Video: Learning Labs: Python | Duration: 2856s | Summary: Learning Labs: Python | Chapters: Introduction and Welcome (0s), Introducing CVEs (66s), CVE Risk Management (235s), Chainguard's Security Features (482s), CLI Demo Setup (541s), Multistage Docker Build (625s), Multi-Stage Docker Builds (1021s), Debugging Distroless Images (2261s), Conclusion and Feedback (2754s), Concluding Remarks (2846s)
Transcript for "Learning Labs: Python": Yeah. So I just want to introduce myself. I'm Lisa Tagliaferri. I lead the developer enablement team at Chainguard, and I'm going to be going through a cool demo about our Python image. I will share my screen. Awesome. So if you're here to learn about Python, you're in the right place. We're going to be talking about the Chainguard container image for Python. This is our fearless mascot, Linky, and Linky will be part of this demonstration, so I hope you enjoy octopuses. This is a little bit about me. As I mentioned, I lead the developer enablement team at Chainguard. My previous startup experience, if you're interested, is at Sourcegraph and DigitalOcean. I'm also a recovering academic, if you care about academic CVs. And you can find me on Bluesky today. This is not actually a picture of me, although I feel a lot of affinity with Lisa Simpson; this is me. So the agenda today: we're going to talk a little bit about CVEs, a little bit about Chainguard Images, and then we're actually going to do two Python apps and migrate them to Chainguard, and we're going to talk about multistage builds and a little bit about minimal containers. Prerequisites: this is all going to be a command line demonstration, so you can use VS Code or whatever you would like. I'm going to demo with Nano because I think that one is easy to keep it all in the command line, and it's easy for me. I hope it's easy enough for you too if you'd like to follow along. We also have a recording of this, and we also have a full written tutorial of this, so if you don't want to follow along right now, you can go through that tutorial later on, and I will put a link in the chat right here. The link that I shared in the chat is very similar to what we're going to be going through today.
I think I need to update one of the items in the requirements.txt file of that tutorial, but otherwise we're good. And then, pulling something from my colleague Patrick Smyth: he has a real hatred of CVEs, so I also hope that everybody here hates CVEs too. So CVEs: it stands for common vulnerabilities and errors. They're known vulnerabilities. We have a whole list of CVEs that are available to look at in our Chainguard Images security advisories. So, basically, CVEs are here to hurt your app. We don't want to have them. Common vulnerabilities and exposures, not errors, I think. So these have the potential to create an attack surface for bad actors to get into your app, to expose your app to problems, and we just really don't like CVEs very much at Chainguard. We want your app to have as few CVEs as possible. We want to lower the potential attack surface, so that you're not setting your own software and your users up for that kind of risk. So the issue that we see is that, you know, you're coding, your team is coding, and you could do everything yourself, right? But as you know, you're probably going to be pulling from open source. And I consider myself to be an open source person, I love open source, but there are going to be some CVEs in open source, and it's just something that happens. A lot of CVEs are not necessarily bad, but the issue is that the more CVEs you have, the harder it's going to be to determine which CVEs are actually bad and which are not. So what happens is you're looking at CVEs, you see a lot of CVEs in a container image, for example, and you don't know which ones are actually going to impact you and which are actually going to impact your users. It could be bad for business, it could be bad for identity, it could be bad for lots of different things.
So you're just taking this risk when you have this large potential attack surface. What Chainguard hopes to do is guard you from CVEs by decreasing that attack surface as much as possible. Chainguard, what we're trying to do, is be the safe source for open source. We're trying to start left and to raise the waterline. These are some of the open source projects that people at Chainguard work with. Shout out to the Sigstore team. So Chainguard Images, what do we provide here? We provide low or zero CVEs. We build our container images daily for extra freshness. These are minimal container images, so they come from the kind of thinking behind distroless, if you're familiar with that. We built our own operating system for containers, which is Wolfi OS, and this really minimizes the container images so that you only have in your container image what you want. They also come with SBOMs, SLSA, and provenance. So, and this is from yesterday: if you look at some of our CVE visualizations, which we have both on Chainguard Academy right now and on images.chainguard.dev, you can find the CVE visualizations. If you look at the Python upstream image, in this case the one we're pulling from Docker, the Docker Python image, we see that there are quite a lot of CVEs there. As of yesterday, there were 70 total CVEs. The issue is that there are six critical CVEs in there. And this is nothing, you know, I love Python; this is not casting aspersions against Python, but this is just something that happens when you have a lot of software, and you're working through lots of CVEs and trying to mitigate them. Yeah. And as of yesterday, the Chainguard Python latest image had zero CVEs.
One of the memes that I designed early on at Chainguard is this: software security is hard, change my mind. Our hope is that software security is not hard. Whether or not that's true, there are some things that we have to keep in mind, and that's why we're here to talk about that today. Right. So what Chainguard does: we want to strip dependencies, we want to keep it fresh, we want to patch, we want to issue advisories, and we want you to have zero CVEs. Of course, sometimes there's going to be a minimal number of CVEs, and we'll talk about that too. So I did not update this slide, but you can follow along with this slide as well. We're going to follow this tutorial, and I have a repo which I'll share with you too. So the tutorial again is this, but I'm going to stop this share and move to the command line in one moment. How does that look? I can make it a little bit bigger. Maybe the text doesn't get bigger. Okay. So I hope that's okay to read. I'm in this Learning Labs directory. If you want to follow along, I recommend you choose a temp directory, whatever kind of directory you use to do demos and test things. Let me just pull my windows up a little bit so I don't see myself so much. Okay. So what I'm going to do first: we're going to do two quick CLI demos. I'm going to do one demo that is minimal, your single-stage Dockerfile. We're going to do it first with the upstream Python, the Docker Python, and then second with the Chainguard image, we're going to do some Grype scanning, and that will be the first one. And then for the second demo, I will take you through a multistage build. Okay. So first, I want to create its own directory for this. This little app generates octopus facts.
And I want to say that if you would like to contribute octopus facts to this app, I will share the GitHub repo with you, because it could use some more octopus facts, if you know what I mean. So we enjoy octopuses here at Chainguard, and that is because of our mascot, Linky. I want to tell you a little story about Linky. The reason why the octopus is the mascot of Chainguard is because there was this story of an octopus going from one aquarium tank to another to eat the other fish. So this octopus is like a CVE, but we actually love Linky; it's just that you never know where these attacks are going to come from. So this is the text file that I curled just now, so you don't have to copy that, and I also certainly did not write that out. We're just going to take a look at this real quick. This is the facts.txt file. The first few lines: the oldest known octopus fossil belongs to an animal that lived 296,000,000 years ago. Octopuses have three hearts, and the plural of octopus is octopuses. And I am willing to fight grammar nerds about this, because octopus is not a Latin word, so it wouldn't be octopi. It is actually Greek, so it would be octopodes. But since it's in English, it uses the English standard. So you came for the container images and you get octopus facts. I just made a little Python programming environment, and you can do that too; since this is a demo, it's not totally necessary, but I like to do that. So we're going to make a little main.py Python file. In the tutorial, we have lots of docstrings for you that explain everything that's happening, but I'll just try to explain it in real time. So we are importing the random dependency here. Then def random_line: we're going to open this file, we're going to read it (and I'm probably going to make a typo), and we're going to read the lines.
So there's that text file, and we want Python to read this text file line by line. We want to randomly choose a line, and we want to print out that random line for us. Then the if __name__ block. All right, let's see if that works. And then we run Python. Oops. I highly expect there to be a typo. Oh, it worked, though. Okay: an octopus is around 90% muscle. Very impressive. You don't want to compete with an octopus in the gym. So, deactivate. We can deactivate this, because now we're going to move to our Dockerfile. Right now, just to take a look: in this directory, we have our programming environment, we have main.py, and we have facts.txt. So now we're going to create our Dockerfile. We'll pull in this syntax line to make sure everything is looking good, and then we're going to pull FROM python:3, which we'll be pulling from Docker. We want our working directory to be octofacts. We want to copy main.py and facts.txt. And then we're going to run it with Python. Oops. Typing live is hard. Okay. So we're copying main.py and facts.txt, and hope for the best here. And then we're going to do a docker build. Let me see. I noticed that the whole line isn't showing up for y'all, so I could also copy the commands into the chat if that's helpful. So we're going to build and pull down, and we're going to call it basic-octofacts because this one is the upstream Python, and then we're going to show it with the Chainguard Python. Okay. Oh, gosh, I don't know how to copy this. All right, so now we have it. And I am running on a Mac, as you probably noticed, so if you are running on a Mac, just make sure you have Docker running. And then we're going to run this just to see that it's working. All right.
So robotic engineering has benefited from imitating the soft, flexible, strong arms of octopuses. Very exciting octopus fact. And here's that command if you need it. So what we're going to do now: we have this obviously pretty small app, right? We're taking in a text file, it's printing out something on the command line. It's a very, very minimal kind of app. And we're going to use Grype to scan for CVEs. Grype is something that we use internally. Chainguard also works with other scanners, and we have a lot of that information documented on Chainguard Academy if you would like to learn more about scanners. This is how a lot of it works: we have it baked into our CI/CD so that we can check our oil and stuff. But we like to use Grype in particular. I think it's a pretty lightweight and nice scanner. But you see it's taking quite a bit of time. And then after everything gets spit out, we see that there is, and I apologize about the text not being the biggest font size for you, but as you see, there are quite a lot of CVEs. We see some of them are negligible, we have some high, some medium. Gosh, it takes a long time to scroll all the way up to the top here. Okay. So if we go back to the top, we see that it scanned for vulnerabilities and there are a lot of vulnerability matches. By severity, there are 7 critical, 16 high, 314 medium, 51 low, 612 negligible. 75 have been fixed, some have not been fixed, and some have been ignored. Cool. Okay. Thanks, Brian, for letting me know about the text size. It's hard for me to see from my view, but hopefully it's good for all of you. All right. So this is just pulling python:3 and not specifying further. So if we go back to that Dockerfile, I'm going to go through and change this line.
So instead of FROM python:3, we're going to take it from Chainguard. And I can copy this into the chat too. So this is the only thing I'm changing, and then we will go through the docker build again. And we're going to call this cg-octofacts instead, just so we know it's different. Right. And then if we want, we can run it again and make sure everything's working right. See, there is a problem here. I will just make sure this is right. Yes. Okay. Sorry, I changed this. Yes, this is what I missed: I missed the entrypoint. Sorry about that. So this is the full thing, and it's because I tried to type it live. So I built it again. Let's run it now. Okay: octopuses have strong eyesight and are suspected of being able to see color in a very different way than humans. I think something like the mantis shrimp also has lots of cones in its eyes. Cool. So now we know that it's working. So just to show you that Dockerfile again, sorry about that: we changed this line, the FROM cgr.dev, and then we changed this line. Let me copy and paste that into here too. Cool. So now let's run Grype on this. All right. So here we see that there is one CVE. This gives us a chance to look at this. So this is one CVE. As I showed you, as of yesterday there were zero CVEs. Today we see there's one CVE. And as I mentioned, we build nightly. So this is actually an interesting thing. Let me show you a different window. Here, if you go to images.chainguard.dev, this is the page I'm showing you now. And if we search for Python, we can take a look. What I'm showing you right now is the Chainguard Python latest image. This is our wonderful directory, which shows you a lot of information about Chainguard Images. So these are the advisories, and this will give you real-time information about the advisories.
So if you compare these CVEs to those CVEs that we got from the initial Grype report for the other Python image, where we just pulled down python:3, you'll see that the CVEs that were in the other image are being mitigated in real time by Chainguard. So this CVE-2024-3220 is under investigation as of ten hours ago. So, you know, give them twenty-four hours and take another look at this. So Chainguard has detected a potential vulnerability match for this package and is investigating to determine remediation. And when I'm done talking, I'll try to share one of the blog posts that we have where sometimes we'll catch CVEs before they're even noticed by upstream software. It's just something, because we really, really hate CVEs here, so we want to make sure that we get rid of CVEs. But as you know, this is an ongoing process, and we will continue to combat CVEs. But this just shows you a little bit about how things are made. Let's go back to another screen. Okay. Cool. So, since I messed up that Dockerfile, let me just show it to you one more time. So we have cgr.dev/chainguard/python:latest. The working directory is octofacts. We copy main.py and facts.txt, and then our entrypoint. And I will share the tutorial with you again at the end. Awesome. So we do have one CVE in this image, but compared to the other it's quite a big difference, and we will remediate the CVE, I promise. So our next little demo is going to be a multistage build. And in the interest of time, I won't show you the difference between upstream and Chainguard. This one was very nice where we didn't have to do a pip install and everything. This next one is where you are going to do a pip install, and that's why we're going to use a multistage build. Okay.
So we're going to make another directory. I'm in this Learning Labs directory, but make this wherever you want. This one we're calling linky; again, the octopus name is very important. Then we're going to do our programming environment, and then we're going to activate that. And then we're going to create our requirements.txt file. Okay. So before this session, I learned that the version of setuptools that is in the tutorial I shared with you has a CVE in it. So I am updating it now, and I will open up a pull request against that tutorial when I'm done with this session, but hopefully I copied and pasted this correctly. So we're using setuptools 70 and climage, and this is not a robust app, but I think it's a fun app. So we're going to create linky.py, and then climage, which will show, and I'm not sure if I'm pronouncing it correctly, but this will let us show a graphic on the command line, which is very cool. I was inspired to make this little demo based on chainctl, which is our CLI tool for accessing Chainguard. So just skip this. Okay. So linky: I probably should have curled this down first, but I'll curl the PNG in a second. We are going to use this linky.png, and we're going to convert it, and hopefully I'll change this one image. Okay. And then, I should have done this first because of the order of operations, but this is the file, and I will paste this into our chat. And then we will, yes, the next step is we have to install those requirements. Right? You know, I keep updating this. Okay. And then python linky.py. Oh, gosh. See, there's a, yeah, I will, here, I will copy my little program with the beautiful docstrings that I care very much about. So I don't know, I think I did something wrong in the if statement at the bottom. Sorry. So this is available in that tutorial that I mentioned.
The setuptools will need to be updated so you don't have a CVE. But if you run it as we are today, you will get, okay, here we go, you'll get a CVE with setuptools. So here is our wonderful Linky octopus. It is very large. If you care about doing something like this with a CLI project that you're working on, you may want to play with this tool a little bit more. But for our purposes, we want a large Linky today. Okay. So let's just, yeah, create this. We're done with the programming environment. So we're going to make a Dockerfile. This is going to be a multistage Dockerfile. And this is important because, if you look back to what I showed you before, the Python, sorry, the windows, I know you all understand the pain of windows. But if we go back to this Python image in the directory: I showed you the advisories quickly, but this is Python in the Chainguard Images directory, and we have these two versions which are available in the free tier for you to use today. I showed you so far the latest, but now I'm going to show you latest-dev. If you toggle over this, a very helpful tooltip: this image contains additional software to help in developing applications, such as a shell and a package manager. So latest does not have those things, and that is important for us because we want to minimize your potential attack surface. Right? So what we get with the multistage build, which I think is really cool, is that we will pull in this latest-dev so that we can do that pip install and bring in the packages. Right? So random, which I showed before, is native in Python. Right? It was incorporated in.
But this other thing, climage, CLI image, I guess is what you would call it, is something that you have to pip install. So in order to avail ourselves of pip install, we need to use the latest-dev tagged image, and that will let us bring that in. And if you're interested in learning more, for each image we have this overview that gives you information about the image at hand. You can also go on to Chainguard Academy to learn more, and that is the link that I shared with you, which is Getting Started with the Python Chainguard Image. And then there's information about debugging distroless images, which the dev variant can help you with as well. So let's go back to the terminal. All right. We are in this blank Dockerfile today. So what we are going to do is start a new build stage based on the Python latest-dev image, and we're going to call it builder. Then we're going to create a new virtual environment that will cleanly hold the application dependencies. Right? We only want to bring in the dependencies that we need. Of course, with something like a CLI graphic, decide for yourself if including this package is important for your work. We're going to copy the requirements.txt from the current directory to the linky location in the container. We're going to run pip install so that we can get those requirements in, to install dependencies. We're going to start a new build stage based on that Python latest without the dev tag, and then we will copy those dependencies over and set up the application as the entrypoint for this image. Okay. All right. So let's get to it here. Hopefully we don't make typos, but it's very possible. Okay. So this is the builder, which I mentioned.
So we're bringing in this latest-dev as the builder, and the dev, again, will let us do pip install at the very least. I will actually copy these. Right, so we're doing linky; the work directory is linky. We're going to run python -m venv. And then we're going to copy the requirements. Okay. And then we're going to run pip install. Okay. So that's our builder part. So that's done. Right. So this allows us to do the pip install. And then we're going to do Python latest. Okay. This is our Python latest. Okay. So from that builder, we are going to bring this in and then the entrypoint. All right. Copy. Can I spell it? That's right. Oops. Yes. Okay. So copy your requirements.txt. Yes, thank you for pointing that out, and hopefully there are no other errors. But yes, walking through it again: we're taking that latest-dev as builder, we want to pip install those requirements from that requirements.txt file, then we want to bring that over into the latest, the just latest tag. So this will be a multistage build. All right. Hopefully it works. So docker build linky. All right. docker run. Oh, gosh. There we go. So here is our Linky. I know it's a big Dockerfile for this little demo, but I think that these multistage builds are really cool. And I think that a lot of the time the latest-dev will get you most of the way there to your no CVEs, even when you're pip installing these things. But I think that this is just nice to do this multistage build, and I think it shows what the value proposition is for having Chainguard Images. So here, I just run Grype again. It doesn't take very long with the Chainguard Images, and we see again that there's that CVE that I mentioned before. Awesome. I am all set here. I was wondering, docker images linky to show size. Okay. Cool.
So this is, yeah, just to show the size of the little Linky, which I guess I could have talked about a little bit more. But the size, if we go back to octofacts, if you go back and look at those two, was it basic-octofacts? So yes. So anyway, yeah. So this one, right, has 98.1 megabytes. It does have that image in there, although who knows how big that image is offhand. I don't know. And then if we look at that Python, the one that we just pulled, we have a 1.02 gigabyte image versus a 60.9 megabyte image. So you see, the other thing that's cool about Chainguard Images is that not only are we reducing attack surface, we're reducing the size by quite a lot, which could be cool for everybody. Awesome. I can go back to the slide deck. All right. So what did we do? First we did latest, then we did latest-dev and latest with a multistage build. And then for debugging distroless, I could share with you a tutorial, but here are some pointers to start with. There are the latest-dev variants that you can use to debug, there is docker debug, cdebug, and ephemeral containers, and we do have some guidance about this. We have a troubleshooting section on Chainguard Academy, but here's a quick tutorial if you're interested. And that's all for me. If anybody has any questions, the Chainguard team will be here for a few more minutes, but thanks so much for coming. Yeah. So I have not actually tested that. So the question is about installing some data science libraries with pip using the Chainguard Python image. I would actually like to play with this, but I haven't personally yet. But I wanted to share with you: we do have the AI images, and we did do a learning lab about it. So let me just grab that for you.
So we do have some AI images, which is probably more than what you need if you want to do pandas or something. But I will share with you the AI one because I think it's quite good. My colleague Patrick led this, and he was great at doing that, I would say. So this is the video about the AI images. For NumPy and pandas, I think the AI images may be overkill, but that will have what you need in there. But otherwise, I'll stop sharing this. Otherwise, yeah, I will get back to you, and I think we should do a tutorial or something about pandas, because pandas is something that I also want. Yes. I think we will have some more interesting things about build dependencies soon, too. And let me see. I think we do have a PyTorch tutorial as well. So these are, like, yeah, testing access. I showed you a very minimal demo, but the PyTorch demo is more serious, I will say, as somebody who has gone through this tutorial. It takes more time for sure. But the learning lab is very good. Thanks, Adrian. Thank you, Brian. Thanks, Erica. If there are no other questions, I think we can close it off. If you have any final thoughts or concerns, you can open an issue against the Chainguard Academy repo. And feel free to open a blank issue if you just want to chat. I'm happy to talk with you there. Awesome. Thanks, everybody.
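The multistage Dockerfile that the talk builds up verbally, written out as an added example. This is not the speaker's file or Chainguard's tutorial file. The image tags cgr.dev/chainguard/python:latest-dev and cgr.dev/chainguard/python:latest, the files linky.py, linky.png and requirements.txt, and the pip install into a virtual environment are what the talk describes; the /linky working directory, the /linky/venv path and the environment variables are assumptions about the layout.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the talk's or Chainguard's own file. Paths under /linky
# are assumptions; the image tags are the ones named in the talk.

# Stage 1: builder. The -dev variant carries a shell and pip, which are
# needed to resolve and install requirements.txt. Nothing from this stage
# reaches the runtime image unless it is explicitly copied out below.
FROM cgr.dev/chainguard/python:latest-dev AS builder

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

WORKDIR /linky

# A dedicated venv keeps the installed packages in one directory, so the
# runtime stage receives only that tree: no pip cache, no build tooling.
RUN python -m venv /linky/venv
ENV PATH="/linky/venv/bin:$PATH"

# Copy requirements.txt on its own first so the pip layer is cached until
# the pinned dependency list actually changes.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Stage 2: runtime. The plain tag has no shell and no package manager, so
# nothing can be pip-installed or apk-added here, by design. Only the venv
# and the application files are brought over from the builder.
FROM cgr.dev/chainguard/python:latest

WORKDIR /linky
ENV PYTHONUNBUFFERED=1 \
    PATH="/linky/venv/bin:$PATH"

# Same absolute path as in the builder: venv scripts and pyvenv.cfg record
# the directory they were created in, so moving the tree breaks them.
COPY --from=builder /linky/venv /linky/venv
COPY linky.py linky.png ./

ENTRYPOINT ["python", "linky.py"]
```

Build it with docker build -t linky . from the directory holding linky.py, linky.png and requirements.txt, then scan the result with grype linky; anything Grype reports should come from either the base image or the packages pinned in requirements.txt, not from build-time tooling, because pip and the shell never left the builder stage. The runtime stage therefore cannot be entered with docker exec ... sh; for troubleshooting, rebuild the final stage from the latest-dev tag temporarily or use one of the debugging approaches the talk lists (docker debug, cdebug, ephemeral containers). For anything beyond a demo, replace the floating latest and latest-dev tags with digest pins (image@sha256:...) so a rebuild is reproducible and a base-image change is a deliberate, reviewable diff.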