Build OCI images for apk-based distributions declaratively!

When maintaining images at scale, the Dockerfile concept built into Docker is inefficient. If we have a collection of build artifacts, repositories and a keyring, we can build images directly with APK, and upload them directly to container registries.

In fact, we can do more than that: using a service like kontain.me, we can serve fresh container images on demand, with the latest package updates, using nothing but declarative configuration.

This part is very much a work in progress, but basically you need a system with apk (soon: libapk), and this apko tool. You probably also want the other Chainguard stack components as well, e.g. crane.

To build an image, use the apko build command:

# apko build config.yaml tag output.tar

This will give you a Docker-style tarball which you can use with docker load:

# docker load < output.tar

You can also publish an image using the apko publish command:

# apko publish config.yaml foo.dev/bar/baz:latest

You need root, or at least fakeroot + fakechroot to build images with apko, due to apk-tools' use of chroot(2).

Some example configurations are available in the examples directory.

By using the very fast apk package manager to manage build artifacts, we can build images very quickly. This means that developers win with a faster and more easy to reproduce build process.

Some containers are complex, with multiple tightly-coupled services running in the same container. apko understands this scenario out of the box, avoiding the need to deal with things like s6-overlay. If you define a service-bundle entrypoint, it will generate an appropriate supervision tree and ensure s6 is installed.

As a result of using apk to manage distribution and build artifacts, we will be able to generate SBOMs for containers, using the new apk-tools 3.x SBOM feature.