Canonical
on 21 November 2023

Canonical announces the general availability of chiselled Ubuntu containers


Production-ready, secure-by-design, ultra-small containers with chiselled Ubuntu

Canonical announced today the general availability of chiselled Ubuntu containers, which come with Canonical’s security maintenance and support commitment. Chiselled Ubuntu containers are ultra-small OCI images that deliver only the application and its runtime dependencies, and no other operating system-level packages, utilities, or libraries. This makes them lightweight to maintain and operate, secure, and efficient in resource utilisation.

Canonical’s chiselled Ubuntu portfolio includes pre-built images for popular toolchains like Java, .NET and Python. Microsoft announced today the general availability of chiselled Ubuntu container images for .NET 6, 7 and 8, the result of a long-term partnership and design collaboration between Canonical and Microsoft.

“There has always been a need for smaller and tighter images. Developers remind us, as a base image provider, of that on a regular basis. Chiselled images leapfrog over approaches we’ve looked at in the past. We love the idea and implementation of Chiselled images and Canonical as a partner. When technical leaders at Canonical shared the first demos of Chiselled images with us, we immediately wanted to be a launch partner, and we’re thrilled that we’re shipping Ubuntu Chiselled images for .NET as part of this GA release.”

Richard Lander, Program Manager, .NET at Microsoft

Trusted provenance, optimal developer experience

According to GitLab’s 2022 Global DevSecOps Survey, only 64% of security professionals had a security plan for containers, and many DevOps teams don’t have a plan in place for other cutting-edge software technologies, including cloud-native/serverless, APIs, and microservices. Running applications securely at scale – with peace of mind – is one of Canonical’s key commitments to the open source world. 

Chiselled Ubuntu containers provide both trusted provenance and an optimal developer-to-production experience, leading to more productive teams as well as more secure applications. At the heart of these containers sits a developer-friendly open source package manager called “Chisel”, which developers can use to sculpt meticulously precise and therefore ultra-small file systems.

Chisel relies on a curated collection of Slice Definition Files. These files are related to the upstream packages from the Ubuntu archives, and define one or more slices for any given package. A package slice details a subset of the package’s contents (comprising its maintainer scripts and dependencies) needed at run-time.

Chisel effectively layers reusable knowledge on top of traditional Ubuntu Debian packages through a developer-friendly CLI and a fine-grained dependency management mechanism.

The lack of unnecessary bits in the final image (such as unused system utilities and excess package contents) reduces bloat, making the image more efficient, as well as reducing its attack surface and mitigating entire classes of attacks. Faster network transfers, caching and startup, as well as reduced run-time resource utilisation, are guaranteed as applications carry only the dependencies they absolutely need.

With Chiselled Ubuntu, organisations can simplify their containerisation journey with a smooth transition from development to production.

Key benefits include:

  • Bug-for-bug compatibility of containers and their contents from developer experience through DevOps and DevSecOps to production, as all the containers are built from the same package contents
  • Smaller containers mean fewer dependency headaches across the container CI lifecycle
  • Chisel CLI for an easy, Ubuntu-like experience as customers build or extend chiselled containers themselves using the same tools as Canonical
  • Simple images mean simpler image rebuilds

Learn more about Canonical containers

Reliable support and release cadence

Chiselled Ubuntu images inherit Ubuntu’s long-term support guarantees and are updated within the same release cycle using the self-same packages as within other LTS components. They are fully supported by Canonical:

  • 5-year free bug fixing and security patching for containers built from the main repository
  • 10-year security patching for Ubuntu Pro customers on all Ubuntu packages
  • Optional weekday or 24/7 customer support
  • 100% library and release cycle alignment with Ubuntu LTS

Prebuilt chiselled images for popular toolchains such as .NET and Java

Chiselled Ubuntu and toolchains come together seamlessly. It’s a developer’s shortcut to creating and deploying secure, super-efficient images for production from their development environment. 

The Chiselled Ubuntu image for the Java Runtime Engine provides a ~51% reduction in the size of the compressed image compared to the Eclipse Temurin Java 17 runtime image. The Chiselled Ubuntu image does not degrade throughput or startup performance compared to the evaluated images.

Chiselled Ubuntu containers for .NET and ASP.NET are now available on AMD64- and ARM-based platforms, offering precision-engineered, production-destined containers to the .NET community. Shipping only the binaries needed to run .NET applications means a ready-for-production OCI container and lets you focus on your added value: layering on your world-class applications and shipping to any platform.

Microsoft’s chiselled .NET images are now stable and supported for .NET 6, 7 and 8 images

With the release of .NET 8, Microsoft and Canonical are joining forces to release chiselled Ubuntu for .NET 8, including for AOT (ahead-of-time) binaries. With .NET 8, users can opt in to security hardening with chiselled Ubuntu image variants to reduce their attack surface even further, as well as to optimal container build, testing and deployment.

“Many .NET developers look to the .NET Team at Microsoft for best practice guidance, particularly if they are new to a domain. Chiselled Ubuntu images are our recommended base image for developers going forward. If you want to just use containers and not learn all the ins-and-outs, just choose chiselled images.”

Richard Lander, Program Manager, Microsoft .NET

Watch our interview with Microsoft on chiselled Ubuntu.

Support and security features with Ubuntu Pro

Organisations can purchase security maintenance and support for chiselled Ubuntu containers with an Ubuntu Pro subscription. Canonical experts offer support for bug fixes and troubleshooting to help manage containers more efficiently. With Ubuntu Pro, teams can reduce their average CVE exposure time from 98 days to one, with 10 years of security maintenance guaranteed.

Learn more at ubuntu.com/pro.

Go off and chisel
