Tuan-Anh Tran
June 28, 2024

On adopting Chainguard Images

Posted on June 28, 2024  •  4 minutes  • 826 words

In this post, I’ll discuss my experience transitioning to Chainguard Images and the rationale behind this decision.

The challanges

The conventional vulnerability management process often proves cumbersome and inefficient. Here’s a typical scenario from my past experience:

Back in 2021, I aimed to solve this problem once and for all.

So basically, we have 2 kinds of workload: one on virtual machines (VM) and the other one is container workload (EKS, RedHat OCP, etc…). I decided to target containerized workloads for initial improvement due to their inherent manageability.

Evaluating Container Image Solutions

Distroless

I like GoogleContainerTools/distroless . It’s really good when it works for you but customization presents a significant hurdle 1.

The beta-status rules_distroless might offer some future relief, but the underlying reliance on Bazel remains a barrier.

Another issue is that distroless is based on Debian. And while Debian offers a stable and well-tested foundation, its release cycle might not align perfectly with the need for rapid vulnerability patching. Debian adheres to a scheduled release cadence, which may not prioritize fixing specific CVEs (Common Vulnerabilities and Exposures) as quickly as we require. For scenarios demanding more immediate vulnerability mitigation, a rolling release operating system might be a more suitable choice.

Alpine-based

Another popular option is using Alpine OS. But the problem is software support & compatibility due to its use of musl libc instead of glibc.

For applications offering Alpine-based images (e.g., Redis), utilizing them is ideal. However, building applications on top of Alpine can be troublesome

Chainguard Images

Traditional container image solutions presented limitations, prompting me to explore Chainguard Images. Their key benefits include:

A powerful blend

When you see this closely, Chainguard Images combines the strengths of Distroless and Alpine with additional benefits.

The people

One of few things I love about Chainguard is its people. They are packed with talents.

And this give me confidence that they are poised for success.

In corporate environments, adopting new technologies often prioritizes long-term viability and a proven track record of success. This ensures a stable foundation for critical applications and minimizes the risk of disruption from short-lived solutions.

And I want to be a small part of its success by being an early contributor to Wolfi OS and advocate for them here in Vietnam (I gave a talk about Wolfi OS at FOSSASIA Summit earlier this year)

Last words

If you’re looking for a secure and efficient way to manage containerized workloads, Chainguard Images are definitely worth exploring. Their commitment to security and their impressive team inspire confidence in their ability to provide a long-term solution for the evolving container landscape.


  1. https://github.com/GoogleContainerTools/distroless/issues/1321  ↩︎

Follow me

Here's where I hang out in social media