Chainguard started with a plan to build secure container images. They ended up building a whole new Linux (un)distribution and tooling.
Why a new distro?
The sensible among you are probably asking why — why does creating secure container images require the creation of a new Linux distribution?
Linux distributions — such as Red Hat and Ubuntu — haven't changed much in the past couple of decades. They were originally designed for running on servers in a physical rack and installed via CD or even floppies. The jump to VMs didn't change things too much, but now with containers, it feels like the original Linux distributions are starting to creak a bit.
In a container, you're generally only running a single application, so you need much less “stuff.” Static binaries are often a better solution than shared libraries. Both of these things are contrary to the founding principles of many Linux distributions.
At Chainguard, we started down the path of creating our own tooling to create packages for containers and we realized that extending this to create our own distribution was the best path — after all, the vast majority of work in a distribution is package management and distribution.
Finally, having a distro like Wolfi also meant that we could issue security advisories, which are used by scanners and similar when identifying vulnerabilities in containers and other packaging formats. This turned out to be crucial for developing low-to-no CVE images.
Those are the technical reasons why, but — honestly, at the time — I think we thought it would be something innovative to try, and it turned out to be an excellent idea.
Apko and Melange
The cornerstones of Chainguard's tooling are the open source projects Apko and Melange:
- Melange is used to build APK packages, the same format as used in Alpine Linux. Chainguard could have used the existing Alpine build tools, but we wanted something that was more declarative and more modern. In particular, we wanted something pipeline oriented, in the same way as commontooling like GitHub Actions.
- Apko is used to stitch together the packages produced by melange into container images. Apko itself is very simple compared to tooling such as Docker Build. All it will do is assemble the list of packages into a filesystem and set some metadata. There's no running arbitrary Linux commands or even adding in extra files. The upside of this is that it's fast and reproducible — run the same build twice and you will get the same result.
Chainguard Images
All these tools were built so we could create Chainguard Images – our hardened, minimal container images that are secure by default. Without Wolfi, we wouldn't be able to update images at the speed required to meet our low-CVE standards. Without apko and melange we wouldn't have complete build-time SBOMs (software bills of materials) and reproducible builds. But with these tools we have been able to create something game-changing – make sure to check out our Images and save your team hours investigating and triaging vulnerabilities.
Tell me more!
To get the full details on how and why we built a distro, check out the presentation available below. Note that this presentation was created for PackagingCon, so it's heavy on packaging details.
If you'd like to learn more about Wolfi please take a look at Chainguard Academy and our GitHub repo.
You can find me on X at @adrianmouat if you have any questions.
