Thin images. The stack lives on the mount.
The containers the Posit/EKS pods run are built here with
rootless Podman
. The rule that makes them portable is the rule the whole suite runs on: an image is
Link 0′
— the borrowed layer — so it carries only the kernel-adjacent bits and the CVMFS client.
R, its compiler, and every library resolve from
/cvmfs/software.ndexr.io/…/current
, never from the image. Nothing of the image's userland enters a loaded binary.
Image lifecycle
The thin-image policy (§2 / §3)
An image that bakes a library a session ends up linking reintroduces host leakage — the exact failure the CVMFS/prefix stack exists to prevent. Keep images minimal and let the mount do the work.
Link 0′ — the borrowed layer
The base image replaces the bare-metal host. It may contribute the kernel-adjacent bits and the CVMFS client; nothing else may end up in a loaded binary.
readelf proof on stored images
loader (PT_INTERP) and RPATH/RUNPATH of any executable/.so must be under /cvmfs. A host/image path means the image is contaminated — rebuild, don't ship.
No LD_LIBRARY_PATH crutch
The stack is RPATH-only by design. An image that sets LD_LIBRARY_PATH to make something load is masking a contamination bug — report it, don't ship it.
No microarch / GPU pin
A base image tuned to the build node's ISA can SIGILL on a client. Images stay GENERIC-compatible; any accelerator pin is a §2 report-up.
Digest-pinned, never latest
Base images are pinned by digest (§7) so a rebuild is byte-reproducible. 'latest' is a floating input and is not allowed.
R packages off the image
install.packages() pulls pre-compiled binaries from repo.ndexr.io (zero compilation) — packages are never baked into the image either.