►
From YouTube: Container Images for the Cloud Native Era
Description
As the container ecosystem matures, there is an increased need for new standards and runtime environments that take into consideration security and provenance concerns, driving the next generation of tools and recommended practices to build container images.
Let's discuss the latest developments in distroless images and the open-source container toolkit developed by Chainguard to build Wolfi, the first Linux un-distro created specifically for the Cloud Native Era.
A
A
A
If
you
are
running
containers
in
production-
and
mostly
you
are
you
end
up
facing
issues
include
container
images
tend
to
lag
behind.
Upstream
updates,
resulting
in
user
running
images
with
known
vulnerabilities.
The
common
distribution
used
in
container
images
also
lag
behind
Upstream
versions,
resulting
in
user.
Installing
packages
manually
or
outside
of
package
managers.
Container
images
typically
contain
more
software
than
they
need
to
resulting
in
an
unnecessarily
increased
attack.
A
Surface
many
container
images
have
no
provenance
information,
making
it
difficult
to
verify
where
they
come
from,
or
if
someone
has
tampered
with
them,
they
are
typically
not
designed
to
meet
compliance
requirement
or
standard
like
slsa.
So,
let's
go
straight
to
our
guest
and
start
learning
about
some
buzzword
in
software
supply,
chain,
security,
provenance
signatures
and
software
buildup
materials.
So
thank
you
very
much.
Much
for
joining
and
I
go
to
Erica
hi
the
developer
experience
at
qian
God.
Thank
you
very
much
for
joining
the
show.
Can
you
give
a
brief
intro
of
yourself
to
our
audience.
B
Yes
sure,
hello,
everyone
thanks
for
having
me
time
and
so
I'm
Eric,
Heidi
and
I
work
as
developer
experience,
engineer
at
chain
guard,
so
I'm
involved
with
documentation
and
educational
resources
and
also
like
learning
about
the
tools
so
that
I
can
teach
how
how
to
use
them
help
developers
make
the
best
of
the
tools
that
we
develop
and
we
in
the
last
few
months,
I've
been
involved
with
the
projects
that
we
have,
that
are
that
are
related
to
container
images,
building
better
container
images.
B
So
that's
what
I'll
be
talking
here
today.
So
we
have
a
few
different
open
source
projects
that
power
our
products
and
so
yeah
I'm,
going
to
talk
a
little
bit
about
loafy
as
well,
and
then
I
will
talk
about
the
tools
to
show
a
more
technical
overview
of
how
how
the
how
wolf
is
built.
That's
kind
of
what
this
goes
where
this
goes.
B
I
actually
had
a
talk
about
apko,
specifically
and
I,
just
added
a
few
slides,
so
I'm
going
to
talk
a
little
bit
about
the
the
overview
of
how
these
tools
interact
together,
like
how
they
they
relate
to
each
other
and
how
we
use
them
to
build
vothy
and
also
I'll
show
some
some
files
how
how
the
packages
are
built,
so
I'm
gonna
give
a
little.
Maybe
we
can
try
a
demo,
let's
see
how
it
goes.
Yes,.
A
A
We
will
find
all
those
things
a
great
place
to
talk
about
containers
or
any
question
related
to
softness
and
lighting
security
and
plus.
This
is
a
cute
gun
coming
up
next
week
and
there
is
a
six
to
work
on
that
is
happening.
I
think
in
25th
of
October
there's
a
very
wonderful
list
of
talks
that
you
should
want
to
listen
to
so
go
and
try
to
get
involved
with
a
six-store
community
and
now
I'm
sharing
the
screen
on
this
for
the
everyone
and
now
Erica.
You
can
start
talking
about.
B
All
right,
so,
let's
get
started
so
I'm
going
to
talk
about
both
fee
apq
and
melange
that
are
OSS
kind
of
a
toolkit
for
putting
your
images
that
we
developed,
so
I
will
start
with
an
ecosystem
overview
and
talk
a
little
bit
how
how
the
these
projects
work
together.
B
So,
let's
start
with
volvi,
that's
like
the
everyone
is
talking
about
so
wealthy
is
nothing
less
nothing
more
than
a
tiny
Linux
distribution
and
we
call
it
an
undist
row
because,
unlike
regular
Linux
distributions,
there
is
no
kernel.
There
are
no
like
main
pages
and
there
is
no
a
lot,
not
a
lot
of
stuff,
it's
very
minimalist,
and
so
you
can
think
about
the
other,
the
other
distros
they
are
made,
for
they
are
multi-purpose
right.
So
you
can
run
on
a
desktop.
You
can
run
in
lots
of
places.
B
There
was
not
a
like
a
very
specific
two
containers,
this
row
yet
and
the
other
distros
what
they
usually
do
is
they
take
things
out
so
build
to
work
as
a
container
based
image.
But
in
the
case
of
Wolfie
like
there
is
kind
of
there
is
nothing
and
then
the
things
are
added.
Like
very
meticulously,
so
we
have
it's
very
tight.
B
It
is
based
on
APK
the
Alpine
package
manager.
So
that's
the
package
management
that
we
have
on
Wolfie,
but
one
important
thing
is
that
the
APK
tools
is
not
installed
by
the
foot,
so
it
the
the
this
relaxed
images
that
we
built
with
Wolfie.
Typically
don't
have
a
package
manager
that
you
can
run
APK
ads
and
install
new
packages
because
the
the
images
are
made
to
be
destroyless.
B
But
this
is
another
subject
that
we'll
talk
later
when
I
talk
about
apq
so
wealthy,
the
the
easiest
way
to
explain
Wolfie
I
think
is
to
compare
it
with
alpine
because
that's
the
the
distro
we
have
based
on
APK
and
but
the
difference
is
that
Alpine
uses
muzzle
and
Wolfie.
As
of
now,
we
are
using
jlib
C,
but
we
will
have
a
muzzle,
also
version,
let's
see
later
on.
So
this
is
the
the
compilers
and
stuff
I.
Don't
know
a
lot
about
that.
B
But
I
read
enough
just
to
understand
the
differences,
and
one
thing
that's
I
really
I
find
that
is
really
great,
that
you
can
go
to
the
wolfy
repository
on
GitHub
and
you
can
see
actually
all
the
packages
that
are
already
available.
They
are
defined
as
a
yml
file
and
they
are
built
with
no
lunch,
which
is
the
other,
the
the
other
two
that
I'm
going
to
talk
about.
B
So
my
lunch
is
a
basically
a
declarative,
APK
Builder
2
and
we
use
melanch
to
build
apks
and
these
apks
they
can
they.
This
is
like
similar
to
a
package
that
you
install
with
apt
right
on
Ubuntu.
We
are
I
think
most
people
might
be
more
used
to
apt
apt
gets
installed
and
then
in
the
case
of
APK,
is
the
package
manager
from
Alpine.
So
it's
it's
likely
different.
B
The
way
it
works
and
it
works
great
for
a
declarative
pipeline,
because
you
declare
how
you
want
your
system
or
how
you
want
your
package
in
this
case
and
then
the
tool
will
build
it
for
you.
B
I
have
a
few
considerations
about
why
APK
later
on
I
mean
I
talk
about
apq,
so
melange
is
part
of
the
building
toolkit
behind
bothi
and
chain
guard
images.
So
these
this
is
that
took
that
builds
the
packages
that
are
using
in
both.
But
it's
not
Wolfie
specific.
You
can
build
AP
keys
for
to
use
with
alpine
as
well.
B
It
Is
multi-architecture
by
default
uses
key
and
mu,
so
you
can
do
it
for
several
platforms
at
once
and
you
can
use
the
the
actual
there's
a
type
they
may
launch
image
with
Docker,
and
then
you
can
build
from
any
system
like
in
my
case,
I
run
Ubuntu
on
my
personal
machine
and
then
I
run
Docker
I
run
the
melange
image
with
Docker
and
I
can
build
the
packages
for
any
platform.
B
So
that
was
my
lunch
and
then
we
have
apq,
so
apq
I
think
it's
my
favorite
I,
like
both
melange
and
apq
work
together,
but
apko
is
like
it's.
The
I
would
say
it's.
The
leaf
is
the
thing
that
is
easier
to
grasp,
because
you
can,
you
are
more
user
to
work
with
Docker
files
and
build
images
than
you
are
used
to
build
packages
right
melange
is
a
bit
more
complex
because
you
want
to.
B
You
need
to
actually
run,
let's
say
the
steps
to
configure
and
build
a
package
from
source
to
build
your
APK
most
of
times,
depending
on
what
you
are
installing,
what
you
are
packaging.
So
it's
a
bit
more
complex,
but
Beauty.
The
container
image
is
something
that
we
are
more
in
user
to.
So
it's
easier
to
relate
to.
Let's
see
apko
uses
yml.
This
is
a
declarative
language
based
on
IML
to
create
images,
container
images
based
on
the
oci
formats.
B
That
is
a
standard
format
for
container
images
that
is
compatible
with
Docker
and
other
runtimes.
So
it
is
part
of
the
beauty
toolkit
behind
morphe,
so
APK
or
in
my
lunch
together.
Actually,
apq
is
not
relevant
in
the
context
of
Wolfie,
but
for
building
chain
guard
images,
because
that's
when
you
are
using
this
tool
to
to
generate
the
images
that
are
based
on
both
feet,
so
the
builds
are
fully
reproducible.
There
are
a
few
different
things
that
enable
that
yml
is.
B
It
helps
because
it's
a
kind
of
a
declarative
language
and
also
you
define
this
state
at
once.
It's
not
like
Steps,
but
it
could
be.
But
in
this
case
we
Define
a
lot
a
list
of
packages
that
you
want
to
install
on
that
on
that
image
and
then
the
build
will
only
finish
successfully
if
all
the
packages
can
be
installed.
So
this
is
one
of
the
things
that
APK
the
package
manager
has
different
from
apt,
because
when
you
install
packages
with
apt
on
a
Debian
based
this
row,
then
you
have
steps.
B
You
know
you
install
one
and
you
install
two
and
you
install
three
when
you,
when
you
talk
about
AP
key,
it
will
try
to
resolve
all
this.
The
the
packages
that
you
you
make
a
change
to
the
system
and
then
it
will
try
to
reach
that
state.
B
If
some
package
cannot
be
resolved,
then
everything
is
gonna
just
fail
and
it's
not
going
to
change
the
system
state.
So
it's
easier,
it
doesn't
need
to
any
kind
of
roll
back
uninstall
something
or
do
anything,
because
things
will
only
change
if
they
can
be
changed
kind
of
so
the
importance
the
most
important
thing
is
I.
Think
about
apko
is
that
they
are
reproducible,
the
builds
are
reproducible
and
they
generate
s-bombs.
So
what
is
an
s-bomb?
B
An
s-bomb
is
a
software
bill
of
materials,
and
it
contains
a
list
of
all
the
software
that
is
installed
in
a
project
like
in
a
library
or
wherever
it
is
that
we
are
talking
about
in
this
case
container
images,
so
the
s-bomb
will
accounts
for
all
packages.
There
are
in
that
image
and
in
this
case
it
is
very
reliable
and
it's
a
really
high
quality
as
a
bone
generated,
because
you
don't
have
like
ex
steps
like
in
Docker,
for
instance,
and
Docker
file.
B
You
build
an
image,
so
it's
mixed,
build
steps
and
also
like
composition.
So
you
install
packages
and
you
run
steps
and
you
generate
lots
of
layers.
So
apico
is
different.
It's
like
a
flat
image
is
generated.
There
are
no
layers,
so
it's
and
also
there
is
no
like
copy
file
from
one
place
and
and
add
to
the
image
you
know
clone
this
repository.
There
is
nothing
like
that
packages.
B
Content
can
only
be
added
through
AP
keys.
So
that's
why
you
have
my
lunch.
You
can
boot
your
build
your
application
as
an
AP
key.
If
you
want
and
then
install
with
Apk
on
your
container
image-
or
you
can
use
them,
Docker
multi-stage,
builds
to
includes
the
software
that
you
need.
So
that's
how
you
deal
the
images
are
kind
of
I
want
to
use
the
word
aromatic
like
they
are
kind
of
a
closer
thing,
but
it's
not
like
it's
not
very
proper,
the
word,
but
it's
something
that
you
don't
tamper
easily
with.
B
So
that's
the
that's.
The
that's
the
whole
deal
like
the
important
bits.
That's
why
this
is
for
production
run
times
not
for
developments,
but
you
can
also,
of
course
you
can
run
it
locally
with
Docker
and
to
try
it
out,
and
this
is
an
image
that
has
a
kind
of
overview,
more
visual,
how
they
relate
to
each
other.
B
B
You
know
so
I
all
the
dependencies,
for
instance
right
now,
I'm
working
on
a
PHP
image
based
on
Wolfie,
and
then
we
are
just
there's
only
one
package
that
it's
so
we
have
to
to
First
create
a
package
that
is
a
dependency
to
have
it
there
on
the
on
the
Wolfie,
OS
repo
and
then
I
can
use
directly
from
apq,
like
I'm,
installing
an
AP
key
just
with
alpine
normally
but
anyways
back
to
the
to
the
image.
B
So
apko
uses
the
the
AP
Keys
generated
by
melange,
and
then
it
creates
the
vaulty
based
images
and
with
alpine
it's
kind
of
the
same
thing,
but
we
use
melons
to
build
use
some
apks
that
we
want
and
then
we
can
still
use
the
Alpine
apks
from
the
official
open
repositories
and
then
we
will
have
at
the
Alpine
based
images.
So
this
is
how
you
can
work.
You
cannot
mix
both.
You
have
to
stick
with
either
Alpine
or
wolfine.
B
Okay.
So
okay
I
have
now
melange,
so
I'm
gonna
show
I,
don't
have
slides,
but
I'm
gonna
show
us
some
files
some
of
the
packages
and
navigate
a
little
bit
on
the
wolf
EOS
repository.
So
you
can
have
a
look
at
the
packages.
B
Yes,
okay,
so
this
is
the
vaulty
OS,
repo
and
there's
all
the
packages
are
here,
so
you
can
find,
for
instance,
I
really
like
the
python
one
I
use
that
as
a
base
for
building
my
PHP.
B
Yes,
this
one.
So
this
is
how
a.
B
Package
looks
like
how
it's
defined.
Let
me
see
if
I
can
collapse
this.
No
all
right.
So
we
have
the
the
metadata
about
the
package,
the
definitions
version.
B
Then
we
have
the
target
architectures,
so
you
can
do
it
for
all
or
you
can
limit
to
some
specific
architecture,
then
license
other
things,
and
then
we
have
the
like
where
the
the
things
happen
really
is
around
here.
So
we
have
the
the
repositories
where
you
can
find
the
packages.
In
this
case
we
are
building
for
both,
so
we
are
using
the
wolfy
repositories
and
then
the
packages
that
we
will
need
to
build
our
package.
So
this
is
like
dependencies
that
we're
gonna
need
for
building.
B
You
can
also
add
some
runtime
dependencies.
So
whenever
someone
installs
this
package,
they
will
also
need
to
bring
in
those
dependencies
the
runtime
dependencies
this
one.
So
this
is
where
the
build
starts
the
pipeline
starts.
B
So
we
can
here
we
fetch
the
the
the
source
file
and
then
we
have
already
this
implemented
to
kind
of
transparently
check
the
the
sha256
and
then
after
the
download.
Then
we
start
the
other
steps
to
build
the
package.
B
It's
been
really
a
long
time
since
I
don't
compile
things
from
source,
so
this
has
been
very
interesting
to
really
learn
and
then
we
have
all
these
configured
arguments
and
then
make
make
install
Create
a
Sim
link.
So
it's
really
like
you
mute
beautiful
Source,
but
then
you
you,
you
distribute
that
into
a
series
of
steps
in
a
pipeline
and
then
you
can
also
build
the
sub
packages.
B
This
is
something
I
still
learning
about,
but
so
these
ones
I
didn't
build
this.
So
it's
a
reference
that
I
use
it
to
build
my
PHP
image
by
no,
not
mine,
but
from
everybody.
It's
gonna,
be
yes.
So
this
is
how
I,
uiml
and
melons
uyml
file
looks
like
and
then
once
you
have
these,
let
me
I'm
gonna
have
to
share
my
terminal
now.
Let
me
see
I
know
I
can
bring
it
to
no
worries.
B
You
can
bring
it
here,
I
think
yes,
okay,
so
I
have
here
my
terminal,
there's
a
bunch
of
files,
but
basically
the
melange
Wolfie
I
have
a
melange
Buffy
and
a
melanchol
vine.
B
Okay,
so
similar
to
what
we
saw
with
the
python
one,
then
I
changed
the
license
for
the
PHP
license.
This
is
a
work
in
progress,
but
it
already
compiles
and
the
image
has
been
the
package
builds.
The
image
builds
also,
so
we
have
the
repositories
and
the
packages
that
are
required
for
building
PHP
and
then
the
fetch
configure
make
make
install.
So
I
still
have
some
work
to
do
here
to
figure
out.
If
there
is
something
extra
that
I
can
remove
and
things
like
that,
but
to
run
this.
B
Very
common,
so
yes,
so
this
is
the
the
comment
I'm
using
to
build
the
package,
and
so
it's
a
Docker
run
sharing
the
current
directory
with
slash
work
inside
the
my
lunch
container,
because
that's
where
there's
a
predefined
directory
where
things
are
outputs
and
and
then
I
use
the
oops,
the
melange
image
and
with
the
common
builds
and
then
I
press,
my
yml
I
want
to
build
only
for
X8
664
and
then
I
also
provide
the
melanch
RSA
key
that
I
generated
here.
B
B
This
might
take
a
little
bit
because
it's
going
to
compile
run,
configure
everything
you
can
see
here
is
building
for
only
X8,
664.
B
Authorize,
what
do
you
mean
exactly?
They
are
signets.
B
B
B
Okay,
okay,
actually
there
was
an
error.
Oh
I,
I
know
because
I
you
need
to
run
with
standard
privileges
for
this
to
work
with
Joker
sorry,
I
forgot
I
was
just
making
some
tests
here.
So
that's
why.
B
Yes,
this
you
need
to
appends
minus
minus
privileged
to
Docker
run.
This
is
specific
to
melange
I
think
it
has
to
do
with
kmu,
but
I'm,
not
quite
sure,
I'm.
Just
gonna
fix
something
of
my
headphones
really
quickly.
B
Because
when
I
talk,
it
stops.
Yes,
it
should
be
fixed
now,
all
right,
okay,
so
it's
building
and
yeah
installing
dependencies
I
think
we.
B
A
B
Okay,
so
these
tools,
they
are
built
primarily
for
automated
pipelines
and
in
this
context,
it's
very
important
that
we
can
make
sure
that
if
we
run
things
twice,
the
result
is
the
same.
If
there
was
no
change
to
any
version
or
anything
so
the
the
builds
are
reproducible.
It's
kind
of
like
that,
when
you
have
the
regular
Docker
files
you
don't
have,
reproducible
builds
because
the
the
build
is
based
on
steps
that
are
executed
and,
and
things
we're
gonna
change
in
this
system.
B
It's
not
gonna,
it's
not
gonna,
be
the
same
image
exactly
and
then,
when
you
run
even
the
timestamps
and
the
things,
but
with
apq,
for
instance,
if
we're
talking
about
specifically
about
container
images,
then
the
builds
are
fully
reproducible
because
and
they
even
generate
the
same
hash
like
the
the
same
I
think
it's
actually
I
yeah
blank
four
words
now
so
the
time
step
doesn't
that
there
was
even
an
issue
that
we
had
to
kind
of
submit
up.
B
Someone
from
the
team
submit
up
a
request
to
Docker
because
the
images
show
up
as
like
built
50
years
ago,
but
that's
because
there
is
no.
The
time
step
is
zeroed
so
that
it's
so
the
hashes
are
the
same
and
the
the
when
the
image
is
the
same.
You
know
like
because
we
have
nightly
builds
for
the
APO
images
and
then
every
night
it
builds.
B
So
if
the
the
timestamp
changed
with
the
last
view,
then
it
would
look
like
the
image
is
different,
but
we
need
to
be
able
to
attest
that
the
image
is
the
same.
No
package
was
changed,
nothing
was
changed,
but
that
with
Docker
file
with
photographer,
that
would
not
be
possible
because
every
build
will
generate
a
different
image.
Is
that
a
does
that
make
sense
for
the
reproducible
thing.
A
B
A
In
the
docker
World,
they
actually
create
a
temporary
images
for
the
sum
of
the
steps,
and
then
it's
shut
down
the
container
and
I
pull
out
the
ID
of
that
container
and
every
time
it's
create
a
new
ID.
The
hash
is
changes,
and
it's
letting
me
know
that
there
are
some
changes
in
the
images,
but
this
is
no
images
in
the
images
or
packages,
but
it's
actually
the
time
spent
templates
time
stamps
so
I
think.
B
Yes,
okay,
so
debut
finish
it
successfully.
So
what
do
we
have
here
right?
So
we
had
the
the
configure
make
making
style.
That's
basically,
what
debut
did
this
part
of
the
end
is
making?
Is
the
make
install
part
where
it
installs,
the
yes
I,
think
installing
the
commons?
B
Yes,
so
you
can
see
where
the
the
stuff
is
and
like
what
is
generated
the
index.
Let
me
show
so
inside
of
packages.
It
will
have
the
architecture
and
then.
B
A
few
bit
for
multiple
architectures,
then
you
have
multiple
folders
here,
each
with
an
architecture
and
then
inside
of
it
you
have
the
packages.
We
have
multiple
ones
because
there
is
I
had
to
build
the
lib
xml2
as
a
custom
package
as
well.
But
this
lip
is
going
to
go
to
both
the
OS
repo.
B
The
the
package
is
Ripple,
so
I
don't
need
to
build
manually,
so
this
is
being
built
as
well,
and
then
the
sub
packages
Dev
and
dock
for
X,
sleep,
XML
and
then
PHP
A1.
So
this
naming
is
still
I'm.
We
don't
didn't
settle
for
a
name
yet
because
the
PHP
on
Alpine
is
PHP
H1
the
package,
so
I'm
not
sure.
Yet,
if
we're
gonna
use
just
PHP.
B
But
let's
see
this
is
something
that
we
are
still
figuring
out:
the
tags
and
the
names
for
the
packages
it
should
replicate
out,
buying
or
not,
and
then
the
APK
index
is
very
important
also
because
without
the
index,
APK
is
not
able
to
to
to
locate
let's
say
to
resolve
the
packages.
So
the
APK
index
is
automatically
generated
by
melanch
when
new
builds
it
wasn't
before
and
it
had
to
build
manually.
But
it's
something
is
a
feature
that
people
that
people
in
the
team
implemented.
B
B
B
B
So
apq
this
is
the
original
talk
that
I
had
prepared.
So
this
is
an
example
of
an
apqo.
B
That's
why
ml
file
and
like
if
I,
would
say
an
entry
point
for
you
to
try
any
of
these
stuff
that
it
would
be
through
apko,
because,
as
I
mentioned
before
is
the
thing
that
is
more
relatable
you're
gonna
build
a
container
image
that
you
can
test
locally
and
it's
you
I,
like
in
practice,
you'll
be
using
more
you've,
been
doing
more
apko
files
or
even
Docker
files
that
base
that
are
based
on
an
apq
generated
image
because
the
melanch
packages
we
eventually
will
have
enough
dependencies
and
packages
on
the
volphia
repository
that
you
won't
need
to
be
manually,
compiling
stuff
but
yeah.
B
So
apq,
you
have
a
similar
structure
in
the
yml
file,
the
repositories
that
you
want
to
pull
from
and
the
packages
that
you
want
in
your
image.
This
is
a
very
simple
example
of
an
Alpine
based
image.
It's
gonna
only
give
you
a
like
log,
you
in
a
little
shell,
that
you
can
run
some
commands
with
the
Alpine
base
package
that
this
is
gonna,
have
basic
commands.
Ls
things
like
that,
so
you
can
navigate
a
little
bit
on
the
image
and
yes,
so
there
is
an
environment
section
where
you
can
define
environment
variables.
B
There
is
also
entry
point,
and
this
is
how
you
build
the
image
with
docker,
so
you
can
like
the
melange
demo,
that
I
run,
you
can
run
use
the
distross,
APK
or
image
to
run
apq
and
then
generate
your
image.
B
And
yes,
so
you've
passed
the
the
command
builds
and
then
you
give
the
yml
file
and
you
give
a
tag,
a
name
of
the
image
and
a
tag
and
then
in
also
a
tar
file,
a
name
for
the
tar
file.
The
image
is
going
to
be
generated
as
a
tar
file,
and
then
you
load
it
into
Docker
to
test
it.
So
this
is
how
this
is
how
the
local
testing
works.
B
Yes,
so,
as
I
mentioned
before
these
two
that
they
are
more
for
production
runtimes,
but
you
will
have
to
test
the
images
locally
right.
If
you
are
going
to
build
them
to
some
images,
then
you
you
need
to
try
and
test
them,
but
then
you
can
set
them
up
for
Auto
Buttes
like
we
do
in
GitHub
actions
we
use
GitHub
actions
to
do
nightly
builds.
B
B
Okay,
so
this
was
the
slide
I
had
about
why
APK
so
I
talk
a
little
bit
about
this
before,
but
it
uses
a
different
methodology
to
handle
package
management
and
that's
why
it's
ideal
for
declarative
and
reproducible
pipelines.
So
I,
don't
know
if
you
use
it.
Maybe
ansible
before,
like
it's
I,
remember
sometimes
I
compare
a
little
bit
because
with
ansible
you
had
a
system.
B
It
you
run
every
time
you
run.
Is
it
declarative
and
then
you
try
to
reach
a
certain
State
System
state?
That's
how
also
it
works
in
the
in
with
Apk
kind
of
it
will
you
have
a
file
that
has
all
the
packages
that
the
system
must
have
the
roads
and
then,
when
you
make
changes
you
either
add
or
remove
packages.
This
roads
is
going
to
change,
so
it's
gonna
try
to
to
reach
that
desired.
State
and
if
it
cannot
reach
a
package,
cannot
resolve
a
package.
B
B
B
You
can
use
generate
Alpine
based
with
all
the
regular
Alpine
packages
or
you
can
look
at
the
packages
that
we
have
at
Wolfie
and
you
can
already
use
you
can
already
compile
a
bunch
of
stuff,
but
there
is
a
little
some
dependencies
libraries
here
and
there
that
we
are
still
building
like
that.
Leave
xml2
for
PHP
and
other
other
stuff
also
uses
it.
B
And
yes,
so
you
can
also
build
your
own
AP
keys
with
melange.
If
you
want,
then
it's
it's,
it
will
depend
on
your
system
what
you're
gonna
do?
What's
your
purpose
I
worry
about
why
this
rules
also,
so
this
relax
some
people
when
you
say
the
word,
this
realizing,
you
think
about
the
Google
disturbless
Images
were
the
first
ones
like
these,
but
it's
more
like
when
we
say
this
or
less.
Now,
it's
more
like
a
philosophy
or
a
style.
B
That's
that
talks
about
images
that
are
very
minimalist
and
there
they
have
only
what's
absolutely
necessary
to
build
or
to
execute
your
application
on
production
environments
mostly
builds
and
production,
runtime
environments,
so
popular
based
images
are
full
of
software
that
only
make
sense
on
bare
metal
servers,
because
you
think
of
a
full
distribution
like
Ubuntu
and
there's
lots
of
packages,
even
though
a
bunch
is
taken
out
for
the
container
based
images,
even
in
that
case
there
are
still
lots
of
things
that
don't
need
to
be
there,
like.
B
You,
don't
need
a
package
manager
for
your
production
image.
You
shouldn't
make
it
so
easy
to
install
additional
stuff
there.
It
should
be
really
tight
to
run
your
application.
Only
that
that's
the
ideal
scenario
right-
and
this
is
not
because
of
size,
but
it's
because
of
the
attack
surface.
So
the
smaller
it's
the
attacker's
surface,
the
more
safe
the
image
will
be.
There
is
no
way
to
go
away
from
this,
the
more
dependencies
you
have,
the
more
the
attack
surface.
There
is
more
entry
points
for
having
malicious,
cold
infections.
B
Anything
and
also
regular
severe
is
like
bugs
that
are
found
and
whatnot,
so
the
less
the
better
and
that's
that
is
difficult
for
development
purposes,
of
course.
So
that's
why
these
are
more
for
production.
If
you
are
debugging
and
you
don't
have
an
LS
or
a
cat
or
anything
like
that,
it's
it
can
be
really
hard.
So
you
can
like,
in
my
case,
I
build
a
few
PHP
destroyless
images
and
I
made
a
companion,
slash,
Dev
that
has
more
stuff
for
debugging
and
that
helps
composer
other
package
management
stuff.
B
So
you
can
work
with
a
Dev
image
for
building,
and
then
you
compose
a
final
image
that
is
smaller
with
only
the
artifacts
that
you
from
the
builds
something
like
that
you
can
play
around
and
also
with
Docker
files,
but
basing
your
Docker
file
on
a
digitalis
image.
As
long
as
you
find
a
way
to
get
your
stuff
there,
like
your
custom
files
there,
because
normally
you
cannot
install
extra,
but
you
can
create
a
composite
image
with
a
document
stage
built.
B
And
this
is
a
well
easy
way
to
see
the
difference
nginx
latest
and
the
chain
guard
nginx
latest.
So
this
is,
you
can
run
3v
locally
on
your
command
line.
You
can
go
to
their
web
online
also
to
and
run
yourself
and
you're.
Gonna
see
that
doesn't
mean
we.
We
aren't
always
zero
CVS
our
images,
because
CVS
will
always
show
up
eventually
in
here
or
there.
B
But
if
you
have
small
area
for
attack
as
most
surface,
then
there
will
be
less
a
lot
less,
and
if
the
images
are
built
every
night,
then
the
fix
are
coming
also
quicker.
So
there's
the
that's
the
beauty
of
it
with
all
the
things
when
all
the
things
come
together.
It
requires
a
little
bit
of
automation,
of
course,
also
to
update
the
images.
But
then
you
have
something
like
that's
a
lot
safer.
B
And
he,
this
is
more
of
a
case
study.
I
will
briefly.
So
you
have
some
time
so
I'm
gonna
show
what
I
did
in
my
specific
use
case.
So
I
have
an
application
called
a
dyna
cover.
That
is
a
the
app
that
creates
Dynamic
header
images
for
Twitter
and
it
runs
on
command
line.
It
was
built
with
PHP
and
there's
just
a
few
dependencies
but
uses
GD
to
generate
the
images
scroll
to
make
requests
to
the
Twitter
API
and
the
GitHub
API.
B
So
it
shows
my
latest
followers
and
we
have
sponsors-
and
this
is
updated
like
every
five
or
ten
minutes,
so
you
can
actually
see
my
new
latest
followers
there
and
it
runs
on
GitHub
actions.
I
mentioned
that
already.
So
it's
a
container
I
had
this
container
image
on
Docker
Hub
on
my
accounts
that
I
was
using
and
yes,
it
runs
on
schedule.
B
So
I
was
using
the
official
php7
for
CLI
image.
It's
been
a
while
that
I
viewed
this
so
I
I
hadn't
migrated
for
php8s
I
migrated
recently,
and
this
is
how
it
was
before
so.
I
had
a
official
image
that
you
think
well.
I'm
gonna
use
the
official
image
right
HP,
and
but
the
thing
is
that
those
images
at
least
the
PHP
ones
they
are
based
on
Debian
or
Ubuntu
I,
don't
know
for
sure
now.
B
But
it's
really
huge,
like
almost
600
megabytes
and
the
cve
is
detected
by
tree
viewer
like
on
the
300s
hundreds
of
cvas
and
yeah.
That's
a
lot.
So
what's
the
the
steps
like
let's
migrate
right,
so
the
first
step
actually
was
updating
my
app
through
Page
V8,
but
yeah
once
I
had
the
app
running
on
php8,
then
I
also
had
it
with
a
Docker
file
based
on
Debian.
B
B
So
first
I
collected
all
the
dependencies
I
had
and
look
at
at
this
finding
search
it
for
these
dependencies
on
the
alpining
repositories.
So
first
I
this
case
is
specific.
I
is
on
Alpine.
Yet
this
image
at
the
end
that
I'm
going
to
generate
is
Alpine
based.
It's
not
Wolfie,
based
because
I'm
still
working
this
final
things
for
Wolfie
PHP
image,
so
we're
talking
about
Alpine
here
so
I
searched
for
other
dependencies
here
and
I
found
the
equivalents.
B
So
I
created
the
apq.yml
file
and
I
need
packages
from
the
main
and
the
community
repos
on
Alpine,
and
these
are
all
the
packages
already,
if
they're,
equivalent
Alpine
versions,
everything
that
I
would
need
and
then
I
had
the
entry
points,
also
the
PHP,
the
regular
PHP
open
Package
in
Southwest
php81
in
the
case,
because
it's
the
H1
version,
8.1.
B
Yeah
so
I
added
the
entry
points
set
the
environment
and
it's
also
set
some
accounts.
Actually
one
accounts,
if
a
regular
user,
but
then
I
set
it
to
run
as
root,
because
when
you
import,
when
you
create
a
Docker
file
from
this,
you
still
might
want
to
install
things.
That's
that
was
my
thinking
like
copy.
B
Do
some
extra
stuff,
so
it's
easier
for
you
on
the
docker
file,
so
just
change
to
the
other
user,
then
to
set
it
to
run
as
the
regular
user
already
from
the
base
image
so
and
then
run
as
root
yet
run
as
root
is
true
by
default
run
this
route-
and
there
is
one
typo
here
this
this
PHP
H1
pcngl-
should
be
a
dependency
on
the
other
screen
so
anyways.
B
So
when
I
got
that
apqml
file
ready,
then
I
run
this
command
to
build
it
and
the
same
way
I
showed
before
and
then
I
posted
it
to
Docker
as
well.
To
my
accounts,
okay,
so
step
five
from
the
migration
I
did
was
to
update
the
GitHub
action
Docker
file
before
it
was
from
Ubuntu,
not
from
Montana
from
php71,
and
now
it's
from
Erica
Heidi
mini
clay.
That's
the
where
I
put
this
image
and
what
I
do
here,
I
copy
composer
from
the
official
composer
image.
B
This
is
something
you
can
do
because
you
are
using
a
Docker
file
now
to
compose
based
on
the
distressed
image
and
I'm,
not
using
AP
key
here.
I
could
not
do
like
APK
install
composer,
or
this
will
not
work
here,
but
I
can
still
copy
artifacts
from
other
images.
This
is
fine
for
for
using
with
Docker
files
and
distortless
images,
so
I
run
git
and
then
I
set
up
entry
points
and
the
commands.
B
So
this
was
the
docker
file
and
now
I
have
it's
hard
to
see,
but
the
the
steps,
the
boxes
they
show
in
the
top
the
smaller
box
is
the
step.
That's
actually
comes
from
the
distross
image
and
then
this
step
two
is
the
step
to
copy
from
the
composer
image.
So
if
it
pulls
a
bunch
of
layers,
you
can
really
see
the
many
layers
that
the
simple
action
of
copying,
the
composer
filed
to
my
image.
B
It
brings
out
a
lot
of
layers,
but
that's
fine
I,
don't
don't
mind
that
much,
but
you
could
also
optimize
that
if
you
put
composer
already
on
the
distress
image,
but
that
was
not
the
the
what
I
wanted
to
do
all
right.
So
this
is
the
most
important
slide
of
all
the
presentation
before
and
after
so
before,
the
image
was
589
megabytes
with
331
cves
detected
by
trivi
and
at
the
end
the
result
was
a
48
megabytes
image
and
zero
CVS
detected
mm-hmm.
B
So
this
was
one
a
example.
One
use
case
for
a
personal
project
that
I
have
a
side
project
and
worked
very
well
and
I
can
can
even
begin
to
imagine
the
many
projects
out
there.
That
could
benefit
from
an
update
like
this
and
also
like
I
know.
There
are
probably
not
many
PSV
developers
glistening
now
right
now,
here,
I
don't
know
because
I
am
a
PHP
developer
for
before
I
started
working
for
develops
and
documentation.
I
work
as
PHP
engineer.
B
For
many
years-
and
there
are
lots
of
security
concerns
in
the
PHP
lines,
of
course,
with
WordPress
and
especially
and
other
things
that
bring
in
lots
of
code
from
external
unverified
sources,
so
it's
this
is
one
thing
that
we
can
do
to
improve,
that
there
are
other
things
also
in
software
supply
chain,
Securities,
that
we
can
do,
of
course,
but
dealing
with
your
images
like
making
sure
your
images
are
safer.
It's
one
also
one
thing
important
that
you
can
do
already
it
doesn't.
B
So
here
are
some
links,
then
I'll
share
the
slides
later
so
links
on
Twitter
and
I
was
also
going
to
say
that
if
you
think
that's
too
complicated
to
build
that
also
look
into
Shankar
images,
because
we
already
have
a
collection
of
curated
images
that
you
can
see.
If
you
can
find
some
something
that
works
for
you,
so
you
don't
have
to
build
everything
from
scratch.
B
A
Absolutely
absolutely
that's
super
interesting.
That's
the
last
slide
actually
depict
the
story
because
we
are
approaching
the
container
it's
really
differently
before
the
arrival
of
chain
guard,
because
what
we
do
is
we're
making
sure
we're
spending
time
on
multi-step
Docker
fire
to
making
sure
that
the
size
of
the
image
that
we've
built
from
is
mb's
inside.
But
actually
the
problem
is
not
with
the
container
images,
but
the
base
images
as
well,
because
they
are
giant
inside
like
600,
MBS
or
800
MPS.
A
Whatever
logic
and
whatever
engineering
you
can
build
into
the
docker
file,
you
end
up
having
600
MBS,
plus
200
MD
scored
and
that's
800
MBS,
and
then
then
it's
passive
through
the
container
scanner
is
detect.
313
vulnerabilities.
So
we
see
in
that
time
a
lot
of
the
vulnerability
scanners
come
into
the
market
to
tell
people
you
are
doing
wrong
in
your
container
images.
Let's
try
to
fix
that,
but
other
the
chain
guard
is
really
the
company
behind
and
the
folks
behind
the
wonderful
engineering
think
about
don't
think
about
container
scanners.
A
How
to
eventually
make
sure
the
size
of
the
image
is
getting
smaller
and
smaller.
I
have
10
MBS
of
images
on
the
change
Garden
in
his
side
and
when
the
last
time
passed
through
the
scan
and
the
zero
vulnerabilities
and
so
on,
because
this
is
very,
very
minute
container
in
there.
So
I
think
the
way
the
team
is
approaching.
This
container
ecosystem
is
really
really
inspiring
for
all
of
the
folks
they
think
about.
A
And
the
startup
companies
they
migrate
into
the
wolfy
Container
images
because
they
might
see
a
learning
curve
involved
in
here,
not
a
much,
but
they
need
to
think
about
how
the
Linux
work
behind
the
scene
in
a
neighborhood
to
be
more
productive
in
it.
So
what
should
your
strategy?
Because
yours
tells
your
migration
Journey
so
for
how
you
take
your
app
and
convert
it
into
the
chain?
A
B
Yes,
so
as
much
as
we'd
like
to
have
a
like,
like
upload
your
Docker
file
and
then
just
convert
it
to
it's,
not
as
simple,
because
the
the
the
philosophies,
let's
say
are
based
fundamentally
different,
so
depending
on
everything,
depends
I
hate
to
say
that.
But
it
depends
on
your
stack
and
what
what's
your
use
case?
B
In
my
case,
it's
PHP,
so
PHP
runs
I,
have
to
install
the
the
PHP
and
a
bunch
of
extensions,
so
I
already
have
I
have
to
know
already,
which
extensions
I'm
Gonna
Bake
into
the
digitalized
image,
because
I
won't
be
able
to
add
more
extensions
later,
because
these
are
installed
as
system
dependencies.
However,
the
composer
the
user
independencies
are
installed
as
a
at
user
land
with
composer
is
not
system-wide,
so
I
can
still
copy
from
another
B
cop
from
another
image
and
throw
them
into
a
composed
image.
So
there
are
a
few
different
strategies.
B
Migrating
will
really
depends
on
your
specific
case,
but
if
for
a
pitch
for
like,
if
you
are
looking
for
how
to
pitch
that
to
your
managers
to
your
company,
it's
really
nice
to
have
a
look
at
the
scan
comparisons,
because
then
you
can
show.
B
You
can
really
show
trivia,
has
an
online
version
of
the
scanner
and
you
can
just
put
their
one
of
the
shin
guard
images
and
compare
with
an
equivalent
and
then
you
see,
and
you
can
show
the
people
who
are
in
charge
if,
if
that's
the
case,
but
it
requires
a
bit
of
thinking
on
how
you're
gonna
build
that
there
is,
there
will
be
a
learning
curve
and
figuring
it
out,
because
what
happens
is
that
when
it
comes
down
to
really
knowing
nobody
knows
exactly
what
dependencies
they
are
depending
on?
B
Like
you,
you
have
an
idea
right.
You
have
an
idea
that
you
depend
on
a
few
extensions,
but
it's
always
more
than
you
think,
because
those
extensions
those
dependencies
depend
on
other
dependencies
and
then
and
there's
also
stuff
there
that
you
don't
even
know.
That's
there,
you
install
it
once
it
comes
back
to
the
issue.
B
Now,
okay
and
the
things
work
differently.
So
there
is
also
always
a
learning
curve
and
when
migrating
to,
if
you
are
from
Debian
I,
would
suggest
migrating
to
Alpine.
First
in
a
Docker
file,
then
you,
when
you
have
your
stuff
all
building
on
Alpine,
it's
gonna
be
easier
to
migrate
to
volvi,
because
at
the
end
of
the
day
it's
a
bit
similar
I
would
say
that
the
closest
to
both
is
Alpine.
It's
still
different,
but
you
should
make
refers
to
Alpine.
Then
you
stats,
building
your
version,
both
version
of
it.
A
B
A
A
The
attack
surface
area
and
then
giving
you
the
opportunity
to
just
install
more
things
in
a
day,
because
previously
there
is
a
critical
debate
within
the
community
like
if
we
remove,
let's
say
terminal
from
the
images.
How
do
we
troubleshoot
that
container?
How
do
we
able
to
find
like
what
actually
happened
when
something
wrong
in
the
production
or
the
local
development
environment
I?
Don't
able
to
understand
what
is
happening,
why?
A
My
container
is
not
running
because
some
of
the
processes
are
running
on
the
system
based
services
or
some
other
services
that
need
to
be
in
that
image
there,
but
right
now,
I
think
the
kubernetes
is
moving
to
the
ephemeral
containers.
The
debugging
containers
can
attach
it
to
it.
This
is
actually
solved
and
now
I
think
more
and
more
Focus
towards
the
distross.
The
images
from
the
scratch
is
that's
another
whole
lot
of
feel
now.
How
you
make
sure
your
containers
are
popping
out,
but.
B
A
It's
all
all
the
pitch
behind
this.
Is
you
look
at
your
images
as
of
today,
there
are
not
10
MDS
in
size;
it
might
be
200
MBS
in
size.
Why
do
I
care
about
it?
You
have
to
care
about
it
because
it
is
adding
the
more
stuff
into
it.
That
eventually
need
you
to
pass
through
the
scanners
and
the
scanner
detects
some
of
the
availabilities
and
for
the
some
people
they
might
be
frustrating
because
they
think
oh
I
have
done
my
job.
Why
do
I
go
still
be
still
late
here
and
thinks
it
don't
vulnerability?
A
Does
it
not
mine
that
are
for
the
some
package
manager
and
whom
should
I
blame
to
so
I
think
moving
this
conversation
like
if
you
go
to
the
chain,
God
images,
there
are
10
empties
in
size,
you
can
add
stuff
into
there.
Now
we
have
ephemeral
containers
to
debug
the
troubleshooting
issues,
so
I
think
everything
is
in
place
and
also
they
give
you
some
S,
Bar
and
plus.
There
are
tools
in
the
six
door
Community
to
sign
and
verify
those
containers.
So.
B
A
Afraid,
because
if
you
look
at
the
container
ecosystem,
there
are
17
different
tools
for
the
networking,
so
many
different
tools
for
the
container,
runtime
and
I'm
thinking
like
if
something
pop
up
in
the
image
scanning
word.
This
image
verification
there
might
be
17
different
tools
who
should
I
choose
and
which
one
is
fit
for
me
and
now
I'm
really
happy
cosine
is
the
only
place
for
the
people
to
sign
the
images.
So
I
think
the
picture
is
quite
clear
at
at
this
moment
of
time,
like
what
is
happening
in
the
ecosystem
and
also
I.
A
Think
the
six
store
Community
is
the
best
place
for
to
ask
question
about
these
kind
of
concept
and
the
Twitter
handle
is
Twitter
is
a
place
to
talk
with
Erica
and
all
these
kind
of
things.
So
before
I,
let
you
go.
We
have
two
more
months
remaining
for
this
year
so
like
what
is
your
road
map
for
the.
B
B
Like
me
personally
or
chain
guard
well,
I
can
talk
about
my
personal,
my
personal
goals
inside
this
context.
I
have
some
doc
more
documentation
lined
up
for
for
my
lunch
and
I
I
didn't
updates
recently
I
question
updates
through
apq
last
week,
and
I
should
have
some
updates
for
my
lunch
as
well.
B
Soon,
and
I
also
want
to
write
a
little
bit
about
how
to
automate
building
images,
something
that
I
also
managed
to
do
in
this
personal
in
a
personal
side
project
and
yeah.
So
more
more
content.
We
are
also
trying
to
think
of
a
recurrence
kind
of
Meetup
or
office
hours,
where
you
can
connect
with
the
audience
with
the
community
about
different
open
source
projects
that
we
have
at
chain
guard.
B
So
we
are
thinking
how
to
make
this
happen,
but
we
are
excited
to
start
getting
more
involved
with
the
community
and,
yes
like
doing
a
few
more
educational
events
or
like
resources,
building
something
different
videos.
Maybe
things
like
that.
A
Yes,
absolutely
absolutely
and
I
I
would
definitely
encourage
people
to
look
at
your
Twitter
handle
because
more
education
content
you
put
on
on
average
weight.
It's
been
a
very
informative
one,
so
I
will
encourage
people
to
follow
about
chain
guard
and
Erica
on
the
internet.
So
before
we
let
you
go
here
are
some
quick
resources
for
you.
You
could
go
to
the
sixstore.dev
to
learn
about
all
the
supply
chain:
security,
wonderful,
community
and
they've.
Helped
you
a
lot
in
your
journey.
There
is
a
official
announcement
from
chain
guard.
A
So
please
join
that
hit
the
chain
guard
website
in
our
chain
guard
images
that
are
very
very
much
and
these
inside
and
you
don't
need
a
scanner
for
that
and
also
the
Twitter
handle
for
the
chain
guard,
and
this
is
I,
think
the
Morocco,
the
YouTube
channel,
one
of
the
chain
guard
member
I
forgot
about
his
name
and
he's
introducing
apq
and
a
large
live
stream.
You
can
check
out.
Definitely
me
launch
go
packages
is
the
link
for
that
main
package.
A
Repository
for
production
will
film
Wolfie
images,
and
this
is
a
wonderful
blog
post
on
chain
guard
securing
your
software
Factory
with
my
launch
and
Epicure,
and
all
these
links
are
available
on
the
on
this
YouTube
chat,
and
this
is
the
last
place
where
you
see
cosine
record
feels
your
full
seal
and
cosine
is
one
of
my
favorite
too.
So
thank
you
very
much.
A
Everyone
for
tuning
in
to
this
podcast
I
really
enjoy
the
time
talking
to
Erica
and
learned
a
lot
about
apical,
melanch
and
Wolfie,
and
we
will
get
in
touch
with
you
in
future
as
well
and
hope
to
get
you
again
on
back
on
this
video
and
talk
about
more
things.
Thank
you.
Everyone
stay
safe,
stay,
healthy,
bye,
bye,.