Learning Lab: WordPress

Transcript

1. Learning Lab: WordPress With Erika Heidi

2. Hi, I'm Erika! • Developer Experience Engineer at Chainguard •

   Background in PHP Dev, Linux and SysAdmin • Open Source enthusiast • Also: the "PHP person" at Chainguard 2

3. What we'll cover today • A Primer on Software Supply

   Chain Security and CVEs • Chainguard Images Overview • Migrating to Chainguard Images (in a nutshell) • Presenting the WordPress Chainguard Image • Demo 3

4. A Primer on Software Supply Chain Security and CVEs 4

5. Software Supply Chain Security • Much like in manufacturing industries,

   the process of creating, building, and delivering software depends on a large chain of dependencies that we call "software supply chain" • A compromise in any point of this chain (whether malicious or unintentional) is an example of software supply chain security issue • Preventive actions include limiting surface for attack and enforcing provenance attestations 5

6. 6

7. • Standing for Common Vulnerabilities and Exposures, CVEs are records

   of publicly disclosed software vulnerabilities • The CVE Program was created in 1999 and has now over 200.000 registered vulnerabilities, with more being added each day • The Common Vulnerability Scoring System (CVSS) provides a framework to classify vulnerabilities by severity (low, medium, high, and critical) • CLI scanners such as Grype and Trivy can be used to scan container images and detect the presence of affected packages • Patching CVEs is a time-draining task due to factors such as false positives and lack of readily-available upstream patches What are CVEs? 7

8. @adrianmouat

9. None

10. CVEs Compared: WordPress Images 10 Grype data from 2024-09-18

11. Chainguard Images Overview 11

12. Chainguard Images Low (or 0)CVE, minimal, hardened container images Based

    on the Wolfi undistro Built daily for extra crispiness Next-level hardening with distroless SBOMs, SLSA provenance Chainguard PHP Images

13. 13 PHP Chainguard Images Compared (Free Tier) PHP Laravel WordPress

    Distroless php:latest, php:latest-fpm laravel:latest wordpress:latest Non-Distroless php:latest-dev, php:latest-fpm-dev laravel:latest-dev wordpress:latest-dev Entrypoint latest: php (CLI) latest-fpm: php-fpm (server) php-fpm (server) latest: php-fpm latest-dev: entrypoint script / php-fpm PHP Extensions Basic Basic + required by Laravel Basic + required by WordPress

14. Chainguard Image Flavors • Distroless: a minimal image containing only

    the software necessary to create a slim runtime. Does not include apk or bash, so you can't easily install other software in it or log in. Default pull is distroless (latest) • Non-distroless: just the same as a regular apk-based container image (but still smaller / better). Includes apk, bash, and other utilities. Can be easily customized. Uses the -dev suffix (latest-dev) 14

15. Migrating to Chainguard Images 15

16. 1. Identify the base image you need 2. Start with

    the -dev variant of the image 3. Convert Dockerfile to Wolfi 4. Identify if packages are missing 5. Migrate to a distroless image in multi-stage Dockerfile Migration Process in a Nutshell 16

17. Migrating from Debian and Ubuntu 17 Command Description Debian-based Dockerfile

    Wolfi-based Equivalent Install a Package apt install apk add Remove a package apt remove apk del Update packages repo apt update apk update Add a user useradd adduser

18. Presenting the WordPress Chainguard Image 18

19. 19

20. 20

21. 21 Image Features latest-dev • Same entry point script from

    official images • Installs WP and copies custom plugins and themes to document root • Sets up ENV vars for database connection • wp-config.php uses getenv to obtain data (not hardcoded) • Allows customization through dashboard (install themes and plugins etc) latest (distroless) • Minimal runtime - no apk or shell • Requires a multi stage setup with latest-dev to copy contents to temporary environment and then over to final distroless image • Does not allow customization through dashboard (file modifications not allowed)

22. 22 Example 1: dev environment + customization (Dockerfile) FROM cgr.dev/chainguard/wordpress:latest-dev

    ARG UID=1000 USER root RUN addgroup wordpress && adduser -SD -u "$UID" -s /bin/bash wordpress wordpress RUN chown -R wordpress:wordpress /var/www/html USER wordpress

23. 23 Example 2: Multistage distroless (Dockerfile) FROM cgr.dev/chainguard/wordpress:latest-dev as builder

    #trigger wp-config.php creation ENV WORDPRESS_DB_HOST=foo #copy wp-content folder COPY ./wp-content /usr/src/wordpress/wp-content #run entrypoint script RUN /usr/local/bin/docker-entrypoint.sh php-fpm --version FROM cgr.dev/chainguard/wordpress:latest COPY --from=builder --chown=php:php /var/www/html /var/www/html

24. Demo Time! WordPress Image Demo 24

25. Thank you! 25 @erikaheidi | edu.chainguard.dev chainguard.dev