There is a positive cycle of technology that pushes the boundaries between what is being built and how it is being used. New technology developments are emerging and attracting global attention. People begin experimenting and discovering new applications, use cases, and approaches to maximize the potential for innovation. These use cases create great value and drive demand for the next iteration of innovation, resulting in a new wave of innovators creating next generation use cases and driving further advancement.
Containerization is the foundation of modern cloud-native software development, supporting new use cases and approaches to building resilience, scalable and portable applications. It also retains the key to innovation in software delivery, and at the same time requires evolution to ensure that software is continuously set up for each design and act as a way to get there.
Below we discuss some of the innovations that led to our containerized revolution, and some of the features of cloud-native software development that led to this inflection point.
With iteration we have approached ubiquitousness
There are many innovations that paved the way for safer, more performant open source delivery. For your time and the number of my words, I will call three specific milestones. From Linux Containers (LXC) to Docker and ultimately the Open Container Initiative (OCI), each step is built on its predecessor, addressing restrictions and unlocking new possibilities.
LXC lays the foundations by leveraging the capabilities of the Linux kernel (i.e. cgroups and namespaces) to create lightweight, isolated environments. For the first time, developers can package their applications with dependencies, providing some consistency across different systems. However, the complexity of LXC for users and the lack of standardized image distribution catalogues have hindered widespread adoption.
Docker emerged as a game changer as a democratizing container technology. We simplified the process of creating, running and sharing containers, making them accessible to a larger audience. The Docker’s user-friendly interface and the creation of Docker Hub, a central repository of container images, nurtured a vibrant ecosystem. This ease of use has encouraged rapid adoption, but also raised concerns about vendor lock-in and interoperability needs.
Recognizing the possibility of fragmentation, the OCI (Open Container Nissan Initiative) intervened to standardize container formats and runtimes. By defining open specifications, OCI has ensured that containers can be built and run through a variety of platforms, promoting a healthy, competitive landscape. Projects like Runc and Containerd, born from OCI, provided a common foundation for container runtimes, allowing for greater portability and interoperability.
Additionally, the OCI standard has made Kubernetes (another vendor neutral standard) a true portable platform that runs a wide range of infrastructure and allows organizations to consistently coordinate applications across a variety of cloud providers and on-premises environments. This standardization and associated innovation have unlocked the full potential of containers and paved the way for a ubiquitous presence in modern software development.
[Containerized] Software eats the world
Advances in Linux, rapid democratization of containers via Docker, and standardization of OCI were all inevitably driven by cloud-native app use cases advancing orchestration and standardization. The characteristics of these cloud-native applications also highlight why a generic approach to Linux distributions highlights the following for software developers with the latest updated foundation:
Microservice Oriented Architecture: Cloud-native applications are typically built as small, independent collections of services, each microservice performs a specific function. Each of these microservices can be built, deployed and maintained independently. This provides an enormous amount of flexibility and resilience. Because each microservice is independent, software builders need a comprehensive software package to run microservices and rely solely on bare essentials in containers.
Resource-conscious and efficient: Cloud-native applications are built to be efficient and resource-conscious to minimize infrastructure load. This stripped-up approach naturally coordinates well with containers and ephemeral deployment strategies, with new containers constantly deployed and other workloads updated to the latest code available. This reduces security risks by utilizing the latest software packages rather than waiting for distribution patches or backports.
Portability: Cloud-native applications are designed to be portable with consistent performance and reliability, regardless of where your application is running. As a result of standardizing the environment, developers can move beyond the old past headaches of “good on my machine.”
The positive cycle of innovation that drives new use cases and ultimately new innovations is evident regarding containerization and widespread adoption of cloud-native applications. Critical, this inflection point in innovation and use case demands has led to an incredible rate of change within open source software. This has reached a point where the security, performance and innovation drawbacks of traditional “frozen-in” Linux distributions outweigh the familiarity and perceived stability of the final generation of software delivery.
So, what should next-generation open source software distribution look like?
Input: Chainguard OS
To meet the latest security, performance and productivity expectations, software builders need the latest software in the smallest format designed for use cases, without using CVEs that lead to business risks (and the list of “Fix-IT” in security teams). To get better at these parameters, you don’t just make them in the past. Instead, next-generation open source software distribution should start with a source of secure, updated software: upstream maintainers.
So Chainguard will build this new distribution approach and continually rebuild its software packages based on upstream sources that remove vulnerabilities and add performance improvements, rather than downstream distributions. It’s called Chainguard OS.
Chainguard OS serves as the foundation for the broad security, efficiency and productivity outcomes that Chainguard products offer today, and “Chainguarding” a rapidly growing catalog of over 1,000 container images.
Chainguard OS adheres to four key principles to make it possible.
Continuous Integration and Delivery: Emphasises the continuous integration, testing and release of upstream software packages to ensure a streamlined, efficient development pipeline through automation. Nano Updates and Rebuilds: Better Nonstop Incremental Updates and Rebuilds over major release upgrades, ensuring smoother transitions and minimizing disruptive changes. Minimal, Hardened, Unchanging Artifacts: Remove unnecessary vendor bulges from software artifacts, create sidecar packages, and enhance security through hardening countermeasures while making extras an option for users. Minimize Delta: Minimize deviations from upstream, additional patches are included only when essential, and only until new releases are cut from upstream if necessary.
Perhaps the best way to highlight the value of Chainguard OS principles is to look at the effects of Chainguard images.
The screenshot below (and you can see here) allows you to compare external and Chainguard images side-by-side.
Aside from a very clear inconsistency in vulnerability counts, it is worth examining the difference in size of the two container images. Chainguard images consist of only 6% of the open source alternative images.
In addition to the minimized image size, Chainguard’s images were last updated just an hour before the screen grab.
A quick scan of source and SBOM data shows the end-to-end integrity and invariance of the artifact. This is a kind of complete nutrition label that emphasizes the security and transparency that modern approaches to open source software delivery can provide.
Each Chainguard image stands as a practical example of the value Chainguard OS offers, offering alternatives to what came before. Perhaps the biggest metric is the feedback received from customers who shared how Chainguard container images can help eliminate CVE, secure supply chains, achieve compliance, reduce developer hardships, and enable them to reassign valuable developer resources.
Our belief is that Chainguard OS principles and approaches can be applied to a variety of use cases, extending the benefits of continuous reconstructed software packages from sources to an open source ecosystem.
If you find this useful, check out the white paper on this subject or contact our team to speak to Chainguard’s Distristress approach experts.
Note: This article is cleverly written and contributed by Dustin Kirkland, Chainguard’s Vice President of Engineering.
Source link
