Package and Image Name Mappings

Understanding how Chainguard maps upstream package and image names to Chainguard Containers

5 min read

When migrating to Chainguard Containers, you may notice that some package and image names differ from their upstream counterparts. This guide explains why these mappings exist and provides a comprehensive reference of how Chainguard maps image and package names to our container ecosystem.

Why Chainguard Remaps Package Names

Different Linux distributions often use different names for the same software. For example, Debian calls its C compiler package build-essential, while Alpine calls the equivalent package build-base and Fedora uses gcc and related packages. Chainguard Containers standardize these names to provide consistency regardless of which distribution you’re migrating from.

In some cases, upstream package names can be ambiguous or misleading. To create more clarity, Chainguard maps netcat-traditional to netcat-openbsd to specify the implementation, and google-chrome-stable to chromium to reflect the open-source base.

Some distributions split a single piece of software into many sub-packages, while others bundle functionality together. Chainguard’s package naming reflects a more streamlined approach that reduces the number of packages you need to install, minimizing the attack surface by avoiding unnecessary package splits.

Container image name conventions

For container images, Chainguard follows naming conventions that prioritize:

Specificity: Instead of generic names, we use descriptive names (for example, argocd-repo-server instead of just argocd)
Consistency: All our images follow similar naming patterns
Discoverability: Names that clearly indicate the software’s purpose

Using package mappings

When you’re using Chainguard’s Dockerfile Converter (dfc), these mappings are applied automatically. The tool recognizes upstream package and image names and translates them to their Chainguard equivalents.

For manual migrations, you can reference the following tables to find the correct package or image name you need.

Package Name Mappings

Debian/Ubuntu packages

The following table shows how Debian and Ubuntu package names (used with apt, apt-get) map to Chainguard package names (used with apk).

Click to expand/collapse Debian package mappings table

Debian Package Name	Chainguard/Wolfi Package Name(s)
`awscli`	`aws-cli`
`build-essential`	`build-base`
`fonts-liberation`	`font-liberation`
`fonts-open-sans`	`font-opensans`
`fuse`	`fuse2` , `fuse-common`
`g++`	`gcc`
`gettext-base`	`gettext`
`git-delta`	`delta`
`gnupg2`	`gnupg`
`google-chrome-stable`	`chromium`
`libbz2-dev`	`bzip2-dev`
`libc-client-dev`	`glibc-dev`
`libc6-dev`	`glibc-dev`
`libcairo2`	`cairo`
`libcups2`	`cups-libs`
`libcurl4-openssl-dev`	`curl-dev`
`libgssapi-krb5-2`	`krb5-libs`
`libicu-dev`	`icu-dev`
`libkrb5-dev`	`krb5-dev`
`liblzma-dev`	`xz-dev`
`libmagic1`	`libmagic` , `libmagic-dev`
`libncurses5-dev`	`ncurses`
`libncursesw5-dev`	`ncurses-dev`
`libpq-dev`	`postgresql-dev`
`libpq5`	`libpq`
`librdkafka1`	`librdkafka`
`libreadline-dev`	`readline`
`libsqlite3-dev`	`sqlite-libs`
`libssl-dev`	`libssl3`
`libvshadow-utils`	`shadow`
`libxi6`	`libxi`
`libxmlsec1`	`xmlsec`
`libxmlsec1-dev`	`xmlsec-dev`
`libxmlsec1-openssl`	`xmlsec-openssl`
`locales`	`glibc-locales`
`netbase`	`wolfi-baselayout`
`netcat-traditional`	`netcat-openbsd`
`pcre2-utils`	`pcre2`
`pkg-config`	`pkgconf`
`postgresql-client-14`	`postgresql-14-client`
`postgresql-contrib`	`postgresql-14-contrib`
`protobuf-compiler`	`protobuf-c-compiler`
`python3`	`python-3`
`python3-openssl`	`py3-pyopenssl`
`python3-pip`	`py3-pip`
`python3-virtualenv`	`py3-virtualenv`
`python3-wheel`	`py3-wheel`
`s3fs`	`s3fs-fuse`
`software-properties-common`	(not needed - functionality included in base image)
`ssh`	`openssh-client` , `openssh-server`
`uuid-runtime`	`util-linux-misc`
`watch`	`procps`
`xfonts-utils`	`font-util` , `mkfontscale` , `bdftopcf`
`xz-utils`	`xz`
`zlib1g-dev`	`zlib-dev`

Fedora/RedHat/UBI packages

The following table shows how Fedora, RedHat, and UBI package names (used with yum, dnf, microdnf) map to Chainguard package names.

Click to expand/collapse Fedora package mappings table

Fedora Package Name	Chainguard/Wolfi Package Name(s)
`libpq-devel`	`postgresql-devel`
`shadow-utils`	`shadow`

Alpine packages

Alpine Linux package names generally align with Chainguard’s package names, as both use apk and share similar package management philosophies. In most cases, no mapping is necessary when migrating from Alpine to Chainguard Containers.

Image Name Mappings

The following table shows how upstream container image names map to Chainguard Containers. Note that wildcard patterns (indicated by *) match multiple variants of an image name.

Click to expand/collapse image name mappings table

Upstream Image Name	Chainguard Container
`alpine`	`chainguard-base:latest`
`amazon/cloudwatch-agent`	`amazon-cloudwatch-agent-operator`
`apache/airflow`	`airflow-core`
`apache/beam_python3.7_sdk`	`apache-beam-python-sdk`
`apache/nifi`	`apache-nifi`
`apache/tika`	`apache-tika`
`apache/yunikorn`	`yunikorn-scheduler`
`argoproj/argo-rollouts`	`kubectl-argo-rollouts`
`argoproj/argocd`	`argocd-repo-server`
`atmoz/sftp`	`atmoz-sftp`
`banzaicloud/logging-operator`	`kube-logging-operator`
`calico/node`	`calico-typha`
`camunda/zeebe`	`camunda-zeebe`
`cfssl/cfssl`	`cfssl-self-sign`
`chartmuseum/chartmuseum`	`helm-chartmuseum`
`cilium/cilium`	`cilium-operator-aws`
`clickhouse/clickhouse-server`	`clickhouse`
`confluentinc/cp-kafka`	`confluent-kafka`
`cr.l5d.io/linkerd/extension-init`	`linkerd-extension-init`
`crossplane/provider-aws`	`crossplane-aws-dynamodb`
`crossplane/provider-azure`	`crossplane-azure-storage`
`crossplane/provider-sql`	`crossplane-sql`
`cybertecpostgresql/pg_timetable`	`pg-timetable`
`cypress/base`	`cypress-base`
`dart`	`dart-runtime`
`daskgateway/dask-gateway`	`dask-gateway-server`
`datadog/agent`	`datadog-agent`
`debezium/connect`	`debezium-connect`
`debian`	`chainguard-base:latest`
`dependencytrack/bundled`	`dependency-track`
`dopplerhq/kubernetes-operator`	`doppler-kubernetes-operator`
`dragonflyoss/dfdaemon`	`dragonfly`
`eclipse-temurin`	`jdk`
`envoyproxy/gateway`	`envoy-gateway`
`envoyproxy/ratelimit`	`envoy-ratelimit`
`fedora`	`chainguard-base:latest`
`fluxcd/flux`	`flux-image-automation-controller`
`gcc`	`gcc-glibc`
`gcr.io/kaniko-project/executor`	`kaniko`
`gcr.io/kaniko-project/warmer`	`kaniko-warmer`
`gcr.io/knative-releases/knative.dev/operator/cmd/operator`	`knative-operator-webhook`
`gcr.io/knative-releases/knative.dev/serving/cmd/queue`	`knative-serving-queue`
`ghcr.io/kyverno/kyverno`	`kyvernopre`
`ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator`	`opentelemetry-operator-target-allocator`
`ghcr.io/opencost/opencost`	`opencost-ui`
`ghcr.io/opencost/opencost-ui`	`opencost`
`goharbor/harbor-core`	`harbor-jobservice`
`golang*`	`go`
`google/cloud-sdk`	`google-cloud-sdk`
`grafana/agent-operator`	`grafana-agent-operator`
`grafana/alloy`	`grafana-alloy`
`grafana/mimir`	`grafana-mimir`
`grafana/oncall`	`grafana-oncall`
`grafana/rollout-operator`	`grafana-rollout-operator`
`guacamole/guacamole`	`guacamole-server`
`hashicorp/vault`	`vault-k8s`
`istio/install-cni`	`istio-pilot`
`istio/operator`	`istio-pilot`
`istio/pilot`	`istio-pilot`
`istio/proxyv2`	`istio-pilot`
`jaegertracing/all-in-one`	`jaeger-query`
`jitsucom/bulker`	`jitsucom-syncctl`
`jitsucom/jitsu`	`jitsucom-console`
`jupyterhub/k8s-hub`	`jupyterhub-k8s-hub`
`jupyterhub/k8s-network-tools`	`jupyterhub-k8s-network-tools`
`justwatch/elasticsearch_exporter`	`prometheus-elasticsearch-exporter`
`kedacore/keda`	`keda-admission-webhooks`
`kubernetesui/dashboard`	`kubernetes-dashboard`
`kubernetesui/dashboard-api`	`kubernetes-dashboard-api`
`kubernetesui/dashboard-auth`	`kubernetes-dashboard-auth`
`kubernetesui/dashboard-metrics-scraper`	`kubernetes-dashboard-metrics-scraper`
`kubernetesui/dashboard-web`	`kubernetes-dashboard-web`
`library/docker`	`docker-dind`
`library/tomcat`	`tomcat-jdk8`
`mailcow/unbound`	`unbound-mailcow`
`mattermost/mattermost-team-edition`	`mattermost`
`mcr.microsoft.com/dotnet/aspnet`	`aspnet-runtime`
`mcr.microsoft.com/dotnet/runtime`	`dotnet-runtime`
`mcr.microsoft.com/dotnet/sdk`	`dotnet-runtime`
`minio/minio`	`minio-client`
`minio/operator`	`minio-operator`
`mongo`	`mongodb`
`neuvector/controller`	`neuvector-manager`
`newrelic/infrastructure-bundle`	`newrelic-infrastructure-bundle`
`newrelic/infrastructure-k8s`	`newrelic-infrastructure-k8s`
`newrelic/k8s-events-forwarder`	`newrelic-k8s-events-forwarder`
`newrelic/nri-kube-events`	`newrelic-kube-events`
`newrelic/nri-kubernetes`	`newrelic-kubernetes`
`newrelic/nri-prometheus`	`newrelic-prometheus`
`newrelic/nri-statsd`	`newrelic-nri-statsd`
`nodejs*`	`node`
`nvidia/container-toolkit`	`nvidia-container-toolkit`
`nvidia/k8s-device-plugin`	`nvidia-device-plugin`
`oliver006/redis_exporter`	`prometheus-redis-exporter`
`openbao/openbao`	`openbao-k8s`
`openebs/provisioner-localpv`	`dynamic-localpv-provisioner`
`openjdk`	`jdk`
`prom/alertmanager`	`prometheus-alertmanager`
`prom/blackbox-exporter`	`prometheus-blackbox-exporter`
`prom/cloudwatch-exporter`	`prometheus-cloudwatch-exporter`
`prom/mysqld-exporter`	`prometheus-mysqld-exporter`
`prom/node-exporter`	`prometheus-node-exporter`
`prom/pushgateway`	`prometheus-pushgateway`
`prom/statsd-exporter`	`prometheus-statsd-exporter`
`public.ecr.aws/karpenter/controller`	`karpenter`
`public.ecr.aws/mountpoint-s3-csi-driver/aws-mountpoint-s3-csi-driver`	`mountpoint-s3-csi-driver`
`quay.io/debezium/connect`	`debezium-connect`
`quay.io/jetstack/cert-manager-controller`	`cert-manager-webhook`
`quay.io/jupyter/base-notebook`	`jupyterhub-base-notebook`
`quay.io/prometheus/cloudwatch-exporter`	`prometheus-cloudwatch-exporter`
`quay.io/prometheuscommunity/yet-another-cloudwatch-exporter`	`yace`
`rancher/agent`	`rancher-agent`
`rancher/fleet`	`rancher-fleet-agent`
`rancher/k3s`	`k3s-static`
`redis`	`redis-sentinel`
`redpandadata/console`	`redpanda-data-console`
`registry.k8s.io/provider-aws/cloud-controller-manager`	`cloud-provider-aws`
`registryk8s`	`cluster-api-clusterctl`
`rook/ceph`	`rook-ceph`
`s3-controller`	`aws-s3-controller`
`selenium/hub`	`docker-selenium-hub`
`stakater/reloader`	`stakater-reloader`
`static*`	`static:latest`
`strimzi/kafka`	`strimzi-kafka`
`strimzi/operator`	`strimzi-kafka-operator`
`temporalio/admin-tools`	`temporal-admin-tools`
`temporalio/server`	`temporal-server`
`thingsboard/tb`	`thingsboard-tb-js-executor`
`ubuntu`	`chainguard-base:latest`
`upstream-image`	`dapr-sentry`
`vault`	`vault-k8s`
`victoriametrics/operator`	`victoriametrics-operator`
`victoriametrics/victoria-metrics`	`victoriametrics-vmstorage`
`vmware/kube-fluentd-operator`	`kube-logging-operator-fluentd`
`wrouesnel/postgres_exporter`	`prometheus-postgres-exporter`
`xpkg.upbound.io/crossplane-contrib/provider-keycloak`	`crossplane-keycloak`

Learn More

For more information about working with Chainguard Containers and package management, you can check out our overview of Chainguard’s Package Model. Additionally, you may find our doc on Using the Dockerfile Converter to be useful.

Last updated: 2025-10-23 11:07

Package and Image Name Mappings

Why Chainguard Remaps Package Names

Container image name conventions

Using package mappings

Package Name Mappings

Debian/Ubuntu packages

Fedora/RedHat/UBI packages

Alpine packages

Image Name Mappings

Learn More

Was this helpful?

Related Articles

Create an Assumable Identity to Authenticate from AWS

Verify that Chainguard FIPS Containers are Configured to Use FIPS Modules

Migrating to .NET Chainguard Containers

Getting Started with the MinIO Chainguard Container

Overview of Chainguard's Package Repositories