Best of Containers, March 2026

  1. Article
     Netflix TechBlog · 12w

    Mount Mayhem at Netflix: Scaling Containers on Modern CPUs

    Netflix engineers diagnosed a severe container launch bottleneck when migrating from a virtual kubelet+Docker runtime to kubelet+containerd with per-container user namespaces. The new runtime uses kernel idmap mounts, generating O(n) mount operations per container layer, all competing for global VFS mount locks. On r5.metal instances (dual-socket, multi-NUMA), this caused 30-second health check timeouts and system lockups. Deep profiling with perf and Intel TMA revealed 95.5% of pipeline slots stalled on contested accesses, with NUMA remote memory latency and hyperthreading amplifying the contention. Benchmarks across instance types showed AMD's distributed chiplet cache architecture (m7a) scaled far better than Intel's centralized mesh (m7i), and disabling hyperthreading improved latency 20-30%. The software fix, contributed upstream to containerd, maps the common parent directory of all layers instead of each layer individually, reducing mount operations from O(n) to O(1) per container and eliminating the global lock as a bottleneck entirely.

  2. Article
     Kent C. Dodds · 11w

    Simplifying Containers with Cloudflare Sandboxes

    Kent C. Dodds shares how he replaced a Cloudflare Container-based FFmpeg audio pipeline with Cloudflare Sandboxes, eliminating heartbeat/shutdown coordination plumbing. The new design uses a one-shot sandbox.exec() call directly from the queue worker, keeping R2 credentials in the worker and passing only presigned URLs to the sandbox. The sandbox image is minimal: base Cloudflare sandbox image plus FFmpeg and a shell script. Two production bugs surfaced post-merge — a sandbox ID length limit (63 chars max) and a broken Dockerfile that replaced the required Cloudflare sandbox runtime with a plain Debian base. Both were diagnosed and fixed with help from a Cursor agent and the Cloudflare MCP server. The entire migration, including two PR iterations, took under an hour of the author's own time.

  3. Video
     The Coding Gopher · 9w

    99% of Developers Don't Get Docker

    A deep dive into how Docker actually works under the hood, covering the evolution from hardware virtualization (VMs with hypervisors) to OS-level containerization. Explains the Linux kernel primitives that make containers possible: namespaces (PID, net, mnt, UTS) for isolation and cgroups for resource limits. Covers the union file system and copy-on-write strategy that makes images lightweight and fast. Also walks through Dockerfile optimization via layer caching, data persistence with volumes, and briefly compares Docker Swarm vs Kubernetes for orchestration and Docker vs Podman architecturally.

  4. Article
     freeCodeCamp · 11w

    How to Use Docker Compose for Production Workloads — with Profiles, Watch Mode, and GPU Support

    Docker Compose has evolved significantly in 2024-2025 with features that make it viable for complex deployment scenarios beyond local development. Key improvements covered include: profiles for managing multiple environments from a single file, watch mode for instant file syncing without rebuilds, GPU passthrough for ML inference workloads, proper health checks with dependency conditions to eliminate startup race conditions, and Docker Bake integration for production image builds. The guide provides practical configuration examples for each feature, a week-by-week adoption path, and an honest assessment of where Compose still falls short compared to Kubernetes or full orchestration platforms.