
Learning Lab: WordPress

Erika Heidi
September 24, 2024

In this live event I presented Chainguard's new WordPress image, a minimal and low-to-zero CVE container image suitable for building and running WordPress websites.

Transcript

  1. Hi, I'm Erika!
     • Developer Experience Engineer at Chainguard
     • Background in PHP Dev, Linux and SysAdmin
     • Open Source enthusiast
     • Also: the "PHP person" at Chainguard
  2. What we'll cover today
     • A Primer on Software Supply Chain Security and CVEs
     • Chainguard Images Overview
     • Migrating to Chainguard Images (in a nutshell)
     • Presenting the WordPress Chainguard Image
     • Demo
  3. Software Supply Chain Security
     • Much like in manufacturing industries, the process of creating, building, and delivering software depends on a large chain of dependencies that we call the "software supply chain"
     • A compromise at any point of this chain (whether malicious or unintentional) is an example of a software supply chain security issue
     • Preventive actions include limiting the attack surface and enforcing provenance attestations
  4. (image-only slide)
  5. What are CVEs?
     • Standing for Common Vulnerabilities and Exposures, CVEs are records of publicly disclosed software vulnerabilities
     • The CVE Program was created in 1999 and now has over 200,000 registered vulnerabilities, with more being added each day
     • The Common Vulnerability Scoring System (CVSS) provides a framework to classify vulnerabilities by severity (low, medium, high, and critical)
     • CLI scanners such as Grype and Trivy can be used to scan container images and detect the presence of affected packages
     • Patching CVEs is a time-draining task due to factors such as false positives and the lack of readily-available upstream patches
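Slide 5 mentions scanning images with Grype or Trivy and that triaging the results is time-consuming. The following Python script is an added example, not code from the talk or from Chainguard: it parses a Grype-style JSON report (the `matches` / `vulnerability` / `artifact` layout and the `fix.state` values are assumptions about Grype's output, so adapt the accessors to your scanner) and applies a CVSS severity gate, optionally deferring findings that have no upstream fix yet. The two reports embedded in it are constructed, with placeholder CVE ids that are not real records.

```python
"""Severity gate for a container-image vulnerability report (added example)."""
import json
from collections import Counter

# CVSS qualitative severities in ascending order.
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]

# Constructed sample reports with placeholder ids (not real CVEs): the first
# stands in for a conventional Debian-based image, the second for a minimal one.
DEBIAN_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.0-1"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"state": "not-fixed"}},
     "artifact": {"name": "perl-base", "version": "5.36-7"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                       "fix": {"state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.0-1"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low",
                       "fix": {"state": "wont-fix"}},
     "artifact": {"name": "bash", "version": "5.2-2"}},
]})
MINIMAL_REPORT = json.dumps({"matches": []})


def parse_report(text):
    """Normalise a scanner report into a flat list of findings."""
    doc = json.loads(text)
    findings = []
    for match in doc.get("matches", []):
        vuln = match.get("vulnerability", {})
        pkg = match.get("artifact", {})
        sev = str(vuln.get("severity", "unknown")).lower()
        if sev not in SEVERITY_ORDER:
            sev = "unknown"  # scanner had no rating for this record
        findings.append({
            "id": vuln.get("id", "?"),
            "severity": sev,
            "package": pkg.get("name", "?"),
            "version": pkg.get("version", "?"),
            "fixed": vuln.get("fix", {}).get("state") == "fixed",
        })
    return findings


def count_by_severity(findings):
    return Counter(f["severity"] for f in findings)


def blocking_findings(findings, fail_on="high", ignore_unfixed=False):
    """Findings at or above `fail_on`; optionally skip ones with no upstream fix.

    Unknown-severity records are kept: an unrated finding should be triaged,
    not silently waved through.
    """
    threshold = SEVERITY_ORDER.index(fail_on)
    out = []
    for f in findings:
        if ignore_unfixed and not f["fixed"]:
            continue  # nothing to patch yet: track it, but do not fail the build
        if f["severity"] == "unknown" or SEVERITY_ORDER.index(f["severity"]) >= threshold:
            out.append(f)
    return out


def gate(text, fail_on="high", ignore_unfixed=False):
    """Return (passed, blocking_findings) for one report."""
    blocking = blocking_findings(parse_report(text), fail_on, ignore_unfixed)
    return (len(blocking) == 0, blocking)


def summarize(text):
    """Severity counts for one report, with zeros for absent levels."""
    counts = count_by_severity(parse_report(text))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER + ["unknown"]}


if __name__ == "__main__":
    for name, report in [("debian-based", DEBIAN_REPORT), ("minimal", MINIMAL_REPORT)]:
        passed, blocking = gate(report, fail_on="high")
        print(f"{name}: {summarize(report)} -> {'PASS' if passed else 'FAIL'}")
        for f in blocking:
            print(f"  {f['id']} {f['severity']:8} {f['package']} {f['version']}"
                  f" {'(fix available)' if f['fixed'] else '(no fix yet)'}")
```

Running it prints the severity counts for each report and the findings that block the build. The `ignore_unfixed` option addresses the "lack of readily-available upstream patches" point on the slide: such findings are still reported for tracking, but the pipeline is not failed on something nobody can patch yet.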
  6. Chainguard Images
     • Low (or zero) CVE, minimal, hardened container images
     • Based on the Wolfi undistro
     • Built daily for extra crispiness
     • Next-level hardening with distroless
     • SBOMs, SLSA provenance

     Chainguard PHP Images
  7. PHP Chainguard Images Compared (Free Tier)

                      PHP                                  Laravel                      WordPress
     Distroless       php:latest, php:latest-fpm           laravel:latest               wordpress:latest
     Non-Distroless   php:latest-dev, php:latest-fpm-dev   laravel:latest-dev           wordpress:latest-dev
     Entrypoint       latest: php (CLI)                    php-fpm (server)             latest: php-fpm
                      latest-fpm: php-fpm (server)                                      latest-dev: entrypoint script / php-fpm
     PHP Extensions   Basic                                Basic + required by Laravel  Basic + required by WordPress
  8. Chainguard Image Flavors
     • Distroless: a minimal image containing only the software necessary to create a slim runtime. Does not include apk or bash, so you can't easily install other software in it or log in. The default pull is distroless (latest)
     • Non-distroless: just the same as a regular apk-based container image (but still smaller / better). Includes apk, bash, and other utilities. Can be easily customized. Uses the -dev suffix (latest-dev)
  9. Migration Process in a Nutshell
     1. Identify the base image you need
     2. Start with the -dev variant of the image
     3. Convert the Dockerfile to Wolfi
     4. Identify if packages are missing
     5. Migrate to a distroless image in a multi-stage Dockerfile
  10. Migrating from Debian and Ubuntu

      Description             Debian-based Dockerfile   Wolfi-based Equivalent
      Install a package       apt install               apk add
      Remove a package        apt remove                apk del
      Update packages repo    apt update                apk update
      Add a user              useradd                   adduser
  11. (image-only slide)

  12. (image-only slide)
  13. Image Features

      latest-dev
      • Same entrypoint script as the official images
      • Installs WP and copies custom plugins and themes to the document root
      • Sets up ENV vars for the database connection
      • wp-config.php uses getenv to obtain data (not hardcoded)
      • Allows customization through the dashboard (install themes and plugins, etc.)

      latest (distroless)
      • Minimal runtime: no apk or shell
      • Requires a multi-stage setup with latest-dev to copy contents to a temporary environment and then over to the final distroless image
      • Does not allow customization through the dashboard (file modifications not allowed)
  14. Example 1: dev environment + customization (Dockerfile)

      FROM cgr.dev/chainguard/wordpress:latest-dev
      ARG UID=1000
      # root is needed only to create the user and fix ownership
      USER root
      RUN addgroup wordpress && adduser -SD -u "$UID" -s /bin/bash wordpress wordpress
      RUN chown -R wordpress:wordpress /var/www/html
      # drop back to the unprivileged user for the running container
      USER wordpress
  15. Example 2: Multistage distroless (Dockerfile)

      FROM cgr.dev/chainguard/wordpress:latest-dev as builder
      # trigger wp-config.php creation
      ENV WORDPRESS_DB_HOST=foo
      # copy wp-content folder
      COPY ./wp-content /usr/src/wordpress/wp-content
      # run entrypoint script
      RUN /usr/local/bin/docker-entrypoint.sh php-fpm --version
      FROM cgr.dev/chainguard/wordpress:latest
      COPY --from=builder --chown=php:php /var/www/html /var/www/html
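To make the constraints of the distroless variant concrete, here is an added Python checker, not code from the talk or from Chainguard, that parses a Dockerfile and verifies it follows the multi-stage pattern described on slide 13: the final stage uses the distroless `:latest` tag and contains no `RUN` (there is no shell or apk to execute it), and its content arrives via `COPY --from` a `-dev` builder stage. The conforming input is the deck's Example 2; the single-stage counter-example, the rule wording and the function names are this example's own.

```python
"""Policy check for a distroless multi-stage WordPress Dockerfile (added example)."""
import re

# The deck's Example 2 (slide 15), used here as the conforming input.
EXAMPLE_2 = """\
FROM cgr.dev/chainguard/wordpress:latest-dev as builder
# trigger wp-config.php creation
ENV WORDPRESS_DB_HOST=foo
# copy wp-content folder
COPY ./wp-content /usr/src/wordpress/wp-content
# run entrypoint script
RUN /usr/local/bin/docker-entrypoint.sh php-fpm --version
FROM cgr.dev/chainguard/wordpress:latest
COPY --from=builder --chown=php:php /var/www/html /var/www/html
"""

# Constructed counter-example: tries to run the entrypoint script directly in
# the distroless image, where there is no shell to execute it.
BAD_SINGLE_STAGE = """\
FROM cgr.dev/chainguard/wordpress:latest
COPY ./wp-content /usr/src/wordpress/wp-content
RUN /usr/local/bin/docker-entrypoint.sh php-fpm --version
"""

IMAGE = "cgr.dev/chainguard/wordpress"


def parse_stages(text):
    """Split a Dockerfile into build stages.

    Returns [{'image': str, 'alias': str | None, 'instructions': [(INSTR, args)]}].
    Line continuations and FROM flags such as --platform are not handled here.
    """
    stages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, args = line.partition(" ")
        instr = head.upper()
        if instr == "FROM":
            m = re.match(r"(\S+)(?:\s+as\s+(\S+))?", args.strip(), re.IGNORECASE)
            stages.append({"image": m.group(1), "alias": m.group(2), "instructions": []})
        elif stages:
            stages[-1]["instructions"].append((instr, args.strip()))
    return stages


def resolve_from(ref, stages):
    """Resolve a COPY --from reference (alias or stage index) to an earlier stage."""
    if ref.isdigit():
        idx = int(ref)
        return stages[idx] if idx < len(stages) - 1 else None
    return next((s for s in stages[:-1] if s["alias"] == ref), None)


def check_distroless_multistage(text):
    """Return the list of violations; an empty list means the Dockerfile conforms."""
    problems = []
    stages = parse_stages(text)
    if not stages:
        return ["no FROM instruction found"]
    final = stages[-1]
    if final["image"] != f"{IMAGE}:latest":
        problems.append(f"final stage must be {IMAGE}:latest (distroless), got {final['image']}")
    # Distroless has no shell and no apk, so nothing can execute at build time.
    for instr, args in final["instructions"]:
        if instr == "RUN":
            problems.append(f"RUN in the distroless final stage has no shell to run in: {args}")
    copies = [args for instr, args in final["instructions"]
              if instr == "COPY" and "--from=" in args]
    if not copies:
        problems.append("final stage does not COPY --from a builder stage")
    # The builder must be the -dev variant: that is where the entrypoint script
    # can run and generate wp-config.php before the files are copied over.
    for args in copies:
        ref = re.search(r"--from=(\S+)", args).group(1)
        builder = resolve_from(ref, stages)
        if builder is None:
            problems.append(f"COPY --from={ref} does not name an earlier stage in this file")
        elif not builder["image"].endswith("-dev"):
            problems.append(f"builder stage {ref} should use a -dev image, got {builder['image']}")
    return problems


if __name__ == "__main__":
    for name, df in [("example 2", EXAMPLE_2), ("single stage", BAD_SINGLE_STAGE)]:
        found = check_distroless_multistage(df)
        print(f"{name}: {'OK' if not found else 'FAIL'}")
        for p in found:
            print("  -", p)
```

The single-stage variant fails on two rules: its `RUN` would never execute on the distroless image, and nothing is copied in from a `-dev` stage, so no `wp-config.php` would ever be generated. The same check fits naturally into CI, next to the CVE scan, as a guard against someone "fixing" a broken build by switching the final stage back to the `-dev` tag.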