Hopping into spring with Chainguard’s RabbitMQ Image

Dan Lorenc, CEO
February 24, 2023

Today we're announcing a Chainguard Image for RabbitMQ. RabbitMQ is an open-source message broker that’s commonly used as part of cloud-native applications. It has over 10k stars on GitHub and we even use it as part of our Chainguard Enforce platform.

The Chainguard build of RabbitMQ is based on the Wolfi undistro – meaning we bootstrap the entire toolchain ourselves. If you know much about RabbitMQ, you’ll quickly realize this means that we also had to build our own versions of Erlang and OTP, which form the memory-safe, high-performance backend that powers the RabbitMQ server. These are built using Wolfi’s best-in-class compiler hardening features and performance optimizations, providing a solid foundation for RabbitMQ itself.

As always, the Chainguard RabbitMQ Image is continuously patched to ensure it has minimal CVEs, instead of hundreds like some of the others.

To get started, you can run the image with:

```bash
docker run -p 5672:5672 --rm cgr.dev/chainguard/rabbitmq
2023-01-02 00:11:37.199274+00:00 [notice] <0.44.0> Application syslog exited with reason: stopped
2023-01-02 00:11:37.206489+00:00 [notice] <0.229.0> Logging: switching to configured handler(s); following messages may not be visible in this log output

  ##  ##      RabbitMQ 3.11.5
  ##  ##
  ##########  Copyright (c) 2007-2022 VMware, Inc. or its affiliates.
  ######  ##
  ##########  Licensed under the MPL 2.0. Website: https://rabbitmq.com

  Erlang:      25.2 [jit]
  TLS Library: OpenSSL - OpenSSL 3.0.7 1 Nov 2022
  Release series support status: supported

  Doc guides:  https://rabbitmq.com/documentation.html
  Support:     https://rabbitmq.com/contact.html
  Tutorials:   https://rabbitmq.com/getstarted.html
  Monitoring:  https://rabbitmq.com/monitoring.html

  Logs: /var/log/rabbitmq/rabbit@02bee2143fb7.log
        /var/log/rabbitmq/rabbit@02bee2143fb7_upgrade.log

  Config file(s): (none)

  Starting broker... completed with 0 plugins.
```

The image also supports the standard configuration files and environment variables:

```bash
RABBITMQ_CONFIG_FILE=/etc/rabbitmq/rabbitmq.conf
RABBITMQ_ADVANCED_CONFIG_FILE=/etc/rabbitmq/advanced.config
RABBITMQ_CONF_ENV_FILE=/etc/rabbitmq/rabbitmq-env.conf
```

As always, the binaries in our Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:

```bash
$ cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/rabbitmq
Found SBOM of media type: spdx+json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:a5d9e5df5ea7c280157dbcd81b1d5b1a6334fea4366fee3494a2a77b901bc187",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-02-21T00:11:14Z",
    "creators": [
      "Tool: apko (canary)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "SPDXRef-Package-sha256-fba7c2f1c16bcb3206b63eac453fd793236f19a41d095855b6cfd3414f895c21"
  ],
  "files": [
    {
      "SPDXID": "SPDXRef-File--usr-lib-locale-C.utf8-LCC95ADDRESS",
      "fileName": "/usr/lib/locale/C.utf8/LC_ADDRESS",
      "licenseConcluded": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "12d0e0600557e0dcb3c64e56894b81230e2eaa72"
        },
        {
          "algorithm": "SHA256",
          "checksumValue": "26e2800affab801cb36d4ff9625a95c3abceeda2b6553a7aecd0cfcf34c98099"
        },
        {
          "algorithm": "SHA512",
          "checksumValue": "d38b225e8204e1e85e6c631481f46d0b8fca8cf8d8dfc290f00adb15b605959f91f0d55dc830fdd82c22f916140090928e44f1b5123facac135705cc81df00b0"
        }
      ]
    },
    {
      "SPDXID": "SPDXRef-File--usr-lib-locale-C.utf8-LCC95COLLATE",
      "fileName": "/usr/lib/locale/C.utf8/LC_COLLATE",
      "licenseConcluded": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "f245e3207984879d0b736c9aa42f4268e27221b9"
        },
        {
          "algorithm": "SHA256",
          "checksumValue": "47a5f5359a8f324abc39d69a7f6241a2ac0e2fbbeae5b9c3a756e682b75d087b"
        },
```
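To make the "vulnerability scanning or license compliance" use concrete, here is an added example (not Chainguard's code) that turns an SPDX 2.3 SBOM into a package inventory with purls for a scanner and evaluates each declared license expression against an allowlist. The `ALLOWED` policy and the `SAMPLE_SBOM` contents are constructed for illustration; only the SPDX field names are standard.

```python
import re
from collections import deque

ALLOWED = {"Apache-2.0", "MIT", "MPL-2.0"}  # hypothetical policy allowlist
# Constructed, trimmed sample in SPDX 2.3 shape; every name, purl and license is illustrative.
SAMPLE_SBOM = {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "example-broker", "versionInfo": "1.0.0-r0", "licenseDeclared": "MPL-2.0", "externalRefs": [
        {"referenceType": "purl", "referenceLocator": "pkg:apk/example/example-broker@1.0.0-r0"}]},
    {"name": "example-dual", "versionInfo": "2.1-r3", "licenseDeclared": "GPL-2.0-only OR MIT"},
    {"name": "example-mixed", "versionInfo": "0.9-r1", "licenseDeclared": "(MIT OR Apache-2.0) AND GPL-3.0-only"},
    {"name": "example-unknown", "versionInfo": "4.2-r0", "licenseDeclared": "NOASSERTION"},
]}

def license_ok(expr, allowed):
    """SPDX license expression check: AND needs every operand allowed, OR needs one."""
    toks = deque(re.findall(r"[()]|[^\s()]+", expr or ""))
    def factor():
        tok = toks.popleft()
        if tok == "(":
            val = either()
            toks.popleft()  # closing ")"
            return val
        if toks and toks[0] == "WITH":  # "X WITH exception" is judged on the base license X
            toks.popleft()
            toks.popleft()
        return tok in allowed  # NOASSERTION and NONE never match the allowlist
    def both():
        val = factor()
        while toks and toks[0] == "AND":
            toks.popleft()
            val = factor() and val
        return val
    def either():
        val = both()
        while toks and toks[0] == "OR":
            toks.popleft()
            val = both() or val
        return val
    return bool(toks) and either()

def audit(sbom, allowed=ALLOWED):
    rows = []
    for pkg in sbom.get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        lic = pkg.get("licenseDeclared", "NOASSERTION")
        rows.append({"name": pkg.get("name"), "version": pkg.get("versionInfo"),
                     "purl": purl, "license": lic, "ok": license_ok(lic, allowed)})
    return rows
```

To run it against the real image, save the JSON from the `cosign download sbom` command above to a file and pass the result of `json.load` on it to `audit`.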

Get started using Chainguard’s RabbitMQ Image today at github.com/chainguard-images, or get started with our RabbitMQ image using documentation in Chainguard Academy. All Chainguard Images minimize the software components included, helping shrink your image size by 80% on average, reducing your attack surface. Chainguard Images are now available for Bazel, curl, Git, Go, Jenkins, Postgres, Ruby and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.

Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog. 
