Hello Wolfi

Transcript

1. Hello, Wolfi!
   An introduction to the Linux (un)distro built for containers
   and Chainguard's open source tools behind it
   chainguard.dev | @erikaheidi
   

   View Slide

2. What we'll cover today
   ● Wolfi ecosystem overview
   ○ apko, melange, Wolfi, and Chainguard Images
   ● What are distroless images
   ● Migrating to distroless
   ● Demo
   

   View Slide

3. Ecosystem Overview
   

   View Slide

4. View Slide

5. Wolfi
   ● Tiny Linux Distribution
   ● "Undistro" because it doesn't have stuff that normally goes into a Linux
   distribution (kernel, man pages, a bunch of other packages that don't make
   sense for containers)
   ● Based on apk (the Alpine package manager)
   ● Primarily GLIB-C (but MUSL is on the roadmap)
   ● Packages defined as YAML and built with melange
   

   View Slide

6. melange
   ● Declarative apk builder tool
   ● Part of the building toolkit behind Wolfi / Chainguard Images
   ● Build pipelines are defined in YAML files
   ● Multi-architecture by default (via QUEMU)
   ● Platform-agnostic builds via Docker + apko image
   

   View Slide

7. apko
   ● Declarative OCI image builder tool based on apk
   ● Part of the building toolkit behind Wolfi / Chainguard Images
   ● Images are defined in YAML files
   ● Builds are fully reproducible
   ● Automatically generates SBOMs for every image
   ● Platform-agnostic builds via Docker + apko image
   

   View Slide

8. Chainguard Images
   ● Curated OCI images built with apko and melange
   ● Most based on Wolfi, some still migrating from Alpine as we build more
   package dependencies
   ● Nightly built for several platforms
   ● Zero CVEs goal
   ● High quality SBOMs
   ● Signed with Sigstore
   

   View Slide

9. View Slide

10. Why distroless?
    

    View Slide

11. The distroless philosophy
    ● Minimalist container images with only what's absolutely necessary to
    build or execute your application
    ● Popular base images are full of software that only makes sense on
    bare-metal
    ● No need for package managers or interactive shells on production
    images
    ● Less dependencies = smaller attack surface, less CVEs
    

    View Slide

12. The distroless philosophy
    

    View Slide

13. The distroless philosophy: Chainguard Images
    

    View Slide

14. Custom distroless images: before / after
    ● php:8.1-cli (Debian-based, official)
    ● Base image total size: 484MB
    ● Total CVEs: 386
    ● minicli/php81 (alpine-based, built with apko)
    ● Base image total size: 48MB
    ● Total CVEs: 0
    

    View Slide

15. Composing a distroless image
    Steps to build your own distroless image
    

    View Slide

16. View Slide

17. Example apko.yaml file
    contents:
    repositories:
    - https://dl-cdn.alpinelinux.org/alpine/edge/main
    - https://dl-cdn.alpinelinux.org/alpine/edge/community
    packages:
    - alpine-baselayout
    - php81
    - php81-common
    entrypoint:
    command: /usr/bin/php81
    environment:
    PATH: /usr/sbin:/sbin:/usr/bin:/bin
    accounts:
    groups:
    - groupname: nonroot
    gid: 65532
    users:
    - username: nonroot
    uid: 65532
    run-as: 65532
    

    View Slide

18. Building the image with apko via Docker
    $ docker run --rm -v ${PWD}:/work cgr.dev/chainguard/apko build \
    apko.yaml apko-php:test apko-php.tar
    Testing the image with Docker
    $ docker load < alpine-test.tar
    $ docker run -it alpine-base:test
    

    View Slide

19. Migration Case Study
    DEMO: Migrating a PHP image to apko /
    distroless
    

    View Slide

20. App Overview
    ● GitHub Action that runs
    on schedule
    ● Using an image based on
    the official php:7.4-cli
    ○ Size: 589MB
    ○ CVEs (Trivy): 331
    

    View Slide

21. Migration step 1: collecting dependencies
    FROM php:7.4-cli
    ARG user=dynacover
    ARG uid=1000
    RUN apt-get update && apt-get install -y git curl libonig-dev libxml2-dev libfreetype6-dev
    libjpeg62-turbo-dev libpng-dev zip unzip
    RUN apt-get clean && rm -rf /var/lib/apt/lists/*
    RUN docker-php-ext-configure gd --with-freetype --with-jpeg && \
    docker-php-ext-install pdo_mysql mbstring exif pcntl bcmath gd
    COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
    RUN useradd -G sudo,root -u $uid -d /home/$user $user
    RUN mkdir -p /home/$user/.composer && \
    chown -R $user:$user /home/$user
    USER $user
    RUN mkdir -p /home/$user/dynacover
    COPY . /home/$user/dynacover/
    WORKDIR /home/$user/dynacover
    RUN composer install
    …
    

    View Slide

22. Migration step 2: finding appropriate apks
    

    View Slide

23. View Slide

24. Dynacover base image: before / after
    ● Based on php:7.4-cli
    ● Base image total size: 589MB
    ● Total CVEs: 331
    ● Distroless based on Alpine
    ● Base image total size: 48MB
    ● Total CVEs: 0
    

    View Slide

25. Resources to Learn More
    ● Chainguard Academy
    ● Wolfi documentation
    ● melange + apko tutorial on Chainguard Academy
    ● Chainguard Images documentation
    ● apko on GitHub
    ● Troubleshooting apko builds
    

    View Slide

26. Questions?
    

    View Slide

27. Thank You!
    chainguard.dev | edu.chainguard.dev
    @chainguard_dev
    chainguard-dev
    

    View Slide