Creating Wolfi Images with Dockerfiles

Introduction

Wolfi is a minimal open source Linux distribution created specifically for cloud workloads, with an emphasis on software supply chain security. Using apk for package management, Wolfi differs from Alpine in a few important aspects, most notably the use of glibc instead of musl and the fact that Wolfi doesn’t have a kernel as it is intended to be used with a container runtime. This minimal footprint makes Wolfi an ideal base for both distroless images and fully-featured builder images.

A distroless image is a minimal container image that typically doesn’t include a shell or package manager. The extra tightness improves security in several aspects, but it requires a more sophisticated strategy for image composition since you can’t install packages so easily. Wolfi-based builder images are still a better and more secure option to use as base images in your Dockerfile than using a full-fledged Linux distribution, as they are smaller and have fewer CVEs. You can learn more about distroless in our Going Distroless guide.

The wolfi-base image, which we’ll be using in this tutorial, is not distroless because it includes apk-tools and bash. In some cases, it can still be used to build a final distroless image, when combined with a distroless runtime in a Docker multi-stage build. That depends on the complexity of the image, the number of dependencies required, and whether these dependencies are system libraries or language ecosystem packages, for example.

In this article, we’ll learn how to leverage Wolfi to create safer runtime environments based on containers. To demonstrate Wolfi usage in a Dockerfile workflow (using a Dockerfile to build your image), we’ll create an image based on the wolfi-base image maintained by Chainguard. The goal is to have a final runtime image able to execute a Python application. Step 4 of this guide, which is optional, demonstrates how to turn that into a distroless image by combining it with a Python distroless image, also provided by Chainguard.

Requirements

You’ll need Docker to build and run the application.

Step 1: Obtaining the Demo Application

We’ll use the same demo application from the Getting Started with the Python Chainguard Image tutorial to demonstrate how to build a Wolfi Python image with a Dockerfile. The application files are available in the edu-images-demos repository. We’ll start by cloning that repository in a temporary folder so that we can obtain the relevant application files to run the second demo from that tutorial.

The following command will clone the demos repository in your /tmp folder:

mkdir /tmp/images-demos &&  \
  git clone https://github.com/chainguard-dev/edu-images-demos.git \
  /tmp/images-demos

We’ll now copy the demo application to a location inside your home folder.

mkdir ~/inky && cp -R /tmp/images-demos/python/inky/* ~/inky/

You can now enter the newly created directory in your home folder and inspect its contents:

cd ~/inky && ls -la

This application will take in an image (inky.png) file and convert it to ANSI escape sequences to render it on the CLI. The code is on the inky.py file, while the requirements.txt file has the dependencies required by the application: setuptools and climage.

For your reference, here is the complete inky.py script:

'''import climage module to display images on terminal'''
from climage import convert


def main():
    '''Take in PNG and output as ANSI to terminal'''
    output = convert('inky.png', is_unicode=True)
    print(output)

if __name__ == "__main__":
    main()

You’ll notice that there’s already a Dockerfile in that directory, but it uses the Python Chainguard image in a multi-stage build. In the next step, we’ll replace that with a new Dockerfile that uses the Wolfi-base image to build a Python image from scratch, using Wolfi apks.

Step 2: Creating the Dockerfile

Now we’ll create the Dockerfile to run the application. This Dockerfile will set up a new user and WORKDIR, copy relevant files, and install dependencies with Pip. It will also define the entry point that will be executed when we run this image with docker run.

You can rename the old Dockerfile if you want to keep it for tests later.

mv Dockerfile _DockerfileBkp

Then, create a new Dockerfile:

nano Dockerfile

Copy the following content to it:

FROM cgr.dev/chainguard/wolfi-base

ARG version=3.12
WORKDIR /app

RUN apk add python-${version} py${version}-pip && \
	chown -R nonroot.nonroot /app/

USER nonroot
COPY requirements.txt inky.png inky.py /app/
RUN  pip install -r requirements.txt --user

ENTRYPOINT [ "python", "/app/inky.py" ]

This Dockerfile uses a variable called version to define which Python version is going to be installed in the resulting image. You can change this to one of the Python versions available in Wolfi. To find out which versions are available, please refer to the Searching for Packages section of our migration guide.

Save the file when you’re done. In the next step, we’ll build and run the image with docker.

Step 3: Building and Running the Image

With the Dockerfile ready, you can now build your application runtime. If you’re on macOS, make sure Docker is running.

Build your image with:

docker build . -t inky-demo

If you run into issues, try using sudo.

Finally, run the image with:

docker run --rm inky-demo

You’ll receive a representation of the Chainguard Inky logo on the command line.

Step 4 (Optional): Composing Distroless Images in a Docker Multi-Stage Build

As discussed in the introduction, in some cases it is possible to combine your fully-featured image with a distroless runtime in a Docker multistage build, and this will give you a final image that is also distroless. Keep in mind that this technique for building distroless images is only viable when there aren’t additional system dependencies that require installation via apk.

The Getting Started with Python tutorial shows in detail how to accomplish that using a -dev variant as builder, and the distroless Chainguard Python image as production image. You can also accomplish the same results by using your newly-built image based on wolfi-base in place of the -dev variant of the Python image. We’ll change the build to use a virtual environment to package the dependencies and add an extra step to create the final image.

The following Dockerfile uses a multi-stage build to obtain a final distroless image that contains everything the application needs to run. The build requires additional software that is not carried along to the final image.

Open a new file and call it DockerfileDistroless:

nano DockerfileDistroless

Copy the following code into your new file:

FROM cgr.dev/chainguard/wolfi-base as builder

ARG version=3.12

ENV LANG=C.UTF-8
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1
ENV PATH="/app/venv/bin:$PATH"

WORKDIR /app

RUN apk update && apk add python-$version py${version}-pip && \
	chown -R nonroot.nonroot /app/
USER nonroot
RUN python -m venv /app/venv

COPY requirements.txt /app/
RUN  pip install --no-cache-dir -r requirements.txt

FROM cgr.dev/chainguard/python:latest

ENV PYTHONUNBUFFERED=1
ENV PATH="/app/bin:$PATH"

WORKDIR /app

COPY --from=builder /app/venv /app

COPY inky.py inky.png /app/

ENTRYPOINT [ "python", "/app/inky.py" ]

Save and close the file when you’re finished.

Now, build this image using a custom tag so that you can compare the previously built inky-demo image with its distroless version:

docker build . -f DockerfileDistroless -t inky-demo:distroless

If you run the new image, it should give you the same result as before.

docker run --rm inky-demo:distroless

But these images are not the same. The following command will give you a glimpse of their differences:

docker images inky-demo

REPOSITORY   TAG          IMAGE ID       CREATED         SIZE
inky-demo    distroless   619ef9b6c52d   6 seconds ago   90.3MB
inky-demo    latest       4832e9093348   4 minutes ago   110MB

You’ll notice that the :distroless version is significantly smaller, because it doesn’t carry along all the software necessary to build the application. More important than size, however, is the smaller attack surface that results in fewer CVEs.

Final Considerations

In this tutorial, we’ve demonstrated how to build a Python image from scratch using the wolfi-base image. We’ve also shown how to compose a distroless image using a multi-stage build. This technique is useful when you need to reduce the attack surface of your application runtime, which is especially important in security-sensitive environments.

If your application runtime requires system dependencies that are not already included within a distroless variant available in our images directory, you can still use a builder image (identified by the -dev suffix) or the wolfi-base image in a standard Dockerfile to build a suitable runtime. These images come with apk and a shell, allowing for further customization based on your application’s requirements.

If you can’t find an image that is a good match for your use case, or if your build has dependencies that cannot be met with the regular catalog, get in touch with us for alternative options.