Chainguard Container for azure-functions-node

Azure Functions is a managed platform-as-a-service provider which offers scalable and serverless hosting for code projects. It extends the Azure platform with the capability to implement code triggered by many events occuring in Azure, on-premises or other 3rd party service.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/azure-functions-node:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

This image is based on the upstream azure-functions/node image, but follows the slim variant to reduce image size and improve performance.

Key differences:

• Slim base: Uses a smaller footprint compared to the full azure-functions/node image, which can lead to faster cold start times and reduced resource consumption.
• Extension Bundles: Supports only Azure Functions Extension Bundles v4. Earlier versions (v3 or v2) are not supported, as v4 provides improved performance, stability, and access to the latest Azure Functions features. These changes are intended to optimize app performance and keep the image aligned with the latest platform capabilities.

Chainguard's Azure Functions Node image is smaller in size compared to the original image and has few-to-zero CVEs.

Getting Started

Azure Functions is a managed platform-as-a-service provider which offers scalable and serverless hosting for code projects. It extends the Azure platform with the capability to implement code triggered by many events occuring in Azure, on-premises or other 3rd party service. The Azure Functions Node image offers support for writing and running Functions code in Javascript.

Creating and running a minimal Function locally

This section outlines how you can run an Azure Function application locally with the Chainguard Azure Functions Node Image.

Start by creating a sample http triggered function named HelloWolfi:

mkdir HelloWolfi

cat >HelloWolfi/index.js <<EOL
module.exports = async function (context, req) {
    context.log('HTTP trigger processed a request.');
    const name = (req.query.name || (req.body && req.body.name));
    context.res = {
        status: 200,
        body: name ? \`Hello, \${name}!\` : "Pass a name in the query string or request body."
    };
};
EOL

cat >HelloWolfi/function.json <<EOL
{
    "bindings": [
      {
        "authLevel": "anonymous",
        "type": "httpTrigger",
        "direction": "in",
        "name": "req",
        "methods": ["get", "post"]
      },
      {
        "type": "http",
        "direction": "out",
        "name": "res"
      }
    ]
}
EOL

Then, create the host.json metadata file which contains configuration options for all functions in a Function App. For more information about the this file check the host.json reference. Make sure to use version 4 of Azure Functions Extension Bundles, since version 3 and 2 are not supported.

cat >host.json <<EOL
{
    "version": "2.0",
    "logging": {
      "logLevel": {
        "default": "Information"
      },
      "console": {
          "isEnabled": true,
          "DisableColors": true
      }
    },
    "extensionBundle": {
      "id": "Microsoft.Azure.Functions.ExtensionBundle",
      "version": "[4.*, 5.0.0)"
    }
}
EOL

Following that, you can create a Dockerfile to copy your Function code to the Chainguard image and build the new image.

cat >Dockerfile <<EOL
FROM cgr.dev/chainguard/azure-functions-node

COPY . /home/site/wwwroot
EOL

docker build -t wolfi-node-function .

You can now run the image locally with the following command:

docker run -p 8080:80 wolfi-node-function

WEBSITES_INCLUDE_CLOUD_CERTS is not set to true.
info: Host.Triggers.Warmup[0]
      Initializing Warmup Extension.
info: Host.Startup[503]
      Initializing Host.
...
info: Microsoft.Azure.WebJobs.Hosting.JobHostService[0]
      Starting JobHost
...
info: Host.Startup[314]
      Loading functions metadata
info: Host.Startup[326]
      Reading functions metadata (Custom)
info: Host.Startup[327]
      0 functions found (Custom)
info: Host.Startup[315]
      1 functions loaded
info: Host.Startup[0]
      Generating 1 job function(s)
info: Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcFunctionInvocationDispatcher[0]
      Worker process started and initialized.
info: Host.Startup[0]
      Found the following functions:
      Host.Functions.HelloWolfi
      
info: Microsoft.Azure.WebJobs.Script.WebHost.WebScriptHostHttpRoutesManager[0]
      Initializing function HTTP routes
      Mapped function route 'api/HelloWolfi' [get,post] to 'HelloWolfi'
...
info: Host.Startup[412]
      Host initialized (48ms)
info: Host.Startup[413]
      Host started (59ms)
info: Host.Startup[0]
      Job host started
Hosting environment: Production
Content root path: /azure-functions-host
Now listening on: http://[::]:80
Application started. Press Ctrl+C to shut down.

Now that the function launched properly, you can test it by making a request to the /api/HelloWolfi endpoint:

curl http://127.0.0.1:8080/api/HelloWolfi?name=Chainguard

Hello, Chainguard!

Creating and running a minimal Function in an Azure Function App

The most common use case for an Azure Functions image is deploying it within an Azure Function App. You can use the Chainguard Azure Functions Node image for this purpose. The following example demonstrates how to deploy a queue-triggered function that responds to messages in an Azure Storage Queue by creating a copy of a file in Azure Blob Storage.

Start by creating the function and its metadata file:

mkdir HelloWolfi

cat >HelloWolfi/index.js <<EOL
module.exports = async function(context) {
    context.log.warn('Node.js Queue trigger function processed', context.bindings.myQueueItem);
    context.bindings.myOutputBlob = context.bindings.myInputBlob;
};
EOL

cat >HelloWolfi/function.json <<EOL
{
    "bindings": [
      {
        "queueName": "blobfunctionqueue-items",
        "connection": "AzureWebJobsStorage",
        "name": "myQueueItem",
        "type": "queueTrigger",
        "direction": "in"
      },
      {
        "name": "myInputBlob",
        "type": "blob",
        "path": "samples-workitems/{queueTrigger}",
        "connection": "AzureWebJobsStorage",
        "direction": "in"
      },
      {
        "name": "myOutputBlob",
        "type": "blob",
        "path": "samples-workitems/{queueTrigger}-Copy",
        "connection": "AzureWebJobsStorage",
        "direction": "out"
      }
    ],
    "disabled": false
}
EOL

cat >host.json <<EOL
{
    "version": "2.0",
    "logging": {
      "logLevel": {
        "default": "Warning"
      }
    },
    "extensionBundle": {
      "id": "Microsoft.Azure.Functions.ExtensionBundle",
      "version": "[4.*, 5.0.0)"
    }
}
EOL

Then, create a Dockerfile to copy the Function to the Chainguard image and built the image.

cat >Dockerfile <<EOL
FROM cgr.dev/chainguard/azure-functions-node

COPY . /home/site/wwwroot
EOL

docker build -t wolfi-queue-function .

Next, tag your image as needed and push it to your container registry by following these steps.

Once the image is published, provision the required Azure resources and configure your Function App to use the container image.

After setup, create an Azure Storage Queue named blobfunctionqueue-items and a Blob Container named samples-workitems in your storage account. Upload a file to the container.

Ensure the Function App’s managed identity has the correct roles assigned to the storage account:

• Storage Queue Data Reader
• Storage Blob Data Contributor

These roles allow the function to read from the queue and write to the blob container.

Restart the Function App to apply the updated configuration. Then, add a message to the queue containing the name of the uploaded file. Within a few seconds, the function should trigger and process the file, creating a copy in the designated container.

You can monitor execution logs in Azure Application Insights (note that logs may appear with a slight delay).

Documentation and Resources

For more information about Azure Functions in container images, please refer to the official documentation.

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.