Hello Wolfi

Transcript

1. Hello, Wolfi! An introduction to the Linux (un)distro built for

   containers and Chainguard's open source tools behind it chainguard.dev | @erikaheidi

2. What we'll cover today • Wolfi ecosystem overview ◦ apko,

   melange, Wolfi, and Chainguard Images • What are distroless images • Migrating to distroless • Demo

3. Ecosystem Overview

4. None

5. Wolfi • Tiny Linux Distribution • "Undistro" because it doesn't

   have stuff that normally goes into a Linux distribution (kernel, man pages, a bunch of other packages that don't make sense for containers) • Based on apk (the Alpine package manager) • Primarily GLIB-C (but MUSL is on the roadmap) • Packages defined as YAML and built with melange

6. melange • Declarative apk builder tool • Part of the

   building toolkit behind Wolfi / Chainguard Images • Build pipelines are defined in YAML files • Multi-architecture by default (via QUEMU) • Platform-agnostic builds via Docker + apko image

7. apko • Declarative OCI image builder tool based on apk

   • Part of the building toolkit behind Wolfi / Chainguard Images • Images are defined in YAML files • Builds are fully reproducible • Automatically generates SBOMs for every image • Platform-agnostic builds via Docker + apko image

8. Chainguard Images • Curated OCI images built with apko and

   melange • Most based on Wolfi, some still migrating from Alpine as we build more package dependencies • Nightly built for several platforms • Zero CVEs goal • High quality SBOMs • Signed with Sigstore
9. None

10. Why distroless?

11. The distroless philosophy • Minimalist container images with only what's

    absolutely necessary to build or execute your application • Popular base images are full of software that only makes sense on bare-metal • No need for package managers or interactive shells on production images • Less dependencies = smaller attack surface, less CVEs

12. The distroless philosophy

13. The distroless philosophy: Chainguard Images

14. Custom distroless images: before / after • php:8.1-cli (Debian-based, official)

    • Base image total size: 484MB • Total CVEs: 386 • minicli/php81 (alpine-based, built with apko) • Base image total size: 48MB • Total CVEs: 0

15. Composing a distroless image Steps to build your own distroless

    image
16. None

17. Example apko.yaml file contents: repositories: - https://dl-cdn.alpinelinux.org/alpine/edge/main - https://dl-cdn.alpinelinux.org/alpine/edge/community packages:

    - alpine-baselayout - php81 - php81-common entrypoint: command: /usr/bin/php81 environment: PATH: /usr/sbin:/sbin:/usr/bin:/bin accounts: groups: - groupname: nonroot gid: 65532 users: - username: nonroot uid: 65532 run-as: 65532

18. Building the image with apko via Docker $ docker run

    --rm -v ${PWD}:/work cgr.dev/chainguard/apko build \ apko.yaml apko-php:test apko-php.tar Testing the image with Docker $ docker load < alpine-test.tar $ docker run -it alpine-base:test

19. Migration Case Study DEMO: Migrating a PHP image to apko

    / distroless

20. App Overview • GitHub Action that runs on schedule •

    Using an image based on the official php:7.4-cli ◦ Size: 589MB ◦ CVEs (Trivy): 331

21. Migration step 1: collecting dependencies FROM php:7.4-cli ARG user=dynacover ARG

    uid=1000 RUN apt-get update && apt-get install -y git curl libonig-dev libxml2-dev libfreetype6-dev libjpeg62-turbo-dev libpng-dev zip unzip RUN apt-get clean && rm -rf /var/lib/apt/lists/* RUN docker-php-ext-configure gd --with-freetype --with-jpeg && \ docker-php-ext-install pdo_mysql mbstring exif pcntl bcmath gd COPY --from=composer:latest /usr/bin/composer /usr/bin/composer RUN useradd -G sudo,root -u $uid -d /home/$user $user RUN mkdir -p /home/$user/.composer && \ chown -R $user:$user /home/$user USER $user RUN mkdir -p /home/$user/dynacover COPY . /home/$user/dynacover/ WORKDIR /home/$user/dynacover RUN composer install …

22. Migration step 2: finding appropriate apks

23. None

24. Dynacover base image: before / after • Based on php:7.4-cli

    • Base image total size: 589MB • Total CVEs: 331 • Distroless based on Alpine • Base image total size: 48MB • Total CVEs: 0

25. Resources to Learn More • Chainguard Academy • Wolfi documentation

    • melange + apko tutorial on Chainguard Academy • Chainguard Images documentation • apko on GitHub • Troubleshooting apko builds

26. Questions?

27. Thank You! chainguard.dev | edu.chainguard.dev @chainguard_dev chainguard-dev