What to Expect from this Talk
● What is apko
  ○ Tool overview
  ○ Why apk
● Why Distroless
● Case Study / Demo
  ○ Migrating dynacover to a distroless apko image
● Q&A
What is apko
● Declarative OCI image builder tool based on apk
● Part of the building toolkit behind Wolfi / Chainguard Images
● Images are defined in YAML files
● Builds are fully reproducible
● Automatically generates SBOMs for every image
● Platform-agnostic builds via Docker + apko image
Building the image with apko via Docker
$ docker run --rm -v ${PWD}:/work cgr.dev/chainguard/apko build alpine-base.yaml alpine-base:test alpine-test.tar

Testing the image with Docker
$ docker load < alpine-test.tar
$ docker run -it alpine-base:test
Why apk
● Introduced by Alpine, it uses a different methodology to handle package management
● Package installation or removal is done as a side effect of modifying the system state
● This creates the ideal conditions for reproducible and declarative pipelines
Where do packages come from
● For Alpine-based images, use Alpine apks found at pkgs.alpinelinux.org/packages
● For Wolfi-based images, use Wolfi apks that are listed in the wolfi-os repository, hosted at packages.wolfi.dev/os
● Don't mix!
● You can also create your own apks with melange
The distroless philosophy
● Minimalist container images with only what's absolutely necessary to build or execute your application
● Popular base images are full of software that only makes sense on bare metal
● No need for package managers or interactive shells on production images
● Fewer dependencies = smaller attack surface, fewer CVEs
Dynacover base image: before / after
Before
● Based on php:7.4-cli
● Base image total size: 589MB
● Total CVEs: 331
After
● Distroless based on Alpine
● Base image total size: 48MB
● Total CVEs: 0
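An apko definition for a distroless PHP image of the kind the "What is apko" slide describes and the dynacover case study builds, added here as an illustration and not the talk's own file. The Alpine edge repositories and the php81 package names are assumptions, and the nonroot account is a hardening choice the slides do not mention.

```yaml
# Added example, not the talk's config: a distroless PHP 8.1 image built
# from Alpine apks. Build it exactly like the slides build alpine-base.yaml:
#   docker run --rm -v ${PWD}:/work cgr.dev/chainguard/apko \
#     build php-distroless.yaml php-distroless:test php-distroless.tar
contents:
  repositories:
    # Assumption: Alpine edge main + community. Do not mix in Wolfi repos.
    - https://dl-cdn.alpinelinux.org/alpine/edge/main
    - https://dl-cdn.alpinelinux.org/alpine/edge/community
  packages:
    # Only the runtime goes in: no apk-tools, no busybox, no shell.
    # Package names are an assumption about what Alpine edge ships.
    - alpine-baselayout-data
    - ca-certificates-bundle
    - php81
    - php81-curl
    - php81-mbstring
    - php81-openssl
    - php81-phar

# Run the application as an unprivileged user rather than root.
accounts:
  groups:
    - groupname: nonroot
      gid: 65532
  users:
    - username: nonroot
      uid: 65532
      gid: 65532
  run-as: nonroot

# Alpine's php81 package installs the binary as /usr/bin/php81.
entrypoint:
  command: /usr/bin/php81

work-dir: /app

archs:
  - x86_64
  - aarch64
```

Because there is no shell in the image, `docker run -it` into it will not give a prompt; exercise it by passing a PHP script or `-v` to the entrypoint instead.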
Resources to Learn More
● minicli:php81 on GitHub
● Getting Started with apko tutorial on Chainguard Academy
● apko on GitHub
● Troubleshooting apko builds
● Chainguard Images documentation
● Wolfi documentation