Distributions#
A Linux distribution (“distro”) is a complete operating system built around the Linux kernel. It bundles the kernel with a userland (GNU coreutils, a shell), an init system (systemd, OpenRC, runit), a package manager, default configuration, and often a desktop environment. The package manager and ancestry define the family: cousins inside a family share commands, paths, and conventions; cousins across families don’t.
cat /etc/os-release tells the operator which family they are working on.
Family |
Package manager |
Common members |
|---|---|---|
Debian |
|
Debian, Ubuntu, Linux Mint, Kali, Raspberry Pi OS, Tails, Pop!_OS, Proxmox VE |
RedHat |
|
RHEL, CentOS Stream, Rocky Linux, AlmaLinux, Fedora, Oracle Linux, Qubes OS |
Arch |
|
Arch, Manjaro, EndeavourOS, SteamOS 3, BlackArch, Artix |
SUSE |
|
openSUSE Leap, Tumbleweed, SLES |
Gentoo |
|
Gentoo, Funtoo, Calculate, ChromeOS |
Alpine |
|
Alpine Linux |
Other |
|
NixOS, Void Linux, Slackware, Solus, Clear Linux |
mindmap
root((Linux kernel))
Debian
Ubuntu
Linux Mint
Pop!_OS
elementary OS
Zorin OS
KDE Neon
Kali
Parrot OS
MX Linux
Devuan
Tails
Raspberry Pi OS
Deepin
Q4OS
Red Hat
RHEL
Fedora
Nobara
Qubes OS
CentOS Stream
Rocky Linux
AlmaLinux
Oracle Linux
Amazon Linux
Mageia
OpenMandriva
Arch
Manjaro
EndeavourOS
SteamOS 3
BlackArch
ArcoLinux
Garuda Linux
Artix
Parabola
SUSE
openSUSE Leap
Tumbleweed
SLES
GeckoLinux
Gentoo
Calculate Linux
Funtoo
ChromeOS
Pentoo
Alpine
postmarketOS
Slackware
Salix
Slax
Zenwalk
NixOS
Void Linux
Solus
Clear Linux
KaOS
The Families#
Linux is “Linux”, but the muscle memory the operator builds on, say, Debian does not transfer cleanly to Red Hat or Alpine. The split shows up first in package management: the same intent, different incantations.
Action |
Debian / Ubuntu |
Red Hat / Fedora |
Arch |
Alpine |
|---|---|---|---|---|
Refresh index |
|
|
|
|
Install |
|
|
|
|
Remove |
|
|
|
|
Upgrade all |
|
|
|
|
Search |
|
|
|
|
List installed |
|
|
|
|
Owns |
|
|
|
|
Beyond packages, families differ on details that bite when the operator assumes:
C library. Almost every family ships glibc; Alpine ships musl. Static binaries and prebuilt wheels built against glibc fail on Alpine; some language runtimes need Alpine-specific builds. Watch for this in container work.
Init system. systemd is the modern default everywhere except Alpine (OpenRC), Slackware, Gentoo (multi-init), and Devuan (sysvinit by design).
Firewall. nftables is the kernel-level standard everywhere modern; the user-facing front end differs (
ufwon Debian/Ubuntu,firewalldon Red Hat/SUSE, rawnfton Arch and Alpine by default).Network config. Netplan + systemd-networkd on Ubuntu Server, NetworkManager on RHEL/Fedora desktop and server, systemd-networkd or NM on Arch,
/etc/network/interfaceson Alpine.SELinux vs AppArmor. Red Hat and Fedora ship SELinux in enforcing mode; Debian, Ubuntu, and SUSE ship AppArmor. Arch and Alpine ship neither by default.
Identification#
Identifying the distro on any box is a routine first move. It tells the operator which package manager applies, which init system is running, and which family’s conventions to follow. Three commands answer the question from different angles.
Command |
Effect |
|---|---|
|
the standard answer ( |
|
standardized, not always installed |
|
kernel and architecture only (does not identify the userland) |
/etc/os-release#
The standard, always-present, machine-parseable answer. Every modern
distro ships this file; ID and ID_LIKE are the operator’s
reference points. ID names the distro itself; ID_LIKE names
the parent family and tells the operator which package manager and
conventions apply on a derivative distro.
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 22.04.4 LTS"
VERSION_ID="22.04"
VERSION_CODENAME=jammy
The fields the operator reads.
Key |
Meaning |
|---|---|
|
pretty distro name; not stable across releases, so don’t key scripts off it |
|
full version label, often including the codename in parentheses |
|
short, lowercase identifier ( |
|
space-separated parent-family hint ( |
|
display string suited for banners and login prompts |
|
short version number suitable for comparison ( |
|
release codename ( |
The file is shell-sourceable, so a script can branch on family without parsing:
. /etc/os-release
case "$ID_LIKE $ID" in
*debian*) apt-get install -y curl jq ;;
*rhel*) dnf install -y curl jq ;;
*arch*) pacman -S --noconfirm curl jq ;;
*alpine*) apk add --no-cache curl jq ;;
esac
lsb_release -a#
The Linux Standard Base front end. Useful for human-readable
output, but not always installed on minimal images: the
Debian family ships it via the lsb-release package, the Red
Hat family via redhat-lsb-core. Cloud and container base
images frequently omit both. Where the goal is scripting,
/etc/os-release is the better pick.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy
uname -a#
Reports the kernel and machine architecture only. It does not tell the operator the userland or the distro. A Debian box and an Alpine box on the same kernel produce indistinguishable output. Useful for kernel-version checks (CVE applicability, syscall and capability availability) and nothing else.
$ uname -a
Linux box 6.5.0-15-generic #15-Ubuntu SMP PREEMPT_DYNAMIC x86_64 GNU/Linux
On systemd boxes hostnamectl is a fourth option that combines
kernel info with distro and machine identity in a single readable
block.
Releases#
Linux distributions pick one of three release models. The operator’s patch cadence, package availability, and CVE response window all flow from the choice.
Model |
Examples (with support window) |
Operator angle |
|---|---|---|
Long-term support (LTS) |
Ubuntu LTS; Debian stable; RHEL. |
The default for production. Stable APIs, predictable patches, long CVE backport coverage. |
Rolling release |
Arch, openSUSE Tumbleweed, Gentoo, Void, NixOS unstable. |
No version-bump events; packages update continuously. The operator gets the newest toolchains and the newest breakage. Not the right call for a long-running production target. |
Point release |
Fedora; Ubuntu interim. |
Newer than LTS, more stable than rolling. Common on developer workstations. |
The Debian family flow shows up directly in apt sources and
Docker tags, so the operator should know it.
Channel |
Codename (today) |
Notes |
|---|---|---|
|
|
The current release. Default for production. |
|
|
The next release in preparation. Useful preview, not for production. |
|
|
The rolling integration branch where new packages land first. |
|
n+1 / n+2 codenames back |
The previous and previous-previous releases, kept on security support or ELTS. |
The Red Hat ecosystem has its own picture, and operators move across it constantly.
Distribution |
Position |
Notes |
|---|---|---|
Fedora |
upstream |
The labs distro where new features are exercised before they reach RHEL. |
CentOS Stream |
midstream |
Rolling preview of the next RHEL minor release. |
RHEL |
downstream (paid) |
The commercial release. 10-year lifecycle. |
Rocky Linux, AlmaLinux, Oracle Linux |
downstream (free) |
1:1 rebuilds of RHEL by independent groups. Picked up by most teams who left CentOS Linux when it stopped being a downstream rebuild in 2020. |
Codenames#
Each Debian-family release carries a codename: a stable
string the operator embeds in repository URLs, apt source
lines, container tags, and provisioning scripts. Codenames are
often more useful than version numbers in those places: they
don’t shift during a point release (22.04 becomes 22.04.5,
but jammy stays jammy), and they distinguish stable
from testing without ambiguity.
The codename appears in three places the operator touches every day:
/etc/os-release: VERSION_CODENAME=jammy
/etc/apt/sources.list: deb http://archive.ubuntu.com/ubuntu jammy main
docker tag: ubuntu:jammy
Current codenames the operator will encounter:
Distro |
Version |
Codename |
Status |
|---|---|---|---|
Debian |
13 |
|
testing (next stable) |
12 |
|
stable |
|
11 |
|
oldstable |
|
10 |
|
oldoldstable / ELTS |
|
(unstable) |
|
always; rolling integration |
|
Ubuntu |
24.10 |
|
interim, 9 months |
24.04 LTS |
|
LTS, supported to 2029 |
|
22.04 LTS |
|
LTS, supported to 2027 |
|
20.04 LTS |
|
ESM-only (paid) |
|
18.04 LTS |
|
ESM-only (paid) |
|
Kali |
2024.x |
|
rolling, Debian-testing based; the operator’s offensive workstation |
|
last quarterly snapshot; pinned point-in-time mirror |
||
|
bleeding-edge tooling staged for inclusion |
||
Qubes OS |
4.2 |
(n/a; Xen-based) |
current; compartmentalised desktop OS, isolates work into per-VM “qubes” using Fedora and Debian templates |
4.1 |
EOL since December 2024 |
||
Whonix |
17 |
(n/a; Debian-based) |
hardened, Tor-only; runs as paired Gateway + Workstation VMs (often inside Qubes) |
Tails |
6.x |
(n/a; Debian-based) |
amnesic live OS; routes all traffic through Tor and forgets on shutdown |
Conventions worth knowing:
Debian picks codenames from Toy Story characters.
sid(the kid next door who breaks toys) is permanent and always names the unstable branch.Ubuntu picks an alphabetical adjective + animal for every release. The alphabet has wrapped once already;
Wwas skipped going fromnoble(24.04) tooracular(24.10).Red Hat / Fedora dropped release codenames after Fedora 21 in 2014. For RHEL, CentOS Stream, Rocky, Alma, and Fedora the operator references the version number only.
Choosing a Distro#
The right pick depends on what the operator needs the box for. Reasonable defaults by role.
Role |
Sensible default |
|---|---|
Operator laptop |
Ubuntu LTS, Debian stable, Pop!_OS, Fedora Workstation |
Offensive ops |
Kali Linux, Parrot OS (BlackArch on Arch hosts) |
Defensive / DFIR |
SIFT Workstation, REMnux, Security Onion, Tsurugi |
Generic server |
Debian stable, Ubuntu LTS, Rocky Linux, AlmaLinux |
Container base |
Alpine (small, musl); Debian-slim (compatible, glibc); distroless / Wolfi (minimal, no shell) |
Cloud VM image |
Ubuntu LTS (most ubiquitous), Debian, Amazon Linux 2023, Azure Linux |
Privacy / hardened |
Tails (live, RAM-only), Whonix (Tor-only), Qubes OS (compartmentalised) |
Embedded / IoT |
Yocto-built custom, Buildroot, Alpine, Raspberry Pi OS |
For most operators most of the time, Debian stable or Ubuntu LTS is the right answer for both daily-driver and production. Reach for something else only when the workload (container ergonomics, hardware support, OPSEC, security toolchain) argues for it specifically.
Specialized Distributions#
Offensive Security#
Distros bundled with the operator’s offensive toolchain (Metasploit,
Burp, Nmap, BloodHound, Wifite, Bettercap, …). The operator picks
one and treats it as their on-target laptop image; ad-hoc
apt install of Kali tools onto a stock Ubuntu rarely matches
the curated bundle.
Distro |
Family |
Backing |
Notes |
|---|---|---|---|
Kali Linux |
Debian (rolling) |
Offensive Security |
The default offensive workstation. Hundreds of curated tools across recon, exploitation, post-ex, forensics; live USB, persistent USB, WSL, and ARM images for Raspberry Pi. |
Parrot OS Security |
Debian (rolling) |
Parrot Sec |
Kali’s main alternative. Lighter desktop, AnonSurf integration (system-wide Tor), full pentest toolkit. |
BlackArch |
Arch (rolling) |
Community |
Arch with ~3,000 security-tool packages in a separate repo. The right pick when the host is already Arch. |
Athena OS |
Arch / NixOS (rolling) |
Community |
Newer Arch-based offensive distro; ships HTB and TryHackMe integrations and a per-tool roles structure. |
Pentoo |
Gentoo (rolling) |
Community |
Hardened, source-based; the right pick for operators who already run Gentoo and want to stay on portage. |
Commando VM |
Windows (not Linux) |
Mandiant |
Out-of-family but worth knowing: PowerShell-driven Windows-side equivalent, used for AD-focused engagements. |
Defensive Security and DFIR#
Distros built around incident response, malware analysis, network security monitoring, and forensic acquisition. Pick by phase of the defender’s loop: the SIFT and CAINE images sit on the analyst’s workstation; Security Onion is appliance infrastructure; REMnux is the lab the operator detonates a sample in.
Distro |
Family |
Backing |
Notes |
|---|---|---|---|
SIFT Workstation |
Ubuntu LTS |
SANS / FOR508 |
The DFIR analyst’s reference image. Volatility, Plaso / log2timeline, Sleuth Kit, autopsy, RegRipper preinstalled and integrated. |
REMnux |
Ubuntu |
Lenny Zeltser |
Reverse-engineering and malware-analysis lab. Ghidra, radare2, Cuckoo dependencies, Wireshark, INetSim. |
Security Onion |
Ubuntu / Rocky |
Security Onion Solutions |
NSM / SIEM appliance distro. Bundles Suricata, Zeek, Stenographer, Wazuh, Elastic, TheHive. Stand it up; point SPAN ports at it. |
Tsurugi Linux |
Ubuntu LTS |
Tsurugi project |
DFIR live distro with strong dead-disk acquisition defaults; hardware write-blocker friendly. |
CAINE |
Ubuntu LTS |
Italian community |
Computer Aided INvestigative Environment. Live forensic distro accepted in Italian and EU court contexts. |
DEFT Zero/X |
Lubuntu / Debian |
Italian community |
Lightweight live forensic distro; the smaller cousin of CAINE. |
Privacy and Hardened#
Distros engineered to reduce what the operator’s box leaks (network metadata, persistent state, host compromise blast-radius). Pick by threat model: Tails for “leave no trace on this hardware”, Whonix for “no clearnet under any circumstance”, Qubes for “if any one component is compromised, the rest are not.”
Distro |
Family |
Backing |
Notes |
|---|---|---|---|
Tails |
Debian |
Tails (Tor) |
Amnesic live OS. All traffic through Tor; no persistent state by default; encrypted persistent volume optional. Standard pick for “borrow a laptop, do the work, walk away”. |
Whonix |
Debian |
Whonix |
Two-VM design: a Gateway VM forces all traffic through Tor and isolates the Workstation VM behind it. Often run inside Qubes. |
Qubes OS |
Fedora |
Invisible Things Lab |
Xen-based compartmentalisation. Each task runs in its own disposable VM (“qube”); copy / paste and file moves go through audited inter-VM channels. The defender’s choice for high-blast-radius workflows. |
PureOS |
Debian |
Purism |
Privacy-respecting Debian derivative shipped on Librem laptops; defaults toward FOSS-only and minimal telemetry. |
Kicksecure |
Debian |
Whonix |
Hardened Debian base used by Whonix; can be installed standalone for systemd-everywhere boxes that still want Whonix-style hardening. |
Subgraph OS |
Debian |
Subgraph |
Once-promising hardened distro built around Grsec, Tor, and a per-app sandbox. Largely dormant; mentioned for historical context. |
VMs and Containers#
The next two subsections both ship Linux distros, but the distros are sized for two different units of compute. A short orientation before the picks:
A virtual machine (VM) is a full simulated computer. The hypervisor (KVM, Xen, VMware, Hyper-V) hands the VM virtual CPUs, memory, and devices; the VM boots its own kernel and runs a complete userland on top. Boot time is seconds to minutes; overhead is gigabytes; isolation is strong because the hypervisor is the trust boundary. The cloud provider’s default unit of compute (an EC2 instance, a GCE instance, an Azure VM) is a VM. See Virtualization.
A container is a process (or process tree) on the host kernel, fenced off by Linux kernel features (namespaces, cgroups, seccomp, capabilities). It does not boot a kernel of its own; it shares the host’s. Boot time is milliseconds, overhead is megabytes, and isolation is weaker than a VM because a kernel exploit on the host reaches every container. The unit of modern application deployment, packaged as an OCI image. See Containers.
The distros below are picked accordingly: VM images come with init, networking stack, and cloud-init; container base images strip everything down to “what the app needs to run”.
Cloud VM Images#
Distros optimized for cloud-init, fast boot, minimal install footprint, and the cloud provider’s tooling. The operator picks by where the workload runs, not by personal preference; AWS auto-scaling groups want Amazon Linux, Azure VMSS want Azure Linux, GCE wants Container-Optimized OS for nodes.
Distro |
Family |
Backing |
Notes |
|---|---|---|---|
Ubuntu Server LTS |
Debian |
Canonical |
The default cloud VM almost everywhere. Cloud-init upstream; first-class on AWS, GCP, Azure, DigitalOcean, Linode, Hetzner. |
Debian Cloud |
Debian |
Debian |
Official Debian images on every major cloud. Smaller and more conservative than Ubuntu; fewer extras, longer stability. |
Amazon Linux 2023 |
Fedora |
Amazon |
AWS’s first-party VM image. Tightly integrated with AWS agents (SSM, CloudWatch, IMDSv2 defaults); fast boot; Amazon-specific kernel and systemd unit set. |
Azure Linux (Mariner) |
Independent |
Microsoft |
Microsoft’s first-party container-host and VM image. Used under AKS nodes, Azure HCI, Azure-specific workloads. |
Container-Optimized OS (COS) |
ChromeOS |
The default GKE node OS. Minimal, immutable root, automatic updates; only useful as a Kubernetes node, not as a general VM. |
|
Bottlerocket |
Independent |
Amazon |
Container host OS for EKS, ECS, self-managed Kubernetes. Immutable root, A/B updates; SSH off by default; managed through API control container. |
Flatcar Container Linux |
Independent (CoreOS heir) |
Kinvolk / MS |
Successor to CoreOS Container Linux. Immutable container host with auto-updates; popular outside the big three clouds. |
RHEL on Cloud / Rocky / Alma |
Red Hat |
Various |
When the workload demands RHEL compatibility (FedRAMP, enterprise vendor support, RHEL-only ISVs). |
Container Base Images#
Distros engineered to be the bottom layer of an OCI image. The trade is between size (smaller = faster pulls, smaller attack surface), compatibility (glibc plays with everything, musl fights some prebuilt binaries), and shell access (a shell is nice for debugging, gone is safer in production).
Image |
libc |
Backing |
Notes |
|---|---|---|---|
Alpine |
musl |
Alpine |
The size winner. ~5 MB base image. |
Debian-slim |
glibc |
Debian |
Compatibility default. ~30 MB base; runs anything built for Linux. The right pick when “it works on Ubuntu” matters more than image size. |
Ubuntu Minimal |
glibc |
Canonical |
Ubuntu LTS but pruned for container use. Larger than debian-slim, identical compatibility story. |
Distroless |
glibc |
No shell, no package manager, no userland. Just the runtime and the app binary. Hardest to attack; hardest to debug. |
|
Wolfi |
glibc |
Chainguard |
“Undistro” designed for containers from the ground up. SBOM per package, daily CVE updates, tiny base. The modern security-first base image. |
Chainguard Images |
glibc |
Chainguard |
Pre-built minimal images on top of Wolfi (nginx, postgres, python, …). Distroless runtime variants available. |
UBI Minimal / Micro |
glibc |
Red Hat |
Universal Base Image; the right pick when the deployment target is RHEL or OpenShift and the security team wants Red Hat |
BusyBox / scratch |
na / minimal |
BusyBox |
|
References#
Reading material:
Linux From Scratch: build a working Linux system from source, the long-form way to understand what every distro above is doing for you.
DistroWatch: release tracker and family tree for hundreds of distros.
os-release(5): the man page for the file.
Project homepages for every distro and image cited on this page:
Debian family#
Debian: the family root; the reference Debian project.
Ubuntu: Canonical’s Debian derivative; the most-deployed cloud and desktop Linux.
Linux Mint: Ubuntu derivative with a more conservative desktop (Cinnamon).
Kali Linux: offensive-security distro curated by Offensive Security.
Raspberry Pi OS: Debian derivative for the Raspberry Pi.
Tails: amnesic live distro that routes all traffic through Tor.
Pop!_OS: System76’s Ubuntu-derivative shipped on their laptops.
Proxmox VE: Debian-based virtualisation appliance (KVM and LXC).
Devuan: Debian without systemd (sysvinit, OpenRC, runit).
Parrot OS Security: pen-test and security-focused Debian derivative; Kali’s main alternative.
Red Hat family#
Red Hat Enterprise Linux: the commercial enterprise Linux; 10-year lifecycle.
CentOS Stream: rolling preview of the next RHEL minor release.
Rocky Linux: independent 1:1 RHEL rebuild.
AlmaLinux: independent 1:1 RHEL rebuild.
Fedora: upstream of RHEL; the labs distro for new features.
Oracle Linux: Oracle’s free RHEL rebuild plus their own kernel option.
Qubes OS: Xen-based compartmentalised desktop OS using Fedora and Debian templates.
Arch family#
Arch Linux: rolling-release base distro for
pacmanusers.Manjaro: Arch with curated stable branches and an installer.
EndeavourOS: terminal-friendly Arch with a graphical installer.
SteamOS: Valve’s Arch-based gaming OS for the Steam Deck.
BlackArch: ~3,000 security tools as an Arch repo and ISO.
Artix Linux: Arch without systemd (OpenRC, runit, s6, dinit).
Athena OS: Arch-based offensive distro with HTB and TryHackMe integrations.
SUSE#
openSUSE: community SUSE; ships Leap (point release) and Tumbleweed (rolling).
SUSE Linux Enterprise Server (SLES): the commercial enterprise SUSE.
Gentoo family#
Gentoo Linux: source-based, Portage-managed; the family root.
Funtoo Linux: Gentoo fork by original Gentoo lead Daniel Robbins.
Calculate Linux: Gentoo derivative aimed at corporate workstations.
ChromeOS: Google’s Gentoo-derived OS for Chromebooks.
Pentoo: hardened Gentoo overlay for pen-testing.
Alpine and Independent#
Alpine Linux: tiny musl-based distro; the standard container base.
NixOS: declarative, reproducible distro built around the Nix package manager.
Void Linux: independent rolling distro using runit and
xbps.Slackware: the oldest active Linux distribution; minimal, traditional.
Solus: independent curated rolling desktop distro (Budgie).
Clear Linux: Intel-tuned distro optimized for benchmark and cloud workloads.
Defensive / DFIR#
SIFT Workstation (SANS): Ubuntu-based DFIR analyst image; SANS reference toolkit.
REMnux: Ubuntu-based malware-analysis and reverse-engineering lab.
Security Onion: Ubuntu-/Rocky-based NSM and SIEM appliance distro.
Tsurugi Linux: Ubuntu LTS derivative for forensic acquisition and analysis.
CAINE: Italian Computer Aided INvestigative Environment; live forensic distro.
DEFT Linux: lightweight live forensic distro; smaller cousin of CAINE.
Mandiant Commando VM: Windows-side equivalent for AD-focused engagements.
Privacy and hardened#
Tails: amnesic live OS; routes all traffic through Tor.
Whonix: paired Gateway and Workstation VMs that force traffic through Tor.
Kicksecure: hardened Debian base used by Whonix; can run standalone (formerly Heads).
PureOS: privacy-respecting Debian derivative shipped on Librem laptops.
Subgraph OS: hardened Debian with Grsec, Tor, per-app sandboxing (largely dormant).
Cloud VM images#
Ubuntu on Cloud: most-deployed cloud VM image; first-class on every major cloud.
Debian on Cloud: official Debian images on AWS, GCP, Azure.
Amazon Linux 2023: AWS first-party VM image; Fedora-based.
Azure Linux (Mariner): Microsoft first-party container-host and VM image.
Container-Optimized OS (GKE): Google’s minimal immutable host OS for GKE nodes.
Bottlerocket: Amazon’s minimal container host OS for EKS, ECS.
Flatcar Container Linux: CoreOS-heir immutable container host with auto-updates.
Container base images#
Alpine Linux: ~5 MB musl-based container base; the size winner.
Debian-slim: ~30 MB glibc base; runs anything built for Linux.
Ubuntu Minimal: pruned Ubuntu LTS; same compatibility as Debian.
Distroless: Google’s no-shell, no-package-manager runtime base.
Wolfi: Chainguard’s “undistro” purpose- built for containers; SBOM per package.
Chainguard Images: pre-built minimal images on top of Wolfi.
Red Hat UBI: Universal Base Image; the right pick for OpenShift / RHEL.
BusyBox: single multi-call binary providing
sh,ls,wget; common in Go / Rust images.