(Originally published on the Chainguard blog) If you’re anything like me, you probably have horrendously long docker build commands that you manage via shell history. If you’re more organised, you might have shell scripts or even Makefiles to manage your Docker build workflows. That is a better solution, but adds in an extra dependency that isn’t always portable (and isn’t the point of Docker to be portable?). Fortunately, there is a better solution, and it doesn’t require any tooling beyond the Docker CLI: meet Bake.

(Originally published on the Chainguard blog) Until relatively recently, if you were running containers in the cloud, it was a pretty safe bet that they were running on the x86-64 architecture. In recent years, this has been rapidly changing, with ARM64 architectures starting to command a significant percentage. This has been driven primarily by the energy (and hence cost) savings typically associated with ARM processors. Cloud providers have also been developing custom chips such as Google Axion and AWS Graviton, further pushing uptake.

(Originally published on the Chainguard blog) One of the most critical actions to keep systems secure is to apply updates. In modern, containerized infrastructures that will often mean updating containers. A casual observer might expect such a standard and important task to have agreed-on best practices and standardized tooling, but they will likely be shocked by the multitude of different solutions and opinions on this problem. This post will delve into some of the options and try to steer the reader towards a path that works for them and keeps their systems both stable and secure.

(Originally published on the Chainguard blog) At Chainguard, we’re always looking for ways to help communities improve their security practices, especially in conjunction with Chainguard Images. This time, we take a look at Java. In this blog, we’ll walk through how users can port an existing Java application to use Chainguard Images and demonstrate the resultant improvement in size and security. All the Chainguard Images in this blog post are available in the free Developer tier of Chainguard Images.

(Originally published on the Chainguard blog) The first wave of containerization was a revelation. You could download third-party applications like Redis or nginx and have them running in seconds with no configuration. You could put your application on top of a base image like Debian or Ubuntu, ship it to people and be confident that it would work exactly the same for them as it did for you. We had something with the isolation and portability of a virtual machine (VM), but at a fraction of the size.

A deep-dive into OCI Annotations and Labels and what the difference is.

(Originally published on the Chainguard blog) During CloudNativeSecurityCon in Detroit, I gave a presentation on how the industry can do a better job of building secure container images. For those that were unable to attend the conference or join the session, the slides and full recording are now available. Here’s a quick look at the major takeaways from the presentation: Start signing your images if you haven’t already. Sigstore and tools like cosign make this really simple, so it’s an easy win that everyone should be doing.

An incomplete list of some of my recent talks.

As you may have noticed, I’m in the middle of revamping my blog. It’s now a static site, run via Hugo and Cloudflare Pages. I was planning to use Disqus for comments, but changed my mind when I realised it meant ads and tracking. This led to a search for alternatives which ended in choosing Webmention.

My predictions for how the industry will change over the next decade or so.