Build Wolfi images with Bazel: Introducing rules_apko

Co-author: Adam Dawson, Principal Product Manager at Chainguard
Cross-posted with Chainguard: https://www.chainguard.dev/unchained/announcing-bazel-rules-for-extending-chainguard-images

Yesterday during BazelCon 2023, in partnership with Chainguard, I announced the general availability of rules_apko, an open source plugin for Bazel, which makes it possible to build secure, minimal Wolfi-based container images using the popular Bazel build system. This plugin allows Bazel users to build OCI container images with the open source community un-distro, Wolfi, using their existing pipelines and workflows in Bazel.

Apko is for more secure, distroless container images based on the Wolfi un-distro

Apko is an open-source project developed by Chainguard for producing minimal, low-CVE, distroless container images using the Wolfi un-distro. Apko is used to assemble distroless base images and Wolfi's extensive library of APK packages (or packages you create) into an OCI-compliant container image that is fully reproducible and has a complete software bill of materials (SBOM).

Bazel is for fast, reproducible builds

Bazel is the open-sourced version of Google’s internal build tool, commonly used in multi-language monorepos to get faster and more reproducible builds. Bazel relies on plugins, called “rulesets,” to teach it how to build a given kind of artifact, including container images. Since Bazel can understand most languages, it’s a single tool that can produce images containing any application code. It also provides hermeticity and determinism guarantees, allowing a secure software supply chain to propagate from the package manager all the way to your production images.

Introducing rules_apko

rules_apko is a new Bazel ruleset for building OCI images from Wolfi base images and APKs within existing Bazel workflows.

Previously, Bazel users had to build base images outside of Bazel and manually update the references to them in their Bazel configuration, or fall back on the slow and now deprecated container_run_and_* APIs in rules_docker.

rules_apko generates a fully locked and verifiable description of all transitive dependencies. Bazel then downloads individual APK packages needed for the requested build targets, and creates an OCI-format base image containing the installed packages. This base image can then be further extended by rules_oci to append artifacts built from sources in the repository.

Benefits of using apko and Wolfi-base images with Bazel include:

  • Supply chain security assurances in Bazel that the APK packages it fetches have the same integrity hashes as those recorded in the lock file.

  • Bazel can build application code in any language and add it to the image.

  • Bazel coordinates test runners where container images are required as inputs.

  • Bazel can enable fully-offline (“air gapped”) builds with rules_apko.

  • Assurances that the resulting image is fully reproducible and has a complete SBOM.

Getting Started with rules_apko

rules_apko is available today and it's easy to get started building secure, minimal container images in Bazel:

  • Run the apko resolve command against your apko configuration to produce the apko.resolved.json lock file. Note: the resolve command is undocumented and is available only in the newest release of apko.

  • Follow the install instructions to add rules_apko to your Bazel project.

  • Call the translate_apko_lock Bazel API to import the apko.lock.json file so that Bazel can download and verify the integrity of remote assets.

  • Add apko_image targets to your BUILD files to create base images.
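The four steps above, put together as an added example (this is my own illustration, not code from the rules_apko repository or the Chainguard post). It assumes the lock file produced in the first step is saved as apko.lock.json, which is the name the translate_apko_lock step refers to; the repository name example_lock, the target names, the image tag, and the apko.yaml contents are all constructed for this illustration, and the load paths and attribute names shown (translate_apko_lock, apko_repositories, apko_image and its config/contents/tag attributes, oci_image from rules_oci) are written from my reading of those rulesets rather than taken from this page, so check them against the ruleset's install instructions for the version you use.

```starlark
# --- apko.yaml (constructed example config; `apko resolve` locks this) ---
# contents:
#   repositories:
#     - https://packages.wolfi.dev/os
#   keyring:
#     - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
#   packages:
#     - wolfi-base
# archs:
#   - x86_64

# --- WORKSPACE (after following the rules_apko install instructions) ---
load("@rules_apko//apko:translate_lock.bzl", "translate_apko_lock")

# Step 3: import the lock file. Bazel generates an external repository
# ("example_lock", a name chosen for this example) holding one download
# rule per APK, each pinned to the integrity hash recorded in the lock,
# so a package whose bytes do not match the lock fails the build.
translate_apko_lock(
    name = "example_lock",
    lock = "//:apko.lock.json",
)

load("@example_lock//:repositories.bzl", "apko_repositories")

# Declare the pinned APK downloads (fetched lazily, only for requested targets).
apko_repositories()

# --- BUILD.bazel ---
load("@rules_apko//apko:defs.bzl", "apko_image")
load("@rules_oci//oci:defs.bzl", "oci_image")

# Step 4: assemble the locked packages into an OCI base image.
apko_image(
    name = "wolfi_base",
    config = "apko.yaml",
    contents = "@example_lock//:contents",
    tag = "wolfi-base:latest",
)

# Extend the apko-built base with artifacts built in this repository,
# as the post describes for rules_oci. ":app_layer" is assumed to be a
# tar target (for example from rules_pkg) that is defined elsewhere.
oci_image(
    name = "app",
    base = ":wolfi_base",
    tars = [":app_layer"],
    entrypoint = ["/usr/bin/app"],
)
```

With these files in place, `bazel build //:wolfi_base` fetches only the APKs named in the lock and fails if any download's hash differs from the locked value; adding the APK mirror to a local cache or Bazel distdir is what turns this into a fully offline build.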

Take a look at the examples at https://github.com/chainguard-dev/rules_apko/tree/main/examples for more ideas of how to use rules_apko to create secure, reproducible container images for your enterprise applications.

Resources

To learn more about using rules_apko for distroless container images, check out the following additional resources:

You can try Chainguard Images for free today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. Our free and public Images are available on the :latest and :latest-dev versions only. If you're interested in learning more or have additional questions regarding our Chainguard Images Enterprise features and capabilities, please reach out to our team for more information.

Aspect would like to extend our special thanks to the team at Chainguard for sponsoring the work of developing rules_apko!