
Canonical
on 21 November 2023

Canonical announces the general availability of chiselled Ubuntu containers


Production-ready, secure-by-design, ultra-small containers with chiselled Ubuntu

Canonical announced today the general availability of chiselled Ubuntu containers, which come with Canonical’s security maintenance and support commitment. Chiselled Ubuntu containers are ultra-small OCI images that deliver only the application and its runtime dependencies, and no other operating system-level packages, utilities, or libraries. This makes them lightweight to maintain and operate, secure, and efficient in resource utilisation.

Canonical’s chiselled Ubuntu portfolio includes pre-built images for popular toolchains like Java, .NET and Python. Microsoft announced today the general availability of chiselled Ubuntu container images for .NET 6, 7 and 8, the result of a long-term partnership and design collaboration between Canonical and Microsoft.

“There has always been a need for smaller and tighter images. Developers remind us, as a base image provider, of that on a regular basis. Chiselled images leapfrog over approaches we’ve looked at in the past. We love the idea and implementation of Chiselled images and Canonical as a partner. When technical leaders at Canonical shared the first demos of Chiselled images with us, we immediately wanted to be a launch partner, and we’re thrilled that we’re shipping Ubuntu Chiselled images for .NET as part of this GA release.”

Richard Lander, Program Manager, .NET at Microsoft

Trusted provenance, optimal developer experience

According to GitLab’s 2022 Global DevSecOps Survey, only 64% of security professionals had a security plan for containers, and many DevOps teams don’t have a plan in place for other cutting-edge software technologies, including cloud-native/serverless, APIs, and microservices. Running applications securely at scale – with peace of mind – is one of Canonical’s key commitments to the open source world. 

Chiselled Ubuntu containers provide both trusted provenance and an optimal developer-to-production experience, leading to more productive teams as well as more secure applications. At the heart of these containers sits a developer-friendly open source package manager called “Chisel”, which developers can use to sculpt meticulously precise and therefore ultra-small file systems.

Chisel relies on a curated collection of Slice Definition Files. These files are related to the upstream packages from the Ubuntu archives, and define one or more slices for any given package. A package slice details a subset of the package’s contents (comprising its maintainer scripts and dependencies) needed at run-time.

Chisel effectively layers reusable knowledge on top of traditional Ubuntu Debian packages through a developer-friendly CLI and a fine-grained dependency management mechanism.

The lack of unnecessary bits in the final image (as well as unused system utilities and excess package contents) reduces bloat, making the image more efficient, while also reducing its attack surface and mitigating entire classes of attacks. Faster network transfers, caching and startup, as well as reduced run-time resource utilisation, are guaranteed as applications carry only the dependencies they absolutely need.

With Chiselled Ubuntu, organisations can simplify their containerisation journey with a smooth transition from development to production.

Key benefits include:

  • Bug-for-bug compatibility of containers and their contents from Developer experience through DevOps and DevSecOps to production, as all the containers are built from the same package contents 
  • Smaller containers mean fewer dependency headaches across the container CI lifecycle
  • Chisel CLI for an easy, Ubuntu-like experience as customers build or extend chiselled containers themselves using the same tools as Canonical
  • Simple images mean simpler image rebuilds

Learn more about Canonical containers

Reliable support and release cadence

Chiselled Ubuntu images inherit Ubuntu’s long-term support guarantees and are updated within the same release cycle using the self-same packages as within other LTS components. They are fully supported by Canonical:

  • 5-year free bug fixing and security patching for containers built from the main repository
  • 10-year security patching for Ubuntu Pro customers on all Ubuntu packages
  • Optional weekday or 24/7 customer support
  • 100% library and release cycle alignment with Ubuntu LTS

Prebuilt chiselled images for popular toolchains such as .NET and Java

Chiselled Ubuntu and toolchains come together seamlessly. It’s a developer’s shortcut to creating and deploying secure, super-efficient images for production from their development environment. 

The Chiselled Ubuntu image for the Java Runtime Engine provides a ~51% reduction in the size of the compressed image compared to the Eclipse Temurin Java 17 runtime image. The Chiselled Ubuntu image does not degrade throughput or startup performance compared to the evaluated images.

Chiselled Ubuntu containers for .NET and ASP.NET are now available on AMD64- and ARM-based platforms, offering precision-engineered, production-destined containers to the .NET community. Shipping only the binaries needed to run .NET applications means a ready-for-production OCI container and lets you focus on your added value: layering on your world-class applications and shipping to any platform.

Microsoft’s chiselled .NET images are now stable and supported for .NET 6, 7 and 8 images

With the release of .NET 8, Microsoft and Canonical are joining forces to release chiselled Ubuntu for .NET 8, including for AOT (Ahead of Time) binaries. With .NET 8, users can opt in to security hardening with chiselled Ubuntu image variants to reduce their attack surface even further, and to get optimal container build, testing and deployment.

“Many .NET developers look to the .NET Team at Microsoft for best practice guidance, particularly if they are new to a domain. Chiselled Ubuntu images are our recommended base image for developers going forward. If you want to just use containers and not learn all the ins-and-outs, just choose chiselled images.”

Richard Lander, Program Manager, Microsoft .NET

Watch our interview with Microsoft on chiselled Ubuntu.

Support and security features with Ubuntu Pro

Organisations can purchase security maintenance and support for chiselled Ubuntu containers with an Ubuntu Pro subscription. Canonical experts offer support for bug fixes and troubleshooting to help manage containers more efficiently. With Ubuntu Pro, teams can reduce their average CVE exposure time from 98 days to one, with 10 years of security maintenance guaranteed.

Learn more at ubuntu.com/pro.

Go off and chisel
