Slide 1

Slide 1 text

Learning Lab: WordPress With Erika Heidi

Slide 2

Slide 2 text

Hi, I'm Erika!
● Developer Experience Engineer at Chainguard
● Background in PHP Dev, Linux and SysAdmin
● Open Source enthusiast
● Also: the "PHP person" at Chainguard

Slide 3

Slide 3 text

What we'll cover today
● A Primer on Software Supply Chain Security and CVEs
● Chainguard Images Overview
● Migrating to Chainguard Images (in a nutshell)
● Presenting the WordPress Chainguard Image
● Demo

Slide 4

Slide 4 text

A Primer on Software Supply Chain Security and CVEs

Slide 5

Slide 5 text

Software Supply Chain Security
● Much like in manufacturing industries, the process of creating, building, and delivering software depends on a large chain of dependencies that we call the "software supply chain"
● A compromise at any point in this chain (whether malicious or unintentional) is a software supply chain security issue
● Preventive actions include limiting the attack surface and enforcing provenance attestations

Slide 6

Slide 6 text


Slide 7

Slide 7 text

What are CVEs?
● Standing for Common Vulnerabilities and Exposures, CVEs are records of publicly disclosed software vulnerabilities
● The CVE Program was created in 1999 and now has over 200,000 registered vulnerabilities, with more being added each day
● The Common Vulnerability Scoring System (CVSS) provides a framework to classify vulnerabilities by severity (low, medium, high, and critical)
● CLI scanners such as Grype and Trivy can scan container images and detect the presence of affected packages
● Patching CVEs is a time-draining task due to factors such as false positives and the lack of readily available upstream patches
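As an added example (not part of the original deck and not Chainguard's tooling), here is a small gate a CI job could run over the output of "grype IMAGE -o json". It tallies findings by severity and by fix state, so that findings with no upstream patch yet are reported but do not block the build, which is the triage the last bullet above calls for. The JSON field names are assumed from Grype's schema (matches[].vulnerability.id, .severity, .fix.state, .fix.versions and matches[].artifact.name, .version); check them against your Grype version. The embedded report is constructed for illustration, not real scan data.

```python
"""Severity / fix-state gate over Grype JSON output.

Added example, not code from the slides or from Chainguard. It reads a Grype
report (`grype IMAGE -o json`), tallies findings by severity and fix state,
and returns a CI exit code that fails only on findings that a rebuild with
patched packages can actually remove. Field names assumed from Grype's JSON
schema: matches[].vulnerability.{id,severity,fix.state,fix.versions} and
matches[].artifact.{name,version}; verify against your Grype version.
SAMPLE below is constructed for illustration and is not real scan data.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Only findings with a released upstream fix are actionable by a rebuild.
ACTIONABLE_FIX_STATES = {"fixed"}

# Constructed sample report; the CVE ids are placeholders, not real records.
SAMPLE = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["2.0.1"]}},
     "artifact": {"name": "libexample", "version": "2.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "libother", "version": "1.4"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                       "fix": {"state": "wont-fix", "versions": []}},
     "artifact": {"name": "libother", "version": "1.4"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["0.9"]}},
     "artifact": {"name": "tool", "version": "0.8"}},
]})


def load_matches(report_json):
    """Parse a Grype JSON report and return its list of matches."""
    return json.loads(report_json).get("matches", [])


def summarize(matches):
    """Count findings per (severity, fix state) pair."""
    counts = Counter()
    for m in matches:
        vuln = m["vulnerability"]
        fix_state = vuln.get("fix", {}).get("state", "unknown")
        counts[(vuln.get("severity", "Unknown"), fix_state)] += 1
    return counts


def blocking_findings(matches, threshold="High", require_fix=True):
    """Findings at or above `threshold`; with require_fix, only those with an
    upstream fix (unfixable findings are tracked, not blocked on).
    Severities outside SEVERITY_RANK (e.g. "Unknown") never block here;
    treat them as blocking if your policy is stricter."""
    min_rank = SEVERITY_RANK[threshold]
    rows = []
    for m in matches:
        vuln = m["vulnerability"]
        if SEVERITY_RANK.get(vuln.get("severity"), -1) < min_rank:
            continue
        fix = vuln.get("fix", {})
        if require_fix and fix.get("state") not in ACTIONABLE_FIX_STATES:
            continue
        art = m["artifact"]
        rows.append((vuln["id"], vuln["severity"], art["name"],
                     art["version"], ",".join(fix.get("versions", []))))
    return rows


def gate(report_json, threshold="High", require_fix=True):
    """Print a summary and return the CI exit code: 0 clean, 1 blocking."""
    matches = load_matches(report_json)
    for (sev, state), n in sorted(summarize(matches).items()):
        print(f"{sev:<10} {state:<10} {n}")
    blocking = blocking_findings(matches, threshold, require_fix)
    for row in blocking:
        print("BLOCKING", *row)
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: grype cgr.dev/chainguard/wordpress:latest -o json | python3 grype_gate.py
    data = sys.stdin.read() if len(sys.argv) < 2 else open(sys.argv[1]).read()
    sys.exit(gate(data if data.strip() else SAMPLE))
```

Grype's own --fail-on and --only-fixed flags implement the same pass/fail policy on their own; what the script adds is the per-severity and per-fix-state summary, which is the view you need to decide whether a remaining finding is a false positive, an unpatched upstream issue, or something a rebuild will remove.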

Slide 8

Slide 8 text

@adrianmouat

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

CVEs Compared: WordPress Images (Grype data from 2024-09-18)

Slide 11

Slide 11 text

Chainguard Images Overview

Slide 12

Slide 12 text

Chainguard Images
● Low (or 0) CVE, minimal, hardened container images
● Based on the Wolfi undistro
● Built daily for extra crispiness
● Next-level hardening with distroless
● SBOMs, SLSA provenance
Chainguard PHP Images

Slide 13

Slide 13 text

PHP Chainguard Images Compared (Free Tier)

                  PHP                                   Laravel                        WordPress
Distroless        php:latest, php:latest-fpm            laravel:latest                 wordpress:latest
Non-Distroless    php:latest-dev, php:latest-fpm-dev    laravel:latest-dev             wordpress:latest-dev
Entrypoint        latest: php (CLI);                    php-fpm (server)               latest: php-fpm;
                  latest-fpm: php-fpm (server)                                         latest-dev: entrypoint script / php-fpm
PHP Extensions    Basic                                 Basic + required by Laravel    Basic + required by WordPress

Slide 14

Slide 14 text

Chainguard Image Flavors
● Distroless: a minimal image containing only the software necessary for a slim runtime. Does not include apk or bash, so you can't easily install other software in it or log in. The default pull (latest) is distroless
● Non-distroless: the same as a regular apk-based container image (but still smaller and with fewer CVEs). Includes apk, bash, and other utilities. Can be easily customized. Uses the -dev suffix (latest-dev)

Slide 15

Slide 15 text

Migrating to Chainguard Images

Slide 16

Slide 16 text

Migration Process in a Nutshell
1. Identify the base image you need
2. Start with the -dev variant of the image
3. Convert the Dockerfile to Wolfi
4. Identify if packages are missing
5. Migrate to a distroless image in a multi-stage Dockerfile

Slide 17

Slide 17 text

Migrating from Debian and Ubuntu

Command                   Debian-based Dockerfile   Wolfi-based Equivalent
Install a package         apt install               apk add
Remove a package          apt remove                apk del
Update package repos      apt update                apk update
Add a user                useradd                   adduser
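The migration steps and the command table above can be checked mechanically before you start. The following checker is an added example, not the deck's own tooling: it parses a Dockerfile (joining backslash-continued lines), maps the Debian commands from the table to their Wolfi equivalents, flags Debian or Ubuntu base images, and flags RUN steps in a distroless (non -dev) final stage, which cannot work because that stage has no shell or apk. The two sample Dockerfiles inside are constructed for illustration; the "-dev suffix means non-distroless" rule is the one the deck states for Chainguard images, and the checker does not classify images from other registries.

```python
"""Dockerfile checker for the Debian/Ubuntu -> Wolfi migration.

Added example, not the slides' own tooling. It joins backslash-continued
lines, splits the Dockerfile into FROM stages, and reports: Debian/Ubuntu
base images (step 1), the apt/useradd commands from the slide table with
their apk equivalents (step 3), and RUN steps in a distroless final stage,
where no shell or apk exists (step 5). Both SAMPLE_* Dockerfiles are
constructed for illustration.
"""
import re

# (label, pattern in a RUN line, Wolfi equivalent) taken from the slide table.
APT_TO_APK = [
    ("apt install", re.compile(r"\bapt(?:-get)?\s+install\b"), "apk add (usually apk add --no-cache)"),
    ("apt remove", re.compile(r"\bapt(?:-get)?\s+remove\b"), "apk del"),
    ("apt update", re.compile(r"\bapt(?:-get)?\s+update\b"), "apk update"),
    ("useradd", re.compile(r"\buseradd\b"), "adduser"),
]

SAMPLE_DEBIAN = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends \\
    curl ca-certificates
RUN useradd -m app
USER app
"""

SAMPLE_BAD_FINAL = """\
FROM cgr.dev/chainguard/wordpress:latest-dev AS builder
RUN apk add --no-cache curl
FROM cgr.dev/chainguard/wordpress:latest
RUN apk add --no-cache curl
COPY --from=builder --chown=php:php /var/www/html /var/www/html
"""


def parse_instructions(text):
    """Return [(start_line, INSTRUCTION, args)] with continuations joined."""
    out, start, buf = [], None, ""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.lstrip().startswith("#") or (start is None and not line.strip()):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.strip().split(None, 1)
        out.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        start, buf = None, ""
    return out


def split_stages(instrs):
    """Group instructions under their FROM line (ARG before FROM is ignored)."""
    stages = []
    for line, name, args in instrs:
        if name == "FROM":
            stages.append({"line": line, "base": args.split()[0], "instructions": []})
        elif stages:
            stages[-1]["instructions"].append((line, name, args))
    return stages


def is_distroless_chainguard(image):
    """Chainguard images are distroless unless the tag carries the -dev suffix."""
    ref = image.split("@", 1)[0]                   # drop any digest
    if not ref.startswith("cgr.dev/chainguard/"):
        return False
    last = ref.rsplit("/", 1)[1]
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    return not tag.endswith("-dev")


def check(text):
    """Return sorted (line, message) findings for a Dockerfile."""
    findings = []
    stages = split_stages(parse_instructions(text))
    for i, st in enumerate(stages):
        base = st["base"].split("@", 1)[0]
        if re.match(r"^(debian|ubuntu)(:|$)", base):
            findings.append((st["line"], f"FROM {base}: pick a Chainguard base and start from its -dev variant (steps 1-2)"))
        final_distroless = i == len(stages) - 1 and is_distroless_chainguard(st["base"])
        for line, name, args in st["instructions"]:
            if name != "RUN":
                continue
            if final_distroless:
                findings.append((line, "RUN in a distroless final stage: no shell or apk there; move it to a -dev builder stage and COPY --from it (step 5)"))
            for label, pat, repl in APT_TO_APK:
                if pat.search(args):
                    findings.append((line, f"{label} -> {repl} (step 3)"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBIAN
    for line, msg in check(text):
        print(f"line {line}: {msg}")
```

Run it as "python3 wolfi_check.py Dockerfile"; with no argument it checks the constructed Debian sample. Step 4 (missing packages) is deliberately not covered: whether a Wolfi package exists for each apt package is only answerable against the Wolfi repository, so that check belongs in the -dev build itself.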

Slide 18

Slide 18 text

Presenting the WordPress Chainguard Image

Slide 19

Slide 19 text


Slide 20

Slide 20 text


Slide 21

Slide 21 text

Image Features

latest-dev
● Same entrypoint script as the official images
● Installs WP and copies custom plugins and themes to the document root
● Sets up ENV vars for the database connection
● wp-config.php uses getenv to obtain data (not hardcoded)
● Allows customization through the dashboard (install themes and plugins, etc.)

latest (distroless)
● Minimal runtime - no apk or shell
● Requires a multi-stage setup with latest-dev to copy contents to a temporary environment and then over to the final distroless image
● Does not allow customization through the dashboard (file modifications not allowed)

Slide 22

Slide 22 text

Example 1: dev environment + customization (Dockerfile)

# -dev variant: includes apk, bash and the entrypoint script, so it can be customized
FROM cgr.dev/chainguard/wordpress:latest-dev
# match the UID of the host user so bind-mounted files stay writable
ARG UID=1000
USER root
RUN addgroup wordpress && adduser -SD -u "$UID" -s /bin/bash wordpress wordpress
RUN chown -R wordpress:wordpress /var/www/html
# drop back to the unprivileged user for runtime
USER wordpress

Slide 23

Slide 23 text

Example 2: Multistage distroless (Dockerfile)

FROM cgr.dev/chainguard/wordpress:latest-dev AS builder
# trigger wp-config.php creation (placeholder value: it stays in this builder stage only;
# the real database settings are read by wp-config.php from the runtime environment)
ENV WORDPRESS_DB_HOST=foo
# copy wp-content folder
COPY ./wp-content /usr/src/wordpress/wp-content
# run entrypoint script, which populates /var/www/html
RUN /usr/local/bin/docker-entrypoint.sh php-fpm --version

# final image is distroless (no shell, no apk), so only COPY from the builder
FROM cgr.dev/chainguard/wordpress:latest
COPY --from=builder --chown=php:php /var/www/html /var/www/html

Slide 24

Slide 24 text

Demo Time! WordPress Image Demo

Slide 25

Slide 25 text

Thank you! @erikaheidi | edu.chainguard.dev | chainguard.dev