Your submission was sent successfully! Close

Jump to main content
  1. Blog
  2. Article

Philip Williams
on 25 May 2023

Secure containerised Ceph with Ubuntu container images

As we announced at Cephalocon 2023 in Amsterdam, Canonical has started to make container images for Ceph available.  We received lots of questions at the booth about what it means to the average Ceph user who has or wants to deploy Ceph on Ubuntu.  

In this blog post, we will cover the benefits to users who are running containerised Ceph on Ubuntu, and specifically how these images can provide an improved security posture.

What is an OCI?

An OCI image (Open Container Initiative) is a standardised software container that can be used on a variety of compliant host environments.  Ordinary packages have been used for many years to distribute software, but across various environments there can be different language runtimes, system libraries, and other dependencies that may not have been tested with the software that you want to use.

A software container solves this problem by encapsulating both the software and the surrounding environment.  So instead of having to maintain a collection of packages, a user simply runs a single container instantiated from a container image that contains the desired software.  The provider of the image (in this case, Canonical) completes compatibility testing with the surrounding Operating System and Ceph orchestration tooling, and most importantly, provides timely updates to the packages in the image.

Why use an Ubuntu provided container image?

It’s very important to know the provenance of any container image that a user may download from a container registry, as of course, anyone can publish an image to one of the many container registries that are in existence.

Specific to Ceph, the upstream development team provides several container images with support for the last few releases of Ceph.  Those images are available via the popular container registry, so in this scenario we know that the source is trustworthy.

But what happens when there’s a critical patch required in a production environment, and upstream hasn’t released a fix yet?  A helpful user might make a patched version of an image available, but can that be trusted?  Other packages might have been added, or maybe an outdated version of a package with a security bug got included by mistake.

Ubuntu Pro + Infra Support support can help in this situation by giving users access to a team of Ceph experts that are able to create hotfixes for a wide range of open source software, often as quickly as within 24 hours.  In this scenario, we would be able to provide a patched and trustworthy container image.

Via the Ubuntu repositories and sponsored container registries we are able to provide users of our software access to these fixes faster than the upstream projects are able to.

What makes the Ubuntu OCI different from the upstream image?

The Ceph OCI provided is fully compatible with cephadm managed Ceph clusters, and we are working hard to provide full compatibility with clusters deployed using Rook.

The only difference in our image is that when we build the image we use the Ceph packages included in Ubuntu repositories, so that we have full knowledge and control over the contents of the image, which is especially important for those situations where an emergency patch is required.  

Additionally, we carry out testing with the latest versions of Ceph on Ubuntu, both for package based installations and container based deployments with cephadm and Rook.

Where can I get it?

We currently publish our image on GitHub’s container registry here.

How can I use it?

We have tested using our image in two scenarios:

  1. Cephadm – installation instructions here
  2. Rook – installation instructions here

If you have questions about the use of our image, please visit our Ceph discourse page here.

Learn more

Related posts

Philip Williams
6 September 2023

Cloud storage for enterprises

Ceph Article

Any data-centric organisation faces the prospect of data growth at some point in their existence; it is estimated that more than 2,500 Petabytes (PB) of new data is created every day. While only a few organisations will ever have to deal with that kind of scale, it is important to plan ahead for your own ...

Philip Williams
2 August 2023

Meet the Canonical team at stackconf 2023

Cloud and server Article

Date: 13-14 September,  2023 Location: Berlin, Germany Join us for stackconf at the NH Hotel Alexanderplatz to learn about the latest developments in open source technology.  Find out how to accelerate your development and deployment cycles, and how to make your operations more robust and efficient with mature infrastructure stacks like O ...

Philip Williams
14 April 2023

Cloud storage at the edge with MicroCeph

Ceph Article

Over the years, our enterprise data centre users have told us how much they love the end to end experience of an application-centric solution like Juju to manage their entire infrastructure.  Juju is a software operator framework that abstracts the specifics of operating complex software and makes it simple and straightforward to deploy, ...