DEV Community: Henrique Santos The latest articles on DEV Community by Henrique Santos (@henriquencmt). https://dev.to/henriquencmt https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1239354%2F13ffdb27-d65d-4418-8da1-d2c5b2820a72.jpeg DEV Community: Henrique Santos https://dev.to/henriquencmt en Distroless images using melange and apko Henrique Santos Fri, 22 Dec 2023 17:16:17 +0000 https://dev.to/henriquencmt/distroless-images-using-melange-and-apko-2k3i https://dev.to/henriquencmt/distroless-images-using-melange-and-apko-2k3i <p>TL;DR - Beyond <em>size</em>, which can save time and resources, distroless images* have their <em>complexity</em> and <em>attack surface</em> reduced**. In this post, we are going to use <em>melange</em> and <em>apko,</em> from Chainguard, to build an apk package with a small Rust program, build an OCI image from it and then load it with Docker.</p> <p>* “Distroless” doesn’t mean that the image has no distro at all. The idea is to work with minimal images, so we should bring into it only the essentials for our apps to run, leaving out shells, package managers, etc.</p> <p>** <a href="https://www.chainguard.dev/unchained/image-sizes-miss-the-point" rel="noopener noreferrer">Image sizes miss the point</a></p> <p>** ”<em>standardization and quality of the software in your direct execution path lowers your attack surface more than distroless does</em>” - <a href="https://www.redhat.com/en/blog/why-distroless-containers-arent-security-solution-you-think-they-are" rel="noopener noreferrer">Why distroless containers aren't the security solution you think they are</a></p> <p>** <a href="https://www.chainguard.dev/unchained/understanding-attacker-techniques-for-distroless-containers" rel="noopener noreferrer">Understanding attacker techniques in distroless containers</a> </p> <h3> Table Of Contents </h3> <ul> <li>Sample Rust program</li> <li>Building apks with melange</li> <li>Building OCI images with apko</li> <li>Scanning for vulnerabilities</li> <li>Source code</li> <li>References</li> </ul> <h3> Sample Rust program <a></a> </h3> <p>We are going to build a small Rust program that prints a random value every time we run it.</p> <p>Create a new Rust project:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> cargo new random <span class="o">&amp;&amp;</span> <span class="nb">cd </span>random </code></pre> </div> <p>Add <code>rand</code> crate to your project:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> cargo add rand </code></pre> </div> <p>or manually add this to your <code>Cargo.toml</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code> <span class="nn">[dependencies]</span> <span class="py">rand</span> <span class="p">=</span> <span class="s">"0.8.5"</span> </code></pre> </div> <p>Add this code to <code>main.rs</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code> <span class="k">use</span> <span class="nn">rand</span><span class="p">::</span><span class="n">Rng</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">rng</span> <span class="o">=</span> <span class="nn">rand</span><span class="p">::</span><span class="nf">thread_rng</span><span class="p">();</span> <span class="k">let</span> <span class="n">number</span><span class="p">:</span> <span class="nb">u8</span> <span class="o">=</span> <span class="n">rng</span><span class="nf">.gen</span><span class="p">();</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"{}"</span><span class="p">,</span> <span class="n">number</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Run it:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> cargo run </code></pre> </div> <h3> Building apks with melange <a></a> </h3> <p><a href="https://github.com/chainguard-dev/melange" rel="noopener noreferrer"><strong>melange</strong></a> allows us to build .apk packages (compatible with <a href="https://wiki.alpinelinux.org/wiki/Package_management" rel="noopener noreferrer">apk</a>, the package manager used by Alpine Linux distro) using declarative YAML pipelines.</p> <p>First, create a file <code>melange.yaml</code> and add the following instructions to it:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">package</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">random</span> <span class="na">version</span><span class="pi">:</span> <span class="s">0.1.0</span> <span class="na">description</span><span class="pi">:</span> <span class="s">random number generator</span> <span class="na">target-architecture</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">all</span> <span class="na">copyright</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">license</span><span class="pi">:</span> <span class="s">Apache-2.0</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="na">repositories</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://dl-cdn.alpinelinux.org/alpine/edge/main</span> <span class="pi">-</span> <span class="s">https://dl-cdn.alpinelinux.org/alpine/edge/community</span> <span class="na">packages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">alpine-baselayout-data</span> <span class="pi">-</span> <span class="s">ca-certificates-bundle</span> <span class="pi">-</span> <span class="s">busybox</span> <span class="pi">-</span> <span class="s">cargo</span> <span class="na">pipeline</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Rust application</span> <span class="na">runs</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">TARGETDIR="$(mktemp -d)"</span> <span class="s">cargo build --release --target-dir "${TARGETDIR}"</span> <span class="s">mkdir -p "${{targets.destdir}}/usr/bin"</span> <span class="s">mv "${TARGETDIR}/release/random" "${{targets.destdir}}/usr/bin"</span> </code></pre> </div> <p><a href="https://github.com/chainguard-dev/melange/blob/main/docs/BUILD-FILE.md" rel="noopener noreferrer">You can get more info about these fields here</a></p> <p>We are going to use two Docker images to generate a temporary keypair and to build the apk package, so we have to pull them:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker pull ghcr.io/wolfi-dev/sdk docker pull cgr.dev/chainguard/sdk </code></pre> </div> <p>Generate a temporary keypair to sign your melange packages:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker run <span class="nt">--rm</span> <span class="nt">-v</span> <span class="s2">"</span><span class="k">${</span><span class="nv">PWD</span><span class="k">}</span><span class="s2">"</span>:/work <span class="nt">--entrypoint</span><span class="o">=</span>melange <span class="nt">--workdir</span><span class="o">=</span>/work ghcr.io/wolfi-dev/sdk keygen </code></pre> </div> <p>Build an apk for your host architecture:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker run <span class="nt">--rm</span> <span class="nt">--privileged</span> <span class="nt">-v</span> <span class="s2">"</span><span class="k">${</span><span class="nv">PWD</span><span class="k">}</span><span class="s2">"</span>:/work <span class="se">\</span> <span class="nt">--entrypoint</span><span class="o">=</span>melange <span class="nt">--workdir</span><span class="o">=</span>/work <span class="se">\</span> cgr.dev/chainguard/sdk build melange.yaml <span class="se">\</span> <span class="nt">--arch</span> host <span class="se">\</span> <span class="nt">--signing-key</span> melange.rsa </code></pre> </div> <p>A folder named <code>packages</code> should be created with the generated apks.</p> <p>Now, we can to build an image and install our apk package on it. We’ll do this with apko.</p> <h3> Building OCI images with apko <a></a> </h3> <p><a href="https://github.com/chainguard-dev/apko" rel="noopener noreferrer">apko</a> allows us to build <a href="https://opencontainers.org/" rel="noopener noreferrer">OCI container</a> images from .apk packages.</p> <p>Create a file <code>apko.yaml</code> and add the following content to it:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">contents</span><span class="pi">:</span> <span class="na">repositories</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://dl-cdn.alpinelinux.org/alpine/edge/main</span> <span class="pi">-</span> <span class="s">/work/packages</span> <span class="na">packages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">alpine-baselayout-data</span> <span class="pi">-</span> <span class="s">random</span> <span class="na">accounts</span><span class="pi">:</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">groupname</span><span class="pi">:</span> <span class="s">nonroot</span> <span class="na">gid</span><span class="pi">:</span> <span class="m">65532</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">username</span><span class="pi">:</span> <span class="s">nonroot</span> <span class="na">uid</span><span class="pi">:</span> <span class="m">65532</span> <span class="na">run-as</span><span class="pi">:</span> <span class="m">65532</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="s">/usr/bin/random</span> </code></pre> </div> <p><a href="https://github.com/chainguard-dev/apko/blob/main/docs/apko_file.md" rel="noopener noreferrer">You can get more info about these fields here</a></p> <p>Build the image (we are using <a href="http://ghcr.io/wolfi-dev/sdk" rel="noopener noreferrer">ghcr.io/wolfi-dev/sdk</a> here):</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker run <span class="nt">--rm</span> <span class="nt">-v</span> <span class="s2">"</span><span class="k">${</span><span class="nv">PWD</span><span class="k">}</span><span class="s2">"</span>:/work <span class="se">\</span> <span class="nt">--entrypoint</span><span class="o">=</span>apko <span class="nt">--workdir</span><span class="o">=</span>/work ghcr.io/wolfi-dev/sdk build <span class="nt">--debug</span> apko.yaml <span class="se">\</span> distroless/random random.tar <span class="nt">-k</span> melange.rsa.pub <span class="se">\</span> <span class="nt">--arch</span> host </code></pre> </div> <p>Run it:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">ARCH_REF</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>docker load &lt; random.tar | <span class="nb">grep</span> <span class="s2">"Loaded image"</span> | <span class="nb">sed</span> <span class="s1">'s/^Loaded image: //'</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span><span class="s2">"</span> docker run <span class="s2">"</span><span class="k">${</span><span class="nv">ARCH_REF</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <p>You can call <code>echo $ARCH_REF</code> or <code>docker images</code> to get your image repository and tag. It should be like this: <code>distroless/random:latest-&lt;host-arch-here&gt;</code>.</p> <h3> <strong>Scanning for vulnerabilities</strong> <a></a> </h3> <p>Let’s scan our image and see if we detect any vulnerabilities.</p> <p>Using <a href="https://github.com/docker/scout-cli" rel="noopener noreferrer">Docker Scout</a>:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker scout cves <span class="s2">"</span><span class="k">${</span><span class="nv">ARCH_REF</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo29p6u3wveyz5tyg2vyn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo29p6u3wveyz5tyg2vyn.png" alt="Scan results using Docker Scout"></a></p> <p>Using <a href="https://aquasecurity.github.io/trivy" rel="noopener noreferrer">Trivy</a>:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> trivy image <span class="s2">"</span><span class="k">${</span><span class="nv">ARCH_REF</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvjslcpmusqt357mombu6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvjslcpmusqt357mombu6.png" alt="Scan results using Trivy"></a></p> <p>Using <a href="https://github.com/anchore/grype" rel="noopener noreferrer">Grype</a>:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> grype <span class="s2">"</span><span class="k">${</span><span class="nv">ARCH_REF</span><span class="k">}</span><span class="s2">"</span> <span class="nt">--scope</span> all-layers </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F727eivj4r6hq8fuqwstb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F727eivj4r6hq8fuqwstb.png" alt="Scan results using Grype"></a></p> <h3> <strong>Source code</strong> <a></a> </h3> <p>Get the code for this lab here: <a href="https://github.com/henriquencmt/distroless-melange-apko" rel="noopener noreferrer">https://github.com/henriquencmt/distroless-melange-apko</a></p> <h3> <strong>References</strong> <a></a> </h3> <ul> <li><a href="https://www.chainguard.dev/unchained/minimal-container-images-towards-a-more-secure-future" rel="noopener noreferrer">Minimal container images: Towards a more secure future</a></li> <li><a href="https://github.com/chainguard-dev/hello-melange-apko" rel="noopener noreferrer">hello-melange-apko</a></li> <li><a href="https://github.com/chainguard-dev/melange/tree/main/docs" rel="noopener noreferrer">melange docs</a></li> <li><a href="https://github.com/chainguard-dev/apko/tree/main/docs" rel="noopener noreferrer">apko docs</a></li> <li><a href="https://www.rust-lang.org/learn/get-started" rel="noopener noreferrer">Rust</a></li> <li><a href="https://crates.io/crates/rand" rel="noopener noreferrer">rand crate</a></li> </ul> distroless docker melange apko