Although building container images is an easy and accessible practice, perfecting them is still an art that is challenging to master. In pursuit of the smallest, most secure and yet functional container images, developers are faced with distroless practices that usually involve complex tooling, deep distro knowledge and error-prone trimming strategies. In fact, such practices often bypass the package manager altogether, creating a security blind spot: most vulnerability scanners rely on package manager metadata to detect the software components within the container image, and a hand-trimmed image carries none.

Chisel introduces a novel pattern for building distroless-like container images from the ground up. It is a self-contained tool that cuts Ubuntu packages into a minimal filesystem, from scratch. Unlike a typical package manager, Chisel works with package “slices”, i.e. predefined subsets of existing packages that have been designed to compartmentalize functionality and leave out contents that are not required for the container application to run. The result is a minimal, yet functional slice of an Ubuntu filesystem, with a reduced attack surface. There is no need to repackage or manipulate one’s application dependencies, meaning that whatever applications already work today with Ubuntu will still work with Chiselled Ubuntu.

In this talk, we'll cover the fundamentals of Chisel and demonstrate how easy it is for anyone to build their own minimal and secure container image. Attendees should be comfortable with Linux systems (especially packaging) and container technologies. Some advanced topics, like distroless containers, will be used for reference and, as such, will also be introduced for those who are less familiar with the concept. By the end of the session, even the less technical attendees should be able to generate an ultra-small Ubuntu-based container image, with a reduced attack surface and default compliance with security standards like CIS and STIG.
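The slicing pattern described above, as an added example that is not part of the original abstract or of the Chisel project's own documentation: a multi-stage Dockerfile that runs `chisel cut` in a builder stage and copies only the resulting root filesystem into a `scratch` image. The Chisel image tag, the `ubuntu-22.04` release name and the slice names (`base-files_base`, `base-files_chisel`, `libc6_libs`, `ca-certificates_data`) are assumptions about the current chisel-releases layout; substitute the slices your application actually needs.

```dockerfile
# Stage 1: cut the slices into an empty root filesystem.
# The chisel binary is taken from its published image (assumed tag).
FROM ubuntu:22.04 AS builder
COPY --from=ubuntu/chisel:latest /usr/bin/chisel /usr/bin/chisel

# Each "<package>_<slice>" is a predefined subset of an Ubuntu package.
# Only the files those slices declare (plus their slice dependencies)
# land in /rootfs; nothing else from the package is copied.
# base-files_chisel records a package manifest under /var/lib/chisel
# so scanners that support it can still enumerate what is installed
# (assumed behaviour of recent Chisel releases).
RUN mkdir -p /rootfs \
 && chisel cut --release ubuntu-22.04 --root /rootfs \
        base-files_base \
        base-files_chisel \
        libc6_libs \
        ca-certificates_data

# Stage 2: the final image starts from nothing and receives only the
# cut filesystem, so there is no shell, no apt and no spare tooling
# for an attacker to reuse.
FROM scratch
COPY --from=builder /rootfs /
# Copy your application binary here; it will find the libc6 and CA
# certificate slices it depends on at their usual Ubuntu paths.
# COPY --from=build-app /app/server /usr/bin/server
USER 1000:1000
# ENTRYPOINT ["/usr/bin/server"]
```

A useful check after building is to run your vulnerability scanner against the result and confirm it reports the sliced packages; a scanner that finds nothing at all is a sign the manifest slice was left out, not that the image is free of vulnerabilities.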