Today, we're announcing the General Availability 1.0 version of rules_oci, an open-source Bazel plugin ("ruleset") that makes it simpler and safer to build container images with Bazel. This effort was a collaboration with Aspect and the Rules Authors Special Interest Group. In this post, we'll explain how rules_oci differs from its predecessor, rules_docker, and describe the benefits it offers for both container image security and the container community.
Google's popular build and test tool, Bazel, is gaining fast adoption within enterprises thanks to its ability to scale to the largest codebases and handle builds in almost any language. Because Bazel manages and caches dependencies by their integrity hash, it is uniquely suited to making assurances about the supply chain based on the Trust-on-First-Use principle: a dependency is pinned by the hash recorded the first time it is fetched, and any later download that does not match that hash fails the build. One way Google uses Bazel is to build the widely used Distroless base images for Docker.
Distroless is a series of minimal base images that improve supply-chain security. They restrict what is in your runtime container to precisely what your app needs, a best practice employed by Google and other tech companies that have run containers in production for many years. Using minimal base images reduces the burden of managing the security vulnerabilities, licensing, and governance issues in the supply chain for building applications, simply because there is less in the image to track.
Historically, building container images was supported by rules_docker, which is now in maintenance mode. The new ruleset, called rules_oci, is better suited to Distroless, and to most Bazel container builds, for several reasons:
- The Open Container Initiative (OCI) standard has changed the playing field, and there are now several container runtimes and image formats. rules_oci is not tied to a docker daemon already running on the build machine.
- rules_docker was created before many excellent container manipulation tools existed, such as Crane, Skopeo, and Zot. rules_oci can simply rely on trusted third-party toolchains and avoid building or maintaining any Bazel-specific tools.
- rules_oci doesn't include any language-specific rules, which makes it much more maintainable than rules_docker. It also avoids the pitfalls of stale dependencies on other language rulesets.
There are other great features of rules_oci to highlight as well. For example, it uses Bazel's downloader to fetch layers from a remote registry, improving caching and allowing transparent use of a private registry. Multi-architecture images make it more convenient to target platforms like ARM-based servers, and Windows Containers are supported as well. Code signing lets users verify that a container image they use was created by the developer who signed it and was not modified by any third party along the way (e.g. a person-in-the-middle attack). Along with work on the Bazel team's roadmap, you'll also get a Software Bill of Materials (SBOM) showing what went into the container you use.
Since adopting rules_oci and Bazel 6, the Distroless team has seen numerous improvements to our build processes, image outputs, and security metadata:
- Native support for signing allowed us to eliminate a race condition that could have left some images unsigned. We now sign immutable digest references to images during the build, instead of signing tags after the build; a tag can be moved between the time an image is pushed and the time it is signed, whereas a digest identifies exactly one image.
- Native support for OCI indexes (multi-platform images) allowed us to remove our dependency on docker during the build. This also means more natural and debuggable failures when something goes wrong with multi-platform builds.
- Improvements to fetching and caching mean our CI builds are faster and more reliable when using remote repositories.
- Distroless images are now accompanied by SBOMs embedded in a signed attestation, which you can view with cosign and some jq magic:
cosign download attestation gcr.io/distroless/base:latest-amd64 | jq -rcs '.[0].payload' | base64 -d | jq -r '.predicate' | jq
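The pipeline above relies on the shape of what cosign prints: one DSSE envelope per line, whose base64 `payload` is an in-toto statement carrying the SBOM as its `predicate`. The following is an added example (not code from the Distroless or rules_oci projects) that does the same decoding in Python against a constructed envelope, so it runs offline, and adds the check a consumer should make before trusting the predicate: that the statement's `subject` digest is the digest of the image actually pulled, which is the same "sign the digest, not the tag" point made in the list above. The digest, the SPDX-style predicate and the placeholder signature are all constructed sample data.

```python
"""Decode a cosign DSSE attestation envelope and extract its SBOM predicate.

Added example, not the Distroless or rules_oci projects' own code. It mirrors the
`cosign download attestation ... | jq` pipeline and adds a subject-digest check.
The envelope below is constructed sample data; nothing here touches a registry.
"""
import base64
import json

# Media type cosign uses for an in-toto statement inside a DSSE envelope.
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"

# Constructed sample digest (not a real Distroless digest) and a tiny SPDX-like predicate.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
_statement = {
    "_type": INTOTO_STATEMENT_TYPE,
    "predicateType": SPDX_PREDICATE_TYPE,
    "subject": [{"name": "gcr.io/distroless/base",
                 "digest": {"sha256": SAMPLE_DIGEST.split(":", 1)[1]}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "name": "sample-sbom",
                  "packages": [{"name": "libc6"}, {"name": "base-files"}]},
}
# One line of `cosign download attestation` output. The signature is a placeholder
# (constructed); signature verification is cosign's job, see the note below.
SAMPLE_ENVELOPE_LINE = json.dumps({
    "payloadType": INTOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": base64.b64encode(b"placeholder").decode()}],
})


def parse_envelope(line):
    """Decode one DSSE envelope line into the in-toto statement it carries."""
    envelope = json.loads(line)
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType %r" % envelope.get("payloadType"))
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != INTOTO_STATEMENT_TYPE:
        raise ValueError("unexpected statement type %r" % statement.get("_type"))
    return statement


def subject_matches(statement, image_digest):
    """True if any subject of the statement carries exactly image_digest ("algo:hex")."""
    algo, _, hexdigest = image_digest.partition(":")
    return any(s.get("digest", {}).get(algo) == hexdigest
               for s in statement.get("subject", []))


def predicate_for_digest(line, image_digest, predicate_type=SPDX_PREDICATE_TYPE):
    """Return the predicate only if the statement is about image_digest.

    A statement whose subject is some other digest is not evidence about the
    image you pulled, even if its signature verifies, so it is rejected.
    """
    statement = parse_envelope(line)
    if not subject_matches(statement, image_digest):
        raise ValueError("attestation subject does not match " + image_digest)
    if statement.get("predicateType") != predicate_type:
        raise ValueError("unexpected predicateType %r" % statement.get("predicateType"))
    return statement["predicate"]


def package_names(line, image_digest):
    """Convenience: the package names listed in the SBOM predicate for image_digest."""
    return [p["name"] for p in predicate_for_digest(line, image_digest)["packages"]]


if __name__ == "__main__":
    print(json.dumps(predicate_for_digest(SAMPLE_ENVELOPE_LINE, SAMPLE_DIGEST), indent=2))
```

This block deliberately does not check the DSSE signature: `cosign download attestation` does not verify either, and `cosign verify-attestation` is the tool for that. The digest comparison belongs after signature verification, so that a valid attestation for a different image is never mistaken for one about the image you are about to run.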
In the end, rules_oci allowed us to modernize the Distroless build while also adding the supply chain security metadata organizations need to make better decisions about the images they consume.
Today, we're happy to announce that rules_oci is now a 1.0 release. This stability guarantee follows the semver standard and promises that future releases won't include breaking public API changes. Aspect provides resources for using rules_oci, such as a migration guide from rules_docker. It also provides support, training, and consulting services for effectively adopting rules_oci to build containers in all languages.
If you use rules_docker today, or are considering using Bazel to build your containers, this is a great time to give rules_oci a try. You can help by filing actionable issues, contributing code, or donating to the Rules Authors SIG OpenCollective. Since the project is developed and maintained entirely as community-driven open source, your support is essential to keeping the project healthy and responsive to your needs.
Special thanks to Sahin Yort and Alex Eagle from Aspect.