Docker news and developer summaries

This article explores how containers achieve filesystem isolation using Linux primitives such as unshare, mount, and pivot_root. It demonstrates how to manually assemble a Docker-like container by configuring mount, PID, cgroup, UTS, and network namespaces. The tutorial provides a deep dive into rootfs preparation, mount propagation, and the mechanisms behind container storage and runtime security.

This release introduces version 3.8.0, adopting full semver. It features extensive improvements across core APIs, operations, and facts, including enhanced Docker support, robust security command injection protection, SSH configuration updates, and new compatibility features for Python 3.14 and macOS. Documentation and internal dependencies were also updated.

This article analyzes the CVE-2026-31431 'Copy Fail' kernel vulnerability. The author creates a lab to trace the exploit's shellcode, which corrupts the page cache to execute malicious code. While the exploit successfully achieves root status inside a container, rootless Podman's User Namespace mapping confines this privilege to an unprivileged host user, effectively preventing host-level escalation.

Traceway is an OpenTelemetry-native observability platform that unifies logs, traces, metrics, exceptions, and session replay. It features MIT-licensed, all-in-one software that supports OTLP ingestion without requiring vendor SDKs or complex configurations. Traceway offers self-hosted deployment options, including an embedded mode for Go applications, and a managed cloud service.

The 'Copy Fail' vulnerability (CVE-2026-31431) allows privilege escalation. Analysis shows that while Podman rootless containers are susceptible, their architecture and security configurations—such as user namespaces, dropping capabilities, and no-new-privileges flags—significantly limit the blast radius. Defense-in-depth, including read-only filesystems and resource constraints, remains essential for hardening containerized environments.

Docker Engine 29.0+ defaults to the containerd image store, which utilizes snapshotters instead of legacy graph drivers. This enables multi-platform builds, attestations, and Wasm support, though it increases disk usage by storing both compressed and uncompressed image layers. Users can enable it via daemon.json or experimental migration features.