Google Online Security Blog: Introducing rules_oci

Today, we are announcing the General Availability 1.0 release of rules_oci, an open-source Bazel plugin ("ruleset") that makes it simpler and more secure to build container images with Bazel. This effort was a collaboration with Aspect and the Rules Authors Special Interest Group. In this post, we explain how rules_oci differs from its predecessor, rules_docker, and describe the benefits it offers for both container image security and the container community.

Google's popular build and test tool, Bazel, is gaining fast adoption within enterprises thanks to its ability to scale to the largest codebases and handle builds in almost any language. Because Bazel manages and caches dependencies by their integrity hash, it is uniquely suited to make assurances about the supply chain based on the Trust-on-First-Use principle: once a dependency is fetched and its hash recorded, any later fetch that does not match that hash fails the build. One way Google uses Bazel is to build the widely used Distroless base images for Docker.

Distroless is a series of minimal base images that improve supply-chain security. They restrict what is in your runtime container to precisely what your application needs, a best practice employed by Google and other companies that have run containers in production for many years. Using minimal base images reduces the burden of managing risks associated with security vulnerabilities, licensing, and governance issues in the supply chain for building applications.

Historically, building container images with Bazel was supported by rules_docker, which is now in maintenance mode. The new ruleset, called rules_oci, is better suited to Distroless, and to most Bazel container builds, for several reasons:

  • The Open Container Initiative standard has changed the playing field, and there are now multiple container runtimes and image formats. rules_oci is not tied to a docker daemon being installed and running on the build machine.

  • rules_docker was created before many excellent container manipulation tools existed, such as Crane, Skopeo, and Zot. rules_oci can simply rely on trusted third-party toolchains and avoids building or maintaining any Bazel-specific tools.

  • rules_oci does not include any language-specific rules, which makes it much more maintainable than rules_docker. It also avoids the pitfalls of stale dependencies on other language rulesets.

There are other features of rules_oci worth highlighting as well. For example, it uses Bazel's downloader to fetch layers from a remote registry, improving caching and allowing transparent use of a private registry. Multi-architecture images make it more convenient to target platforms such as ARM-based servers, and Windows Containers are supported as well. Code signing allows users to verify that a container image they use was created by the developer who signed it and was not modified by any third party along the way (e.g. a person-in-the-middle attack); this assurance only holds if consumers actually verify the signature before running the image. In combination with work on the Bazel team's roadmap, you will also get a Software Bill of Materials (SBOM) showing what went into the container you use.

Since adopting rules_oci and Bazel 6, the Distroless team has seen a number of improvements to our build processes, image outputs, and security metadata:

  • Native support for signing allows us to eliminate a race condition that could have left some images unsigned. We now sign immutable digest references to images during the build instead of tags after the build. A digest identifies exactly one image manifest, whereas a tag is a mutable pointer that can be moved to a different image between the push and the signing step.

  • Native support for OCI indexes (multi-platform images) allowed us to remove our dependency on docker during the build. This also means more natural and debuggable failures when something goes wrong with multi-platform builds.

  • Improvements to fetching and caching mean our CI builds are faster and more reliable when using remote repositories.

  • Distroless images are now accompanied by SBOMs embedded in a signed attestation, which you can view with cosign and some jq magic:

cosign download attestation gcr.io/distroless/base:latest-amd64 | jq -rcs '.[0].payload' | base64 -d | jq -r '.predicate' | jq
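The following is an added example, not code from the rules_oci, Distroless or cosign projects. It does in Python what the cosign and jq pipeline above does (splits cosign's newline-delimited output, unwraps the DSSE envelope, base64-decodes the in-toto statement and takes its predicate) and adds the consumer-side counterpart of signing digests rather than tags: before trusting an SBOM, check that the statement's subject digest is the digest of the image you are actually about to run, since a tag like latest-amd64 can move between the download and the deployment. The envelopes, digests and package lists are constructed inline so it runs offline; signature verification is not reimplemented here and should be done with cosign verify-attestation.

```python
"""Offline counterpart of the `cosign download attestation ... | jq` pipeline.

Added example, not code from rules_oci, Distroless or cosign. The envelopes,
digests and package lists below are constructed so the script runs without
network access. Signature checking is out of scope; run
`cosign verify-attestation` before trusting anything decoded this way.
"""
import base64
import hashlib
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
IN_TOTO_STATEMENT_TYPES = {
    "https://in-toto.io/Statement/v0.1",
    "https://in-toto.io/Statement/v1",
}
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"  # in-toto predicate type for SPDX


def make_statement(image: str, digest_hex: str, predicate: dict) -> dict:
    """Build an in-toto statement binding `predicate` to one image digest."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SPDX_PREDICATE_TYPE,
        "subject": [{"name": image, "digest": {"sha256": digest_hex}}],
        "predicate": predicate,
    }


def make_envelope(statement: dict) -> dict:
    """Wrap a statement in a DSSE envelope shaped like cosign's output.
    The signature is a placeholder; this example is about payload structure."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
    }


# Constructed sample: two builds of the same image name. A moving tag such as
# :latest-amd64 may point at either one, so the SBOM must be chosen by digest.
IMAGE = "gcr.io/distroless/base"
CURRENT_DIGEST = hashlib.sha256(b"constructed manifest, build 2").hexdigest()
STALE_DIGEST = hashlib.sha256(b"constructed manifest, build 1").hexdigest()
CURRENT_SBOM = {"spdxVersion": "SPDX-2.3", "name": "constructed-sbom-2",
                "packages": [{"name": "base-files"}, {"name": "libc6"}]}
STALE_SBOM = {"spdxVersion": "SPDX-2.3", "name": "constructed-sbom-1",
              "packages": [{"name": "base-files"}]}

# cosign prints one envelope per line, which is why the original uses `jq -s`.
SAMPLE_STREAM = "\n".join(
    json.dumps(make_envelope(make_statement(IMAGE, d, s)))
    for d, s in ((CURRENT_DIGEST, CURRENT_SBOM), (STALE_DIGEST, STALE_SBOM))
)


def parse_envelopes(stream: str) -> list:
    """Split newline-delimited JSON into envelopes (the `jq -s` step)."""
    return [json.loads(line) for line in stream.splitlines() if line.strip()]


def decode_statement(envelope: dict) -> dict:
    """Unwrap one envelope (`.payload | base64 -d`) and check its types."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") not in IN_TOTO_STATEMENT_TYPES:
        raise ValueError(f"not an in-toto statement: {statement.get('_type')!r}")
    return statement


def subject_matches(statement: dict, digest: str) -> bool:
    """True if any subject carries this sha256; accepts a 'sha256:' prefix."""
    want = digest.split(":", 1)[-1].lower()
    return any(s.get("digest", {}).get("sha256", "").lower() == want
               for s in statement.get("subject", []))


def sbom_for_digest(stream: str, digest: str) -> dict:
    """Return the SPDX predicate attested for exactly this image digest.
    Consumer-side half of "sign digests, not tags": the SBOM is accepted
    only if its subject is the digest actually being deployed."""
    for envelope in parse_envelopes(stream):
        statement = decode_statement(envelope)
        if (statement.get("predicateType") == SPDX_PREDICATE_TYPE
                and subject_matches(statement, digest)):
            return statement["predicate"]
    raise LookupError(f"no SPDX attestation for digest {digest}")


def package_names(sbom: dict) -> list:
    """Sorted package names from an SPDX document's `packages` list."""
    return sorted(p["name"] for p in sbom.get("packages", []))


if __name__ == "__main__":
    sbom = sbom_for_digest(SAMPLE_STREAM, "sha256:" + CURRENT_DIGEST)
    print(json.dumps(sbom, indent=2))  # what `jq -r '.predicate' | jq` prints
    print(package_names(sbom))
```

To use this against a real image, replace SAMPLE_STREAM with the output of cosign download attestation, pass the digest reported by your runtime or registry (not a tag), and run cosign verify-attestation on the same reference first, since this script only checks structure and digest binding.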

In the end, rules_oci allowed us to modernize the Distroless build while also adding the supply chain security metadata that lets organizations make better decisions about the images they consume.

Today, we are happy to announce that rules_oci is now a 1.0 release. This stability guarantee follows the semver standard and promises that future 1.x releases will not include breaking public API changes. Aspect provides resources for using rules_oci, such as a migration guide from rules_docker. It also offers support, training, and consulting services for effectively adopting rules_oci to build containers in all languages.

If you use rules_docker today, or are considering using Bazel to build your containers, this is a great time to give rules_oci a try. You can help by filing actionable issues, contributing code, or donating to the Rules Authors SIG OpenCollective. Since the project is developed and maintained entirely as community-driven open source, your support is critical to keeping the project healthy and responsive to your needs.

Special thanks to Sahin Yort and Alex Eagle from Aspect.
