Docker, Inc., profile picture
Uploaded byDocker, Inc.
PDF, PPTX3,937 views

Small, Simple, and Secure: Alpine Linux under the Microscope

The document discusses Alpine Linux, highlighting its small, simple, and secure attributes as a Docker image. Key components include musl libc, busybox, and apk-tools, with a focus on security features such as position-independent executables and a hardened toolchain. It also outlines the scenarios in which Alpine Linux may not be suitable, particularly concerning dependencies on glibc or precompiled closed-source binaries.

Embed presentation

Download as PDF, PPTX
Small, simple, and secure: Alpine Linux under the microscope Natanael Copa Docker Twitter: @n_copa
Small Simple Secure
Docker image size
Core Components ● musl libc ● busybox ● apk-tools ● toolchain
musl libc
musl libc ● MIT license ● Clean, modern codebase ● Correct in corner-cases ● Lightweight
What is missing? ● Some GNU extensions ● Lots of Localization data ● Lots of GNU bloat ● Name Service Switch (NSS) ● Network Services Library (libnsl) ● 80+ CVEs musl libc
busybox
busybox ● ~800 kb ● Includes most of POSIX’s shell & utilities ● Corresponds to GNU coreutils, iproute2, grep, sed, awk, utils-linux, findutils, procps, wget... Bash alone is 668 kb (1280kb inclusive readline and ncurses)
Busybox tools [ [[ acpid add-shell addgroup adduser adjtimex arp arping ash awk base64 basename bbconfig beep blkdiscard blkid blockdev brctl bunzip2bzcat bzip2cal cat chgrp chmod chown chpasswd chroot chvt cksum clear cmp comm conspy cp cpio crond crontab cryptpw cut date dc dd deallocvt delgroup deluser depmod df diff dirname dmesg dnsdomainname dos2unix du dumpkmap dumpleases echo ed egrep eject env ether-wake expand expr factor fallocate false fatattr fbset fbsplash fdflush fdformat fdisk fgrep find findfs flock fold free fsck fstrim fsync fuser getopt getty grep groups gunzip gzip halt hd hdparm head hexdump hostid hostname hwclock id ifconfig ifdown ifenslave ifup init inotifyd insmod install ionice iostat ip ipaddr ipcalc ipcrm ipcs iplink ipneigh iproute iprule iptunnel kbd_mode kill killall killall5 klogd lesslink linux32 linux64 ln loadfont loadkmap logger login logread losetup ls lsmod lsof lspci lsusb lzcat lzmalzop lzopcat makemime md5sum mdev mesg microcom mkdir mkdosfs mkfifo mkfs.vfat mknod mkpasswd mkswap mktemp modinfo modprobe more mount mountpoint mpstat mv nameif nanddump nandwrite nbd-client nc netstat nice nl nmeter nohup nologin nproc nsenter nslookupntpd od openvt partprobe passwd paste patchpgrep pidof ping ping6 pipe_progress pkill pmap poweroff powertop printenv printf ps pscan pstree pwd pwdx raidautorun rdate rdev readahead readlink readprofile realpath reboot reformime remove-shell renice reset resize rev rfkill rm rmdir rmmod route run-parts sed sendmail seq setconsole setfont setkeycodes setlogcons setpriv setserial setsid sh sha1sum sha256sum sha3sum sha512sum showkey shred shuf slattach sleep smemcap sort split ssl_client stat strings stty su sum swapoff swapon switch_root sync sysctl syslogd tac tail tar tee test time timeout top touch tr traceroute traceroute6 true truncate tty ttysize tunctl udhcpc udhcpc6 udhcpd umount uname unexpand uniq unix2dos unlink unlzmaunlzop unshare unxzunzipuptime usleep uudecode uuencode vconfig vi vlock volname watch watchdog wc wgetwhich whoami whois xargs xxd xzcat yes zcat
apk-tools
Demo apt-get update -y && apt-get install -y python3 && python3 --version apk add --no-cache python3 && python3 --version
apk-tools - what makes it fast Traditionally package managers: ● read from network (1 read) ● save to local cache (1 write) ● verify signature (1 read) ● extract (1 read, 1 write) Minimum 3 reads and 2 writes Apk is designed to read once and write once: ● checksum calculation while waiting for I/O ● write directly to final filesystem (as .apk-new) ● rename once signature is verified ● delete .apk-new on signature mismatch
Toolchain and security
Hardened toolchain ● link with relro, bind now (improves ASLR and PaX memory protections) ● Position Independent Executables (PIE) - Even for static binaries(!) ● Stack Smash Protector (-fstack-protector-strong) ● -DFORTIFY_SOURCE=2
Secure ● Use secure defaults ● Smaller attack surface ● Use more secure components (musl, libressl…) ● Hardened kernel (unofficial fork of grsecurity)
When to not use Alpine Linux When you depend on ● precompiled closed source binaries (which are linked against glibc) ● good localization ● commercial support ● glibc/GNU behavior
How to get involved https://alpinelinux.org https://wiki.alpinelinux.org IRC Freenode #alpine-linux
Thanks! Questions?

More Related Content

PDF
Matthew Hause Building Bridges between Systems and Software with SysML and UML
byINCOSE Colorado Front Range Chapter
 
PPTX
Database Migration Assistant for Unicode (DMU)
byLudovico Caldara
 
PDF
cisco csr1000v
byMing914298
 
PDF
Openstack live migration
byymtech
 
DOCX
Move spfile from asm to file system
byraviranchi02
 
PDF
Capitulo VIII Concentracion y Purificacion de Soluciones con Oro I.pdf
byARLENSCOLY
 
PPTX
VM Job Queues in CloudStack
byShapeBlue
 
PDF
Molienda (Parte II)2.pdf
byvictorlopez859699
 
Matthew Hause Building Bridges between Systems and Software with SysML and UML
byINCOSE Colorado Front Range Chapter
 
Database Migration Assistant for Unicode (DMU)
byLudovico Caldara
 
cisco csr1000v
byMing914298
 
Openstack live migration
byymtech
 
Move spfile from asm to file system
byraviranchi02
 
Capitulo VIII Concentracion y Purificacion de Soluciones con Oro I.pdf
byARLENSCOLY
 
VM Job Queues in CloudStack
byShapeBlue
 
Molienda (Parte II)2.pdf
byvictorlopez859699
 

Similar to Small, Simple, and Secure: Alpine Linux under the Microscope

PDF
Docker on a Diet
byKuan Yen Heng
 
PDF
Be a better developer with Docker (revision 3)
byNicola Paolucci
 
PDF
Docker Introduction + what is new in 0.9
byJérôme Petazzoni
 
PDF
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
byJérôme Petazzoni
 
PPTX
Docker and the Container Ecosystem
bypsconnolly
 
PDF
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
byJérôme Petazzoni
 
PDF
A "Box" Full of Tools and Distros
byDario Faggioli
 
PDF
Docker Intro at the Google Developer Group and Google Cloud Platform Meet Up
byJérôme Petazzoni
 
PPTX
Effective images remix
by🎥 Brent Langston
 
PDF
All Things Open 2015: DOCKER: EVERYTHING YOU SHOULD KNOW
byDocker, Inc
 
PDF
Présentation de Docker
byProto204
 
PDF
Work shop - an introduction to the docker ecosystem
byJoão Pedro Harbs
 
PDF
What is this "docker"
byJean-Marc Meessen
 
PDF
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
byYandex
 
PPTX
Duke Docker Day 2014: Research Applications with Docker
byDarin London
 
PDF
Docker primer and tips
bySamuel Chow
 
PDF
Leonid Vasilyev "Building, deploying and running production code at Dropbox"
byIT Event
 
PDF
Agile Brown Bag - Vagrant & Docker: Introduction
byAgile Partner S.A.
 
PDF
Docker 0.11 at MaxCDN meetup in Los Angeles
byJérôme Petazzoni
 
PPTX
Introduction to containers
byNitish Jadia
 
Docker on a Diet
byKuan Yen Heng
 
Be a better developer with Docker (revision 3)
byNicola Paolucci
 
Docker Introduction + what is new in 0.9
byJérôme Petazzoni
 
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
byJérôme Petazzoni
 
Docker and the Container Ecosystem
bypsconnolly
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
byJérôme Petazzoni
 
A "Box" Full of Tools and Distros
byDario Faggioli
 
Docker Intro at the Google Developer Group and Google Cloud Platform Meet Up
byJérôme Petazzoni
 
Effective images remix
by🎥 Brent Langston
 
All Things Open 2015: DOCKER: EVERYTHING YOU SHOULD KNOW
byDocker, Inc
 
Présentation de Docker
byProto204
 
Work shop - an introduction to the docker ecosystem
byJoão Pedro Harbs
 
What is this "docker"
byJean-Marc Meessen
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
byYandex
 
Duke Docker Day 2014: Research Applications with Docker
byDarin London
 
Docker primer and tips
bySamuel Chow
 
Leonid Vasilyev "Building, deploying and running production code at Dropbox"
byIT Event
 
Agile Brown Bag - Vagrant & Docker: Introduction
byAgile Partner S.A.
 
Docker 0.11 at MaxCDN meetup in Los Angeles
byJérôme Petazzoni
 
Introduction to containers
byNitish Jadia
 

More from Docker, Inc.

PDF
Containerize Your Game Server for the Best Multiplayer Experience
byDocker, Inc.
 
PDF
How to Improve Your Image Builds Using Advance Docker Build
byDocker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
PDF
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
PDF
How To Build and Run Node Apps with Docker and Compose
byDocker, Inc.
 
PDF
Hands-on Helm
byDocker, Inc.
 
PDF
Distributed Deep Learning with Docker at Salesforce
byDocker, Inc.
 
PDF
The First 10M Pulls: Building The Official Curl Image for Docker Hub
byDocker, Inc.
 
PDF
Monitoring in a Microservices World
byDocker, Inc.
 
PDF
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
byDocker, Inc.
 
PDF
Predicting Space Weather with Docker
byDocker, Inc.
 
PDF
Become a Docker Power User With Microsoft Visual Studio Code
byDocker, Inc.
 
PDF
How to Use Mirroring and Caching to Optimize your Container Registry
byDocker, Inc.
 
PDF
Monolithic to Microservices + Docker = SDLC on Steroids!
byDocker, Inc.
 
PDF
Kubernetes at Datadog Scale
byDocker, Inc.
 
PDF
Labels, Labels, Labels
byDocker, Inc.
 
PDF
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
byDocker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
PDF
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
byDocker, Inc.
 
PDF
Developing with Docker for the Arm Architecture
byDocker, Inc.
 
Containerize Your Game Server for the Best Multiplayer Experience
byDocker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
byDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
byDocker, Inc.
 
Hands-on Helm
byDocker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
byDocker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
byDocker, Inc.
 
Monitoring in a Microservices World
byDocker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
byDocker, Inc.
 
Predicting Space Weather with Docker
byDocker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
byDocker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
byDocker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
byDocker, Inc.
 
Kubernetes at Datadog Scale
byDocker, Inc.
 
Labels, Labels, Labels
byDocker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
byDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
byDocker, Inc.
 
Developing with Docker for the Arm Architecture
byDocker, Inc.
 

Recently uploaded

PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 

Small, Simple, and Secure: Alpine Linux under the Microscope

  • 1.
    Small, simple, andsecure: Alpine Linux under the microscope Natanael Copa Docker Twitter: @n_copa
  • 2.
  • 3.
  • 4.
    Core Components ● musllibc ● busybox ● apk-tools ● toolchain
  • 5.
  • 6.
    musl libc ● MITlicense ● Clean, modern codebase ● Correct in corner-cases ● Lightweight
  • 7.
    What is missing? ●Some GNU extensions ● Lots of Localization data ● Lots of GNU bloat ● Name Service Switch (NSS) ● Network Services Library (libnsl) ● 80+ CVEs musl libc
  • 8.
  • 9.
    busybox ● ~800 kb ●Includes most of POSIX’s shell & utilities ● Corresponds to GNU coreutils, iproute2, grep, sed, awk, utils-linux, findutils, procps, wget... Bash alone is 668 kb (1280kb inclusive readline and ncurses)
  • 10.
    Busybox tools [ [[acpid add-shell addgroup adduser adjtimex arp arping ash awk base64 basename bbconfig beep blkdiscard blkid blockdev brctl bunzip2bzcat bzip2cal cat chgrp chmod chown chpasswd chroot chvt cksum clear cmp comm conspy cp cpio crond crontab cryptpw cut date dc dd deallocvt delgroup deluser depmod df diff dirname dmesg dnsdomainname dos2unix du dumpkmap dumpleases echo ed egrep eject env ether-wake expand expr factor fallocate false fatattr fbset fbsplash fdflush fdformat fdisk fgrep find findfs flock fold free fsck fstrim fsync fuser getopt getty grep groups gunzip gzip halt hd hdparm head hexdump hostid hostname hwclock id ifconfig ifdown ifenslave ifup init inotifyd insmod install ionice iostat ip ipaddr ipcalc ipcrm ipcs iplink ipneigh iproute iprule iptunnel kbd_mode kill killall killall5 klogd lesslink linux32 linux64 ln loadfont loadkmap logger login logread losetup ls lsmod lsof lspci lsusb lzcat lzmalzop lzopcat makemime md5sum mdev mesg microcom mkdir mkdosfs mkfifo mkfs.vfat mknod mkpasswd mkswap mktemp modinfo modprobe more mount mountpoint mpstat mv nameif nanddump nandwrite nbd-client nc netstat nice nl nmeter nohup nologin nproc nsenter nslookupntpd od openvt partprobe passwd paste patchpgrep pidof ping ping6 pipe_progress pkill pmap poweroff powertop printenv printf ps pscan pstree pwd pwdx raidautorun rdate rdev readahead readlink readprofile realpath reboot reformime remove-shell renice reset resize rev rfkill rm rmdir rmmod route run-parts sed sendmail seq setconsole setfont setkeycodes setlogcons setpriv setserial setsid sh sha1sum sha256sum sha3sum sha512sum showkey shred shuf slattach sleep smemcap sort split ssl_client stat strings stty su sum swapoff swapon switch_root sync sysctl syslogd tac tail tar tee test time timeout top touch tr traceroute traceroute6 true truncate tty ttysize tunctl udhcpc udhcpc6 udhcpd umount uname unexpand uniq unix2dos unlink unlzmaunlzop unshare unxzunzipuptime usleep uudecode uuencode vconfig vi vlock volname watch watchdog wc wgetwhich whoami whois xargs xxd xzcat yes zcat
  • 11.
  • 12.
    Demo apt-get update -y&& apt-get install -y python3 && python3 --version apk add --no-cache python3 && python3 --version
  • 13.
    apk-tools - whatmakes it fast Traditionally package managers: ● read from network (1 read) ● save to local cache (1 write) ● verify signature (1 read) ● extract (1 read, 1 write) Minimum 3 reads and 2 writes Apk is designed to read once and write once: ● checksum calculation while waiting for I/O ● write directly to final filesystem (as .apk-new) ● rename once signature is verified ● delete .apk-new on signature mismatch
  • 14.
  • 15.
    Hardened toolchain ● linkwith relro, bind now (improves ASLR and PaX memory protections) ● Position Independent Executables (PIE) - Even for static binaries(!) ● Stack Smash Protector (-fstack-protector-strong) ● -DFORTIFY_SOURCE=2
  • 16.
    Secure ● Use securedefaults ● Smaller attack surface ● Use more secure components (musl, libressl…) ● Hardened kernel (unofficial fork of grsecurity)
  • 17.
    When to notuse Alpine Linux When you depend on ● precompiled closed source binaries (which are linked against glibc) ● good localization ● commercial support ● glibc/GNU behavior
  • 18.
    How to getinvolved https://alpinelinux.org https://wiki.alpinelinux.org IRC Freenode #alpine-linux
  • 19.