Oct 25 – 27, 2024
The Hague, Netherlands
Europe/Amsterdam timezone

Re-inventing distroless with Chiselled Ubuntu containers

Oct 27, 2024, 10:30 AM
25m
The Hague, Netherlands

Churchillplein 10, 2517 JW Den Haag, Netherlands
Talk (25 Minutes), Security track

Speaker

Cristovao Cordeiro
Canonical

Description

Building Docker images is easy and accessible; perfecting them is still an art that is hard to master. In pursuit of the smallest, most secure and yet functional container images, developers turn to distroless practices that usually involve complex tooling, deep distro knowledge and error-prone trimming strategies. Such practices often bypass the package manager entirely, which opens a security blind spot: most vulnerability scanners rely on package manager metadata to detect the software components within a container image, so components copied in by hand are simply not seen.

Chisel introduces a novel pattern for building distroless-like container images from the ground up. It is a self-contained tool that cuts Ubuntu packages into a minimal filesystem, starting from scratch. Unlike a typical package manager, Chisel works with package "slices", i.e. predefined subsets of existing packages that have been designed to compartmentalize functionality and leave out contents that the container application does not need at runtime.

The result is a minimal yet functional slice of an Ubuntu filesystem with a reduced attack surface. There is no need to repackage or manipulate one's application dependencies: whatever applications already work today on Ubuntu will still work on Chiselled Ubuntu.
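As an added illustration of the pattern described above (this is not a Dockerfile from the talk or from the Chisel project itself), the following multi-stage build installs Chisel, cuts a handful of slices into an empty root filesystem, and copies that filesystem into a `scratch` image together with a small dynamically linked C program. The slice names `base-files_base`, `ca-certificates_data` and `libc6_libs` are assumed to exist in the `ubuntu-22.04` release of the chisel-releases repository; the `go install` path and the need for a CA bundle in the build stage are also assumptions, so check them against the current Chisel README before relying on this.

```dockerfile
# Added example: chiselled Ubuntu rootfs for a tiny C program.
# Not the talk's or the project's own Dockerfile; see the lead-in for assumptions.

# Stage 1: obtain the chisel binary (assumption: module path github.com/canonical/chisel).
FROM golang:1.22 AS chisel-build
RUN go install github.com/canonical/chisel/cmd/chisel@latest

# Stage 2: build the application that will run in the final image.
# A hypothetical hello-world program stands in for a real service.
FROM ubuntu:22.04 AS app-build
RUN apt-get update \
 && apt-get install -y --no-install-recommends gcc libc6-dev \
 && rm -rf /var/lib/apt/lists/*
RUN printf '#include <stdio.h>\nint main(void){puts("hello from a chiselled rootfs");return 0;}\n' > /hello.c \
 && gcc -O2 -o /hello /hello.c

# Stage 3: cut the root filesystem. Only the listed slices end up in /rootfs;
# no dpkg, no shell, no apt. ca-certificates is installed here only so that
# chisel can fetch the release definitions over HTTPS (assumption).
FROM ubuntu:22.04 AS rootfs
COPY --from=chisel-build /go/bin/chisel /usr/local/bin/chisel
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*
RUN mkdir -p /rootfs \
 && chisel cut --release ubuntu-22.04 --root /rootfs \
      base-files_base \
      ca-certificates_data \
      libc6_libs

# Stage 4: the final image starts from nothing and receives only the cut
# filesystem and the application binary. A numeric UID avoids any need for
# /etc/passwd, which the selected slices may not provide.
FROM scratch
COPY --from=rootfs /rootfs /
COPY --from=app-build /hello /usr/local/bin/hello
USER 65534:65534
ENTRYPOINT ["/usr/local/bin/hello"]
```

Build with `docker build -t hello-chiselled .` and run with `docker run --rm hello-chiselled`. Two checks worth making before trusting such an image: run `docker run --rm --entrypoint /bin/sh hello-chiselled` and confirm it fails (there is no shell to get), and run your vulnerability scanner against it to confirm it still reports the libc6 and ca-certificates components, since the whole point of slicing rather than hand-trimming is to keep that inventory intact.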

In this talk, we’ll cover the fundamentals of Chisel and demonstrate how easy it is for anyone to design and build their own minimal and secure container image.

Session author's bio

Cristovao is an Engineering Manager at Canonical and an ex-CERN engineer with experience in Cloud and Edge computing. Cristovao started his career as a Computing Engineer, integrating Cloud Computing resources into the largest computing grid in the world, the WLCG. Nowadays, Cristovao manages a team of container experts who are responsible for building stellar container images, including the beloved official Ubuntu container image.

Social media: https://www.linkedin.com/in/cristovaocordeiro/
Level of difficulty: Intermediate