Chainguard launches Wolfi, a Linux "non-distribution"


There are many Linux distributions designed expressly for containers. Even Microsoft has one, Common Base Linux (CBL)-Mariner. Others include Alpine Linux, Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS), and RancherOS. Today, Chainguard, a cloud-native software security company, offers a new take on this popular type of cloud-enabled Linux: Wolfi, a “non-distribution.”

I asked Chainguard CEO and Founder Dan Lorenc at the Open Source Summit Europe in Dublin what he meant by “non-distribution”. He explained: “We call it a non-distribution because it’s technically correct. Inside a container you have everything but Linux, right? So even if it’s based on Linux, it’s not really correct to call it a Linux distribution.”

What most people call a Linux container, Lorenc continued, is “a distro that boots on hardware and takes you to a container runtime environment. Alpine is probably the most widely used such distro. Wolfi is the opposite of that. It’s distributionless. It’s minimal to the point of not even having a package manager.” It has just enough to run your containerized application, and that’s it.

To create this new Linux variant, Lorenc said, “We hired a group from the original Alpine team. But Alpine was never designed for containers. It was originally designed for routers, firmware and that sort of thing. containers was its size and security.” Wolfi takes this minimal approach to the extreme for security reasons.


Lorenc explained, “We believe in minimizing dependencies as much as possible, making it easier to audit, update, and transfer images, as well as reducing the potential attack surface. Wolfi [named for the smallest and most flexible octopus] is designed from the ground up to take full advantage of these containerized environments while maximizing security.”

Wolfi does more than just cut all the fat to secure itself. It also comes with built-in software supply chain security measures. More specifically, the key features are:

  • Based on Alpine Package (APK) format
  • Packages are of appropriate granularity and independence to support minimal images
  • Comes with high quality Software Bill of Materials (SBOM) for all packages
  • Fully declarative and reproducible build system

In practice, Chainguard’s distroless images are reconstructed daily from upstream sources. Images are signed via Sigstore, the code signing and verification standard, and described in an SBOM. This signature can be verified to show that the image is what you intended and is free from tampering.

Chainguard claims that every package in these images is reproducible by default. In other words, you will get the same image if you build the package yourself from source code. This is also guaranteed by Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”). It is a source-to-service security framework that ensures the integrity of software artifacts by protecting against unauthorized modification of software packages.


All of these signatures, provenance records, and SBOMs are stored in a new Open Container Initiative (OCI) registry alongside the images. You can then verify them with Sigstore’s cosign tool so that you can trust the images.

Ironically, Lorenc said, “By keeping everything up-to-date and minimizing the number of dependencies,” Chainguard makes “code security scanners such as grype, Snyk, and trivy report so few vulnerabilities for our images that people sometimes think their scanners aren’t working, but this reduction dramatically reduces the burden on teams to investigate and mitigate potential security issues.”

In addition to Wolfi, Chainguard updates its Chainguard images, including base images for standalone binaries, apps like Nginx, and developer tools like its Go and C compilers.

So if you like the idea of having the latest code and full supply chain security in your images, I highly suggest giving Wolfi a try. You can do this by browsing and selecting images from the Wolfi GitHub repository. They come with handy documentation and can be easily integrated into your existing production pipelines. And, of course, you can check the security signature and SBOMs with the cosign tool.
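The signature and SBOM check described above, as an added example that is not code from the article or from Chainguard: it drives cosign (v2, assumed installed, keyless Sigstore signing assumed) to verify an image and its SPDX SBOM attestation, then reads the package list out of the verified statement. The image reference, signer identity and OIDC issuer are passed in as arguments; the embedded statement is a constructed sample so the script also runs offline.

```python
"""Added example: verify a Sigstore-signed image with cosign and read its SBOM."""
import base64
import json
import subprocess
import sys

def cosign_verify(image: str, identity: str, issuer: str) -> None:
    # Keyless verification must pin the signing identity and OIDC issuer;
    # without both flags any Sigstore-signed image would be accepted.
    subprocess.run(["cosign", "verify", "--certificate-identity", identity,
                    "--certificate-oidc-issuer", issuer, image],
                   check=True, capture_output=True, text=True)

def fetch_sbom_statement(image: str, identity: str, issuer: str) -> dict:
    # Verify the SPDX SBOM attestation; cosign prints one DSSE envelope per
    # line whose "payload" is the base64-encoded in-toto statement.
    out = subprocess.run(["cosign", "verify-attestation", "--type", "spdxjson",
                          "--certificate-identity", identity,
                          "--certificate-oidc-issuer", issuer, image],
                         check=True, capture_output=True, text=True).stdout
    envelope = json.loads(out.splitlines()[0])
    return json.loads(base64.b64decode(envelope["payload"]))

def packages_from_statement(statement: dict) -> dict[str, str]:
    # Map package name -> version from the SPDX document inside the statement.
    predicate = statement.get("predicate", {})
    if "packages" not in predicate:
        raise ValueError("attestation predicate is not an SPDX document")
    return {p["name"]: p.get("versionInfo", "") for p in predicate["packages"]}

def unversioned(packages: dict[str, str]) -> list[str]:
    # Packages without a version cannot be matched against advisories.
    return sorted(name for name, version in packages.items() if not version)

# Constructed sample statement (not a real Wolfi SBOM) so the script runs offline.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "predicate": {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "ca-certificates", "versionInfo": "20220614-r0"},
        {"name": "base-layout", "versionInfo": "20220914-r0"},
        {"name": "sample-app"}]},
}

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py IMAGE IDENTITY ISSUER
        cosign_verify(*sys.argv[1:])
        pkgs = packages_from_statement(fetch_sbom_statement(*sys.argv[1:]))
    else:
        pkgs = packages_from_statement(SAMPLE_STATEMENT)
    for name, version in sorted(pkgs.items()):
        print(f"{name} {version or '(no version)'}")
    print("unversioned:", unversioned(pkgs))
```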
