Hopping into spring with Chainguard’s RabbitMQ Image
Today we're announcing a Chainguard Image for RabbitMQ. RabbitMQ is an open-source message broker that’s commonly used as part of cloud-native applications. It has over 10k stars on GitHub and we even use it as part of our Chainguard Enforce platform.
The Chainguard build of RabbitMQ is based on the Wolfi undistro – meaning we bootstrap the entire toolchain ourselves. If you know much about RabbitMQ, you’ll quickly realize this means that we also had to build our own versions of Erlang and OTP, which form the memory-safe, high-performance backend that powers the RabbitMQ server. These are built using Wolfi’s best-in-class compiler hardening features and performance optimizations, providing a solid foundation for RabbitMQ itself.
As always, the Chainguard RabbitMQ Image is continuously patched to ensure it has minimal CVEs, instead of hundreds like some of the others.
To get started, you can run the image with:
docker run -p 5672:5672 --rm cgr.dev/chainguard/rabbitmq
2023-01-02 00:11:37.199274+00:00 [notice] <0.44.0> Application syslog exited with reason: stopped
2023-01-02 00:11:37.206489+00:00 [notice] <0.229.0> Logging: switching to configured handler(s); following messages may not be visible in this log output
  ##  ##      RabbitMQ 3.11.5
  ##  ##
  ##########  Copyright (c) 2007-2022 VMware, Inc. or its affiliates.
  ######  ##
  ##########  Licensed under the MPL 2.0. Website: https://rabbitmq.com

  Erlang:      25.2 [jit]
  TLS Library: OpenSSL - OpenSSL 3.0.7 1 Nov 2022
  Release series support status: supported

  Doc guides:  https://rabbitmq.com/documentation.html
  Support:     https://rabbitmq.com/contact.html
  Tutorials:   https://rabbitmq.com/getstarted.html
  Monitoring:  https://rabbitmq.com/monitoring.html

  Logs: /var/log/rabbitmq/rabbit@02bee2143fb7.log
        /var/log/rabbitmq/rabbit@02bee2143fb7_upgrade.log

  Config file(s): (none)

  Starting broker... completed with 0 plugins.
The image also supports the standard configuration files and environment variables:
RABBITMQ_CONFIG_FILE=/etc/rabbitmq/rabbitmq.conf
RABBITMQ_ADVANCED_CONFIG_FILE=/etc/rabbitmq/advanced.config
RABBITMQ_CONF_ENV_FILE=/etc/rabbitmq/rabbitmq-env.conf
As always, the binaries in our Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:
$ cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/rabbitmq
Found SBOM of media type: spdx+json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:a5d9e5df5ea7c280157dbcd81b1d5b1a6334fea4366fee3494a2a77b901bc187",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-02-21T00:11:14Z",
    "creators": [
      "Tool: apko (canary)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "SPDXRef-Package-sha256-fba7c2f1c16bcb3206b63eac453fd793236f19a41d095855b6cfd3414f895c21"
  ],
  "files": [
    {
      "SPDXID": "SPDXRef-File--usr-lib-locale-C.utf8-LCC95ADDRESS",
      "fileName": "/usr/lib/locale/C.utf8/LC_ADDRESS",
      "licenseConcluded": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "12d0e0600557e0dcb3c64e56894b81230e2eaa72"
        },
        {
          "algorithm": "SHA256",
          "checksumValue": "26e2800affab801cb36d4ff9625a95c3abceeda2b6553a7aecd0cfcf34c98099"
        },
        {
          "algorithm": "SHA512",
          "checksumValue": "d38b225e8204e1e85e6c631481f46d0b8fca8cf8d8dfc290f00adb15b605959f91f0d55dc830fdd82c22f916140090928e44f1b5123facac135705cc81df00b0"
        }
      ]
    },
    {
      "SPDXID": "SPDXRef-File--usr-lib-locale-C.utf8-LCC95COLLATE",
      "fileName": "/usr/lib/locale/C.utf8/LC_COLLATE",
      "licenseConcluded": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "f245e3207984879d0b736c9aa42f4268e27221b9"
        },
        {
          "algorithm": "SHA256",
          "checksumValue": "47a5f5359a8f324abc39d69a7f6241a2ac0e2fbbeae5b9c3a756e682b75d087b"
        },
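As an added example (not part of the original post or Chainguard's tooling), here is one way to use the downloaded SPDX document for the license-compliance check mentioned above. The sample SBOM, its package entries and the allowlist are constructed for illustration; in practice the text saved from `cosign download sbom` would be passed to `audit_licenses`.

```python
import json
import re

# Constructed sample: a trimmed SPDX 2.3 document shaped like the cosign
# output above. Package names, versions and licenses are illustrative only.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-Package-a", "name": "rabbitmq-server",
         "versionInfo": "3.11.5-r0", "licenseDeclared": "MPL-2.0"},
        {"SPDXID": "SPDXRef-Package-b", "name": "erlang",
         "versionInfo": "25.2-r0", "licenseDeclared": "Apache-2.0"},
        {"SPDXID": "SPDXRef-Package-c", "name": "example-lib",
         "versionInfo": "1.0-r0", "licenseDeclared": "GPL-3.0-only AND MIT"},
        {"SPDXID": "SPDXRef-Package-d", "name": "mystery-pkg",
         "versionInfo": "0.1-r0", "licenseDeclared": "NOASSERTION"},
    ],
})

# Assumed organisational policy: SPDX identifiers that are acceptable.
ALLOWED = {"MPL-2.0", "Apache-2.0", "MIT", "BSD-3-Clause"}

def license_ids(expression):
    """Split an SPDX license expression into its individual identifiers.

    Exception names after WITH are returned too, so they must also be
    allowlisted explicitly if the policy accepts them.
    """
    tokens = re.split(r"[\s()]+", expression or "")
    return {t for t in tokens if t and t not in {"AND", "OR", "WITH"}}

def audit_licenses(sbom_text, allowed=ALLOWED):
    """Return (name, version, offending_ids) for each package outside policy."""
    findings = []
    for pkg in json.loads(sbom_text).get("packages", []):
        declared = (pkg.get("licenseDeclared")
                    or pkg.get("licenseConcluded") or "NOASSERTION")
        # NOASSERTION is never allowlisted: an unknown license needs review.
        bad = sorted(i for i in license_ids(declared) if i not in allowed)
        if bad:
            findings.append((pkg.get("name"), pkg.get("versionInfo"), bad))
    return findings

if __name__ == "__main__":
    for name, version, bad in audit_licenses(SAMPLE_SBOM):
        print(f"{name} {version}: outside policy -> {', '.join(bad)}")
```
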
Get started using Chainguard’s RabbitMQ Image today at github.com/chainguard-images, or get started with our RabbitMQ image using documentation in Chainguard Academy. All Chainguard Images minimize the software components included, helping shrink your image size by 80% on average, reducing your attack surface. Chainguard Images are now available for Bazel, curl, Git, Go, Jenkins, Postgres, Ruby and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.
We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.
Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog.