Container images

DollarBox runs any public Linux container image. Point us at a registry reference and we pull it.

Common shapes that work:

Pin a tag. :latest works, but you give up control over when your container picks up a new image. A digest pin (@sha256:...) is the strictest option.
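A pre-deploy check for the pinning advice above, as an added example (not DollarBox code): it classifies a registry reference as digest-pinned, tag-pinned, or floating, and handles the registry-port case where a colon is not a tag separator. The labels, function names and sample references are this example's own assumptions, and only sha256 digests are accepted because that is the form the page names.

```python
import re

# The page's strictest form: "@sha256:" followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
# Tag grammar used by OCI registries: up to 128 chars, no leading '.' or '-'.
TAG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")


def classify_image_ref(ref: str) -> str:
    """Return 'digest', 'tag', 'floating' or 'invalid' (labels are this example's own)."""
    name, at, digest = ref.partition("@")
    if at:
        # A digest wins even when a tag is also present (name:tag@sha256:...).
        return "digest" if name and DIGEST_RE.fullmatch(digest) else "invalid"
    # Only a ':' after the last '/' starts a tag; an earlier one is a registry port.
    repo, colon, tag = name.rsplit("/", 1)[-1].partition(":")
    if not repo:
        return "invalid"
    if not colon:
        return "floating"  # no tag means the runtime resolves :latest
    if not TAG_RE.fullmatch(tag):
        return "invalid"
    return "floating" if tag == "latest" else "tag"


def unpinned(refs):
    """Return the references that are not digest-pinned, with their classification."""
    return [(r, c) for r in refs if (c := classify_image_ref(r)) != "digest"]


if __name__ == "__main__":
    # Constructed sample references; the digest is a dummy value, not a real image.
    fake = "sha256:" + "a" * 64
    for ref in ["nginx", "nginx:latest", "registry.example:5000/team/app:1.4.2",
                "registry.example:5000/team/app", f"ghcr.io/example/app@{fake}"]:
        print(f"{classify_image_ref(ref):9} {ref}")
```

A reference classified as "tag" is still mutable on the registry side; only "digest" fixes the exact image content.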

Pods run under Kubernetes PodSecurity restricted: no root user inside the container, no privileged mode, no host namespaces. Images that hard-code USER 0 or expect to write to / will fail to start — choose images that drop to a non-root user, or build your own that does.

Private registries are not supported yet. If you need a private image, mirror it to a public registry under your own account first. Private-registry credentials are on the Phase 2 roadmap.