Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Philip Williams
on 25 May 2023

Secure containerised Ceph with Ubuntu container images

As we announced at Cephalocon 2023 in Amsterdam, Canonical has started to make container images for Ceph available.  We received lots of questions at the booth about what it means to the average Ceph user who has or wants to deploy Ceph on Ubuntu.  

In this blog post, we will cover the benefits to users who are running containerised Ceph on Ubuntu, and specifically how these images can provide an improved security posture.

What is an OCI?

An OCI image (Open Container Initiative) is a standardised software container that can be used on a variety of compliant host environments.  Ordinary packages have been used for many years to distribute software, but across various environments there can be different language runtimes, system libraries, and other dependencies that may not have been tested with the software that you want to use.

A software container solves this problem by encapsulating both the software and the surrounding environment.  So instead of having to maintain a collection of packages, a user simply runs a single container instantiated from a container image that contains the desired software.  The provider of the image (in this case, Canonical) completes compatibility testing with the surrounding Operating System and Ceph orchestration tooling, and most importantly, provides timely updates to the packages in the image.

Why use an Ubuntu provided container image?

It’s very important to know the provenance of any container image that a user may download from a container registry, as of course, anyone can publish an image to one of the many container registries that are in existence.

Specific to Ceph, the upstream development team provides several container images with support for the last few releases of Ceph.  Those images are available via the popular container registry, so in this scenario we know that the source is trustworthy.

But what happens when there’s a critical patch required in a production environment, and upstream hasn’t released a fix yet?  A helpful user might make a patched version of an image available, but can that be trusted?  Other packages might have been added, or maybe an outdated version of a package with a security bug got included by mistake.

Ubuntu Pro + Infra Support support can help in this situation by giving users access to a team of Ceph experts that are able to create hotfixes for a wide range of open source software, often as quickly as within 24 hours.  In this scenario, we would be able to provide a patched and trustworthy container image.

Via the Ubuntu repositories and sponsored container registries we are able to provide users of our software access to these fixes faster than the upstream projects are able to.

What makes the Ubuntu OCI different from the upstream image?

The Ceph OCI provided is fully compatible with cephadm managed Ceph clusters, and we are working hard to provide full compatibility with clusters deployed using Rook.

The only difference in our image is that when we build the image we use the Ceph packages included in Ubuntu repositories, so that we have full knowledge and control over the contents of the image, which is especially important for those situations where an emergency patch is required.  

Additionally, we carry out testing with the latest versions of Ceph on Ubuntu, both for package based installations and container based deployments with cephadm and Rook.

Where can I get it?

We currently publish our image on GitHub’s container registry here.

How can I use it?

We have tested using our image in two scenarios:

  1. Cephadm – installation instructions here
  2. Rook – installation instructions here

If you have questions about the use of our image, please visit our Ceph discourse page here.

Learn more

Related posts

Philip Williams
11 April 2024

The role of secure data storage in fueling AI innovation

Ceph Article

There is no AI without data Artificial intelligence is the most exciting technology revolution of recent years. Nvidia, Intel, AMD and others continue to produce faster and faster GPU’s enabling larger models, and higher throughput in decision making processes. Outside of the immediate AI-hype, one area still remains somewhat overlooked: ...

Philip Williams
12 March 2024

CentOS EOL – What does it mean for Ceph storage?

Ceph Article

Out of the darkness and into the light, a new path forward Back in 2020, the CentOS Project announced that they would focus only on CentOS Stream, meaning that CentOS 7 would be the last release with commonality to Red Hat Enterprise Linux. The End of Life (EOL) of CentOS 7 on June 30, 2024, ...

Philip Williams
26 February 2024

Ceph Storage for AI

Ceph Article

Use open source Ceph storage to fuel your AI vision The use of AI is a hot topic for any organisation right now. The allure of operational insights, profit, and cost reduction that could be derived from existing data makes it a technology that’s being rolled out at an incredible pace in even change-resistant organisations. ...