Introducing rules_oci

Photo by Venti Views on Unsplash

Introducing rules_oci

·

4 min read

Cross-posted from the Google Security Blog

Today, we are announcing the General Availability 1.0 version of rules_oci, an open-sourced Bazel plugin (“ruleset”) that makes it simpler and more secure to build container images with Bazel. This effort was a collaboration between Aspect, the Rules Authors Special Interest Group, and Google. In this post we’ll explain how rules_oci differs from its predecessor, rules_docker, and describe the benefits it offers for both container image security and the container community.

Update August 2023: rules_oci is now the officially recommended ruleset for Docker/OCI.

See the video from my talk at Bazel Community Day SF:

Bazel and Distroless for supply chain security

Bazel is gaining fast adoption within enterprises thanks to its ability to scale to the largest codebases and handle builds in almost any language. Because Bazel manages and caches dependencies by their integrity hash, it is uniquely suited to make guarantees about the supply chain based on the Trust-on-First-Use principle. One way Google uses Bazel is to build their widely used Distroless base images for Docker.

Distroless is a series of minimal base images which improve supply-chain security. They restrict what's in your runtime container to precisely what's necessary for your app, which is a best practice employed by Google and other tech companies that have used containers in production for many years. Using minimal base images reduces the burden of managing risks associated with security vulnerabilities, licensing, and governance issues in the supply chain for building applications.

rules_oci vs rules_docker

Historically, building container images was supported by rules_docker, which is now in maintenance mode. The new ruleset, called rules_oci, is better suited for Distroless as well as most Bazel container builds for several reasons:

  • The Open Container Initiative standard has changed the playing field, and there are now multiple container runtimes and image formats. rules_oci is not tied to running a docker daemon already installed on the machine.

  • rules_docker was created before many excellent container manipulation tools existed, such as Crane, Skopeo, and Zot. rules_oci can simply rely on trusted third-party toolchains and avoid building or maintaining any Bazel-specific tools.

  • rules_oci doesn’t include any language-specific rules, which makes it much more maintainable than rules_docker. Also, it avoids the pitfalls of stale dependencies on other language rulesets.

Other benefits of rules_oci

There are other great features of rules_oci to highlight as well. For example, it uses Bazel’s downloader to fetch layers from a remote registry, improving caching and allowing transparent use of a private registry. Multi-architecture images make it more convenient to target platforms like ARM-based servers, and support Windows Containers as well. Code signing allows users to verify that a container image they use was created by the developer who signed it, and was not modified by any third-party along the way (e.g. “person-in-the-middle attack”). In combination with the work on the Bazel team’s roadmap, you’ll also get a Software Bill of Materials (SBOM) showing what went into the container you use.

Since adopting rules_oci and Bazel 6, the Distroless team has seen several improvements to their build processes, image outputs, and security metadata:

  • Native support for signing allows them to eliminate a race condition that could have left some images unsigned. They now sign on immutable digest references to images during the build instead of tags after the build.

  • Native support for oci indexes (multi platform images) allowed them to remove the dependency on docker during build. This also means more natural and debuggable failures when something goes wrong with multi platform builds.

  • Improvements to fetching and caching means their CI builds are faster and fail less when using flaky remote repositories.

  • Distroless images are now accompanied by SBOMs embedded in a signed attestation which you can view with cosign and some jq magic:

cosign download attestation gcr.io/distroless/base:latest-amd64 | jq -rcs '.[0].payload' | base64 -d | jq -r '.predicate' | jq

In the end, rules_oci allowed the Distroless team to modernize their build while also adding necessary supply chain security metadata to allow organizations to make better decisions about the images they consume.

Get started with rules_oci

Today we’re happy to announce that rules_oci is now a 1.0 version. This stability guarantee follows the semver standard, and promises that future releases won’t include breaking public API changes. Aspect provides resources for using rules_oci, such as a Migration guide from rules_docker. Aspect also provides support, training, and consulting services for effectively adopting rules_oci for building containers in all languages.

If you use rules_docker today, or are considering using Bazel to build your containers, this is a great time to give rules_oci a try. You can help us out by filing actionable issues, contributing code, or donating to the Rules Authors SIG OpenCollective. Since the project is developed and maintained entirely as community-driven open source, your support is essential to keep the project healthy and responsive to your needs.