
Chainguard's Wolfi: Revolutionizing Containerized Workloads with Rapid Updates and Robust Security

A Small Octopus and a Big Idea: How Wolfi Linux is Improving the Cloud’s Software Supply Chain Security.

A year ago, Chainguard introduced Wolfi, a pioneering community-driven Linux un-distribution. It was engineered for minimalism, swift updates, and accelerated Common Vulnerabilities and Exposures (CVE) remediation. An un-what, you ask? Wolfi is a distroless, minimal container designed to run your containerized application, and nothing else.

Why? Because every package you add is one more potential attack surface. Wolfi aims to deliver secure, hardened containers with zero known CVEs.

Much like the small, nimble marine octopus Wolfi is named after, Wolfi, the Linux un-distribution, navigates the vast ocean of containerized computing with finesse and agility. The moniker 'Wolfi' reflects the project's essence: crafting granular, independent packages aimed at supporting minimal yet potent images.

Since its birth, Wolfi has amassed over 1,300 package configurations in its repository, with a staggering 18,000+ packages indexed. The collaborative nature of this project is evident from the 4,400+ GitHub Pull Requests merged and contributions from 60 individuals. Remarkably, the update interval, the time elapsed between an upstream source code release and the new Wolfi package deployment, is now measured in mere hours, with 80% of the projects on GitHub being updated within 24 hours.

Now, that's fast!

A highlight of Wolfi's technical landscape is its embrace of an innovative rolling release cadence. This enables Wolfi-based containers to address security issues as soon as they're spotted and patched. It also underscores Wolfi's fundamental principle: prioritizing update speed over stability to ensure swift vulnerability remediation.

Another new feature is the launch of 'wolfi-act'. This empowers developers to utilize Wolfi packages dynamically with GitHub Actions. Additionally, the extension of support for 64-bit ARM architectures augments performance on major cloud platforms like AWS, GCP, and Azure, making the most of ARM's cost-effectiveness and energy efficiency.

Further bolstering its security posture, Wolfi integrated the Rustls TLS library in a collaborative venture with the Internet Security Research Group (ISRG), targeting memory safety. Since memory errors are a top source of critical and remotely exploitable vulnerabilities, this is a good thing.

In addition, Wolfi has now fully bootstrapped Go and Java from source. A full-source bootstrap is one where an entire language ecosystem is bootstrapped purely from source code. Because Wolfi is built for a secure software supply chain, having a complete understanding of a language ecosystem’s provenance is extremely important. Chainguard and its open-source developers have been working on full-source bootstraps for all the languages Wolfi supports. First on the to-do list is Rust.

On top of that, the Wolfi ecosystem now supports more vulnerability scanning tools. With this, open-source developers get the real-time assistance they need to deliver secure, production-ready cloud containers. For example, Sourcegraph has adopted the Wolfi toolchain.

Looking ahead, Wolfi aims to solidify its stature as the go-to distribution for containerized workloads, envisioning broader applicability, including embedded computing scenarios. The practical utility of Wolfi is already evident in projects like Chainguard Images, which serve as a testament to Wolfi’s potential in fostering innovative solutions for contemporary container and cloud-native challenges.

Noteworthy Linux and open-source stories: