Alpine Linux is a distro that has become popular for Docker images. Why do we need another distro? Why does Alpine matter? How does it differ from other distros?
In this talk, we'll answer all these questions – and a few more.
6. musl libc
● MIT license
● Clean, modern codebase
● Correct in corner-cases
● Lightweight
7. What is missing?
● Some GNU extensions
● Lots of localization data
● Lots of GNU bloat
● Name Service Switch (NSS)
● Network Services Library (libnsl)
● 80+ CVEs
musl libc
13. apk-tools - what makes it fast
Traditional package managers:
● read from network (1 read)
● save to local cache (1 write)
● verify signature (1 read)
● extract (1 read, 1 write)
Minimum 3 reads and 2 writes
Apk is designed to read once and write once:
● checksum calculation while waiting for I/O
● write directly to final filesystem (as .apk-new)
● rename once signature is verified
● delete .apk-new on signature mismatch
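The read-once, write-once flow above, sketched in Python as an added example (this is not apk-tools code). The names `install_stream` and `demo` are hypothetical, and a plain SHA-256 digest comparison stands in for apk's signature verification.

```python
import hashlib
import hmac
import os
import tempfile


def install_stream(chunks, dest, expected_sha256):
    """Stream chunks to dest in one pass; return True only if verified.

    chunks stands in for network reads. expected_sha256 is an assumed
    stand-in for the signature check a real package manager performs.
    """
    staging = dest + ".apk-new"  # same directory, so the rename is atomic
    digest = hashlib.sha256()
    try:
        with open(staging, "wb") as out:
            for chunk in chunks:      # the only read of the input
                digest.update(chunk)  # hash while the data streams past
                out.write(chunk)      # the only write, on the final filesystem
            out.flush()
            os.fsync(out.fileno())
        if not hmac.compare_digest(digest.hexdigest(), expected_sha256):
            return False              # staging file is deleted in finally
        os.replace(staging, dest)     # visible under its real name only now
        return True
    finally:
        # Covers both a digest mismatch and an I/O error part-way through.
        if os.path.exists(staging):
            os.unlink(staging)


def demo():
    payload = [b"constructed ", b"package ", b"payload"]  # constructed sample
    good = hashlib.sha256(b"".join(payload)).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "tool")
        installed = install_stream(payload, dest, good)
        # A tampered stream must not replace the file already installed.
        tampered = install_stream([b"tampered"], dest, good)
        with open(dest, "rb") as fh:
            content = fh.read()
        leftovers = sorted(os.listdir(root))
    return installed, tampered, content, leftovers


if __name__ == "__main__":
    print(demo())
```

Unverified data does reach the target filesystem under the `.apk-new` name, so nothing should execute or read that name before the rename.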
15. Hardened toolchain
● link with relro, bind now (improves ASLR and PaX memory protections)
● Position Independent Executables (PIE) - Even for static binaries(!)
● Stack Smashing Protector (-fstack-protector-strong)
● -D_FORTIFY_SOURCE=2
16. Secure
● Use secure defaults
● Smaller attack surface
● Use more secure components (musl, libressl…)
● Hardened kernel (unofficial fork of grsecurity)
17. When to not use Alpine Linux
When you depend on
● precompiled closed source binaries (which are linked against glibc)
● good localization
● commercial support
● glibc/GNU behavior
18. How to get involved
https://alpinelinux.org
https://wiki.alpinelinux.org
IRC Freenode #alpine-linux