    Chainguard releases Wolfi, a Linux 'undistribution'

    There are many Linux distributions designed specifically for containers. Even Microsoft has one, Common Base Linux (CBL)-Mariner. Others include Alpine Linux, Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS), and RancherOS. Now Chainguard, a cloud-native software security company, has a new take on this popular cloud-friendly kind of Linux: Wolfi, an "undistribution."

    I asked Chainguard CEO and founder Dan Lorenc at Open Source Summit Europe in Dublin what he meant by an "undistribution." He explained, "We call it an undistribution because that is technically correct. Inside a container, you have everything but Linux, right? So, although it is based on Linux, it is not really correct to call it a Linux distribution."

    What most people call a Linux container, Lorenc continued, is "a distro that boots up on hardware and gets you to a container runtime. Alpine is probably the most heavily used such distro. Wolfi is the opposite of this. It is distroless. It is minimal to the point of not even having a package manager." It has just enough to run your containerized application, and that is it.

    To make this new Linux variant, Lorenc said, "We hired a bunch of the original Alpine team. But Alpine was never designed for containers. It was originally designed for routers, firmware, and that kind of thing. What made it attractive for containers was its size and security." Wolfi takes that minimal approach to an extreme for the sake of security.

    Lorenc explained, "We believe in minimizing dependencies as much as possible, which simplifies auditing, updating, and transferring images, as well as reducing the potential attack surface. Wolfi [named for the smallest and most flexible octopus] is designed from the ground up to take full advantage of these containerized environments while maximizing security."

    Wolfi does more than just cut out all the fat to secure itself. It also comes with built-in software supply chain security measures. Specifically, its key features are:

    • Based on the Alpine Package (APK) format
    • Packages are of an appropriate granularity and independence to support minimal images
    • Comes with a high-quality, build-time software bill of materials (SBOM) for all packages
    • Fully declarative and reproducible build system

    In practice, Chainguard's distroless images are rebuilt daily from upstream sources. The images are signed via Sigstore, the standard for signing and verifying code, and described in an SBOM. This signature can be verified to show that the image is the one you wanted and is free of any tampering.

    Chainguard claims that every single package in these images is reproducible by default. In other words, you get the same image if you build the package yourself from the source code. This is also guaranteed by Supply Chain Levels for Software Artifacts (SLSA, pronounced "salsa"), a source-to-service security framework for ensuring the integrity of software artifacts by protecting against unauthorized changes to software packages.

    All these signatures, provenance attestations, and SBOMs are stored in a new Open Container Initiative (OCI) registry alongside the images. You can then check them with Sigstore's cosign tools, so you can trust the images.
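    As an added illustration (not Chainguard's or Sigstore's own code), this is the kind of policy check a consumer runs on a SLSA provenance attestation after cosign has verified its signature (for example on the payload decoded from `cosign verify-attestation` output): the attestation's subject digest must match the image digest you pulled, the builder must be one you trust, and pinned source materials must be present. The statement, image name, digests and builder id below are constructed placeholders, not real Wolfi data.

```python
import json

# Constructed in-toto Statement carrying a SLSA v0.2 provenance predicate.
# All values (image name, digests, builder id, repo) are placeholders.
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "registry.example/wolfi-base",
                 "digest": {"sha256": "a" * 64}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://builder.example/ci@v1"},
        "buildType": "https://builder.example/apk-build",
        "materials": [{"uri": "git+https://github.com/example/repo",
                       "digest": {"sha1": "b" * 40}}],
    },
})

# Predicate types this check accepts as SLSA provenance.
SLSA_PREDICATE_TYPES = {"https://slsa.dev/provenance/v0.2",
                        "https://slsa.dev/provenance/v1"}


def check_provenance(statement_json, expected_sha256, trusted_builders):
    """Return a list of policy findings; an empty list means the attestation passes."""
    findings = []
    try:
        stmt = json.loads(statement_json)
    except json.JSONDecodeError as exc:
        return [f"attestation is not valid JSON: {exc}"]

    # 1. Only accept provenance predicates, not arbitrary attestations.
    if stmt.get("predicateType") not in SLSA_PREDICATE_TYPES:
        findings.append(f"unexpected predicateType {stmt.get('predicateType')!r}")

    # 2. The attestation must describe exactly the image digest we pulled.
    subjects = stmt.get("subject") or []
    digests = {s.get("digest", {}).get("sha256") for s in subjects}
    if expected_sha256 not in digests:
        findings.append("subject digest does not match the image digest you pulled")

    # 3. The build must come from a builder identity we trust.
    predicate = stmt.get("predicate", {})
    builder = predicate.get("builder", {}).get("id")
    if builder not in trusted_builders:
        findings.append(f"untrusted builder id {builder!r}")

    # 4. Reproducibility claims need pinned source materials to check against.
    materials = predicate.get("materials") or []
    if not any(m.get("digest") for m in materials):
        findings.append("no pinned source materials recorded")
    return findings
```

An empty result from `check_provenance` is the signal to admit the image; any finding should block deployment and be investigated.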

    Ironically, Lorenc said, "By keeping everything up-to-date and minimizing the number of dependencies," Chainguard makes it so that "code security scanners such as grype, Snyk, and trivy report so few vulnerabilities for our images, people sometimes assume their scanners aren't working. But this reduction dramatically reduces the burden on teams responsible for investigating and mitigating potential security issues."

    In addition to Wolfi, Chainguard is updating its Chainguard Images, including base images for stand-alone binaries, applications like Nginx, and development tooling such as its Go and C compilers.

    So, if you like the idea of having the latest code and full supply chain security baked into your images, I strongly suggest you give Wolfi a try. You can do that by browsing and selecting images from the Wolfi GitHub repository. They come with how-to documentation and can be integrated easily into your existing production pipelines. And, of course, you can check the security signatures and SBOMs with the cosign tool.
