Reimagining the Linux distro with Wolfi
Chainguard started with a plan to build secure container images. They ended up building a whole new Linux (un)distribution and tooling.
Why a new distro?
The sensible among you are probably asking why — why does creating secure container images require the creation of a new Linux distribution?
Linux distributions — such as Red Hat and Ubuntu — haven't changed much in the past couple of decades. They were originally designed for running on servers in a physical rack and installed via CD or even floppies. The jump to VMs didn't change things too much, but now with containers, it feels like the original Linux distributions are starting to creak a bit.
In a container, you're generally only running a single application, so you need much less “stuff.” Static binaries are often a better solution than shared libraries. Both of these things are contrary to the founding principles of many Linux distributions.
At Chainguard, we started down the path of building our own tooling to produce packages for containers, and we realized that extending this into our own distribution was the best path. After all, the vast majority of the work in a distribution is package building, management, and distribution.
Finally, having a distro like Wolfi also meant that we could issue our own security advisories, the data that vulnerability scanners and similar tools consult when deciding whether a package version in a container (or another packaging format) is affected by a CVE. Without an advisory feed, a scanner has no way to know that a fix has been backported or that a CVE does not apply, so this turned out to be crucial for producing low-to-no CVE images.
Those are the technical reasons why, but — honestly, at the time — I think we thought it would be something innovative to try, and it turned out to be an excellent idea.
Apko and Melange
The cornerstones of Chainguard's tooling are the open source projects Apko and Melange:
Melange is used to build APK packages, the same format as used in Alpine Linux. Chainguard could have used the existing Alpine build tools, but we wanted something that was more declarative and more modern. In particular, we wanted something pipeline oriented, in the same way as common tooling like GitHub Actions.
Apko is used to stitch together the packages produced by Melange into container images. Apko itself is very simple compared to tooling such as Docker Build. All it will do is resolve the list of packages, lay them out in a filesystem, and set some image metadata. There's no running arbitrary Linux commands or even adding in extra files. The upside of this is that it's fast and reproducible: run the same build twice against the same package versions and you will get the same result.
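To make the two-stage flow concrete, here is an added example (not code from the original post or from the Wolfi repository) of a Melange build definition for GNU hello followed by an apko image definition that consumes the resulting package. The package name, version, output directory (`/work/packages`), key filenames, and the `@local` repository syntax are assumptions for illustration; the `expected-sha256` value is a placeholder you must fill in with the real tarball digest before the fetch step will pass.

```yaml
# hello.yaml - Melange build definition (added illustration, not from the page or project).
# Assumes GNU hello 2.12 as the source; the sha256 below is a placeholder, not a real digest.
package:
  name: hello
  version: 2.12
  epoch: 0
  description: GNU hello, built from source as a Wolfi-style APK
  copyright:
    - license: GPL-3.0-or-later

# The build runs inside a minimal environment assembled from the Wolfi repo,
# so the toolchain itself is pinned and signed rather than whatever the host has.
environment:
  contents:
    repositories:
      - https://packages.wolfi.dev/os
    keyring:
      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle

# Declarative, step-oriented pipeline: each step reuses a named pipeline ("uses"),
# in the same spirit as GitHub Actions steps, instead of a free-form shell script.
pipeline:
  - uses: fetch
    with:
      uri: https://ftp.gnu.org/gnu/hello/hello-${{package.version}}.tar.gz
      expected-sha256: REPLACE_WITH_THE_TARBALL_SHA256   # pins the source; a mismatch fails the build
  - uses: autoconf/configure
  - uses: autoconf/make
  - uses: autoconf/make-install
  - uses: strip
---
# hello.apko.yaml - apko image definition that consumes the package built above.
contents:
  repositories:
    - https://packages.wolfi.dev/os
    - '@local /work/packages'          # directory Melange wrote the .apk into (assumed path)
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
    - melange.rsa.pub                  # public half of the key used to sign the local package
  packages:
    - ca-certificates-bundle
    - hello@local                      # take hello from the local repo, not the public one

# No RUN steps and no COPY: only package lists and metadata. This is what keeps the
# image reproducible and lets apko emit a complete SBOM at build time.
accounts:
  groups:
    - groupname: nonroot
      gid: 65532
  users:
    - username: nonroot
      uid: 65532
      gid: 65532
  run-as: 65532                        # image runs unprivileged by default

entrypoint:
  command: /usr/bin/hello

archs:
  - x86_64
  - aarch64
```

With the CLIs as documented at the time of writing (check `--help` on your installed versions), the flow is: `melange keygen` to create `melange.rsa` and `melange.rsa.pub`, `melange build hello.yaml --arch x86_64 --signing-key melange.rsa --out-dir packages` to produce and sign the APK, then `apko build hello.apko.yaml hello:latest hello.tar` to assemble the image tarball. Because apko only resolves and unpacks packages, repeating the last command against the same package set yields an identical image, which is the property the paragraph above is describing.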
Chainguard Images
All these tools were built so we could create Chainguard Images, our hardened, minimal container images that are secure by default. Without Wolfi, we wouldn't be able to rebuild and update images at the speed required to meet our low-CVE standards. Without apko and Melange we wouldn't have complete build-time SBOMs (software bills of materials) and reproducible builds. With these tools we have been able to create something game-changing, so make sure to check out our Images and save your team hours investigating and triaging vulnerabilities.
Tell me more!
To get the full details on how and why we built a distro, check out the presentation available below. Note that this presentation was created for PackagingCon, so it's heavy on packaging details.
If you'd like to learn more about Wolfi please take a look at Chainguard Academy and our GitHub repo.
You can find me on X at @adrianmouat if you have any questions.