Choosing a Container Image for your Compiled Programs

An overview comparing various Chainguard Images for compiled programs

When selecting the right base image for your application, there are a variety of factors to take into consideration. For starters, it is critical that your application has all of the dependencies it needs to run. The ideal base image will contain the essential packages you need, while leaving out the ones you don’t. However, in practice, you will need to build upon your images so they meet your specific needs, making it all the more important that you have a strong foundation.

In this guide, we will explore a variety of Chainguard Images which are suitable for different compiled applications. We will take a look at their availability and use-case differences so you can move closer to settling on the best base image for your specific needs.

Available Images

wolfi-base

The wolfi-base Chainguard Image is a minimal container image based on the Wolfi un-distro, a community-oriented Linux distribution created by Chainguard to facilitate image builds. The wolfi-base image contains busybox and apk-tools so that you can build your own packages for a custom image. It also supports glibc.

What is Wolfi? Wolfi is a community Linux undistro created specifically for containers. This brings distroless to a new level, including additional features targeted at securing the software supply chain of your application environment: comprehensive SBOMs, signatures, daily updates, and timely CVE fixes.

The following packages are included in the wolfi-base:latest Chainguard Image:

  • apk-tools
  • busybox
  • ca-certificates-bundle
  • chainguard-baselayout
  • glibc
  • glibc-locale-posix
  • ld-linux

chainguard-base

Paid Image
In addition to the functionality of the wolfi-base Chainguard Image, chainguard-base reports as being a Chainguard Image, which scanners use to determine what security feeds to reference for vulnerabilities. Additionally, the chainguard-base image provides access to vulnerability remediation SLAs to ensure your containers are always up-to-date with the latest releases and patches.

The following packages are included in the chainguard-base:latest Chainguard Image:

  • apk-tools
  • busybox
  • ca-certificates-bundle
  • chainguard-baselayout
  • glibc
  • glibc-locale-posix
  • ld-linux

You can find the complete inventory of packages for the chainguard-base Chainguard Image at its listing on the Chainguard Registry.

static

The Chainguard static base image is a Wolfi-based image available in one variant with the :latest tag. The static image is extremely minimal and is not intended to be run directly. It is used to host stand-alone, static binaries, like those produced by compilers such as gcc, go, and rust. It does not contain any programs you can run out-of-the-box. You must add your own static binaries to the image, for example using a Dockerfile multi-stage build.

The following packages are included in the static:latest Chainguard Image:

  • ca-certificates-bundle
  • chainguard-baselayout
  • glibc-locale-posix
  • tzdata
  • wolfi-baselayout

You can find more information about the static Chainguard Image at its listing on the Chainguard Registry.

glibc-dynamic

The glibc-dynamic Chainguard Image is best suited for when you need to host dynamically linked binaries that depend on the C standard library. Like the static image, glibc-dynamic is intended to be used as a base image only, and you must add your own binaries to the image.

The glibc-dynamic image is freely available in two variants: :latest and :latest-dev. The :latest-dev image adds additional packages which are not present in :latest to help facilitate application development. It is suggested to use the :latest image for production-facing purposes because of its smaller footprint.

The following packages are included in the glibc-dynamic:latest Chainguard Image:

  • ca-certificates-bundle
  • chainguard-baselayout
  • glibc
  • glibc-locale-posix
  • ld-linux
  • libgcc
  • libstdc++
  • wolfi-baselayout

You can find more information about the glibc-dynamic Chainguard Image at its listing on the Chainguard Registry.

cc-dynamic

The cc-dynamic Chainguard Image is deprecated. It is suggested that you use the glibc-dynamic image instead, as it is designed to replace cc-dynamic. You can find more information about the cc-dynamic image, such as its packages and licensing information, on the Chainguard Registry.

gcc-glibc

The gcc-glibc Chainguard Image is best suited for building C applications which depend on glibc. There are two freely available variants of this image, :latest and :latest-dev. :latest-dev is a developer variant of the image which adds additional packages such as bash to facilitate the development process.

In comparison to the static and glibc-dynamic Chainguard Images, gcc-glibc is intended to be used to develop programs based on the C standard library, instead of simply hosting binaries. Because of this, it contains additional packages such as make, busybox, as well as gcc to compile programs.

The following packages are included in the gcc-glibc:latest Chainguard Image:

  • binutils
  • build-base
  • busybox
  • ca-certificates-bundle
  • gcc
  • glibc

You can find the complete inventory of packages for the gcc-glibc Chainguard Image at its listing on the Chainguard Registry.

glibc-openssl

Paid Image
The glibc-openssl Chainguard Image is designed for C applications which depend on OpenSSL. It contains the openssl and openssl-provider-legacy packages to support this use-case. It comes in two variants,latest and latest-dev. As in the aforementioned images, latest is designed for deployment, while latest-dev contains additional packages to assist in program development such as a shell and package manager.

The following packages are included in the glibc-openssl:latest Chainguard Image:

  • ca-certificates-bundle
  • chainguard-baselayout
  • glibc
  • glibc-locale-posix
  • ld-linux
  • openssl
  • openssl-provider-legacy

You can find the complete inventory of packages for the glibc-openssl Chainguard Image at its listing on the Chainguard Registry.

What About musl?

At the time of this writing, no Chainguard Images come packaged with musl. Chainguard builds glibc-based images because glibc is commonly used, which makes it easier for most developers to start consuming Chainguard Images in their environments. Additionally, glibc is widely tested, making it a dependable choice for a C standard library implementation. As glibc is a well-established option, choosing to use glibc ensures more applications will be compatible with new images.

Though musl is sometimes chosen because of its minimal footprint, Chainguard’s distroless approach based on Wolfi often results in a container image of comparable (or smaller) size than official musl based images. For more information, please refer to our glibc vs. musl article.

Next Steps

Understanding the differences between various Chainguard Images allows you to make informed decisions about what images to choose for your compiled applications. You can check out our complete suite of Chainguard Images at the Chainguard Registry. To learn more about using Chainguard Images, head to the Chainguard Academy, where you can find documentation to help you start incorporating them into your workflow.

Interested in learning more about adopting Chainguard Images for your organization? Let’s get in touch!

Last updated: 2024-08-26 18:42