Numerous Linux distributions are built specifically for containers. There is even one from Microsoft, Common Base Linux (CBL)-Mariner.
RancherOS, Red Hat Enterprise Linux CoreOS (RHCOS), Flatcar Container Linux, Alpine Linux, and others are also available.
With Wolfi, an “undistribution,” Chainguard, a cloud-native software security startup, offers a fresh take on this popular, cloud-friendly kind of Linux.
According to Lorenc, a Linux container distribution is what most people refer to as “a distribution that launches on hardware and connects you to a container runtime.
The most popular of these distributions is likely Alpine. The polar opposite of this is Wolfi. It has no distribution. It is so simple that there isn’t even a package manager.” It has only what is necessary to run your containerized application.
Lorenc explained why this new Linux variant was needed: “We hired a large portion of the original Alpine team. However, Alpine was not intended for containers.
It was initially intended for routers, firmware, and similar items. Its size and security made it interesting for containers.” For security, Wolfi goes beyond that minimal approach.
Lorenc clarified, “We favor minimizing dependencies to the greatest extent possible because doing so makes auditing, upgrading, and transferring images easier and narrows the attack surface. From the ground up, Wolfi [named after the smallest and most flexible octopus] is built to fully utilize these containerized settings while maximizing security.”
Wolfi secures itself in more ways than merely trimming the fat. It also has software supply chain security safeguards built right in. Its key characteristics include:
- Utilizing the Alpine Package (APK) file format
- Packages are granular and independent enough to support minimal base images.
- A high-quality build-time software bill of materials (SBOM) is included for each package.
- The build system is entirely declarative and reproducible.
Chainguard’s distroless images are rebuilt every day from upstream sources.
The SBOM also describes how the images are signed using Sigstore, a standard for signing and verifying code. This signature can be verified to confirm that the image is the one you wanted and has not been altered.
According to Chainguard, every package in these images is reproducible. In other words, if you build the package from its source code, you’ll get an identical image. Supply Chain Levels for Software Artifacts (SLSA, pronounced “salsa”) also ensures this. This source-to-service security framework works to prevent unauthorized changes to software packages in order to guarantee the integrity of software artefacts.
Therefore, I highly recommend giving Wolfi a try if you like the idea of having the most recent code and complete supply chain security baked into your images. You can do this by browsing and selecting images from the Wolfi GitHub repository. These images come with how-to documentation and are simple to incorporate into your existing production pipelines. Of course, you can use the cosign tool to verify the signatures and SBOMs.
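As an added example (not from the article or from Chainguard's own tooling), here is how the SPDX attestation that `cosign verify-attestation --type spdxjson` prints can be checked against the image digest you actually pulled and turned into a package list; the envelope below is a constructed sample, and cosign's signature check is assumed to have already passed.

```python
import base64
import json

# Constructed sample: the DSSE envelope shape that `cosign verify-attestation
# --type spdxjson` prints, wrapping a minimal SPDX 2.3 predicate.
IMAGE_DIGEST = "a" * 64  # constructed; normally the sha256 of the image you pulled
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "example.invalid/app", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "glibc", "versionInfo": "2.38-r1", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:apk/wolfi/glibc@2.38-r1?arch=x86_64"}]},
        {"name": "vendored-lib", "versionInfo": "1.0", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:generic/vendored-lib@1.0"}]},
    ]},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "constructed-placeholder"}],
})

def packages_from_attestation(envelope_json, expected_digest):
    """Decode the in-toto statement and return {package name: purl}."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("not an in-toto attestation")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != "https://spdx.dev/Document":
        raise ValueError("not an SPDX predicate")
    # The subject must be the digest we pulled, not merely the tag we asked for.
    subjects = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if expected_digest not in subjects:
        raise ValueError("attestation subject does not match image digest")
    pkgs = {}
    for p in stmt["predicate"].get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        pkgs[p["name"]] = purl
    return pkgs

def non_wolfi_packages(pkgs):
    """Names of packages whose purl is not a Wolfi apk, i.e. worth a closer look."""
    return sorted(n for n, purl in pkgs.items()
                  if not (purl or "").startswith("pkg:apk/wolfi/"))
```

In practice you would pipe the real cosign output into `packages_from_attestation` with the digest from `docker pull` or `crane digest`; a digest mismatch means the SBOM describes some other image.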