
Hello Wolfi

Erika Heidi
November 16, 2022


Introductory Live session presented on November 16 about Wolfi, melange, apko, and Chainguard Images.



Transcript

  1. Hello, Wolfi! An introduction to the Linux (un)distro built for containers and Chainguard's open source tools behind it
     chainguard.dev | @erikaheidi

  2. What we'll cover today
     • Wolfi ecosystem overview
       ◦ apko, melange, Wolfi, and Chainguard Images
     • What are distroless images
     • Migrating to distroless
     • Demo
  3. Ecosystem Overview

  4. (image-only slide)
  5. Wolfi
     • Tiny Linux distribution
     • "Undistro" because it doesn't have the things that normally go into a Linux distribution (kernel, man pages, and a bunch of other packages that don't make sense inside containers)
     • Based on apk (the Alpine package manager)
     • Primarily glibc (musl is on the roadmap)
     • Packages are defined as YAML and built with melange

  6. melange
     • Declarative apk builder tool
     • Part of the build toolkit behind Wolfi / Chainguard Images
     • Build pipelines are defined in YAML files
     • Multi-architecture by default (via QEMU)
     • Platform-agnostic builds via Docker + the apko image

  7. apko
     • Declarative OCI image builder tool based on apk
     • Part of the build toolkit behind Wolfi / Chainguard Images
     • Images are defined in YAML files
     • Builds are fully reproducible
     • Automatically generates an SBOM for every image
     • Platform-agnostic builds via Docker + the apko image

  8. Chainguard Images
     • Curated OCI images built with apko and melange
     • Most are based on Wolfi; some are still migrating from Alpine as more package dependencies get built
     • Built nightly for several platforms
     • Zero-CVE goal
     • High-quality SBOMs
     • Signed with Sigstore
  9. (image-only slide)

  10. Why distroless?

  11. The distroless philosophy
      • Minimalist container images with only what is absolutely necessary to build or execute your application
      • Popular base images are full of software that only makes sense on bare metal
      • No need for package managers or interactive shells in production images
      • Fewer dependencies = smaller attack surface and fewer CVEs

  12. The distroless philosophy

  13. The distroless philosophy: Chainguard Images
  14. Custom distroless images: before / after
      • php:8.1-cli (Debian-based, official)
        ◦ Base image total size: 484MB
        ◦ Total CVEs: 386
      • minicli/php81 (Alpine-based, built with apko)
        ◦ Base image total size: 48MB
        ◦ Total CVEs: 0
  15. Composing a distroless image
      Steps to build your own distroless image

  16. (image-only slide)

  17. Example apko.yaml file contents:

      repositories:
        - https://dl-cdn.alpinelinux.org/alpine/edge/main
        - https://dl-cdn.alpinelinux.org/alpine/edge/community
      packages:
        - alpine-baselayout
        - php81
        - php81-common
      entrypoint:
        command: /usr/bin/php81
      environment:
        PATH: /usr/sbin:/sbin:/usr/bin:/bin
      accounts:
        groups:
          - groupname: nonroot
            gid: 65532
        users:
          - username: nonroot
            uid: 65532
        run-as: 65532
  18. Building the image with apko via Docker

      $ docker run --rm -v ${PWD}:/work cgr.dev/chainguard/apko build \
          apko.yaml apko-php:test apko-php.tar

      Testing the image with Docker

      $ docker load < apko-php.tar
      $ docker run -it apko-php:test

      The tarball name and image tag passed to docker load and docker run must match the ones given to apko build. If apko was allowed to build for several architectures, the tags inside the tarball carry an architecture suffix (for example apko-php:test-amd64); check the output of docker load for the exact tag to run.
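Before loading an image built from a definition like the apko.yaml above, it is worth checking that the definition actually delivers the distroless properties the previous slides argue for: no shell or package manager in the package list, a non-root run-as user that is declared under accounts, repositories fetched over https, and an explicit entrypoint. The following is an added example written for this page, not apko's own validation; it works on the parsed YAML (the dict yaml.safe_load would return), so the slide's configuration and a deliberately weak variant are embedded here as constructed dicts, and the package denylist is an illustrative assumption rather than an apko rule.

```python
"""Lint a parsed apko image definition for the distroless properties
described above. Added example, not part of apko."""
from __future__ import annotations

# Packages that would put a shell or package manager back into the image.
# Illustrative assumption for this example; extend it for your own base.
SHELL_OR_PKG_MANAGER = {
    "bash", "busybox", "dash", "zsh", "apk-tools", "alpine-base", "wolfi-base",
}

# The apko.yaml from the slides in parsed form (constructed here).
GOOD_CONFIG = {
    "repositories": [
        "https://dl-cdn.alpinelinux.org/alpine/edge/main",
        "https://dl-cdn.alpinelinux.org/alpine/edge/community",
    ],
    "packages": ["alpine-baselayout", "php81", "php81-common"],
    "entrypoint": {"command": "/usr/bin/php81"},
    "environment": {"PATH": "/usr/sbin:/sbin:/usr/bin:/bin"},
    "accounts": {
        "groups": [{"groupname": "nonroot", "gid": 65532}],
        "users": [{"username": "nonroot", "uid": 65532}],
        "run-as": 65532,
    },
}

# A deliberately weak variant (constructed): plain-http mirror, a shell and
# apk-tools in the package list, and no run-as, so the process runs as root.
BAD_CONFIG = {
    "repositories": ["http://dl-cdn.alpinelinux.org/alpine/edge/main"],
    "packages": ["alpine-baselayout", "php81", "bash", "apk-tools"],
    "entrypoint": {"command": "/usr/bin/php81"},
    "accounts": {"users": [{"username": "nonroot", "uid": 65532}]},
}


def find_issues(cfg: dict) -> list[str]:
    """Return the list of findings for one config; empty means it passes."""
    issues: list[str] = []

    # Repositories: apk index and packages should only come over TLS.
    for repo in cfg.get("repositories") or []:
        if not str(repo).startswith("https://"):
            issues.append(f"repository not fetched over https: {repo}")

    # Packages: nothing that gives an attacker a shell or a package manager.
    packages = set(cfg.get("packages") or [])
    for pkg in sorted(packages & SHELL_OR_PKG_MANAGER):
        issues.append(f"package reintroduces a shell or package manager: {pkg}")

    # Accounts: run-as must be set to a non-root user that is actually declared.
    accounts = cfg.get("accounts") or {}
    run_as = accounts.get("run-as")
    if run_as in (None, "", 0, "0", "root"):
        issues.append("process runs as root: accounts.run-as is missing or root")
    else:
        users = accounts.get("users") or []
        declared = {str(u.get("uid")) for u in users} | {str(u.get("username")) for u in users}
        if str(run_as) not in declared:
            issues.append(f"run-as {run_as} matches no user declared under accounts.users")

    # Entrypoint: make the image's purpose explicit instead of relying on a default.
    if not (cfg.get("entrypoint") or {}).get("command"):
        issues.append("no entrypoint.command set")

    return issues


def lint_file(path: str) -> list[str]:
    """Load an apko.yaml from disk and lint it (needs PyYAML, an assumption)."""
    import yaml  # optional dependency; only needed for this helper
    with open(path, "r", encoding="utf-8") as fh:
        return find_issues(yaml.safe_load(fh) or {})


if __name__ == "__main__":
    for name, cfg in (("slide config", GOOD_CONFIG), ("weak variant", BAD_CONFIG)):
        found = find_issues(cfg)
        print(f"{name}: {'OK' if not found else str(len(found)) + ' issue(s)'}")
        for issue in found:
            print("  -", issue)
```

Run it as-is to see the slide's configuration pass and the weak variant fail four checks; point lint_file at a real apko.yaml to lint your own definition before building.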
  19. Migration Case Study
      DEMO: Migrating a PHP image to apko / distroless

  20. App Overview
      • GitHub Action that runs on a schedule
      • Uses an image based on the official php:7.4-cli
        ◦ Size: 589MB
        ◦ CVEs (Trivy): 331
  21. Migration step 1: collecting dependencies

      FROM php:7.4-cli
      ARG user=dynacover
      ARG uid=1000
      RUN apt-get update && apt-get install -y git curl libonig-dev libxml2-dev \
          libfreetype6-dev libjpeg62-turbo-dev libpng-dev zip unzip
      RUN apt-get clean && rm -rf /var/lib/apt/lists/*
      RUN docker-php-ext-configure gd --with-freetype --with-jpeg && \
          docker-php-ext-install pdo_mysql mbstring exif pcntl bcmath gd
      COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
      RUN useradd -G sudo,root -u $uid -d /home/$user $user
      RUN mkdir -p /home/$user/.composer && \
          chown -R $user:$user /home/$user
      USER $user
      RUN mkdir -p /home/$user/dynacover
      COPY . /home/$user/dynacover/
      WORKDIR /home/$user/dynacover
      RUN composer install
      …
  22. Migration step 2: finding appropriate apks

  23. (image-only slide)

  24. Dynacover base image: before / after
      • Based on php:7.4-cli
        ◦ Base image total size: 589MB
        ◦ Total CVEs: 331
      • Distroless based on Alpine
        ◦ Base image total size: 48MB
        ◦ Total CVEs: 0
  25. Resources to Learn More
      • Chainguard Academy
      • Wolfi documentation
      • melange + apko tutorial on Chainguard Academy
      • Chainguard Images documentation
      • apko on GitHub
      • Troubleshooting apko builds
  26. Questions?

  27. Thank You! chainguard.dev | edu.chainguard.dev @chainguard_dev chainguard-dev