Distributions#

Linux

A Linux distribution (“distro”) is a complete operating system built around the Linux kernel. It bundles the kernel with a userland (GNU coreutils, a shell), an init system (systemd, OpenRC, runit), a package manager, default configuration, and often a desktop environment. The package manager and ancestry define the family: cousins inside a family share commands, paths, and conventions; cousins across families don’t.

cat /etc/os-release tells the operator which family they are working on.

Family

Package manager

Common members

Debian

apt / dpkg

Debian, Ubuntu, Linux Mint, Kali, Raspberry Pi OS, Tails, Pop!_OS, Proxmox VE

RedHat

dnf / rpm

RHEL, CentOS Stream, Rocky Linux, AlmaLinux, Fedora, Oracle Linux, Qubes OS

Arch

pacman

Arch, Manjaro, EndeavourOS, SteamOS 3, BlackArch, Artix

SUSE

zypper / rpm

openSUSE Leap, Tumbleweed, SLES

Gentoo

emerge (Portage)

Gentoo, Funtoo, Calculate, ChromeOS

Alpine

apk

Alpine Linux

Other

nix / xbps / slackpkg

NixOS, Void Linux, Slackware, Solus, Clear Linux

        mindmap
  root((Linux kernel))
    Debian
      Ubuntu
        Linux Mint
        Pop!_OS
        elementary OS
        Zorin OS
        KDE Neon
      Kali
      Parrot OS
      MX Linux
      Devuan
      Tails
      Raspberry Pi OS
      Deepin
      Q4OS
    Red Hat
      RHEL
      Fedora
        Nobara
        Qubes OS
      CentOS Stream
      Rocky Linux
      AlmaLinux
      Oracle Linux
      Amazon Linux
      Mageia
      OpenMandriva
    Arch
      Manjaro
      EndeavourOS
      SteamOS 3
      BlackArch
      ArcoLinux
      Garuda Linux
      Artix
      Parabola
    SUSE
      openSUSE Leap
      Tumbleweed
      SLES
      GeckoLinux
    Gentoo
      Calculate Linux
      Funtoo
      ChromeOS
      Pentoo
    Alpine
      postmarketOS
    Slackware
      Salix
      Slax
      Zenwalk
    NixOS
    Void Linux
    Solus
    Clear Linux
    KaOS
    

The Families#

Linux is “Linux”, but the muscle memory the operator builds on, say, Debian does not transfer cleanly to Red Hat or Alpine. The split shows up first in package management: the same intent, different incantations.

Action

Debian / Ubuntu

Red Hat / Fedora

Arch

Alpine

Refresh index

apt update

dnf check-update

pacman -Sy

apk update

Install

apt install foo

dnf install foo

pacman -S foo

apk add foo

Remove

apt remove foo

dnf remove foo

pacman -R foo

apk del foo

Upgrade all

apt upgrade

dnf upgrade

pacman -Syu

apk upgrade

Search

apt search foo

dnf search foo

pacman -Ss foo

apk search foo

List installed

dpkg -l

rpm -qa

pacman -Q

apk info

Owns /path

dpkg -S /path

rpm -qf /path

pacman -Qo /path

apk info -W /path

Beyond packages, families differ on details that bite when the operator assumes:

  • C library. Almost every family ships glibc; Alpine ships musl. Static binaries and prebuilt wheels built against glibc fail on Alpine; some language runtimes need Alpine-specific builds. Watch for this in container work.

  • Init system. systemd is the modern default everywhere except Alpine (OpenRC), Slackware, Gentoo (multi-init), and Devuan (sysvinit by design).

  • Firewall. nftables is the kernel-level standard everywhere modern; the user-facing front end differs (ufw on Debian/Ubuntu, firewalld on Red Hat/SUSE, raw nft on Arch and Alpine by default).

  • Network config. Netplan + systemd-networkd on Ubuntu Server, NetworkManager on RHEL/Fedora desktop and server, systemd-networkd or NM on Arch, /etc/network/interfaces on Alpine.

  • SELinux vs AppArmor. Red Hat and Fedora ship SELinux in enforcing mode; Debian, Ubuntu, and SUSE ship AppArmor. Arch and Alpine ship neither by default.

Identification#

Identifying the distro on any box is a routine first move. It tells the operator which package manager applies, which init system is running, and which family’s conventions to follow. Three commands answer the question from different angles.

Command

Effect

cat /etc/os-release

the standard answer (ID, VERSION, ID_LIKE)

lsb_release -a

standardized, not always installed

uname -a

kernel and architecture only (does not identify the userland)

/etc/os-release#

The standard, always-present, machine-parseable answer. Every modern distro ships this file; ID and ID_LIKE are the operator’s reference points. ID names the distro itself; ID_LIKE names the parent family and tells the operator which package manager and conventions apply on a derivative distro.

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 22.04.4 LTS"
VERSION_ID="22.04"
VERSION_CODENAME=jammy

The fields the operator reads.

Key

Meaning

NAME

pretty distro name; not stable across releases, so don’t key scripts off it

VERSION

full version label, often including the codename in parentheses

ID

short, lowercase identifier (ubuntu, debian, rhel, alpine); the field to script against

ID_LIKE

space-separated parent-family hint (debian, rhel, arch, …); tells the operator which package manager and conventions apply on a derivative distro, answering “is this in the Debian family?”

PRETTY_NAME

display string suited for banners and login prompts

VERSION_ID

short version number suitable for comparison (22.04, 9, 3.18)

VERSION_CODENAME

release codename (jammy, bookworm, noble); often what the operator types into a repository URL

The file is shell-sourceable, so a script can branch on family without parsing:

. /etc/os-release
case "$ID_LIKE $ID" in
    *debian*)  apt-get install -y curl jq ;;
    *rhel*)    dnf install -y curl jq ;;
    *arch*)    pacman -S --noconfirm curl jq ;;
    *alpine*)  apk add --no-cache curl jq ;;
esac

lsb_release -a#

The Linux Standard Base front end. Useful for human-readable output, but not always installed on minimal images: the Debian family ships it via the lsb-release package, the Red Hat family via redhat-lsb-core. Cloud and container base images frequently omit both. Where the goal is scripting, /etc/os-release is the better pick.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy

uname -a#

Reports the kernel and machine architecture only. It does not tell the operator the userland or the distro. A Debian box and an Alpine box on the same kernel produce indistinguishable output. Useful for kernel-version checks (CVE applicability, syscall and capability availability) and nothing else.

$ uname -a
Linux box 6.5.0-15-generic #15-Ubuntu SMP PREEMPT_DYNAMIC x86_64 GNU/Linux

On systemd boxes hostnamectl is a fourth option that combines kernel info with distro and machine identity in a single readable block.

Releases#

Linux distributions pick one of three release models. The operator’s patch cadence, package availability, and CVE response window all flow from the choice.

Model

Examples (with support window)

Operator angle

Long-term support (LTS)

Ubuntu LTS; Debian stable; RHEL.

The default for production. Stable APIs, predictable patches, long CVE backport coverage.

Rolling release

Arch, openSUSE Tumbleweed, Gentoo, Void, NixOS unstable.

No version-bump events; packages update continuously. The operator gets the newest toolchains and the newest breakage. Not the right call for a long-running production target.

Point release

Fedora; Ubuntu interim.

Newer than LTS, more stable than rolling. Common on developer workstations.

The Debian family flow shows up directly in apt sources and Docker tags, so the operator should know it.

Channel

Codename (today)

Notes

stable

bookworm

The current release. Default for production.

testing

trixie

The next release in preparation. Useful preview, not for production.

unstable

sid

The rolling integration branch where new packages land first.

oldstable, oldoldstable

n+1 / n+2 codenames back

The previous and previous-previous releases, kept on security support or ELTS.

The Red Hat ecosystem has its own picture, and operators move across it constantly.

Distribution

Position

Notes

Fedora

upstream

The labs distro where new features are exercised before they reach RHEL.

CentOS Stream

midstream

Rolling preview of the next RHEL minor release.

RHEL

downstream (paid)

The commercial release. 10-year lifecycle.

Rocky Linux, AlmaLinux, Oracle Linux

downstream (free)

1:1 rebuilds of RHEL by independent groups. Picked up by most teams who left CentOS Linux when it stopped being a downstream rebuild in 2020.

Codenames#

Each Debian-family release carries a codename: a stable string the operator embeds in repository URLs, apt source lines, container tags, and provisioning scripts. Codenames are often more useful than version numbers in those places: they don’t shift during a point release (22.04 becomes 22.04.5, but jammy stays jammy), and they distinguish stable from testing without ambiguity.

The codename appears in three places the operator touches every day:

/etc/os-release:       VERSION_CODENAME=jammy
/etc/apt/sources.list:  deb http://archive.ubuntu.com/ubuntu jammy main
docker tag:             ubuntu:jammy

Current codenames the operator will encounter:

Distro

Version

Codename

Status

Debian

13

trixie

testing (next stable)

12

bookworm

stable

11

bullseye

oldstable

10

buster

oldoldstable / ELTS

(unstable)

sid

always; rolling integration

Ubuntu

24.10

oracular (Oriole)

interim, 9 months

24.04 LTS

noble (Numbat)

LTS, supported to 2029

22.04 LTS

jammy (Jellyfish)

LTS, supported to 2027

20.04 LTS

focal (Fossa)

ESM-only (paid)

18.04 LTS

bionic (Beaver)

ESM-only (paid)

Kali

2024.x

kali-rolling

rolling, Debian-testing based; the operator’s offensive workstation

kali-last-snapshot

last quarterly snapshot; pinned point-in-time mirror

kali-experimental

bleeding-edge tooling staged for inclusion

Qubes OS

4.2

(n/a; Xen-based)

current; compartmentalised desktop OS, isolates work into per-VM “qubes” using Fedora and Debian templates

4.1

EOL since December 2024

Whonix

17

(n/a; Debian-based)

hardened, Tor-only; runs as paired Gateway + Workstation VMs (often inside Qubes)

Tails

6.x

(n/a; Debian-based)

amnesic live OS; routes all traffic through Tor and forgets on shutdown

Conventions worth knowing:

  • Debian picks codenames from Toy Story characters. sid (the kid next door who breaks toys) is permanent and always names the unstable branch.

  • Ubuntu picks an alphabetical adjective + animal for every release. The alphabet has wrapped once already; W was skipped going from noble (24.04) to oracular (24.10).

  • Red Hat / Fedora dropped release codenames after Fedora 21 in 2014. For RHEL, CentOS Stream, Rocky, Alma, and Fedora the operator references the version number only.

Choosing a Distro#

The right pick depends on what the operator needs the box for. Reasonable defaults by role.

Role

Sensible default

Operator laptop

Ubuntu LTS, Debian stable, Pop!_OS, Fedora Workstation

Offensive ops

Kali Linux, Parrot OS (BlackArch on Arch hosts)

Defensive / DFIR

SIFT Workstation, REMnux, Security Onion, Tsurugi

Generic server

Debian stable, Ubuntu LTS, Rocky Linux, AlmaLinux

Container base

Alpine (small, musl); Debian-slim (compatible, glibc); distroless / Wolfi (minimal, no shell)

Cloud VM image

Ubuntu LTS (most ubiquitous), Debian, Amazon Linux 2023, Azure Linux

Privacy / hardened

Tails (live, RAM-only), Whonix (Tor-only), Qubes OS (compartmentalised)

Embedded / IoT

Yocto-built custom, Buildroot, Alpine, Raspberry Pi OS

For most operators most of the time, Debian stable or Ubuntu LTS is the right answer for both daily-driver and production. Reach for something else only when the workload (container ergonomics, hardware support, OPSEC, security toolchain) argues for it specifically.

Specialized Distributions#

Offensive Security#

Distros bundled with the operator’s offensive toolchain (Metasploit, Burp, Nmap, BloodHound, Wifite, Bettercap, …). The operator picks one and treats it as their on-target laptop image; ad-hoc apt install of Kali tools onto a stock Ubuntu rarely matches the curated bundle.

Distro

Family

Backing

Notes

Kali Linux

Debian (rolling)

Offensive Security

The default offensive workstation. Hundreds of curated tools across recon, exploitation, post-ex, forensics; live USB, persistent USB, WSL, and ARM images for Raspberry Pi.

Parrot OS Security

Debian (rolling)

Parrot Sec

Kali’s main alternative. Lighter desktop, AnonSurf integration (system-wide Tor), full pentest toolkit.

BlackArch

Arch (rolling)

Community

Arch with ~3,000 security-tool packages in a separate repo. The right pick when the host is already Arch.

Athena OS

Arch / NixOS (rolling)

Community

Newer Arch-based offensive distro; ships HTB and TryHackMe integrations and a per-tool roles structure.

Pentoo

Gentoo (rolling)

Community

Hardened, source-based; the right pick for operators who already run Gentoo and want to stay on portage.

Commando VM

Windows (not Linux)

Mandiant

Out-of-family but worth knowing: PowerShell-driven Windows-side equivalent, used for AD-focused engagements.

Defensive Security and DFIR#

Distros built around incident response, malware analysis, network security monitoring, and forensic acquisition. Pick by phase of the defender’s loop: the SIFT and CAINE images sit on the analyst’s workstation; Security Onion is appliance infrastructure; REMnux is the lab the operator detonates a sample in.

Distro

Family

Backing

Notes

SIFT Workstation

Ubuntu LTS

SANS / FOR508

The DFIR analyst’s reference image. Volatility, Plaso / log2timeline, Sleuth Kit, autopsy, RegRipper preinstalled and integrated.

REMnux

Ubuntu

Lenny Zeltser

Reverse-engineering and malware-analysis lab. Ghidra, radare2, Cuckoo dependencies, Wireshark, INetSim.

Security Onion

Ubuntu / Rocky

Security Onion Solutions

NSM / SIEM appliance distro. Bundles Suricata, Zeek, Stenographer, Wazuh, Elastic, TheHive. Stand it up; point SPAN ports at it.

Tsurugi Linux

Ubuntu LTS

Tsurugi project

DFIR live distro with strong dead-disk acquisition defaults; hardware write-blocker friendly.

CAINE

Ubuntu LTS

Italian community

Computer Aided INvestigative Environment. Live forensic distro accepted in Italian and EU court contexts.

DEFT Zero/X

Lubuntu / Debian

Italian community

Lightweight live forensic distro; the smaller cousin of CAINE.

Privacy and Hardened#

Distros engineered to reduce what the operator’s box leaks (network metadata, persistent state, host compromise blast-radius). Pick by threat model: Tails for “leave no trace on this hardware”, Whonix for “no clearnet under any circumstance”, Qubes for “if any one component is compromised, the rest are not.”

Distro

Family

Backing

Notes

Tails

Debian

Tails (Tor)

Amnesic live OS. All traffic through Tor; no persistent state by default; encrypted persistent volume optional. Standard pick for “borrow a laptop, do the work, walk away”.

Whonix

Debian

Whonix

Two-VM design: a Gateway VM forces all traffic through Tor and isolates the Workstation VM behind it. Often run inside Qubes.

Qubes OS

Fedora

Invisible Things Lab

Xen-based compartmentalisation. Each task runs in its own disposable VM (“qube”); copy / paste and file moves go through audited inter-VM channels. The defender’s choice for high-blast-radius workflows.

PureOS

Debian

Purism

Privacy-respecting Debian derivative shipped on Librem laptops; defaults toward FOSS-only and minimal telemetry.

Kicksecure

Debian

Whonix

Hardened Debian base used by Whonix; can be installed standalone for systemd-everywhere boxes that still want Whonix-style hardening.

Subgraph OS

Debian

Subgraph

Once-promising hardened distro built around Grsec, Tor, and a per-app sandbox. Largely dormant; mentioned for historical context.

VMs and Containers#

The next two subsections both ship Linux distros, but the distros are sized for two different units of compute. A short orientation before the picks:

A virtual machine (VM) is a full simulated computer. The hypervisor (KVM, Xen, VMware, Hyper-V) hands the VM virtual CPUs, memory, and devices; the VM boots its own kernel and runs a complete userland on top. Boot time is seconds to minutes; overhead is gigabytes; isolation is strong because the hypervisor is the trust boundary. The cloud provider’s default unit of compute (an EC2 instance, a GCE instance, an Azure VM) is a VM. See Virtualization.

A container is a process (or process tree) on the host kernel, fenced off by Linux kernel features (namespaces, cgroups, seccomp, capabilities). It does not boot a kernel of its own; it shares the host’s. Boot time is milliseconds, overhead is megabytes, and isolation is weaker than a VM because a kernel exploit on the host reaches every container. The unit of modern application deployment, packaged as an OCI image. See Containers.

The distros below are picked accordingly: VM images come with init, networking stack, and cloud-init; container base images strip everything down to “what the app needs to run”.

Cloud VM Images#

Distros optimized for cloud-init, fast boot, minimal install footprint, and the cloud provider’s tooling. The operator picks by where the workload runs, not by personal preference; AWS auto-scaling groups want Amazon Linux, Azure VMSS want Azure Linux, GCE wants Container-Optimized OS for nodes.

Distro

Family

Backing

Notes

Ubuntu Server LTS

Debian

Canonical

The default cloud VM almost everywhere. Cloud-init upstream; first-class on AWS, GCP, Azure, DigitalOcean, Linode, Hetzner.

Debian Cloud

Debian

Debian

Official Debian images on every major cloud. Smaller and more conservative than Ubuntu; fewer extras, longer stability.

Amazon Linux 2023

Fedora

Amazon

AWS’s first-party VM image. Tightly integrated with AWS agents (SSM, CloudWatch, IMDSv2 defaults); fast boot; Amazon-specific kernel and systemd unit set.

Azure Linux (Mariner)

Independent

Microsoft

Microsoft’s first-party container-host and VM image. Used under AKS nodes, Azure HCI, Azure-specific workloads.

Container-Optimized OS (COS)

ChromeOS

Google

The default GKE node OS. Minimal, immutable root, automatic updates; only useful as a Kubernetes node, not as a general VM.

Bottlerocket

Independent

Amazon

Container host OS for EKS, ECS, self-managed Kubernetes. Immutable root, A/B updates; SSH off by default; managed through API control container.

Flatcar Container Linux

Independent (CoreOS heir)

Kinvolk / MS

Successor to CoreOS Container Linux. Immutable container host with auto-updates; popular outside the big three clouds.

RHEL on Cloud / Rocky / Alma

Red Hat

Various

When the workload demands RHEL compatibility (FedRAMP, enterprise vendor support, RHEL-only ISVs).

Container Base Images#

Distros engineered to be the bottom layer of an OCI image. The trade is between size (smaller = faster pulls, smaller attack surface), compatibility (glibc plays with everything, musl fights some prebuilt binaries), and shell access (a shell is nice for debugging, gone is safer in production).

Image

libc

Backing

Notes

Alpine

musl

Alpine

The size winner. ~5 MB base image. apk for adding packages. Watch out for musl-incompatible prebuilt wheels and Go cgo binaries.

Debian-slim

glibc

Debian

Compatibility default. ~30 MB base; runs anything built for Linux. The right pick when “it works on Ubuntu” matters more than image size.

Ubuntu Minimal

glibc

Canonical

Ubuntu LTS but pruned for container use. Larger than debian-slim, identical compatibility story.

Distroless

glibc

Google

No shell, no package manager, no userland. Just the runtime and the app binary. Hardest to attack; hardest to debug.

Wolfi

glibc

Chainguard

“Undistro” designed for containers from the ground up. SBOM per package, daily CVE updates, tiny base. The modern security-first base image.

Chainguard Images

glibc

Chainguard

Pre-built minimal images on top of Wolfi (nginx, postgres, python, …). Distroless runtime variants available.

UBI Minimal / Micro

glibc

Red Hat

Universal Base Image; the right pick when the deployment target is RHEL or OpenShift and the security team wants Red Hat

BusyBox / scratch

na / minimal

BusyBox

scratch (empty) is the floor: only the static-linked app. BusyBox adds a single multi-call binary for sh, ls, wget. Common in Go and Rust container images.

References#

Reading material:

  • Linux From Scratch: build a working Linux system from source, the long-form way to understand what every distro above is doing for you.

  • DistroWatch: release tracker and family tree for hundreds of distros.

  • os-release(5): the man page for the file.

Project homepages for every distro and image cited on this page:

Debian family#

  • Debian: the family root; the reference Debian project.

  • Ubuntu: Canonical’s Debian derivative; the most-deployed cloud and desktop Linux.

  • Linux Mint: Ubuntu derivative with a more conservative desktop (Cinnamon).

  • Kali Linux: offensive-security distro curated by Offensive Security.

  • Raspberry Pi OS: Debian derivative for the Raspberry Pi.

  • Tails: amnesic live distro that routes all traffic through Tor.

  • Pop!_OS: System76’s Ubuntu-derivative shipped on their laptops.

  • Proxmox VE: Debian-based virtualisation appliance (KVM and LXC).

  • Devuan: Debian without systemd (sysvinit, OpenRC, runit).

  • Parrot OS Security: pen-test and security-focused Debian derivative; Kali’s main alternative.

Red Hat family#

  • Red Hat Enterprise Linux: the commercial enterprise Linux; 10-year lifecycle.

  • CentOS Stream: rolling preview of the next RHEL minor release.

  • Rocky Linux: independent 1:1 RHEL rebuild.

  • AlmaLinux: independent 1:1 RHEL rebuild.

  • Fedora: upstream of RHEL; the labs distro for new features.

  • Oracle Linux: Oracle’s free RHEL rebuild plus their own kernel option.

  • Qubes OS: Xen-based compartmentalised desktop OS using Fedora and Debian templates.

Arch family#

  • Arch Linux: rolling-release base distro for pacman users.

  • Manjaro: Arch with curated stable branches and an installer.

  • EndeavourOS: terminal-friendly Arch with a graphical installer.

  • SteamOS: Valve’s Arch-based gaming OS for the Steam Deck.

  • BlackArch: ~3,000 security tools as an Arch repo and ISO.

  • Artix Linux: Arch without systemd (OpenRC, runit, s6, dinit).

  • Athena OS: Arch-based offensive distro with HTB and TryHackMe integrations.

SUSE#

Gentoo family#

  • Gentoo Linux: source-based, Portage-managed; the family root.

  • Funtoo Linux: Gentoo fork by original Gentoo lead Daniel Robbins.

  • Calculate Linux: Gentoo derivative aimed at corporate workstations.

  • ChromeOS: Google’s Gentoo-derived OS for Chromebooks.

  • Pentoo: hardened Gentoo overlay for pen-testing.

Alpine and Independent#

  • Alpine Linux: tiny musl-based distro; the standard container base.

  • NixOS: declarative, reproducible distro built around the Nix package manager.

  • Void Linux: independent rolling distro using runit and xbps.

  • Slackware: the oldest active Linux distribution; minimal, traditional.

  • Solus: independent curated rolling desktop distro (Budgie).

  • Clear Linux: Intel-tuned distro optimized for benchmark and cloud workloads.

Defensive / DFIR#

  • SIFT Workstation (SANS): Ubuntu-based DFIR analyst image; SANS reference toolkit.

  • REMnux: Ubuntu-based malware-analysis and reverse-engineering lab.

  • Security Onion: Ubuntu-/Rocky-based NSM and SIEM appliance distro.

  • Tsurugi Linux: Ubuntu LTS derivative for forensic acquisition and analysis.

  • CAINE: Italian Computer Aided INvestigative Environment; live forensic distro.

  • DEFT Linux: lightweight live forensic distro; smaller cousin of CAINE.

  • Mandiant Commando VM: Windows-side equivalent for AD-focused engagements.

Privacy and hardened#

  • Tails: amnesic live OS; routes all traffic through Tor.

  • Whonix: paired Gateway and Workstation VMs that force traffic through Tor.

  • Kicksecure: hardened Debian base used by Whonix; can run standalone (formerly Heads).

  • PureOS: privacy-respecting Debian derivative shipped on Librem laptops.

  • Subgraph OS: hardened Debian with Grsec, Tor, per-app sandboxing (largely dormant).

Cloud VM images#

Container base images#

  • Alpine Linux: ~5 MB musl-based container base; the size winner.

  • Debian-slim: ~30 MB glibc base; runs anything built for Linux.

  • Ubuntu Minimal: pruned Ubuntu LTS; same compatibility as Debian.

  • Distroless: Google’s no-shell, no-package-manager runtime base.

  • Wolfi: Chainguard’s “undistro” purpose- built for containers; SBOM per package.

  • Chainguard Images: pre-built minimal images on top of Wolfi.

  • Red Hat UBI: Universal Base Image; the right pick for OpenShift / RHEL.

  • BusyBox: single multi-call binary providing sh, ls, wget; common in Go / Rust images.