Show HN: Minimal – Open-Source Community driven Hardened Container Images (github.com)

120 points by ritvikarya98 ↗ HN
I would like to share Minimal - Its a open source collection of hardened container images build using Apko, Melange and Wolfi packages. The images are build daily, checked for updates and resolved as soon as fix is available in upstream source and Wolfi package. It utilizes the power of available open source solutions and contains commercially available images for free. Minimal demonstrates that it is possible to build and maintain hardened container images by ourselves. Minimal will add more images support, and goal is to be community driven to add images as required and fully customizable.

16 comments

[ 3.8 ms ] story [ 37.1 ms ] thread
(comment deleted)
This is great. I have been talking to quite some vendors in the space. I have looked in docker hardened images too. They have made it free too.

I think the problem in general is hardened image market is keeping up with CVEs and making sure the catalog is vast so that it covers all the images and nuances.

Responding and patchibg CVEs with an SLA is the KPI of the vendors. As much as I would like cheer for you, doing it as an opensource initiate with a guaranteed SLA is going to be painful for you as maintainer without profit as a motive.

(comment deleted)
Thanks for looking into this! I agree with you and hence I'm also relying on Wolfi packages, which will ensure they are updated as soon as upstream is available so I'm piggy backing on that. Github Actions run daily/weekly based on the cadence and once the pipeline is setup do not require a significant effort imo. And I want it to be community driven so we can add images as and when people want it and build it accordingly. Chainguard tools surely help with this! I aim to show that companies can try and build internal pipelines like this for all images in their repository
Looks very useful, we should definitely build up on this!!!
Dumb question but how would these work in practice? I use kamal to deploy containerized applications. Would I on a regular basis update the versions of the underlying images to match the latest hardened container and then redeploy? I assume this is automatable?
Need more information on how I can integrate this in my pipeline but this looks promising
Why does this not use chisel? I assume you at least drop the bin dir? Although the presence of ncurses is super weird

I don't understand why one would go halfway and leave packages which are unneeded for services. The only executable in a hardened container image should be your application.

I'm not sure what problem this is solving. This seems like chainguard but being built in "your ci" (github) vs "their ci". Images may be a bit smaller, but this is already a feature set that wolfi already allows for. Besides that chainguard is not full-source bootstrapped.
I have been curious on secure base images for the AI ecosystem, where we need to ship with cuda 11.8/12.8/13.1 for stability reasons, and in our case, a bit of the torch ecosystem and Nvidia rapids ecosystem. That ends up being... A lot. Extra fun: going all the way to FIPS..
What is the process to trust the usage of this?

How can we learn the identity of the contributors? How are the contributors vetted? How are we notified if a significant change in leadership happens?

It's just a general problem when relying on GitHub accounts for important code.

For some reason I trust the big vendors to have better safe-guards against things like the questions above. Such as aws linux containers etc..

Would love to hear how other people think around this.

Fewer CVEs do not necessarily mean safety.
As those are built on Wolfi by Chainguard I would not use them in production. They restricted already their own images for only paid customers and also recently limited OSS entirely on Wolfi. So there is no guarantee how long the packages may be available for non paying customers.
are these images based on debian? seems unclear as they are all framework specific..
I am pushing myself to learn nix and get rid of base images altogether.

The syntax is hard without a functional background but I strongly believe this is the next logical step to harden containers and have reproducible builds.

This is pretty useful in my opinion - atleast now I know a way to build hardened images on my own1