Wolfi ● Tiny Linux Distribution ● "Undistro" because it doesn't have stuff that normally goes into a Linux distribution (kernel, man pages, a bunch of other packages that don't make sense for containers) ● Based on apk (the Alpine package manager) ● Primarily GLIB-C (but MUSL is on the roadmap) ● Packages defined as YAML and built with melange
melange ● Declarative apk builder tool ● Part of the building toolkit behind Wolfi / Chainguard Images ● Build pipelines are defined in YAML files ● Multi-architecture by default (via QUEMU) ● Platform-agnostic builds via Docker + apko image
apko ● Declarative OCI image builder tool based on apk ● Part of the building toolkit behind Wolfi / Chainguard Images ● Images are defined in YAML files ● Builds are fully reproducible ● Automatically generates SBOMs for every image ● Platform-agnostic builds via Docker + apko image
Building the image with apko via Docker $ docker run --rm -v ${PWD}:/work cgr.dev/chainguard/apko build alpine-base.yaml alpine-base:test alpine-test.tar Testing the image with Docker $ docker load < alpine-test.tar $ docker run -it alpine-base:test
Why apk ● Introduced by Alpine, it uses a different methodology to handle package management ● Package installation or removal is done as a side effect of modifying the system state ● This creates the ideal conditions for reproducible and declarative pipelines
Where do packages come from ● For Alpine-based images, use Alpine apks found at pkgs.alpinelinux.org/packages ● For Wolfi-based images, use Wolfi apks that are listed in the wolfi-os repository, hosted at packages.wolfi.dev/os ● Don't mix! ● You can also create your own apks with melange
The distroless philosophy ● Minimalist container images with only what's absolutely necessary to build or execute your application ● Popular base images are full of software that only makes sense on bare-metal ● No need for package managers or interactive shells on production images ● Less dependencies = smaller attack surface, less CVEs
Dynacover base image: before / after ● Based on php:7.4-cli ● Base image total size: 589MB ● Total CVEs: 331 ● Distroless based on Alpine ● Base image total size: 48MB ● Total CVEs: 0
Resources to Learn More ● minicli:php81 on GitHub ● Getting Started with apko tutorial on Chainguard Academy ● apko on GitHub ● Troubleshooting apko builds ● Chainguard Images documentation ● Wolfi documentation