Getting Started with Chainguard Containers on

Getting Started with the C/C++ Chainguard Containers

Tue, 30 Jul 2024 15:54:33 +0000

Chainguard provides security-hardened container images for C and C++ development, offering minimal runtime environments with significantly reduced vulnerabilities compared to traditional base images. Built on Chainguard’s own OS, these containers enable more secure deployment of compiled programs through purpose-built images for different linking scenarios. This guide demonstrates three approaches to compiling and running C/C++ applications using Chainguard’s specialized containers.

The container image with which you choose to run your compiled program depends on the nature of your binaries. Static binaries can be executed in the minimal static Chainguard Container, while dynamically linked binaries can be run in the glibc-dynamic Container. For this demonstration, you will first compile a C binary using the gcc-glibc Chainguard Container, and then learn how to use a multi-stage build to run the resulting binary in the glibc-dynamic image. You’ll also cover an example showing the multi-stage build process for the C++ programming language. To learn more about the differences between these container images, read our article on Choosing an Container for your Compiled Programs.

Getting Started with the Cilium Chainguard Containers

Thu, 14 Dec 2023 00:00:00 +0000

Chainguard’s Cilium container images provide a security-hardened foundation for Kubernetes networking with significantly reduced vulnerabilities compared to standard Cilium deployments. Cilium leverages eBPF technology to transparently secure network connectivity between services, enabling powerful security policies without application changes. Built on Wolfi OS, Chainguard’s minimal Cilium images enhance your cluster’s security posture while maintaining full compatibility with Cilium’s advanced networking features.

We will demonstrate how to get started with the Chainguard Cilium container images on an example K3s cluster. To get started, you’ll need Docker, k3d (a CLI tool to install k3s), kubectl, and the cilium CLI installed.

Getting Started with the Go Chainguard Container

Tue, 28 Feb 2023 11:07:52 +0200

Chainguard’s Go container image provides a secure foundation for building Go applications with significantly fewer vulnerabilities than traditional Go images. The distroless latest variant contains only the Go compiler and runtime, while the latest-dev variant includes additional build tools and package management capabilities for development workflows.

In this guide, we’ll demonstrate how to build and execute Go applications using Chainguard Containers, using three examples from our demos repository. In the first example, we’ll build a CLI application using a Docker multi-stage build. In the second example, we’ll build an application that’s accessible by HTTP server, also using a Docker multi-stage build to obtain an optimized runtime. The third example shows how to build an image using ko, a tool that enables you to build container images from Go programs and push them to container registries without requiring a Dockerfile.

Getting Started with the Chainguard Istio Containers

Thu, 14 Dec 2023 00:00:00 +0000

Chainguard’s Istio container images provide a security-hardened foundation for service mesh deployments with significantly reduced vulnerabilities compared to standard Istio images. Istio extends Kubernetes to establish a programmable, application-aware network using the Envoy service proxy, bringing traffic management, telemetry, and security to complex deployments. Built on Wolfi OS, Chainguard’s minimal Istio images maintain full compatibility while enhancing security posture.

We will demonstrate how to get started with the Chainguard Istio container images on an example kind cluster. To get started, you’ll need Docker, kind, kubectl, and istioctl installed. If you are missing any, you can follow the relevant link to get started.

Getting Started with the Laravel Chainguard Container

Fri, 17 May 2024 11:07:52 +0200

Chainguard’s Laravel container image provides a secure foundation for Laravel applications with minimal vulnerabilities compared to traditional PHP images. This specialized image includes all necessary PHP extensions and tooling for Laravel development while maintaining Chainguard’s security-first approach, enabling developers to build complex applications without compromising on security.

In this guide, we’ll set up a demo and demonstrate how you can use Chainguard Containers to develop, build, and run Laravel applications.

This tutorial requires Docker to be installed on your local machine. If you don’t have Docker installed, you can download and install it from the official Docker website.

Getting Started with the MariaDB Chainguard Container

Fri, 28 Jul 2023 11:07:52 +0200

Chainguard’s MariaDB container image provides a security-hardened foundation for database workloads with significantly fewer vulnerabilities than traditional MariaDB images. Built on Wolfi with a distroless design, this container removes unnecessary components while maintaining full MariaDB functionality.

Through daily rebuilds with the latest patches and minimal dependencies, Chainguard’s MariaDB image dramatically reduces your database’s attack surface. This enables you to run production MariaDB databases with enhanced security posture and a smaller container footprint.

Getting Started with the NeMo Chainguard Container

Thu, 16 May 2024 08:00:00 +0200

Chainguard’s NeMo container image provides a security-hardened environment for NVIDIA’s NeMo deep learning framework with minimal vulnerabilities compared to traditional AI/ML containers. NeMo enables building conversational AI models through module collections for Automatic Speech Recognition (ASR), Natural Language Processing (NLP), and Text-to-Speech (TTS) tasks. Built for CUDA 12 GPU acceleration, this lightweight container maintains full NeMo functionality while significantly reducing security risks for both training and production inference workloads.

What is Deep Learning?

Deep learning is a subset of machine learning that leverages a flexible computational architecture, the neural network, to address a wide variety of tasks. Neural networks emulate the structure of the brain and consist of interconnected nodes (neurons) that each contain an associated weight and threshold. In concert with an activation function, these values determine whether data is propagated within the network, producing an output layer corresponding to a classification, regression, or other result.

Getting Started with the nginx Chainguard Container

Mon, 09 Jan 2023 11:07:52 +0200

Chainguard’s nginx container images provide a security-hardened foundation for web server deployments with significantly fewer vulnerabilities than traditional nginx images. Available in both development (:latest-dev) and production (:latest) variants, these containers maintain full nginx functionality while dramatically reducing attack surface. The production variant uses a distroless approach, removing shells and package managers to enhance security for production workloads.

In this tutorial, we will create a local demo website using nginx to serve static HTML content to a local port on your machine. Then we will use the nginx Chainguard Container to build and execute the demo in a lightweight containerized environment.

Getting Started with the Node Chainguard Container

Wed, 01 Feb 2023 11:07:52 +0200

Chainguard’s Node container image provides a secure runtime for Node.js applications with significantly fewer vulnerabilities than traditional Node images. This distroless image includes Node.js and npm while maintaining a minimal attack surface for production deployments.

In this guide, we’ll set up a demo application and create a Dockerfile to build and execute the demo using the Node Chainguard Containers as base.

This tutorial requires Docker, Node, and Npm to be installed on your local machine.

Getting Started with the PHP Chainguard Container

Mon, 09 Jan 2023 11:07:52 +0200

Chainguard’s PHP container images provide secure foundations for PHP applications with minimal vulnerabilities compared to traditional PHP images. These images come in multiple variants: the latest-fpm variant for serving web applications via FastCGI, the latest variant for CLI applications, and development variants that include additional tools for building and debugging PHP workloads.

In this guide, we’ll set up a demo and demonstrate how you can use Chainguard Containers to develop, build, and run PHP applications.

Getting Started with the PostgreSQL Chainguard Container

Thu, 10 Aug 2023 11:07:52 +0200

Chainguard’s PostgreSQL container image provides a security-hardened foundation for running Postgres databases with significantly fewer vulnerabilities than traditional PostgreSQL images. Built on Wolfi with a distroless design, this container maintains full PostgreSQL functionality while dramatically reducing attack surface.

Through daily rebuilds with the latest patches and minimal dependencies, Chainguard’s PostgreSQL image enhances database security posture. This enables you to run production Postgres workloads in containerized environments with both a smaller footprint and improved protection against supply chain attacks.

Getting Started with the Python Chainguard Container

Tue, 28 Feb 2023 11:07:52 +0200

Chainguard’s Python container images provide a more secure foundation for Python applications through distroless design, containing significantly fewer CVEs compared to traditional Python images. These production-ready images are optimized for building and running Python workloads.

Two variants of Chainguard Python images are available: a minimal runtime image containing only Python and its standard library, and a -dev variant that includes pip and a shell for development purposes. Since most Python applications require third-party packages, the recommended approach is using a multi-stage Docker build with the -dev image for dependency installation and the minimal image for runtime.

Getting Started with the PyTorch Chainguard Container

Thu, 25 Apr 2024 08:00:00 +0200

Chainguard’s PyTorch container image provides a security-hardened foundation for deep learning workloads with significantly fewer vulnerabilities than traditional PyTorch containers. Built with PyTorch and CUDA support for GPU acceleration, this minimal image maintains full deep learning capabilities while dramatically reducing attack surface. This guide demonstrates fine-tuning models, secure inference deployment, and compares the enhanced security posture to official PyTorch images.

What is Deep Learning?

Getting Started with the MinIO Chainguard Container

Mon, 27 Oct 2025 11:07:52 +0200

MinIO is a high-performance, S3-compatible object storage system that has become widely adopted across the cloud-native ecosystem, with over 1 billion pulls on Docker Hub. It’s used for testing, local development, and production deployments across on-premises and cloud environments. MinIO’s solid S3 compatibility has made it a common choice for developers who need S3-compatible storage without AWS dependencies, and it’s integrated into popular open source projects like Trino and Apache Spark for backup and archival, AI/ML workloads, data lakes, and application data storage.

Getting Started with the Ruby Chainguard Container

Wed, 10 May 2023 11:07:52 +0200

Chainguard’s Ruby container images provide secure foundations for Ruby applications with minimal vulnerabilities through both development and production-ready distroless variants. These images significantly reduce attack surface compared to traditional Ruby base images while maintaining full compatibility with Ruby applications and the Rubygems ecosystem.

Because Ruby applications typically require the installation of third-party dependencies via Rubygems, using a pure distroless image for building your application would not work. In cases like this, you’ll need to implement a multi-stage Docker build that uses one of the -dev images to set up the application.

Getting started with the Chainguard Spark FIPS container

Thu, 04 Jun 2026 00:00:00 +0000

Apache Spark is a distributed computing engine for batch processing, stream processing, and machine learning at scale. Organizations subject to federal compliance requirements—including FedRAMP, FISMA, and Department of Defense frameworks—must use FIPS 140-3 validated cryptography for all cryptographic operations in Spark.

Chainguard’s Spark FIPS container packages Apache Spark with the Bouncy Castle FIPS cryptographic provider, replacing the standard JVM cryptographic modules with NIST-validated equivalents. In FIPS mode, TLS connections require BCFKS-format keystores rather than the standard PKCS12 or JKS formats, and only FIPS-approved cipher suites are permitted.

Getting Started with the WordPress Chainguard Container

Fri, 19 Jul 2024 11:07:52 +0200

Chainguard’s WordPress container image is a drop-in replacement for the official WordPress FPM-Alpine image, with significantly fewer vulnerabilities than the standard image. It includes a distroless variant for production use that removes shells, package managers, and other unnecessary components. The image ships with the latest PHP and WordPress versions and all required PHP extensions.

This guide covers three ways to use the WordPress Chainguard Container to build and run WordPress projects.

What is distroless?

Distroless container images are minimal container images containing only essential software required to build or execute an application. That means no package manager, no shell, and no bloat from software that only makes sense on bare metal servers.

What is Wolfi?

Wolfi is a community Linux undistro created specifically for containers. This brings distroless to a new level, including additional features targeted at securing the software supply chain of your application environment: comprehensive SBOMs, signatures, daily updates, and timely CVE fixes.

What are multi-stage builds?

Multi-stage builds are a Docker feature that allow you to use multiple FROM statements in a single Dockerfile, where each statement begins a new build stage. In a typical pattern, an early stage uses a full-featured builder image to compile code or generate artifacts, while a later stage uses a minimal runtime image and copies in only what's needed to run the application. Only what you explicitly copy from one stage carries forward — everything else is discarded when that stage completes.

Setting Up a Minecraft Server with the JRE Chainguard Container

Wed, 26 Mar 2025 11:07:52 +0200

Introduction

Chainguard’s JRE container image provides an ideal foundation for running Minecraft Java servers with enhanced security and minimal vulnerabilities. Minecraft, the best-selling video game of all time with 170 million monthly players as of 2024, often requires dedicated servers for multiplayer gameplay where players can build and explore together.