There are many Linux distributions designed specifically for containers. Even Microsoft has one, CBL-Mariner (Common Base Linux). Others include Alpine Linux, Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS), and RancherOS. Now Chainguard, a cloud-native software security company, has a new take on this popular cloud-friendly breed of Linux: Wolfi, a “non-distribution”.
I asked Dan Lorenc, CEO and Founder of Chainguard, what he meant by “non-distribution” at the Open Source Summit Europe in Dublin. He explained, “We call it an undistribution because that’s technically correct. Inside a container you have everything but Linux, right? So even though it’s based on Linux, calling it a Linux distribution isn’t really accurate.”
What most people call a container Linux distribution, Lorenc continued, is “a distribution that boots onto hardware and brings you to a containerized runtime. Alpine is probably the most used distro of this type. Wolfi is the opposite of that. It’s distroless. It’s minimal to the point where it doesn’t even have a package manager.” It has just enough to run your containerized application, and nothing more.
To create this new flavor of Linux, Lorenc said, “We hired a bunch from the original Alpine team. But Alpine was never designed for containers. It was originally developed for routers, firmware and the like. What made the container attractive was its size and security.” Wolfi takes this minimal approach to the extreme for security reasons.
Lorenc explained: “We believe in minimizing dependencies as much as possible, which simplifies the checking, updating and transfer of images and reduces the potential attack surface. Wolfi [named for the smallest and most flexible octopus] is designed from the ground up to take full advantage of these containerized environments while maximizing security.”
Wolfi does more than trim fat to secure itself. It also builds in security measures for the software supply chain. Its key features are:
- Uses the apk package format from Alpine
- Packages are granular and independent enough to support minimal images
- Comes with a high-quality build-time software bill of materials (SBOM) for all packages
- Fully declarative and reproducible build system
In practice, Chainguard’s Distroless images are rebuilt daily from upstream sources. The images are signed via Sigstore, the standard for signing and verifying code, and described in an SBOM. Verifying the signature shows that the image is the one Chainguard published and has not been tampered with.
Chainguard states that every package in these images is reproducible by default. In other words, build the package yourself from source and you should get byte-identical output. The images also ship with provenance following Supply Chain Levels for Software Artifacts (SLSA, pronounced “salsa”), a source-to-service security framework for ensuring the integrity of software artifacts by guarding against unauthorized modification of software packages.
All of these signatures, provenances and SBOMs are stored alongside the images in a new Open Container Initiative (OCI) registry. You can verify them with Sigstore’s cosign tool before trusting the images.
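A verified signature is only half of the check. Once cosign has confirmed that a provenance attestation was signed by the expected identity, the consumer still has to confirm that the statement is about the exact image digest it is about to deploy and that it names a builder it trusts; otherwise a perfectly valid attestation for some other build passes. The following is an added example, not Chainguard’s or Wolfi’s code, that applies those checks to the DSSE envelope `cosign verify-attestation --type slsaprovenance IMAGE` prints. The image digest, builder identifiers and statement contents are constructed for the example.

```python
# Added example (not Chainguard's or Wolfi's code): policy checks over the
# DSSE envelope that `cosign verify-attestation --type slsaprovenance IMAGE`
# prints once the signature itself has verified. Envelope layout is the
# standard DSSE/in-toto one; the image digest, builder IDs and payload
# contents below are constructed for this example.
import base64
import hashlib
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"
DSSE_IN_TOTO = "application/vnd.in-toto+json"

# Builders whose provenance we accept (hypothetical identifiers; a real
# deployment pins the IDs carried by attestations it has already verified).
TRUSTED_BUILDERS = {"https://example.invalid/builders/wolfi-ci"}


def decode_envelope(envelope: dict) -> dict:
    """Return the in-toto Statement carried by a DSSE envelope.

    cosign already checked the signature when it printed the envelope; the
    payload is the base64-encoded Statement JSON.
    """
    if envelope.get("payloadType") != DSSE_IN_TOTO:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement: dict, image_digest: str,
                     trusted_builders: set[str]) -> list[str]:
    """Return a list of policy violations (empty means the image may run)."""
    problems = []
    if statement.get("_type") != IN_TOTO_STATEMENT:
        problems.append(f"not an in-toto statement: {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V02:
        problems.append(f"not SLSA provenance: {statement.get('predicateType')!r}")

    # The subject must name the exact manifest digest the tag resolved to;
    # provenance for some other build is worthless even if validly signed.
    want = image_digest.removeprefix("sha256:")
    have = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if want not in have:
        problems.append(f"subject digest mismatch: wanted {want[:12]}..., "
                        f"got {sorted(d for d in have if d)}")

    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder: {builder!r}")
    return problems


def make_envelope(statement: dict) -> dict:
    """Wrap a Statement the way cosign prints it. Signatures are omitted
    because cosign, not this code, is what checks them; used only to build
    the constructed sample input."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": DSSE_IN_TOTO, "payload": payload, "signatures": []}


# Constructed sample: the digest an operator would get by resolving the tag
# (e.g. with `crane digest`), and a matching SLSA v0.2 provenance statement.
IMAGE_DIGEST = "sha256:" + hashlib.sha256(b"constructed example manifest").hexdigest()
GOOD_STATEMENT = {
    "_type": IN_TOTO_STATEMENT,
    "predicateType": SLSA_PROVENANCE_V02,
    "subject": [{"name": "cgr.dev/example/app", "digest": {"sha256": IMAGE_DIGEST[7:]}}],
    "predicate": {
        "builder": {"id": "https://example.invalid/builders/wolfi-ci"},
        "buildType": "https://example.invalid/buildtypes/melange",
        "materials": [{"uri": "git+https://example.invalid/app", "digest": {"sha1": "0" * 40}}],
    },
}


def evaluate(envelope: dict, image_digest: str) -> list[str]:
    """Full gate: decode the envelope, then run the policy checks."""
    return check_provenance(decode_envelope(envelope), image_digest, TRUSTED_BUILDERS)


def good_case() -> list[str]:
    return evaluate(make_envelope(GOOD_STATEMENT), IMAGE_DIGEST)


def swapped_image_case() -> list[str]:
    # A valid attestation presented for a different digest, e.g. a tag that
    # was re-pointed after the provenance was issued.
    other = "sha256:" + hashlib.sha256(b"some other manifest").hexdigest()
    return evaluate(make_envelope(GOOD_STATEMENT), other)


def untrusted_builder_case() -> list[str]:
    tampered = json.loads(json.dumps(GOOD_STATEMENT))
    tampered["predicate"]["builder"]["id"] = "https://example.invalid/builders/laptop"
    return evaluate(make_envelope(tampered), IMAGE_DIGEST)


if __name__ == "__main__":
    for name, fn in [("good", good_case), ("swapped image", swapped_image_case),
                     ("untrusted builder", untrusted_builder_case)]:
        print(name, "->", fn() or "OK")
```

The digest comparison is the part most often skipped in practice: deploy tooling that pulls by tag, verifies whatever attestation the registry returns, and never ties the two together will accept provenance for a build that is not the one running.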
Ironically, Lorenc said, “By keeping everything up to date and minimizing the number of dependencies,” Chainguard ensures that “code security scanners like Grype, Snyk, and Trivy report so few vulnerabilities for our images that people sometimes think their scanners don’t work. But this reduction significantly reduces the burden on the teams responsible for investigating and mitigating potential security issues.”
Alongside Wolfi, Chainguard is updating its Chainguard Images, including base images for standalone binaries, applications such as Nginx, and development tools such as Go and C compilers.
So if you like the idea of bringing the latest code and full supply chain security to your images, I highly recommend you try Wolfi. You can do this by browsing and selecting images from the Wolfi GitHub repository. They come with instructional documentation and can be integrated into your existing production pipelines. And of course you can verify the signatures and SBOMs with cosign.