Canonical's 'distroless' Linux images are a game-changer for enterprises
Canonical has announced plans to offer customized Docker container Long Term Support (LTS) Linux images via its Everything LTS service. These custom "distroless" Linux images are set to come with 12 years of security support for Linux, and any included open-source application or dependency within the container.
Canonical CEO Mark Shuttleworth didn't mince his words: "Everything LTS means CVE maintenance for your entire open-source dependency tree, including open source that is not already packaged as a deb in Ubuntu." This shift is a game-changer for enterprises and ISVs looking to meet stringent regulatory requirements with complex open-source stacks.
Also: Thinking about switching to Linux? 10 things you need to know
Shuttleworth said Canonical will deliver "distroless or Ubuntu-based Docker images to your spec, which we will support on RHEL, VMware, Ubuntu or major public cloud K8s. Our enterprise and ISV customers can now count on Canonical to meet regulatory maintenance requirements with any open source stack, no matter how large or complex, wherever they want to deploy it."
Although Shuttleworth implied Canonical, which is Ubuntu Linux's parent company, would support Red Hat Enterprise Linux (RHEL), it appears he meant Canonical would support these new Linux images on Red Hat OpenShift as well as all other Kubernetes distributions and cloud platforms.
Specifically, Canonical will back its images on all of Canonical's Kubernetes offerings -- MicroK8s or Charmed Kubernetes -- and support VMware on Tanzu Kubernetes Grid or vSphere with Kubernetes or Ubuntu virtual machines (VMs) on the vSphere cluster. On public clouds, Canonical plans to support containers on Azure, AWS, Google Cloud, IBM, and Oracle public cloud Kubernetes offerings.
Also: Sparky Linux is a blazing-fast distro that can keep your older machines running for years
With these new Open Container Initiative images, Canonical is embracing the "distroless" container paradigm in which images contain just enough of the operating system and software to run a specific application. These hardened, minimal containers have a reduced attack surface, making them much more secure than conventional Linux VMs or containers. Distros that use this approach include Alpine Linux, Fedora CoreOS, and Wolfi.
These new "chiseled" containers are built on Ubuntu with Chisel. This program chisels Debian packages into a file system containing only the minimal collections of files needed for the container to function properly.
Also: Why I use the Linux tree command daily - and what it can do for you
Canonical says that Ubuntu Pro subscriptions will include the right to run unlimited Everything LTS containers and that it will support VMware, OpenShift, and public cloud Kubernetes hosts at the same price as Ubuntu Pro hosts.
The Ubuntu Pro service will now include thousands of new open-source upstream components, including the latest AI/ML dependencies and tools. Canonical plans to maintain the 2,000 widely used AI/ML libraries and tools, including heavy hitters such as PyTorch, TensorFlow, and Rapids, as source code instead of as Debian/Ubuntu deb packages.
Canonical has also partnered with Microsoft to create chiseled containers, which are a mere 100MB, for the .NET community. A self-contained .NET application runtime base image is only 6MB when compressed.
Also: Canonical turns 20: Shaping the Ubuntu Linux world
Canonical also promises its average time for fixing critical CVE security issues will take less than 24 hours. Canonical is positioning itself as the go-to partner for organizations that want rock-solid security and cutting-edge, open-source tech.
At the same time, Canonical appears to be distancing itself from its Ubuntu brand. Ubuntu is still key, but meeting customer demands for tiny, ultra-secure images is coming first. This is a bold move by Shuttleworth in the ever-evolving market for enterprise Linux and cloud computing.