Introducing apko: bringing distroless nirvana to Alpine Linux

Earlier today, Chainguard released version 0.1 of our apko tool.  This tool allows for the composition of so-called “distroless” images from APK-based software distributions, such as Alpine Linux, using a declarative configuration.  Unlike the traditional distroless tooling, apko enables the creation of minimal, small-attack-surface images without the complications of relying on Bazel.  In short, apko streamlines the process for creating declarative container images, building on our efforts to improve the security and transparency of the software supply chain.

What is Distroless?

A distroless image contains only the components needed to support an application.  Distroless images benefit from a significantly reduced attack surface, omitting unnecessary package management capabilities and occasionally even a shell.  In the container space, the primary framework for creating these distroless images has been Google’s distroless project.

While Google’s distroless project has given people effective tools to make lightweight containers with minimal attack surface, these capabilities come at a significant cost in complexity.  Traditionally, distroless is built using Bazel, a complicated build system designed for building gigantic monolithic applications.  As a result, many users in the container ecosystem avoid distroless and build images on the official Alpine or Debian base image instead, both of which carry unnecessary attack surface for most applications.

What is apko?

APK is the package manager traditionally used by Alpine Linux, and the apko tool is a declarative APK-based OCI image builder.  The theory of operation behind it is that a user of apko will take code artifacts built as APK packages and combine them with distribution packages to create a container that has only the components needed to support the assembled application.  This can also be used with other ecosystem tools such as Google’s ko utility, by producing a customized base image for other tools to consume.
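To make the "declarative" part concrete, here is an added example of an apko configuration for a minimal image, not taken from this post or from the apko repository.  It assumes the `contents`, `entrypoint` and `environment` keys of the apko YAML format; `my-app` is a placeholder for an application that has already been packaged as an APK and published to the placeholder repository URL, and `ca-certificates-bundle` is the Alpine package providing the CA trust store.

```yaml
# Added example: a distroless image assembled by apko from APK packages.
# Everything below is declarative; nothing is executed inside the image at build time.
contents:
  repositories:
    # Distribution packages come from Alpine; the application comes from a
    # placeholder internal repository (replace with a real URL).
    - https://dl-cdn.alpinelinux.org/alpine/edge/main
    - https://packages.example.invalid/apk/main
  packages:
    # Only what the application needs at runtime. No apk-tools, no shell:
    # anything not listed here is simply absent from the image.
    - alpine-baselayout
    - ca-certificates-bundle
    - my-app            # placeholder application package

entrypoint:
  # Launch the application directly; there is no shell to wrap it.
  command: /usr/bin/my-app

environment:
  PATH: /usr/sbin:/sbin:/usr/bin:/bin

# Build (outside the image) with:
#   apko build my-app.yaml my-app:latest my-app.tar
# producing an OCI image tarball that can be loaded into a container runtime.
```

The defensive value is in what is missing: because the package list is the complete image, an auditor can read the file and know that no package manager or shell exists in the container, and the same file reproduces the same composition on every build.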

Apko features include:

  • OCI image builds for APK-based distributions
  • 100% declarative configuration
  • Sub-second image build times

Combined, these features give developers a build process that is faster and easier to reproduce.

Chainguard is working to enhance the distroless ecosystem with a full suite of tools to create and manage build artifacts as APK packages, which can then be used as inputs to apko in order to assemble container images.  The separation of concerns will bring new capabilities to the distroless ecosystem, such as the creation of high quality SBOMs at build time, while providing the flexibility for customers to build processes that work best for them.

In closing, the next generation of distroless technologies in development at Chainguard will enable the secure, scalable software factories of the future, and apko is the first step in building this future.  Check out the GitHub project today, leave feedback, report bugs, and contact us if you have any questions!
