgo, no OS package dependencies).
no - "Easy NodeJS containers." Like ko but for NodeJS.
Jib - "Build container images for your Java applications." Like ko but for Java - build optimized Docker (or OCI) images for Java applications without a Docker daemon. Available as plugins for Maven and Gradle and as a Java library.
kim - "The Kubernetes Image Manager."
The tool consists of a builder backend (BuildKit daemon bound to the kubelet's underlying containerd socket) and a server-side agent (both deployed as one DaemonSet), and the kim CLI (that talks to the agent) with a classic Docker-like UX for image management (push, pull, etc).
Packer - "A tool for creating identical machine images for multiple platforms from a single source configuration."
Packer is primarily focused on producing virtual machine images, but it also allows building Docker, LXC, and LXD images using a procedure similar to VM provisioning (read: by putting shell commands into an HCL file).
Cloud Native Buildpacks - "Transform your application source code into images that can run on any cloud."
apko - "Build OCI images using APK directly without Dockerfile." A tool to produce minimalistic container images that include only the needed packages.
melange - "Build APKs from source code". A complementary tool for apko.
Chisel - an early-day project by Canonical. Similar idea to apko and melange but on top of the Ubuntu base. Read this Microsoft devblog article about large(r) scale application of Chisel for producing .NET on Ubuntu images.
Nixery - "Docker images on the fly with Nix". A Docker-compatible container registry that transparently builds images using the Nix package manager.
Devbox - "Instant, easy, predictable shells and containers."
Devbox is a command-line tool that lets you create isolated shells and containers. You start by defining the list of packages required by your development environment, and Devbox uses that definition to create an isolated environment just for your application. You can use it right away, or turn it into an OCI container image. No Dockerfiles are involved. Powered by Nix.
buildg - "Interactive debugger for Dockerfile, with support for IDEs (VS Code, Emacs, Neovim, etc)."
Binfmt - "Cross-platform emulator (QEMU) collection distributed with Docker images." A handy tool for cross-platform builds of all kinds.
xx - "Dockerfile cross-compilation helpers."
A collection of tools to support cross-compilation from Dockerfiles that understand the --platform flag passed in from docker build or docker buildx build. These helpers allow you to build multi-platform images from any architecture into any architecture supported by your compiler with native performance. Adding xx to your Dockerfile should only need minimal updates and should not require custom conditions for specific architectures. Example: apk add becomes xx-apk add, apt-get install becomes xx-apt-get install, go build becomes xx-go build, etc.
dockle - "Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start."
The tool promises to help with following the image building best practices and produce (more) secure Docker images.
Build Containers the Hard Way - "GitBook on the low-level details of building Docker containers."
Like Kubernetes the Hard Way, but for building containers.
container2wasm - "Container to WASM converter."
An image converter that enables running unmodified containers on WASM (various runtimes: wasmtime, wamr, wazero, and even in the browser).
The tool creates a WASM image that runs the container (using the standard runc runtime) and the Linux kernel on the emulated (via Bochs or TinyEMU) CPU.
bootc - "Boot and upgrade [virtual or physical machines] via container images."
The project aims to use standard OCI/Docker images for bootable host systems - as a build, transport, and delivery format for base OS images.
Container images created with bootc include a Linux kernel (in e.g. /usr/lib/modules), which is used to boot a full-fledged physical or virtual machine.
After booting on a server, such an image runs not in a container but as the host OS.
docker-to-linux - "Make bootable Linux disk image (ab)using Docker."
A similar idea to bootc, but tailored for edu purposes. Launch a base Linux container (Debian, Alpine, etc.), pull in Linux kernel & init system (systemd, OpenRC, etc.), dump container's filesystem to a disk image, install bootloader (syslinux) to this image, and convert it into a QEMU (or the like) VM image.
dive - "A tool for exploring each layer in a docker image."
diffoci - "diff for Docker and OCI container images."
The purpose is to improve the software supply chain security by, for instance, comparing images that were built locally with images pulled from a remote source like Docker Hub.
container-diff - "Diff your Docker containers."
car - "Like tar, but for containers!"
Car lets you list or extract files from an OCI (possibly Docker) image, regardless of the platform it was built for. For example, you can extract files from a windows/amd64 image even if you are running linux/arm64.
ima.ge.cx - "a site that allows you to inspect the contents of Docker images."
By just specifying the image name in the path like https://ima.ge.cx/nginx:alpine, you can browse the image filesystem and even view textual files right in your browser.
explore - "A tool for exploring the layers and filesystem of an image from the browser."
umoci - "umoci modifies Open Container images."
DockerSlim - "Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more)."
Distribution - "The toolkit to pack, ship, store, and deliver container content."
An open-source registry implementation for storing and distributing container images using the OCI Distribution Specification with the goal to provide a simple, secure, and scalable base for building a large scale registry solution or running a simple private registry. Used by Docker Hub, GitHub Container Registry, GitLab Container Registry, DigitalOcean Container Registry, CNCF Harbor Project, VMware Harbor Registry, and more.
skopeo - "Work with remote images registries - retrieving information, images, signing content."
crane - "A tool for interacting with remote images and registries." You can try out a web version of crane here.
krane - "A drop-in replacement for crane that supports common Kubernetes-based workload identity mechanisms."
regclient - "Docker and OCI Registry Client in Go and tooling using those libraries."
A client interface to interact with registries: inspect images w/o pulling, list repository's tags, list registry's repositories (if supported), efficiently copy images between repositories, import/export OCI and Docker images, etc. Seems to be written from scratch with just a few dependencies.
reg - "Docker registry v2 command line client and repo listing generator with security checks." The project looks abandoned.
ORAS - "Push and pull OCI Artifacts to and from OCI Registries."
Since the invention of OCI registries, people have been (ab)using them to store non-container things (Helm charts, OPA policies, even video files can be stored this way). Modern registries are evolving into generic artifact stores, and the ORAS project provides a way to push and pull OCI Artifacts (read: arbitrary files) to and from OCI Registries. The project consists of a CLI (oras) and libraries (Go, Python).
Docker Hub Tool - "Docker Hub experimental CLI tool."
A CLI tool for interacting with the Docker Hub. Get information about your images from the terminal. Docker's experiment to build a Docker Hub CLI tool. The intention of this project is to get user feedback and then to add this functionality to the Docker CLI itself.
go-containerregistry - "Go library for working with container registries."
image - "A set of Go libraries aimed at working in various ways with containers' images and container image registries (pull, push, inspect w/o pulling, translate from one image format to another)."
skopeo is backed by this library.
storage - "A Go library which aims to provide methods for storing filesystem layers, container images, and containers" (with a CLI included).