Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Valentin Viennot
on 10 November 2021

Intel and Canonical to secure containers software supply chain

Intel and Canonical collaborate to build and publish OpenVINO™ container images based on the Ubuntu ecosystem. This work aims to provide trusted, secure, and developer-friendly container images for AI/ML applications in many industries.

The provenance challenge facing cloud software

Today, cloud-native developers benefit from an abundance of resources to compose their applications. With container images, packaging all these resources in a standard, easy-to-reuse format is now easier than ever. Unfortunately, container images also make it easier to package unneeded, vulnerable software or even malicious resources.

Knowing which resources to use and what is a safe base layer when starting a cloud-native project is challenging. Extreme caution should go into picking these dependencies deliberately. Organisations need to provide their developers with “sane defaults”, trusted sources to underpin and support applications.

To help developers solve this issue, Intel and Canonical worked together to provide a set of secure and stable container images for the OpenVINO and OneAPI ecosystem, based on the Ubuntu base image and software. This effort supports developers in packaging Machine Learning (ML) and Artificial Intelligence (AI) models to deploy from the cloud to the edge.


The oneAPI specification provides an open, industry standard, cross-architecture software stack for CPU and accelerator architectures (GPUs, FPGAs, and others).

The oneAPI programming model simplifies software development and delivers uncompromised performance for accelerated compute without proprietary lock-in, while enabling the integration of legacy code. This enables a common cross-architecture developer experience for faster application performance, increased developer productivity, and greater innovation.

With oneAPI, developers can choose the best accelerator architecture for the specific problem they are trying to solve without needing to rewrite software for the next architecture and platform.

Intel OpenVINO

OpenVINO™ is an open-source toolkit for optimising and deploying AI inference. With OpenVINO, developers can run high-performance inferences with a write once, deploy anywhere efficiency using the Intel® Distribution of OpenVINO™ toolkit.

OpenVINO is powered by oneAPI using the Intel® oneAPI Deep Neural Network Library (oneDNN), a library of performant building blocks for deep learning applications that accelerates performance.

OpenVINO unlocks your cloud’s true potential:

  • Boosting deep learning performance in computer vision, automatic speech recognition, natural language processing and other common tasks.
  • Using models trained with popular frameworks like TensorFlow, PyTorch and more.
  • Reducing resource demands and efficiently deploying on a range of Intel® platforms from edge to cloud.

Canonical LTS Container Images

In response to the provenance challenge in OCI images, Canonical announced a program to provide hardened application container images for popular open source software with up to 10-year guaranteed security updates. This program is based on years of security expertise maintaining the Ubuntu operating system and cloud foundations software.

Similar to this initiative, Canonical works closely with its partners to provide end-users with quality Ubuntu-based container images that can provide both security and stability, as well as an outstanding developer experience.

Secure and stable container images

Building secure and stable OCI images starts from the choice of a base image. What could seem like a harmless initial decision will have long-term consequences. In fact, most of the software contained in OCI images actually comes from this layer #0 choice. They provide the foundation for applications to run: shared libs – like SSL and libc – and they enable developers to focus on the upper application layer.

The Ubuntu base image is the ideal foundation for OpenVINO and oneAPI based software:

  • Regular updates, content watched and quickly patched for security vulnerabilities, and commercial maintenance commitment.
  • Large secure and stable software ecosystem from the Ubuntu archives.
  • Developer-friendly: making developers’ lives easier reduces risks.

This close collaboration between Canonical and Intel ensures direct and fast updates, as well as a support option with the base image and software.

Making developers’ lives easier

“Secure” software tends to make developers’ lives more difficult, with a lot of complex configurations and validations. While it might sound counterintuitive, sometimes less is more. Indeed, hard-to-use software will often lead developers to use workarounds and bad practices in order to get things done. Similarly, if patching is hard, it won’t happen as often as needed.

To avoid security liabilities related to bad practices, it is critical to provide developers with the best experience possible. With this set of Ubuntu-based container images, not only does it provide a best-in-class developer experience, it also provides a consistent and familiar environment for cloud and AI developers.

Are you a developer interested in using these oneAPI-based OpenVINO containers based on Ubuntu images? Don’t miss part 2 and 3 of this blog series for a deeper dive into these technologies.

Keep reading, part two is live!

Related posts

5 September 2023

도커(Docker) 컨테이너 보안: 우분투 프로(Ubuntu Pro)로 FIPS 지원 컨테이너 이해하기

FIPS Security

오늘날 급변하는 디지털 환경에서 강력한 도커 컨테이너 보안 조치의 중요성은 아무리 강조해도 지나치지 않습니다. 컨테이너화된 계층도 규정 준수 표준의 적용을 받기 때문에 보안 문제 및 규정 준수 요구 사항이 발생합니다. 도커 컨테이너 보안 조치는 경량의 어플라이언스 유형 컨테이너(각 캡슐화 코드 및 해당 종속성)를 위협 및 취약성으로부터 보호하는 것을 수반합니다. 민감한 개인 데이터를 처리하는 데 의존하는 ...

21 November 2023

Canonical announces the general availability of chiselled Ubuntu containers

Canonical announcements Article

Production-ready, secure-by-design, ultra-small containers with chiselled Ubuntu Canonical announced today the general availability of chiselled Ubuntu containers which come with Canonical’s security maintenance and support commitment. Chiselled Ubuntu containers are ultra-small OCI images that deliver only the application and its runtime ...

4 April 2024

Canonical at America Digital Congress in Chile

AI Article

Canonical participates in America Digital Congress in Santiago, Chile. Learn how Canonical can support your digital transformation journey. ...