
Building the World: The Story Behind Wolfi

As the container ecosystem matures, there is an increased need for new standards and runtime environments that take into consideration security and provenance concerns, driving the next generation of tools and recommended practices to build container images.

In this talk, you'll learn everything about Wolfi, a Linux "undistro" built for containers. We'll see why it was created and how it is maintained, using the Wolfi PHP package to demonstrate our open source apk build system.

Erika Heidi

October 13, 2023


Transcript

  1. Building the World
    The story behind Wolfi, the Linux undistro built for containers

  2. Hi, I'm Erika!
    ● Developer Experience Engineer at Chainguard
    ○ Writing docs, tutorials, presentations, demos…
    ● Open Source enthusiast
    ○ PHP Developer focused on CLI applications
    ○ Author of Minicli, Librarian, autodocs…
    ● Too many hobbies

  3. What is Wolfi

  4. What is Wolfi?
    ● Small Linux distro for containers
    ● "Undistro" because it doesn't have stuff that normally goes into a Linux distribution
    ● Based on apk (the Alpine package manager)
    ● Fast updates

  5. Why APK?
    ● Has a design that facilitates reproducible builds
    ● System state is not changed if the apk resolver can't "fix the world"

  6. Images Comparison

  7. Wolfi on GitHub

  8. How it all started

  9. How everything started

  10. Jason explains it all

  11. Naming is hard

  12. Boxxy memorial

  13. Wolfi it is

  14. Release Day - September 22, 2022

  15. The ecosystem

  16. The Tools
    melange
    ● Declarative apk builder tool
    ● Build pipelines are defined in YAML files
    ● Multi-architecture by default
    ● Platform-agnostic builds via Docker + melange image
    apko
    ● Declarative OCI image builder tool based on apk
    ● Generates flat images w/ a single layer
    ● Images are defined in YAML files
    ● Builds are fully reproducible
    ● Automatically generates SBOMs for every image
    ● Platform-agnostic builds via Docker + apko image

  17. Why apko: building distroless images
    ● Minimalist container images with only what's absolutely necessary to build or execute your application
    ● Popular base images are full of software that only makes sense on bare metal
    ● No need for package managers or interactive shells on production images
    ● Fewer dependencies = smaller attack surface, fewer CVEs

  18. PHP in Wolfi

  19. How PHP landed in Wolfi

  20. How PHP landed in Wolfi

  21. How PHP landed in Wolfi

  22. How PHP landed in Wolfi

  23. How PHP landed in Wolfi

  24. How PHP landed in Wolfi

  25. How PHP landed in Wolfi

  26. Building Wolfi-based PHP Images
    3 ways to use Wolfi for your PHP runtimes
    ● Use cgr.dev/chainguard/php:latest-dev with a Dockerfile and install missing dependencies
    ● Use cgr.dev/chainguard/wolfi-base:latest with a Dockerfile and install all dependencies
    ● Use apko for composing a flat, distroless image using Wolfi packages
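    An apko image definition for the third option, added here as an illustration; it is not from the talk or the Wolfi project. It assumes the public Wolfi apk repository and signing-key URLs, that the PHP CLI runtime is packaged as `php` in Wolfi, and that the binary is installed at /usr/bin/php.

```yaml
# php.yaml: apko definition for a flat, distroless PHP image (added example;
# package names, paths and the nonroot uid/gid are assumptions)
contents:
  repositories:
    - https://packages.wolfi.dev/os          # assumed public Wolfi apk repository
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub  # assumed repo signing key; apk refuses unsigned packages
  packages:
    - php                     # assumed Wolfi package providing the PHP CLI
    - ca-certificates-bundle  # TLS roots, only needed if the app makes outbound HTTPS calls
    # Deliberately absent: busybox, apk-tools, a shell. Nothing here can be used
    # to open an interactive session or install software at runtime.

accounts:
  groups:
    - groupname: nonroot
      gid: 65532
  users:
    - username: nonroot
      uid: 65532
      gid: 65532
  run-as: nonroot             # the PHP process never runs as uid 0 in the container

environment:
  PATH: /usr/sbin:/sbin:/usr/bin:/bin

entrypoint:
  command: /usr/bin/php       # assumed install path of the php binary

archs:
  - x86_64
  - aarch64                   # one definition, two platform-specific images
```

    Building it with `apko build php.yaml php:latest php.tar` writes a single-layer image tarball and, as the slides note, an SBOM for the resulting image alongside it.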

  27. Where we are today

  28. Happy birthday Wolfi!
    In the month of September, we celebrated Wolfi's first birthday 🎉
    18k+ packages: from zero to 1600+ package configs in one year, which build into 18k+ packages available via Wolfi's repo
    4k+ PRs merged: with more than 60 contributors from around the world and a strong team of in-house maintainers, for a fast-paced update cadence and new packages added daily
    Less than 24h: the average time it takes for a package to be updated or patched to its latest release and made available upstream

  29. Learn more and get involved
    ● Wolfi documentation at Chainguard Academy
    ● Wolfi repository on GitHub
    ● Building a Wolfi Package - tutorial
    ● Issues tagged for Hacktoberfest
    ● Wolfi Community Call Calendar
    ● Wolfi on X/Twitter