There is a virtuous cycle in technology that pushes the boundaries of what is being built and the way it's being used. A new technological development emerges and captures the world's attention. People begin experimenting and discover novel applications, use cases, and approaches to maximize the innovation's potential. These use cases generate significant value, fueling demand for the next iteration of the innovation, and in turn a new wave of innovators creates the next generation of use cases, driving further advancements.
Containerization has become the foundation of modern, cloud-native software development, supporting new use cases and approaches to building resilient, scalable, and portable applications. It also holds the keys to the next software delivery innovation, simultaneously necessitating the evolution to secure-by-design, continuously-updated software and serving as the means to get there.
Below, I'll talk through some of the innovations that led to our containerized revolution, as well as some of the characteristics of cloud-native software development that have led to this inflection point: one that has primed the world to move away from traditional Linux distros and towards a new approach to open source software delivery.
Iteration has moved us closer to ubiquity
There have been many innovations that have paved the way for more secure, performant open source delivery. In the interest of your time and my word count, I'll call out three particular milestones. Each step, from Linux Containers (LXC) to Docker and ultimately the Open Container Initiative (OCI), built upon its predecessor, addressing limitations and unlocking new possibilities.
LXC laid the groundwork by harnessing the Linux kernel's capabilities (specifically cgroups and namespaces) to create lightweight, isolated environments. For the first time, developers could package applications with their dependencies, offering a degree of consistency across different systems. However, LXC's complexity for users and its lack of a standardized image distribution catalog hindered widespread adoption.
Docker emerged as a game-changer, democratizing container technology. It simplified the process of creating, running, and sharing containers, making them accessible to a broader audience. Docker's user-friendly interface and the creation of Docker Hub, a central repository for container images, fostered a vibrant ecosystem. This ease of use fueled rapid adoption, but also raised concerns about vendor lock-in and the need for interoperability.
Recognizing the potential for fragmentation, the OCI (Open Container Initiative) stepped in to standardize container formats and runtimes. By defining open specifications, the OCI ensured that containers could be built and run across different platforms, fostering a healthy, competitive landscape. Projects like runC and containerd, born from the OCI, provided a common foundation for container runtimes and enabled greater portability and interoperability.
The OCI standards also enabled Kubernetes (another vendor-neutral standard) to become a truly portable platform, capable of running on a wide range of infrastructure and allowing organizations to orchestrate their applications consistently across different cloud providers and on-premises environments. This standardization and its associated innovations unlocked the full potential of containers, paving the way for their ubiquitous presence in modern software development.
[Containerized] software is eating the world
The advancements in Linux, the rapid democratization of containers through Docker, and the standardization of OCI were all propelled by necessity, with the evolution of cloud-native app use cases pushing orchestration and standardization forward. These cloud-native application characteristics also highlight why a general-purpose approach to Linux distros no longer serves software developers with the most secure, up-to-date foundations to build on:
- Microservice-oriented architecture: Cloud-native applications are typically built as a collection of small, independent services, with each microservice performing a specific function. Each of these microservices can be built, deployed, and maintained independently, which provides a tremendous amount of flexibility and resiliency. Because each microservice is independent, software developers don't require entire software packages to run a microservice, relying only on the bare essentials within a container.
- Resource-conscious and efficient: Cloud-native applications are built to be efficient and resource-conscious to minimize load on infrastructure. This stripped-down approach naturally aligns well with containers and an ephemeral deployment strategy, with new containers being deployed constantly and other workloads being updated to the latest code available. This cuts down security risk by taking advantage of the latest software packages, rather than waiting for distro patches and backports.
- Portability: Cloud-native applications are designed to be portable, with consistent performance and reliability regardless of where the application is running. Thanks to containers standardizing the environment, developers can move past the age-old "it worked fine on my machine" headaches of the past.
The virtuous cycle of innovation driving new use cases and ultimately new innovations is clear when it comes to containerization and the widespread adoption of cloud-native applications. Critically, this inflection point of innovation and use case demands has driven an incredible rate of change within open source software: we've reached a point where the security, performance, and innovation drawbacks of traditional "frozen-in-time" Linux distros outweigh the familiarity and perceived stability of the last generation of software delivery.
So what should the next generation of open source software delivery look like?
Enter: Chainguard OS
To meet modern security, performance, and productivity expectations, software developers need the latest software in the smallest form designed for their use case, without any of the CVEs that lead to risk for the business (and a list of "fix-its" from the security teams). Making good on these parameters requires more than just making over the past. Instead, the next generation of open source software delivery needs to start from the source of secure, up-to-date software: the upstream maintainers.
That's why Chainguard built this new distroless approach, continuously rebuilding software packages based not on downstream distros but on the upstream sources that are eliminating vulnerabilities and adding performance improvements. We call it Chainguard OS.
Chainguard OS serves as the foundation for the broad security, efficiency, and productivity outcomes that Chainguard products deliver today, "Chainguarding" a rapidly growing catalog of over 1,000 container images.
Chainguard OS adheres to four key principles to make that possible:
- Continuous Integration and Delivery: Emphasizes the continuous integration, testing, and release of upstream software packages, ensuring a streamlined and efficient development pipeline through automation.
- Nano Updates and Rebuilds: Favors continuous incremental updates and rebuilds over major release upgrades, ensuring smoother transitions and minimizing disruptive changes.
- Minimal, Hardened, Immutable Artifacts: Strips away unnecessary vendor bloat from software artifacts, making sidecar packages and extras optional to the user while enhancing security through hardening measures.
- Delta Minimization: Keeps deviations from upstream to a minimum, incorporating extra patches only when essential and only for as long as necessary until a new release is cut from upstream.
Perhaps the best way to highlight the value of Chainguard OS's principles is to see the impact in Chainguard Images.
In the screenshot below (and viewable here), you can see a side-by-side comparison between an external

Aside from the very clear discrepancy in the vulnerability count, it's worth examining the size difference between the two container images. The Chainguard image comprises just 6% of the size of the open source alternative image.
Along with the minimized image size, the Chainguard image was last updated just an hour prior to the screengrab, something that happens every day:

A quick scan of the provenance and SBOM data illustrates the end-to-end integrity and immutability of the artifacts: a kind of full nutrition label that underscores the security and transparency that a modern approach to open source software delivery can provide.

Each Chainguard image stands as a practical example of the value Chainguard OS provides, offering a stark alternative to what has come before it. Perhaps the greatest indicator is the feedback we've received from customers, who've shared how Chainguard's container images have helped eliminate CVEs, secure their supply chains, achieve and maintain compliance, and reduce developer toil, enabling them to re-allocate precious developer resources.
Our belief is that Chainguard OS's principles and approach can be applied to a wide variety of use cases, extending the benefits of continuously rebuilt-from-source software packages to even more of the open source ecosystem.
If you found this helpful, be sure to check out our whitepaper on this topic or contact our team to talk to an expert on Chainguard's distroless approach.
Note: This article is expertly written and contributed by Dustin Kirkland, VP of Engineering at Chainguard.