Canonical
on 26 June 2024
‘Everything LTS’ – Canonical will build distroless Docker images to customer spec that include upstream components not packaged in Ubuntu, and fix critical CVEs within 24 hours, supported on RHEL, Ubuntu, VMware or public cloud K8s for 12+ years.
London, 26 June 2024 Canonical today expanded its LTS offering beyond the ‘deb’ packages of Ubuntu, and launched a new distroless Docker image design-and-build service with 12 year security maintenance of any open source app or dependencies, whether or not that software is already packaged in Ubuntu.
“Everything LTS means CVE maintenance for your entire open source dependency tree, including open source that is not already packaged as a deb in Ubuntu” said Mark Shuttleworth, CEO of Canonical. “We deliver distroless or Ubuntu-based Docker images to your spec, which we will support on RHEL, VMware, Ubuntu or major public cloud K8s. Our enterprise and ISV customers can now count on Canonical to meet regulatory maintenance requirements with any open source stack, no matter how large or complex, wherever they want to deploy it.”
Canonical’s move to offer ‘Everything LTS’ expands Ubuntu Pro with thousands of new open source upstream components, including today’s latest AI/ML dependencies and tools for machine learning, training and inference, which are maintained as source alongside Ubuntu instead of as ‘deb’ packages. The CVE security maintenance commitment Canonical makes to these open source components facilitates compliance with regulatory baselines like FIPS, FedRAMP, EU Cyber Resilience Act (CRA), FCC U.S. Cyber Trust Mark and DISA-STIG.
Customers engage Canonical to design a Docker image of an open source application, or a base image that includes all of the open source dependencies to host their proprietary app. They get hardened distroless container images with a minimal attack surface and 12+ years CVE maintenance. The Docker image – an Open Container Initiative (OCI) standard container image format – runs natively on Ubuntu as well as Red Hat Enterprise Linux (RHEL), VMware Kubernetes or public cloud K8s. Canonical will support these custom-built images on all of those platforms.
Ubuntu Pro subscriptions include the right to run unlimited ‘Everything LTS’ containers. VMware, RHEL and public cloud hosts are supported at the same price as Ubuntu Pro hosts.
Distroless containers are minimal and secure
Industry research shows that 84% of codebases have at least one open source vulnerability, and 48% of those vulnerabilities are high risk.
The distroless container design paradigm describes containers that include only the files specifically required to run a single application. The goal is a container that is smaller and more difficult to exploit when vulnerabilities are discovered, because there are no surplus utilities or additional content inside the container that can aid an attacker.
Distroless containers are conventionally built from scratch and are difficult for developers to design or debug when they are working with sophisticated applications with many components, languages and runtimes. It is much easier for developers to work on a platform like Ubuntu.
Chiselled Ubuntu containers are distroless containers built on Ubuntu with Chisel to include only files which are strictly necessary for the application. Surplus distro metadata and tools are excluded, leaving only strict dependencies of the application. These ultra-small and efficient containers trim their attack surface dramatically, improving on the state of the art.
Developers work with the full and familiar Ubuntu toolchain, the most popular Linux environment for cloud developers, then build a container with Chisel to achieve a distroless production artifact. As a side benefit, debugging such containers is greatly simplified as the same container can be built without Chisel, giving developers the familiar tools they need to analyse application behaviour in test environments. Chisel enables seamless interoperability of a distribution-based engineering workflow and a distroless production environment.
As part of the container design and build service, Canonical will analyse your app dependency tree, identify open source components not yet covered in Ubuntu Pro, bring those under CVE maintenance, and create a container image which may at your option be chiselled and distroless. Once the container image is created, pipeline automation drives regular updates, making sure that relevant patches are included and minimising the number of critical and high vulnerabilities.
Chiselled runtimes for enterprise .NET apps
Microsoft and Canonical created chiselled containers for the .NET community. Chisel trims the official .NET containers by 100 MB. For self-contained .NET applications the chiselled runtime base image is only 6 MB compressed. This smaller footprint delivers faster caching, across networks and from storage to execution, as well as reduced memory overhead.
“Canonical and Microsoft are trusted vendors for many of the same customers”, says Richard Lander, Product Manager .NET at Microsoft. “We get a very positive reaction when we share what we’ve built together. Customers want to see more collaborations like this, where every aspect of the design has customer workflows, ease-of-use, and security at its core. Working together has resulted in a better product, which we’ve seen with its immediate production adoption.”
Reducing size and attack surface area is just one aspect of our joint secure container strategy. The two partners have established a zero-distance supply chain to ensure trusted provenance for all the assets used in Chiselled .NET base images, from source to production artifact.
Supported on RHEL, VMware, Ubuntu and public cloud K8s
Ubuntu is the most widely used cloud Linux and Ubuntu Pro is already the world’s most comprehensive security maintenance offering which covers over 36,700 ‘deb’ packages, more open source than any other enterprise Linux. However, some teams may be restricted to specific host operating systems by enterprise policy.
The OCI format, commonly called a Docker image, is a standard way to run confined applications on any Linux platform. Enterprise SREs can maintain their existing policies and procedures, and run Canonical maintained Docker images as native packages on their infrastructure. With Everything LTS, Canonical reaches customers beyond Ubuntu and maintains any open source stack in OCI format, for certified use on RHEL, Ubuntu and VMware hosts, and public cloud K8s.
Red Hat Enterprise Linux will be supported when containers are run on OpenShift or another certified Kubernetes distribution. On Ubuntu, containers will be supported on any of Canonical’s Kubernetes offerings – MicroK8s or Charmed Kubernetes. VMware will be supported on Tanzu Kubernetes Grid or vSphere with Kubernetes, or on Ubuntu VMs on the vSphere cluster. On public clouds, Canonical will support containers on Azure, AWS, Google, IBM and Oracle public cloud Kubernetes offerings.
“Ensuring compliance with FedRAMP or HIPAA is very challenging for CISOs. This is the simplest and most cost effective way to run a large-scale, compliant container estate in hybrid or public clouds” said Alex Gallagher, Head of Public Cloud Alliances at Canonical. “We work closely with certified public clouds to optimise the security and performance of Kubernetes, and integrate Ubuntu Pro to provide seamless, frictionless access to LTS containers.”
AWS, Azure and Google offer Ubuntu Pro natively in their IAAS services. The new offering is included in public cloud Ubuntu Pro subscriptions at no additional cost.
Latest AI/ML toolchains, dependencies and stacks
The company already has global partners and customers that build containers for AI workloads and solutions, using thousands of upstream open source dependencies maintained by Canonical alongside Ubuntu. Enterprise and ISV partners can now access this collection for their own AI needs.
As an example of the way Everything LTS changes enterprise and ISV product plans and possibilities, Canonical can disclose that it now maintains more than 2,000 widely used AI/ML libraries and tools, including PyTorch, Tensorflow, Rapids, Triton, CASK, and many more essential upstream elements of the latest machine learning and generative AI solutions.
The portfolio includes LTS containers for MLOps, data management and streaming applications to speed up enterprise AI production initiatives without worrying about future maintenance burdens.
LTS for containers and any open source dependencies
The new service is ideal for organisations looking for a trusted partner to maintain container images that meet stringent reporting and remediation requirements.
Canonical coined the term Long Term Support with the first Ubuntu LTS in 2006. The company has a reputation for security maintenance quality and speed, delivering fixes for more CVEs, sooner, and with fewer defects than other enterprise offerings. Average time to fix critical CVEs is less than 24 hours, which is why Ubuntu Pro underpins the security of global SaaS brands and AI offerings as well as enterprise solutions from major ISVs.
Canonical’s container build service will include up to a 12 year Long Term Support commitment, providing more than a decade of security maintenance for the custom Docker image. This LTS commitment combined with the company’s upstream community relationships makes Canonical an ideal partner for organisations that want to get the best of both worlds: the assurances offered by a reliable partner with the latest and greatest open source.
Compliant and future-proof
Organisations are hard-pressed to meet stringent vulnerability management, auditing and reporting requirements. Canonical and Ubuntu Pro enable companies and ISVs to comply with upcoming regulations like the EU Cyber Resilience Act (CRA). The images delivered as part of the container build service will inherit this benefit, allowing organisations to offload to Canonical the burden of meeting stringent reporting and remediation requirements.
Canonical-supported containers are trusted in highly regulated environments. For instance, hardened Ubuntu containers are pre-approved for use by US government agencies and software vendors on the Iron Bank, a secure container repository managed by the US Department of Defense’s Platform One.
Ubuntu Pro provides access to FIPS 140-2 certified cryptographic packages, facilitating compliance for FedRAMP, HIPAA, and PCI-DSS among other regulatory regimes. Organisations that get their secure containers from Canonical can take advantage of these certified components.
