There are many Linux distributions designed expressly for containers. Even Microsoft has one, Common Base Linux (CBL)-Mariner. Others include Alpine Linux, Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS), and RancherOS. Now Chainguard, a cloud-native software security company, has a new take on this popular cloud-friendly kind of Linux: Wolfi, an “undistribution.”
I asked Chainguard CEO and founder Dan Lorenc at Open Source Summit Europe in Dublin what he meant by an “undistribution.” He explained, “We call it an undistribution because that’s technically correct. Inside of a container, you have everything but Linux, right? So, even though it’s based on Linux, it’s not really correct to call it a Linux distribution.”
What most people call a Linux container, Lorenc continued, is “a distro that boots up on hardware and gets you to a container runtime. Alpine is probably the most heavily used such distro. Wolfi is the opposite of this. It’s distroless. It’s minimal to the point of not even having a package manager.” It has just enough to run your containerized application, and that’s it.
To make this new Linux variant, Lorenc said, “We hired a bunch of the original Alpine team. But, Alpine was never designed for containers. It was originally designed for routers, firmware, and that kind of thing. What made it attractive for containers was its size and security.” Wolfi takes that minimal approach to an extreme for the sake of security.
Lorenc explained, “We believe in minimizing dependencies as much as possible, which simplifies auditing, updating, and transferring images, as well as reducing the potential attack surface. Wolfi [named for the smallest and most flexible octopus] is designed from the ground up to take full advantage of these containerized environments while maximizing security.”
Wolfi does more than just cut out all the fat to secure itself. It also comes with built-in software supply chain security measures. Specifically, key features are:
- Based on the Alpine Package (APK) format
- Packages are of an appropriate granularity and independence to support minimal images
- Comes with a high-quality, build-time software bill of materials (SBOM) for all packages
- Fully declarative and reproducible build system
In practice, Chainguard’s distroless images are rebuilt daily from upstream sources. The images are signed via Sigstore, the standard for signing and verifying code, and described in an SBOM. This signature can be verified to show that the image is the one you wanted and is free of any tampering.
Chainguard claims that every single package in these images is reproducible by default. In other words, you’ll get the same image if you build the package yourself from the source code. This is also guaranteed by Supply Chain Levels for Software Artifacts (SLSA, pronounced salsa). This is a source-to-service security framework for ensuring the integrity of software artifacts by protecting against unauthorized software package changes.
All these signatures, provenance records, and SBOMs are stored in a new Open Container Initiative (OCI) registry alongside the images. You can then verify them with Sigstore’s cosign tools, which gives you a concrete basis for trusting the images.
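The verification flow just described has two halves: cosign checks the Sigstore signature on the image and on its SBOM attestation, and the consumer then has to confirm that the attestation actually describes the image digest they pulled, not some other build. The following script is an added example, not code from the article or from Chainguard, that shows the second half. It decodes a cosign-style DSSE envelope (the form `cosign verify-attestation --type spdxjson` prints, whose predicate type is `https://spdx.dev/Document`), checks that the in-toto statement’s subject matches the expected image digest, and lists the SPDX packages. The image name, digest, package names and versions embedded in it are constructed placeholders, and the signature field is a stand-in because signature checking is left to cosign.

```python
"""Bind a cosign SBOM attestation to the image digest you pulled.

Added example, not from the article or Chainguard. cosign stores SBOMs as
in-toto statements wrapped in a DSSE envelope; `cosign verify-attestation`
checks the Sigstore signature, and this script shows the checks a consumer
still owes after that: the payload type, the subject digest, and the
predicate type, before trusting the package list inside.
"""
import base64
import json

# Constructed sample digest: the image you (hypothetically) pulled.
IMAGE_DIGEST = "sha256:" + "ab" * 32

# Constructed in-toto statement. Names and versions are placeholders.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "cgr.dev/example/image", "digest": {"sha256": "ab" * 32}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "sbom-sha256:" + "ab" * 32,
        "packages": [
            {"name": "wolfi-baselayout", "versionInfo": "20230201-r0"},
            {"name": "ca-certificates-bundle", "versionInfo": "20230311-r0"},
            {"name": "glibc", "versionInfo": "2.37-r1"},
        ],
    },
}

# Constructed DSSE envelope in the shape cosign prints; the signature is a
# placeholder because signature verification is cosign's job, not this script's.
SAMPLE_ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<placeholder-signature>"}],
}


def decode_statement(envelope: dict) -> dict:
    """Return the in-toto statement carried in a DSSE envelope."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def subject_matches(statement: dict, image_digest: str) -> bool:
    """True only if some subject of the statement carries the digest we pulled."""
    algo, _, hexdigest = image_digest.partition(":")
    return any(
        subj.get("digest", {}).get(algo) == hexdigest
        for subj in statement.get("subject", [])
    )


def sbom_packages(statement: dict) -> dict:
    """Map package name -> version from an SPDX predicate."""
    if statement.get("predicateType") != "https://spdx.dev/Document":
        raise ValueError(f"not an SPDX attestation: {statement.get('predicateType')!r}")
    packages = statement.get("predicate", {}).get("packages", [])
    return {pkg["name"]: pkg.get("versionInfo", "") for pkg in packages}


def check_attestation(envelope: dict, image_digest: str) -> dict:
    """Decode, bind to the image digest, and return the package inventory.

    Raises ValueError if the attestation describes a different image, since an
    SBOM for some other build tells you nothing about the one you are running.
    """
    statement = decode_statement(envelope)
    if not subject_matches(statement, image_digest):
        raise ValueError("attestation subject does not match the pulled image digest")
    return sbom_packages(statement)


if __name__ == "__main__":
    for name, version in sorted(check_attestation(SAMPLE_ENVELOPE, IMAGE_DIGEST).items()):
        print(f"{name} {version}")
    # A digest mismatch must be rejected rather than silently accepted.
    try:
        check_attestation(SAMPLE_ENVELOPE, "sha256:" + "cd" * 32)
    except ValueError as err:
        print("rejected:", err)
```

In practice you would feed `check_attestation` the JSON that `cosign verify-attestation` emits for the image reference you are deploying, with `IMAGE_DIGEST` taken from the registry manifest you actually pulled; the subject check is what stops a valid-but-unrelated SBOM from being mistaken for yours.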
Ironically, Lorenc said, “By keeping everything up-to-date and minimizing the number of dependencies,” Chainguard makes it so that “code security scanners such as grype, Snyk, and trivy report so few vulnerabilities for our images, people sometimes think their scanners aren’t working. But this reduction dramatically reduces the burden on teams responsible for investigating and mitigating potential security issues.”
Besides Wolfi, Chainguard is updating its Chainguard Images, including base images for stand-alone binaries, applications like Nginx, and development tooling such as its Go and C compilers.
So, if you like the idea of having the newest code and full supply chain security baked into your images, I strongly suggest you give Wolfi a try. You can do that by browsing and selecting images from the Wolfi GitHub repository. They come with how-to documentation and can be integrated easily into your existing production pipelines. And, of course, you can check the security signing and SBOMs with the cosign tool.