Chiselled Ubuntu closes prevailing container security gaps

Canonical announced chiselled Ubuntu containers which come with Canonical’s security maintenance and support commitment.

Chiselled Ubuntu containers are ultra-small OCI images that deliver only the application and its runtime dependencies, and no other operating system-level packages, utilities, or libraries. This makes them lightweight to maintain and operate, secure, and efficient in resource utilisation.

Canonical’s chiselled Ubuntu portfolio includes pre-built images for popular toolchains like Java, .NET and Python. The company has been working closely with Microsoft to provide stable and supported chiselled containers for .NET 6 and 7. Support for .NET 8 was also announced at the Ubuntu Summit earlier this month.

“There has always been a need for smaller and tighter images. Developers remind us, as a base image provider, of that on a regular basis,” said Rich Lander, Program Manager, .NET at Microsoft.

“Chiselled images leapfrog over approaches we’ve looked at in the past. We love the idea and implementation of Chiselled images and Canonical as a partner. When technical leaders at Canonical shared the first demos of Chiselled images with us, we immediately wanted to be a launch partner, and we’re thrilled that we’re shipping Ubuntu Chiselled images for .NET as part of this GA release.”

Trusted provenance, optimal developer experience

According to GitLab’s 2022 Global DevSecOps Survey, only 64% of security professionals had a security plan for containers, and many DevOps teams don’t have a plan in place for other cutting-edge software technologies, including cloud-native/serverless, APIs, and microservices. Running applications securely at scale – with peace of mind – is one of Canonical’s key commitments to the open source world.

Chiselled Ubuntu containers provide both trusted provenance and an optimal developer-to-production experience, leading to more productive teams as well as more secure applications. At the heart of these containers sits a developer-friendly open source package manager called “Chisel”, which developers can use to sculpt meticulously precise and therefore ultra-small file systems.

Chisel relies on a curated collection of Slice Definition Files. These files are related to the upstream packages from the Ubuntu archives, and define one or more slices for any given package. A package slice details a subset of the package’s contents (comprising its maintainer scripts and dependencies) needed at run-time.

Chisel effectively layers reusable knowledge on top of traditional Ubuntu debian packages through a developer-friendly CLI and fine-grained dependency management mechanism.

The lack of unnecessary bits in the final image (as well as unused system utilities and excess package contents) reduces bloat, making it more efficient, as well as reducing their attack surface and mitigating entire classes of attacks. Faster network transfers, caching and startup, as well as reduced run times resource utilisation are guaranteed as applications carry only the dependencies they absolutely need.

With Chiselled Ubuntu organizations can simplify their containerisation journey with a smooth transition from development to production. Key benefits include:

• Bug-for-bug compatibility of containers and their contents from Developer experience through DevOps and DevSecOps to production, as all the containers are built from the same package contents
• Smaller containers means fewer dependency headaches across the container CI lifecycle
• Chisel CLI for an easy, Ubuntu-like experience as customers build or extend chiselled containers themselves using the same tools as Canonical
• Simple images means simpler image rebuilds

Reliable support and release cadence

Chiselled Ubuntu images inherit Ubuntu’s long-term support guarantees and are updated within the same release cycle using the self-same packages as within other LTS components. They are fully supported by Canonical:

• 5-year free bug fixing and security patching for containers build from the main repository
• 10-year security patching for Ubuntu Pro customers on all Ubuntu packages
• Optional weekday or 24/7 customer support
• 100% library and release cycle alignment with Ubuntu LTS

Prebuilt chiselled images for popular toolchains such as .NET and Java

Chiselled Ubuntu and toolchains come together seamlessly. It’s a developer’s shortcut to creating and deploying secure, super-efficient images for production from their development environment.

The Chiselled Ubuntu image for the Java Runtime Engine provides a ~51% reduction in the size of the compressed image compared to Eclipse Temurin Java 17 runtime image. The Chiselled Ubuntu image does not degrade throughput or startup performance compared to the evaluated images.

Chiselled Ubuntu containers for .NET and ASP.NET are now available on AMD64- and ARM-based platforms, as well as s390x, offering precision-engineered, production-destined containers to the .NET community. Shipping only the binaries needed to run .NET applications means a ready-for-production OCI container and lets you focus your added value: layering on your world-class applications and shipping to any platform.

Microsoft’s chiselled .NET images are now stable and supported for .NET 6, 7 and 8 images

With the release of .NET8, Microsoft and Canonical are joining forces to release chiselled Ubuntu for .NET8, including for AOT – Ahead of Time binaries. With .NET8, users can opt-in to security hardening with chiselled Ubuntu image variants to reduce their attack surface even further, as well as optimal container build, testing and deployment.

“Many .NET developers look to the .NET Team at Microsoft for best practice guidance, particularly if they are new to a domain. Ubuntu Chiselled images are our recommended base image for developers going forward. If you want to just use containers and not learn all the ins-and-outs, just choose Chiselled images”, Lander added.

Support and security features with Ubuntu Pro

Organizations can purchase security maintenance and support for Chiselled Ubuntu containers with an Ubuntu Pro subscription. Canonical experts offer support for bug fixes and troubleshooting to help manage containers more efficiently. With Ubuntu Pro, teams can reduce their average CVE exposure time from 98 days to one with 10 years of security maintenance guaranteed.