Introducing Chainguard Images for Safer PHP Runtimes

Transcript

1. Chainguard Creating Safer PHP Runtimes An introduction to Chainguard minimal

   images for the PHP ecosystem chainguard.dev

2. Hi, I'm Erika! • Developer Experience Engineer at Chainguard ◦

   Writing docs, tutorials, presentations, demos… • Open Source enthusiast ◦ PHP Developer focused on CLI applications ◦ Author of Minicli, Librarian, Autodocs… • Too many hobbies

3. What we'll cover today • A Primer on Software Supply

   Chain Security and CVEs • Introducing Chainguard Images • Migrating to (PHP) Chainguard Images • Demo

4. A Primer on Software Supply Chain Security and CVEs

5. Software Supply Chain Security • Much like in manufacturing industries,

   the process of creating, building, and delivering software depends on a large chain of dependencies that we call "software supply chain" • A compromise in any point of this chain (whether malicious or unintentional) is an example of software supply chain security issue • Preventive actions include limiting surface for attack and enforcing provenance attestations

6. • Standing for Common Vulnerabilities and Exposures, CVEs are records

   of publicly disclosed software vulnerabilities • The CVE Program was created in 1999 and has now over 200.000 registered vulnerabilities, with more being added each day • The Common Vulnerability Scoring System (CVSS) provides a framework to classify vulnerabilities by severity (low, medium, high, and critical) • CLI scanners such as Grype and Trivy can be used to scan container images and detect the presence of affected packages • Patching CVEs is a time-draining task due to factors such as false positives and lack of readily-available upstream patches What are CVEs?

7. How many is too many?

8. How long does it take to be fixed? CVE-2024-2961 Last

   scanned: April 22

9. How long does it take to be fixed? CVE-2024-2961 Last

   scanned: April 22

10. Introducing Chainguard Images Minimal images aiming for zero CVEs

11. Chainguard Images • Minimal, "flat" container images based on Wolfi,

    the Linux undistro built for containers • Includes distroless and builder images • Zero CVEs goal (achieved most of the time) • High quality SBOMs • Cryptographic signatures to attest provenance for every build

12. Comparing Images: PHP (Alpine)

13. CVEs Compared: Alpine vs Chainguard Images

14. Remember CVE-2024-2961 ? ???

15. Migrating to Chainguard Images Migrating PHP Dockerfiles to Chainguard Images

16. 1. Identify the base image you need a. Refer to

    the images directory to identify the image that is the closest match to what you currently use, or start with wolfi-base for a clean canvas. 2. Try the -dev variant of the image first a. Chainguard Images typically have a distroless variant, which is very minimal and doesn’t include apk, and a builder variant that contains tooling necessary to build applications and install new packages. Start with the dev variant or the wolfi-base image to have more room for customization. 3. Identify packages you need to install a. Depending on your current base image, you may need to include additional packages to meet dependencies. 4. Migrate to a distroless image a. Evaluate the option of using a Docker multi-stage build to create a final distroless image containing only what you need. Migration Process in a Nutshell

17. Migrating from Debian and Ubuntu

18. Migrating from Red Hat UBI

19. docker run --rm -v ${PWD}:/work --entrypoint composer --user root \

    cgr.dev/chainguard/php:latest-dev \ install --working-dir=/work PHP Development Running Composer from Host

20. docker run --rm -v ${PWD}:/work --entrypoint composer --user laravel \

    cgr.dev/chainguard/laravel:latest-dev \ create-project laravel/laravel demo-laravel --working-dir=/work Laravel Development Running Composer from Host (create new app) docker run -p 8000:8000 --rm -it -v ${PWD}:/work \ --entrypoint /work/demo-laravel/artisan --user laravel \ cgr.dev/chainguard/laravel:latest-dev serve --host=0.0.0.0 Previewing app with Artisan

21. Using Docker Compose for Development

22. FROM cgr.dev/chainguard/php:latest-dev AS builder USER root COPY . /app RUN

    cd /app && chown -R php.php /app USER php RUN composer install --no-progress --no-dev --prefer-dist FROM cgr.dev/chainguard/php:latest COPY --from=builder /app /app ENTRYPOINT [ "php", "/app/autodocs" ] Multi-Stage Builds for CLI PHP Applications

23. FROM cgr.dev/chainguard/php:latest-fpm-dev AS builder USER root COPY . /app RUN

    cd /app && chown -R php.php /app USER php RUN composer install --no-progress --no-dev --prefer-dist FROM cgr.dev/chainguard/php:latest-fpm COPY --from=builder /app /app Multi-Stage Builds for Web PHP Applications

24. Demos

25. Questions?

26. Resources to Learn More • Chainguard Academy • Chainguard Images

    Directory • Migrating to PHP Chainguard Images • Debugging Distroless Images • PHP image docs • Laravel image docs

27. chainguard.dev | edu.chainguard.dev @chainguard_dev chainguard-dev