Chainguard releases Wolfi, a “non-distribution” Linux


There are many Linux distributions designed specifically for containers. Microsoft also has one, Common Base Linux (CBL)-Mariner. Others include Alpine Linux, Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS), and RancherOS. Now Chainguard, a cloud-native software security company, has its own entry in this popular container-oriented category: Wolfi, a “nondistribution”.

I asked Chainguard CEO and founder Dan Lorenc at the Open Source Summit Europe in Dublin what he meant by “distribution”. He explained: “We call it nondistribution because it’s technically correct. Inside a container, you have everything but Linux, right? So even if it’s based on Linux, it’s not really fair to call it a Linux distribution.”

What most people call a Linux container, Lorenc continued, is “a distro that starts on the hardware and takes you to a container runtime. Alpine is probably the most used distro. Wolfi is the opposite of this. It’s distro-free. It’s minimal to the point that it doesn’t even have a package manager.” It just has enough to run your containerized application, and that’s it.

To build this new Linux variant, Lorenc said, “We hired a group from the original Alpine team. But Alpine was never designed for containers. It was originally designed for routers, firmware and that sort of thing. What made it attractive to containers were its size and safety.” Wolfi takes that minimal approach to the extreme for safety reasons.


Lorenc explained: “We believe in reducing dependencies as much as possible, which simplifies auditing, updating and image transfer, as well as reducing the potential attack surface. Wolfi [named for the smallest and most flexible octopus] is designed from the ground up to take full advantage of these containerized environments while maximizing security.”

Wolfi does more than just shed all the fat to protect itself. It also comes with built-in software supply chain security measures. Specifically, the main features are:

  • Based on the Alpine Package (APK) format
  • Packages are granular and independent enough to support minimal images
  • Comes with a high-quality software bill of materials (SBOM) for every package
  • Fully declarative and reproducible build system

In practice, Chainguard’s distro-free images are rebuilt daily from upstream sources. The images are signed using Sigstore, the standard for code signing and verification, and described in an SBOM. This signature can be verified to prove that the image is the one you intended to pull and is free from any tampering.

Chainguard states that every single package in these images is reproducible by default. In other words, you will get the same image if you build the package yourself from the source code. This is also ensured by Supply chain Levels for Software Artifacts (SLSA, pronounced “salsa”). This is a source-to-service security framework to ensure the integrity of software artifacts by protecting against unauthorized changes to the software package.


All these signatures, provenance and SBOMs are stored in a new Open Container Initiative (OCI) registry along with the images. You can then check them with Sigstore’s cosign tool so you can trust the images.

Ironically, Lorenc said, “By keeping everything up to date and minimizing the number of dependencies,” Chainguard makes sure that “code security scanners like grype, Snyk and trivy report so few vulnerabilities for our images, people sometimes think their scanners aren’t working. But this reduction dramatically reduces the burden on teams responsible for investigating and mitigating potential security issues.”

In addition to Wolfi, Chainguard is updating its Chainguard images, including base images for standalone binaries, applications like Nginx, and development tools like its Go and C compilers.

So, if you like the idea of having the latest code and complete supply chain security built into your images, I highly recommend giving Wolfi a try. You can do this by browsing and selecting images from the Wolfi GitHub repository; they come with practical documentation and can be easily integrated into existing production pipelines. And, of course, you can check the security signature and SBOMs with the cosign tool.
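Verifying the signature is only half of the check the article describes: once cosign has confirmed that the SBOM attestation was signed by the expected identity, you still have to read the attestation and confirm it describes the image you actually pulled. The script below is an added example, not Chainguard’s or Sigstore’s own code. It assumes you have already run `cosign verify-attestation --type spdxjson` against a digest-pinned image reference and saved its output, which is one DSSE envelope per line with a base64 payload holding an in-toto Statement whose predicate is the SPDX document. The envelope embedded here is constructed for the example (the image name, digest, package list and the deliberately missing purl on one package are all made up), and the helper names are my own.

```python
"""Inspect an SBOM attestation returned by `cosign verify-attestation`.

Added example (not project code). Assumed prior step, run by the operator:

    cosign verify-attestation --type spdxjson \
        --certificate-oidc-issuer <expected issuer> \
        --certificate-identity <expected signing identity> \
        cgr.dev/chainguard/nginx@sha256:<digest> > attestation.jsonl

cosign exits non-zero if the signature does not verify, so the checks below
only run on envelopes whose signature has already been accepted.
"""
import base64
import json
import sys

SPDX_PREDICATE = "https://spdx.dev/Document"
INTOTO_PAYLOAD = "application/vnd.in-toto+json"

# Constructed sample: image name, digest and package rows are made up for this example.
SAMPLE_DIGEST = "0" * 64
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE,
    "subject": [{"name": "cgr.dev/chainguard/nginx", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "packages": [
            {"name": "nginx", "versionInfo": "1.23.1-r0",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:apk/wolfi/nginx@1.23.1-r0?arch=x86_64"}]},
            {"name": "ca-certificates-bundle", "versionInfo": "20220614-r0",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:apk/wolfi/ca-certificates-bundle@20220614-r0?arch=x86_64"}]},
            # Constructed defect: a package without a purl cannot be matched by a scanner.
            {"name": "glibc", "versionInfo": "2.36-r0", "externalRefs": []},
        ],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": INTOTO_PAYLOAD,
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "signature-bytes-omitted-in-constructed-sample"}],
})


def decode_envelope(line: str) -> dict:
    """Return the in-toto Statement carried by one DSSE envelope line."""
    envelope = json.loads(line)
    if envelope.get("payloadType") != INTOTO_PAYLOAD:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def sbom_packages(statement: dict, expected_name: str, expected_digest: str) -> list:
    """Check the statement is an SPDX SBOM bound to the pulled image; return package rows.

    The subject binding matters: a valid signature on an SBOM for a *different*
    image or digest proves nothing about the one you are about to run.
    """
    if statement.get("predicateType") != SPDX_PREDICATE:
        raise ValueError(f"not an SPDX attestation: {statement.get('predicateType')!r}")
    bound = {(s.get("name"), s.get("digest", {}).get("sha256")) for s in statement.get("subject", [])}
    if (expected_name, expected_digest) not in bound:
        raise ValueError(f"attestation subject {bound} does not match {expected_name}@sha256:{expected_digest}")
    rows = []
    for pkg in statement["predicate"].get("packages", []):
        purl = next((ref.get("referenceLocator") for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        rows.append({"name": pkg.get("name"), "version": pkg.get("versionInfo"), "purl": purl})
    return rows


def packages_without_purl(rows: list) -> list:
    """Names of packages a scanner could not identify because the SBOM gives no purl."""
    return [row["name"] for row in rows if not row["purl"]]


def main(path: str, image: str, digest: str) -> int:
    """Read attestation.jsonl and print the inventory; exit 1 if any package lacks a purl."""
    with open(path, encoding="utf-8") as fh:
        statements = [decode_envelope(line) for line in fh if line.strip()]
    rows = [row for st in statements for row in sbom_packages(st, image, digest)]
    for row in rows:
        print(f"{row['name']:<30} {row['version'] or '?':<16} {row['purl'] or '(no purl)'}")
    missing = packages_without_purl(rows)
    if missing:
        print(f"warning: {len(missing)} package(s) without purl: {', '.join(missing)}", file=sys.stderr)
    return 1 if missing else 0


if __name__ == "__main__":
    # Usage: python sbom_check.py attestation.jsonl cgr.dev/chainguard/nginx <sha256 hex digest>
    sys.exit(main(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Pin the reference by digest rather than by tag when you run cosign and when you call this script: the article’s point is that the signature and SBOM describe one specific image, and a tag can move to a different digest between the verification and the deploy.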
