Secure containerised Ceph with Ubuntu container images
As we announced at Cephalocon 2023 in Amsterdam, Canonical has started to make container images for Ceph available. We received lots of questions at the booth about what it means to the average Ceph user who has or wants to deploy Ceph on Ubuntu.
In this blog post, we will cover the benefits to users who are running containerised Ceph on Ubuntu, and specifically how these images can provide an improved security posture.
What is an OCI?
An OCI image (Open Container Initiative) is a standardised software container that can be used on a variety of compliant host environments. Ordinary packages have been used for many years to distribute software, but across various environments there can be different language runtimes, system libraries, and other dependencies that may not have been tested with the software that you want to use.
A software container solves this problem by encapsulating both the software and the surrounding environment. So instead of having to maintain a collection of packages, a user simply runs a single container instantiated from a container image that contains the desired software. The provider of the image (in this case, Canonical) completes compatibility testing with the surrounding Operating System and Ceph orchestration tooling, and most importantly, provides timely updates to the packages in the image.
Why use an Ubuntu provided container image?
It’s very important to know the provenance of any container image that a user may download from a container registry, as of course, anyone can publish an image to one of the many container registries that are in existence.
Specific to Ceph, the upstream development team provides several container images with support for the last few releases of Ceph. Those images are available via the popular container registry quay.io, so in this scenario we know that the source is trustworthy.
But what happens when there’s a critical patch required in a production environment, and upstream hasn’t released a fix yet? A helpful user might make a patched version of an image available, but can that be trusted? Other packages might have been added, or maybe an outdated version of a package with a security bug got included by mistake.
Ubuntu Pro + Infra Support support can help in this situation by giving users access to a team of Ceph experts that are able to create hotfixes for a wide range of open source software, often as quickly as within 24 hours. In this scenario, we would be able to provide a patched and trustworthy container image.
Via the Ubuntu repositories and sponsored container registries we are able to provide users of our software access to these fixes faster than the upstream projects are able to.
What makes the Ubuntu OCI different from the upstream image?
The Ceph OCI provided is fully compatible with cephadm managed Ceph clusters, and we are working hard to provide full compatibility with clusters deployed using Rook.
The only difference in our image is that when we build the image we use the Ceph packages included in Ubuntu repositories, so that we have full knowledge and control over the contents of the image, which is especially important for those situations where an emergency patch is required.
Additionally, we carry out testing with the latest versions of Ceph on Ubuntu, both for package based installations and container based deployments with cephadm and Rook.
Where can I get it?
We currently publish our image on GitHub’s container registry here.
How can I use it?
We have tested using our image in two scenarios:
If you have questions about the use of our image, please visit our Ceph discourse page here.