Is your container security strategy keeping pace with your container adoption? If you're looking to bolster the integrity of your container images, Chainguard's new migration guides might be the answer.
Why migrate to Chainguard Images?
There are several reasons to migrate your container images to Chainguard:
- Minimal: Drastically reduced size with only essential components.
- Low-to-no CVEs: Significantly fewer vulnerabilities due to reduced attack surface.
- Continuous maintenance: Daily updates to address security concerns and vulnerabilities.
Five tips for migrating to Chainguard Images
1. Use -dev Images when you need a shell
Chainguard Images have no shell or package manager by default. This is great for security, but sometimes you need these things, especially for build stages in multi-stage Dockerfiles and for debugging. For these cases, there are -dev image variants which do include a shell and package manager.
2. You can install a different shell
The -dev images and wolfi-base images use the ash shell from BusyBox by default. This is nice from a minimalist perspective, but it's not so great if you need to port a bash-and-Debian-centric entrypoint script to Chainguard Images.
In these cases you have a choice — you can persevere and update your scripts to work in ash, or you can simply install the shell that works with your scripts. There's no reason to be stuck on the ash shell if you really need bash or zsh.
For example:
3. Use apk search
Following on from the last point, you'll often need to install extra utilities to provide required dependencies for applications and scripts. These dependencies are likely to have different package names compared to other Linux distributions, so the apk search command can be very useful for finding the package you need.
4. Watch out for entrypoint differences
The entrypoint on Chainguard images is often different to other common images. This is due to the lack of a shell in our images, but it can be confusing.
For example, if I run Docker Hub's official Python image, it opens the Python interpreter by default:
And the Chainguard Image works in the same way:
But if I pass a Linux command to the Docker Hub image, it will be run from a shell:
This is made possible by a clever entrypoint script in the Docker Hub image. As we don't have a shell in the Chainguard Image, it instead tries to parse the command as an argument to the Python interpreter:
5. Wolfi is not the same as Alpine Linux
Chainguard Images use the Wolfi Linux Distribution. This distribution uses the apk packaging format pioneered by Alpine, but it is a completely separate distribution to Alpine.
A particularly important difference is that Wolfi packages are all compiled against glibc, which is the most common standard C library, unlike Alpine which uses musl. Chainguard chose glibc for compatibility reasons — glibc is the standard C library used by most of the industry.
Because our toolchains and dependencies are different, it's not possible to mix Wolfi packages with Alpine packages in the same image.
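Tips 1 to 4 can be turned into a pre-build check on a Dockerfile. The Python sketch below is an added example, not Chainguard code or tooling: it assumes the FROM lines already point at Chainguard Images, and the function names, finding messages and sample Dockerfile are constructed for illustration.

```python
import re

# Package managers of other distributions; Wolfi uses apk (tips 3 and 5).
FOREIGN_PKG = re.compile(r"\b(apt-get|apt|yum|dnf|microdnf)\s+(install|update)\b")

def logical_lines(text):
    """Join backslash continuations; drop blank lines and comments."""
    joined = re.sub(r"\\\s*\n", " ", text)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def check_dockerfile(text):
    """Return (stage image, finding) pairs for a Dockerfile already moved to Chainguard bases."""
    findings, image, has_shell, has_bash = [], None, False, False
    for line in logical_lines(text):
        instr, _, rest = line.partition(" ")
        instr, rest = instr.upper(), rest.strip()
        if instr == "FROM":
            image = next(t for t in rest.split() if not t.startswith("--"))
            # Per the article: only -dev variants and wolfi-base ship a shell and apk.
            has_shell = bool(re.search(r"-dev(@|$)", image)) or "wolfi-base" in image
            has_bash = False
            continue
        if instr not in ("RUN", "CMD", "ENTRYPOINT"):
            continue
        if not rest.startswith("[") and not has_shell:  # shell form runs via /bin/sh -c
            findings.append((image, f"{instr} in shell form needs a shell: use a -dev stage or exec form"))
        if instr == "RUN":
            if FOREIGN_PKG.search(rest):
                findings.append((image, "foreign package manager: look up the Wolfi name with apk search"))
            if re.search(r"\bapk\s+add\b.*\bbash\b", rest):
                has_bash = True
        elif re.search(r"\bbash\b", rest) and not has_bash:
            findings.append((image, f"{instr} calls bash, which this stage lacks: apk add bash or port to ash"))
    return findings

# Constructed sample: a Debian-style Dockerfile with only its FROM lines switched.
SAMPLE = r"""
FROM cgr.dev/chainguard/python:latest-dev AS builder
RUN apt-get update && \
    apt-get install -y curl
RUN apk add --no-cache bash
FROM cgr.dev/chainguard/python:latest
COPY --from=builder /app /app
RUN chmod +x /app/entrypoint.sh
CMD python /app/main.py
ENTRYPOINT ["bash", "/app/entrypoint.sh"]
"""
print(*check_dockerfile(SAMPLE), sep="\n")
```

The sample produces one finding in the builder stage (the apt-get call) and three in the final stage, where RUN and shell-form CMD have no /bin/sh to run under and the bash installed in the builder stage does not carry over.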
Migration guides for smooth transition
To facilitate a smooth and successful migration, Chainguard has developed a series of comprehensive image migration guides. These guides cover the following platforms:
Each of these reference docs provides a compatibility overview between Chainguard Images and the third-party images of its respective platform. Each includes a table highlighting which binaries and scripts are contained in Chainguard's Wolfi BusyBox and coreutils packages versus their counterparts. This helps developers quickly understand which utilities are available and how they may need to transition their current applications.
Additionally, we've published a general migration guide that outlines the changes one would need to make to an existing Dockerfile — whether it currently uses Debian, Red Hat UBI, or Alpine — to instead use Chainguard Images.
The goal for these guides is to help you migrate your existing container images to Chainguard with minimal disruption. If there is a migration guide you don’t see here but would find helpful, reach out to our team.
Secure your container images with Chainguard
By migrating your container images to Chainguard, you can significantly fortify the security and compliance of your container-based applications. With Chainguard's image migration guides, you can transition your existing images to secure Chainguard Images and enjoy the benefits of improved security, simplified compliance, and increased efficiency.
Get started with Chainguard Image migration
To get started with Chainguard image migration, visit our website and find the relevant guide for your platform. If you have any questions you can reach out or join one of our live Learning Labs.