Creating Secure Container Images with apko

Transcript

1. Creating Secure Container
   Images with apko
   The declarative OCI image builder
   chainguard.dev
   

   View Slide

2. What to Expect from this Talk
   ● What is apko
   ○ Tool overview
   ○ Why apk
   ● Why Distroless
   ● Case Study / Demo
   ○ Migrating dynacover to a distroless apko image
   ● Q&A
   

   View Slide

3. What is apko
   

   View Slide

4. What is apko
   ● Declarative OCI image builder tool based on apk
   ● Part of the building toolkit behind Wolfi / Chainguard Images
   ● Images are defined in YAML files
   ● Builds are fully reproducible
   ● Automatically generates SBOMs for every image
   ● Platform-agnostic builds via Docker + apko image
   

   View Slide

5. Example apko.yaml file
   contents:
   repositories:
   - https://dl-cdn.alpinelinux.org/alpine/edge/main
   packages:
   - alpine-base
   cmd: /bin/sh -l
   environment:
   PATH: /usr/sbin:/sbin:/usr/bin:/bin
   

   View Slide

6. Building the image with apko via Docker
   $ docker run --rm -v ${PWD}:/work cgr.dev/chainguard/apko build
   alpine-base.yaml alpine-base:test alpine-test.tar
   Testing the image with Docker
   $ docker load < alpine-test.tar
   $ docker run -it alpine-base:test
   

   View Slide

7. Why apk
   ● Introduced by Alpine, it uses a different methodology to
   handle package management
   ● Package installation or removal is done as a side effect of
   modifying the system state
   ● This creates the ideal conditions for reproducible and
   declarative pipelines
   

   View Slide

8. Where do packages come from
   ● For Alpine-based images, use Alpine apks found at
   pkgs.alpinelinux.org/packages
   ● For Wolfi-based images, use Wolfi apks that are listed in the
   wolfi-os repository, hosted at packages.wolfi.dev/os
   ● Don't mix!
   ● You can also create your own apks with melange
   

   View Slide

9. Why distroless?
   

   View Slide

10. The distroless philosophy
    ● Minimalist container images with only what's absolutely
    necessary to build or execute your application
    ● Popular base images are full of software that only makes sense
    on bare-metal
    ● No need for package managers or interactive shells on
    production images
    ● Less dependencies = smaller attack surface, less CVEs
    

    View Slide

11. The distroless philosophy: less CVEs = win
    

    View Slide

12. Case Study: Dynacover
    Migrating a PHP image to apko / distroless
    

    View Slide

13. Dynacover Overview
    ● Dynamic header images
    for Twitter
    ● PHP application built
    with Minicli
    ● Main dependencies: PHP
    (cli), Curl and GD
    

    View Slide

14. Dynacover Overview
    ● GitHub Action that runs
    on schedule
    ● Using an image based on
    the official php:7.4-cli
    ○ Size: 589MB
    ○ CVEs (Trivy): 331
    

    View Slide

15. Migration step 1: collecting dependencies
    FROM php:7.4-cli
    ARG user=dynacover
    ARG uid=1000
    RUN apt-get update && apt-get install -y git curl libonig-dev libxml2-dev libfreetype6-dev libjpeg62-turbo-dev libpng-dev zip unzip
    RUN apt-get clean && rm -rf /var/lib/apt/lists/*
    RUN docker-php-ext-configure gd --with-freetype --with-jpeg && \
    docker-php-ext-install pdo_mysql mbstring exif pcntl bcmath gd
    COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
    RUN useradd -G sudo,root -u $uid -d /home/$user $user
    RUN mkdir -p /home/$user/.composer && \
    chown -R $user:$user /home/$user
    USER $user
    RUN mkdir -p /home/$user/dynacover
    COPY . /home/$user/dynacover/
    WORKDIR /home/$user/dynacover
    RUN composer install
    ● git
    ● curl
    ● zip
    ● unzip
    ● libonig-dev
    ● libfreetype6-dev
    ● libjpeg62-turbo-dev
    ● libpng-dev
    ● php-mbstring
    ● php-exif
    ● php-pcntl
    ● php-bcmath
    ● php-gd
    

    View Slide

16. Migration step 2: finding appropriate apks
    

    View Slide

17. Migration step 3: creating the apko.yaml file
    contents:
    repositories:
    - https://dl-cdn.alpinelinux.org/alpine/edge/main
    - https://dl-cdn.alpinelinux.org/alpine/edge/community
    …
    …
    packages:
    - alpine-baselayout-data
    - ca-certificates-bundle
    - curl
    - git
    - zip
    - unzip
    - libxml2-dev
    - freetype
    - freetype-dev
    - libjpeg-turbo
    - libjpeg-turbo-dev
    - libpng
    - php81
    - php81-gd
    - php81-curl
    - php81-mbstring
    - php81-phar
    - php81-openssl
    - php81-pcntl
    

    View Slide

18. Migration step 3: creating the apko.yaml file
    entrypoint:
    command: /usr/bin/php81
    environment:
    PATH: /usr/sbin:/sbin:/usr/bin:/bin
    …
    …
    accounts:
    groups:
    - groupname: minicli
    gid: 65532
    users:
    - username: minicli
    uid: 65532
    run-as: root
    - php81-pcntl
    

    View Slide

19. Migration step 4: building/pushing the image
    $ docker run --rm -v ${PWD}:/work cgr.dev/chainguard/apko build apko.yaml \
    erikaheidi/minicli:php81 minicli-php81.tar
    $ docker load < minicli-php81.tar
    $ docker push erikaheidi/minicli:php81
    

    View Slide

20. Migration step 5: updating GH Action Dockerfile
    FROM erikaheidi/minicli:php81
    COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
    RUN git clone -b 1.0.1 --depth 1 https://github.com/erikaheidi/dynacover.git && \
    cd dynacover && \
    composer install --no-progress --no-dev --prefer-dist
    ENTRYPOINT [ "php81", "/dynacover/dynacover" ]
    CMD ["cover", "update"]
    

    View Slide

21. View Slide

22. Dynacover base image: before / after
    ● Based on php:7.4-cli
    ● Base image total size: 589MB
    ● Total CVEs: 331
    ● Distroless based on Alpine
    ● Base image total size: 48MB
    ● Total CVEs: 0
    

    View Slide

23. Resources to Learn More
    ● minicli:php81 on GitHub
    ● Getting Started with apko tutorial on Chainguard Academy
    ● apko on GitHub
    ● Troubleshooting apko builds
    ● Chainguard Images documentation
    ● Wolfi documentation
    

    View Slide

24. Questions?
    

    View Slide

25. Thank You!
    

    View Slide