top of page
Search

Faster, Leaner, Smarter: Chainguard Reimagines Container Efficiency With Multi-Layered Intelligence

In the world of cloud-native infrastructure, containers are the invisible workhorses of modern applications. But as developers build bigger, more complex services—especially those driven by AI and machine learning—the inefficiencies in how containers are built and distributed start to show.

Chainguard, the cybersecurity-focused container startup known for its stripped-down, secure Linux images, has just launched a major update that aims to fix a longstanding pain point: bloated container pulls. The company is introducing multi-layer container images with what it calls “intelligent layering”—a behind-the-scenes upgrade that promises to dramatically speed up image pulls, save bandwidth, and accelerate build and deployment cycles for customers.


“We’ve always been about minimal, secure containers,” said Kim Lewandowski, Chainguard’s CPO and co-founder. “But minimalism can’t get in the way of velocity. This update brings the best of both worlds.”


Why It Matters

Traditionally, Chainguard has embraced a single-layer design philosophy. Every container image—no matter how large or complex—was packaged into a single, verifiable layer. This made sense from a security and simplicity perspective, but it became an Achilles' heel when only one small package needed updating. Developers would be forced to re-download the entire image, often hundreds of megabytes, even if only a few kilobytes changed.

In a cloud economy increasingly measured in milliseconds and megabytes, that inefficiency is costly.


“The problem becomes especially apparent in AI/ML pipelines,” explained Jason Hall, Principal Software Engineer at Chainguard. “Workloads like PyTorch or TensorFlow are large, and they update often. A single package change meant a full image pull. That’s not sustainable.”


The Engineering Behind the Shift

Unlike Dockerfiles, which incrementally build images using layered commands, Chainguard’s apko tool creates containers using declarative configurations. That gives it more control—but also means layering isn’t as straightforward.


So the team rethought the approach from the ground up.


Rather than assigning a layer to each package (which quickly hits technical limits in container runtimes), Chainguard adopted a “per-origin” model. Packages built from the same source—like those maintained by a common upstream project—are grouped together. This strikes a balance between granularity and efficiency: small enough to avoid full image re-downloads, but compact enough to fit within layer limits.


In real-world testing, the results were impressive:

  • ~70% reduction in total unique layer data across the catalog

  • 70–85% reduction in bytes transferred during update simulations of large images like PyTorch and NVIDIA NeMo


They didn’t stop there. The team layered in (literally) a few more innovations:

  • A final "metadata" layer captures frequently updated system files

  • Intelligent ordering of layers improves caching and parallel download performance

  • Sufficient layer counts enable better parallelism without breaking runtime limits


Zero Changes for Users, All Gains

The best part? Developers don’t have to lift a finger.


“There’s no change to how you pull or use our containers,” Lewandowski emphasized. “It’s a drop-in upgrade. You just start noticing everything feels faster.”


For organizations deploying thousands of services on Chainguard Containers, the impact could be significant. Faster builds. Faster CI/CD pipelines. Reduced storage costs. Less network strain. All while maintaining the tight security posture Chainguard is known for.


A Shift That Echoes Beyond Chainguard

This isn’t just a tweak—it’s a strategic evolution that pushes back on the idea that secure infrastructure has to be slow or rigid. In many ways, Chainguard’s move mirrors broader industry shifts: declarative infrastructure, immutable systems, and smarter caching are becoming the new baseline for modern DevOps.


With over 1,300 container images already converted to the new format, the rollout is complete—and likely to influence how others in the container space rethink efficiency and layering.


Lewandowski puts it plainly: “This is us obsessing over customer experience, and doing the hard engineering so they don’t have to.”


For developers and DevOps teams already running on Chainguard—or those eyeing it for more secure supply chains—the message is clear: You’ll get your containers faster, with less waste, and no compromise on security.


Sometimes, good things come in layers.

bottom of page