There is a virtuous cycle in technology that pushes the boundaries of what is being built and how it's being used. A new technology breakthrough emerges and captures the world's attention. People start experimenting and discover novel applications, use cases, and approaches to maximize the innovation's potential. These use cases generate significant value, fueling demand for the next iteration of the innovation, and in turn, a new wave of innovators create the next generation of use cases, driving further advancements.
Containerization has become the foundation of modern, cloud-native software development, supporting new use cases and approaches to building resilient, scalable, and portable applications. It also holds the keys to the next software delivery innovation, simultaneously necessitating the evolution to secure-by-design, continuously-updated software and serving as the means to get there.
Below, I'll talk through some of the innovations that led to our containerized revolution, as well as some of the characteristics of cloud-native software development that have led to this inflection point – one that has primed the world to move away from traditional Linux distros and towards a new approach to open source software delivery.
Iteration has moved us closer to ubiquity
There have been many innovations that have paved the way for more secure, performant open source delivery. In the interest of your time and my word count I'll call out three particular milestones. Each step, from Linux Containers (LXC) to Docker and ultimately the Open Container Initiative (OCI), built upon its predecessor, addressing limitations and unlocking new possibilities.
LXC laid the groundwork by harnessing the Linux kernel's capabilities (namely cgroups and namespaces) to create lightweight, isolated environments. For the first time, developers could bundle applications with their dependencies, offering a degree of consistency across different systems. However, LXC's complexity for users and its lack of a standardized image distribution catalog hindered widespread adoption.
Docker emerged as a game-changer, democratizing container technology. It simplified the process of creating, running, and sharing containers, making them accessible to a broader audience. Docker's user-friendly interface and the creation of Docker Hub, a central repository for container images, fostered a vibrant ecosystem. This ease of use fueled rapid adoption, but also raised concerns about vendor lock-in and the need for interoperability.
Recognizing the potential for fragmentation, the OCI (Open Container Initiative) stepped in to standardize container formats and runtimes. By defining open specifications, the OCI ensured that containers could be built and run across different platforms, fostering a healthy, competitive landscape. Projects like runC and containerd, born from the OCI, provided a common foundation for container runtimes and enabled greater portability and interoperability.
The OCI standards also enabled Kubernetes (another vendor-neutral standard) to become a truly portable platform, capable of running on a wide range of infrastructure and allowing organizations to orchestrate their applications consistently across different cloud providers and on-premises environments. This standardization and its associated innovations unlocked the full potential of containers, paving the way for their ubiquitous presence in modern software development.
[Containerized] software is eating the world
The advancements in Linux, the rapid democratization of containers through Docker, and the standardization of OCI were all propelled by necessity, with the evolution of cloud-native app use cases pushing orchestration and standardization forward. These cloud-native application characteristics also highlight why a general-purpose approach to Linux distros no longer serves software developers with the most secure, up-to-date foundations to build on:
- Microservice-oriented architecture: Cloud-native applications are typically built as a set of small, independent services, with each microservice performing a specific function. Each of these microservices can be built, deployed, and maintained independently, which provides a tremendous amount of flexibility and resiliency. Because each microservice is independent, software developers don't require complete software packages to run a microservice, relying only on the bare essentials within a container.
- Resource-conscious and efficient: Cloud-native applications are built to be efficient and resource-conscious to minimize load on infrastructure. This stripped-down approach naturally aligns well with containers and an ephemeral deployment strategy, with new containers being deployed constantly and other workloads being updated to the latest code available. This cuts down security risk by taking advantage of the latest software packages, rather than waiting for distro patches and backports.
- Portability: Cloud-native applications are designed to be portable, with consistent performance and reliability regardless of where the application is running. Because containers standardize the environment, developers can move beyond the age-old "it worked fine on my machine" headaches of the past.
The virtuous cycle of innovation driving new use cases and ultimately new innovations is evident when it comes to containerization and the widespread adoption of cloud-native applications. Critically, this inflection point of innovation and use case demands has driven an incredible rate of change within open source software: we've reached a point where the security, performance, and innovation drawbacks of traditional "frozen-in-time" Linux distros outweigh the familiarity and perceived stability of the last generation of software delivery.
So what should the next generation of open source software delivery look like?
Enter: Chainguard OS
To meet modern security, performance, and productivity expectations, software developers need the latest software in the smallest form designed for their use case, without any of the CVEs that lead to risk for the business (and a list of "fix-its" from the security teams). Making good on these parameters requires more than just making over the past. Instead, the next generation of open source software delivery needs to start from the source of secure, up-to-date software: the upstream maintainers.
That's why Chainguard built this new distroless approach, continuously rebuilding software packages based not on downstream distros but on the upstream sources that are eliminating vulnerabilities and adding performance improvements. We call it Chainguard OS.
Chainguard OS serves as the foundation for the broad security, efficiency, and productivity outcomes that Chainguard products deliver today, "Chainguarding" a rapidly growing catalog of over 1,000 container images.
Chainguard OS adheres to four key principles to make that possible:
- Continuous Integration and Delivery: Emphasizes the continuous integration, testing, and release of upstream software packages, ensuring a streamlined and efficient development pipeline through automation.
- Nano Updates and Rebuilds: Favors continual incremental updates and rebuilds over major release upgrades, ensuring smoother transitions and minimizing disruptive changes.
- Minimal, Hardened, Immutable Artifacts: Strips away unnecessary vendor bloat from software artifacts, making sidecar packages and extras optional to the user while enhancing security through hardening measures.
- Delta Minimization: Keeps deviations from upstream to a minimum, incorporating extra patches only when essential and only for as long as necessary until a new release is cut from upstream.
Perhaps the best way to highlight the value of Chainguard OS's principles is to see the impact in Chainguard Images.
In the screenshot below (and viewable here), you can see a side-by-side comparison between an external <python:latest> image and the <cgr.dev/chainguard/python:latest> Chainguard Image.
Aside from the very clear discrepancy in the vulnerability count, it's worth examining the size difference between the two container images. The Chainguard image comprises just 6% of the size of the open source alternative image.
Along with the minimized image size, the Chainguard image was last updated just an hour prior to the screengrab, something that happens every day:
A quick scan of the provenance and SBOM data illustrates the end-to-end integrity and immutability of the artifacts: a sort of full nutrition label that underscores the security and transparency that a modern approach to open source software delivery can provide.
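As an added illustration (not part of the original post and not Chainguard's own tooling), the following Python script shows the kind of checks a consumer can run against that nutrition label before deploying an image: it takes a constructed in-toto statement carrying SLSA provenance and a constructed SPDX SBOM for a placeholder digest, and reports a finding if the provenance is not bound to that exact digest, if the build is older than a freshness window, or if the SBOM is empty or malformed. The image name, digest and timestamps are invented for the example.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample artifacts (not real Chainguard data): an in-toto Statement
# carrying SLSA provenance and a minimal SPDX 2.3 SBOM for one placeholder digest.
IMAGE_DIGEST = "sha256:" + "ab" * 32  # placeholder, not a real image digest
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "example.invalid/python", "digest": {"sha256": IMAGE_DIGEST[7:]}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"metadata": {"buildFinishedOn": "2024-05-01T11:00:00Z"}},
}
SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "python", "versionInfo": "3.12.3", "SPDXID": "SPDXRef-python"},
        {"name": "glibc", "versionInfo": "2.39-r2", "SPDXID": "SPDXRef-glibc"},
    ],
}
# Constructed "current time": one hour after the build, as in the screenshot.
SAMPLE_NOW = datetime(2024, 5, 1, 12, tzinfo=timezone.utc)
TWO_DAYS_LATER = SAMPLE_NOW + timedelta(days=2)


def check_label(image_digest, provenance, sbom, now, max_age=timedelta(hours=24)):
    """Return a list of findings; an empty list means the label checks out."""
    findings = []
    # 1. The provenance must be bound to exactly the digest we intend to run.
    subjects = {"sha256:" + s["digest"]["sha256"] for s in provenance.get("subject", [])}
    if image_digest not in subjects:
        findings.append("provenance subject does not match image digest")
    if not provenance.get("predicateType", "").startswith("https://slsa.dev/provenance/"):
        findings.append("predicate is not SLSA provenance")
    # 2. Freshness: a continuously rebuilt image should carry a recent build time.
    built = provenance.get("predicate", {}).get("metadata", {}).get("buildFinishedOn")
    if built is None:
        findings.append("no build timestamp in provenance")
    elif now - datetime.fromisoformat(built.replace("Z", "+00:00")) > max_age:
        findings.append("image build is older than the allowed freshness window")
    # 3. SBOM sanity: an SPDX document with at least one package and unique, present IDs.
    pkgs = sbom.get("packages", [])
    ids = [p.get("SPDXID") for p in pkgs]
    if not sbom.get("spdxVersion", "").startswith("SPDX-") or not pkgs:
        findings.append("SBOM is missing or empty")
    elif None in ids or len(set(ids)) != len(ids):
        findings.append("SBOM package IDs are missing or duplicated")
    return findings


if __name__ == "__main__":
    print(check_label(IMAGE_DIGEST, PROVENANCE, SBOM, SAMPLE_NOW))
```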
Each Chainguard image stands as a practical example of the value Chainguard OS provides, offering a stark alternative to what has come before it. Perhaps the best indicator is the feedback we've received from customers, who've shared how Chainguard's container images have helped eliminate CVEs, secure their supply chains, achieve and maintain compliance, and reduce developer toil, enabling them to re-allocate precious developer resources.
Our belief is that Chainguard OS's principles and approach can be applied to a variety of use cases, extending the benefits of continuously rebuilt-from-source software packages to even more of the open source ecosystem.
If you found this helpful, be sure to check out our whitepaper on this subject or contact our team to talk to an expert on Chainguard's distroless approach.
Note: This article is expertly written and contributed by Dustin Kirkland, VP of Engineering at Chainguard.