Hello Wolfi

Erika Heidi
November 16, 2022

Introductory live session, presented on November 16, about Wolfi, melange, apko, and Chainguard Images.

Transcript

  1. Hello, Wolfi!
    An introduction to the Linux (un)distro built for containers
    and Chainguard's open source tools behind it
    chainguard.dev | @erikaheidi

  2. What we'll cover today
    ● Wolfi ecosystem overview
    ○ apko, melange, Wolfi, and Chainguard Images
    ● What are distroless images
    ● Migrating to distroless
    ● Demo

  3. Ecosystem Overview

  4. Wolfi
    ● Tiny Linux distribution
    ● "Undistro" because it leaves out what normally goes into a Linux distribution (kernel, man pages, and many other packages that make no sense inside containers)
    ● Based on apk (the Alpine package manager)
    ● Primarily glibc (musl is on the roadmap)
    ● Packages defined in YAML and built with melange

  5. melange
    ● Declarative apk builder tool
    ● Part of the build toolkit behind Wolfi / Chainguard Images
    ● Build pipelines are defined in YAML files
    ● Multi-architecture by default (via QEMU)
    ● Platform-agnostic builds via Docker + the apko image

  6. apko
    ● Declarative OCI image builder tool based on apk
    ● Part of the build toolkit behind Wolfi / Chainguard Images
    ● Images are defined in YAML files
    ● Builds are fully reproducible
    ● Automatically generates an SBOM for every image
    ● Platform-agnostic builds via Docker + the apko image

  7. Chainguard Images
    ● Curated OCI images built with apko and melange
    ● Most are based on Wolfi; some are still migrating from Alpine as we build more package dependencies
    ● Built nightly for several platforms
    ● Zero CVEs goal
    ● High-quality SBOMs
    ● Signed with Sigstore

  8. Why distroless?

  9. The distroless philosophy
    ● Minimalist container images with only what is absolutely necessary to build or execute your application
    ● Popular base images are full of software that only makes sense on bare metal
    ● No need for package managers or interactive shells in production images
    ● Fewer dependencies = smaller attack surface, fewer CVEs

  10. The distroless philosophy

  11. The distroless philosophy: Chainguard Images

  12. Custom distroless images: before / after
    ● Before: php:8.1-cli (Debian-based, official)
    ○ Base image total size: 484MB
    ○ Total CVEs: 386
    ● After: minicli/php81 (Alpine-based, built with apko)
    ○ Base image total size: 48MB
    ○ Total CVEs: 0

  13. Composing a distroless image
    Steps to build your own distroless image

  14. Example apko.yaml file
    contents:
      repositories:
        - https://dl-cdn.alpinelinux.org/alpine/edge/main
        - https://dl-cdn.alpinelinux.org/alpine/edge/community
      packages:
        - alpine-baselayout
        - php81
        - php81-common
    entrypoint:
      command: /usr/bin/php81
    environment:
      PATH: /usr/sbin:/sbin:/usr/bin:/bin
    accounts:
      groups:
        - groupname: nonroot
          gid: 65532
      users:
        - username: nonroot
          uid: 65532
      run-as: 65532
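
    As an added example (not code from the deck or from apko itself), a small Python check for the distroless properties the deck calls out: no shell or package manager in the package list, repositories fetched over HTTPS, and run-as pointing at a declared non-root user. Both configurations are constructed; the denylist of shell/package-manager packages and the HTTPS rule are assumptions of the example, not apko or Wolfi rules.

```python
# Constructed configs: DISTROLESS is the deck's apko.yaml as yaml.safe_load
# would parse it; WEAK is a hypothetical variant that ships a shell and a
# package manager and never sets run-as, so the entrypoint runs as uid 0.
DISTROLESS = {
    "contents": {
        "repositories": [
            "https://dl-cdn.alpinelinux.org/alpine/edge/main",
            "https://dl-cdn.alpinelinux.org/alpine/edge/community",
        ],
        "packages": ["alpine-baselayout", "php81", "php81-common"],
    },
    "entrypoint": {"command": "/usr/bin/php81"},
    "environment": {"PATH": "/usr/sbin:/sbin:/usr/bin:/bin"},
    "accounts": {
        "groups": [{"groupname": "nonroot", "gid": 65532}],
        "users": [{"username": "nonroot", "uid": 65532}],
        "run-as": 65532,
    },
}
WEAK = {
    "contents": {
        "repositories": ["http://dl-cdn.alpinelinux.org/alpine/edge/main"],
        "packages": ["alpine-baselayout", "busybox", "apk-tools", "php81"],
    },
}

# Packages that leave an interactive shell or package manager in the image.
# The list is an assumption for this example, not an apko or Wolfi rule.
INTERACTIVE = {"apk-tools", "busybox", "bash", "sh", "zsh", "dash"}


def lint_apko_config(cfg):
    # Returns a list of findings; an empty list means the config passes.
    findings = []
    contents = cfg.get("contents", {})
    for repo in contents.get("repositories", []):
        if not repo.startswith("https://"):
            findings.append(f"repository not fetched over TLS: {repo}")
    for pkg in contents.get("packages", []):
        if pkg in INTERACTIVE:
            findings.append(f"shell or package manager in image: {pkg}")
    accounts = cfg.get("accounts") or {}
    run_as = accounts.get("run-as")
    if run_as in (None, 0, "0", "root"):
        findings.append("run-as missing or root: entrypoint runs as uid 0")
    else:
        # run-as may be a uid or a username; it must match a declared user
        users = accounts.get("users", [])
        declared = {u.get("uid") for u in users} | {u.get("username") for u in users}
        if run_as not in declared:
            findings.append(f"run-as {run_as} matches no declared user")
    return findings
```
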

  15. Building the image with apko via Docker
    $ docker run --rm -v ${PWD}:/work cgr.dev/chainguard/apko build \
        apko.yaml apko-php:test apko-php.tar
    Testing the image with Docker
    $ docker load < apko-php.tar
    $ docker run -it apko-php:test

  16. Migration Case Study
    DEMO: Migrating a PHP image to apko / distroless

  17. App Overview
    ● GitHub Action that runs on a schedule
    ● Using an image based on the official php:7.4-cli
    ○ Size: 589MB
    ○ CVEs (Trivy): 331

  18. Migration step 1: collecting dependencies
    FROM php:7.4-cli
    ARG user=dynacover
    ARG uid=1000
    # System libraries needed to compile the PHP extensions below
    RUN apt-get update && apt-get install -y git curl libonig-dev libxml2-dev libfreetype6-dev \
        libjpeg62-turbo-dev libpng-dev zip unzip
    RUN apt-get clean && rm -rf /var/lib/apt/lists/*
    RUN docker-php-ext-configure gd --with-freetype --with-jpeg && \
        docker-php-ext-install pdo_mysql mbstring exif pcntl bcmath gd
    COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
    # Application user; the app runs as this user from USER onward
    RUN useradd -G sudo,root -u $uid -d /home/$user $user
    RUN mkdir -p /home/$user/.composer && \
        chown -R $user:$user /home/$user
    USER $user
    RUN mkdir -p /home/$user/dynacover
    COPY . /home/$user/dynacover/
    WORKDIR /home/$user/dynacover
    RUN composer install

  19. Migration step 2: finding appropriate apks

  20. Dynacover base image: before / after
    ● Before: based on php:7.4-cli
    ○ Base image total size: 589MB
    ○ Total CVEs: 331
    ● After: distroless, based on Alpine
    ○ Base image total size: 48MB
    ○ Total CVEs: 0

  21. Resources to Learn More
    ● Chainguard Academy
    ● Wolfi documentation
    ● melange + apko tutorial on Chainguard Academy
    ● Chainguard Images documentation
    ● apko on GitHub
    ● Troubleshooting apko builds

  22. Thank You!
    chainguard.dev | edu.chainguard.dev
    @chainguard_dev
    chainguard-dev
