Canonical has officially released chiselled Ubuntu containers, offering production-ready, secure, and ultra-small container images with a focus on efficiency and security. These container images allow users to build images that only contain their application and its runtime dependencies, excluding unnecessary operating system-level packages, utilities, or libraries, and also come with a security maintenance and support commitment from Canonical.
The chiselled Ubuntu portfolio encompasses images for popular toolchains such as Java, .NET, and Python. Furthermore, Microsoft has collaborated with Canonical on this initiative, resulting in the general availability of chiselled Ubuntu container images for .NET 6, 7, and 8.
Security remains a key concern in containerization, as highlighted by GitLab's 2022 Global DevSecOps Survey, which reported that only 64% of security professionals had a security plan for containers. Canonical addresses this by providing chiselled Ubuntu containers with trusted provenance and an optimal developer-to-production experience. The container images use a developer-friendly open-source package manager called "Chisel," allowing developers to create ultra-small and precise file systems containing only what's needed to run their application.
Chiselled Ubuntu containers solve a similar need for cut-down container base images as Google's Distroless and Chainguard's images, bringing the same benefits such as minimising dependency challenges, reducing bloat and resource usage, speeding up startup, and enhancing security through reducing the number of unneeded files in the image. Chisel itself uses Slice Definition Files, which relate to the upstream packages in the Ubuntu archives, defining subsets of those package contents needed at runtime. This provides fine-grained dependency management through a developer-friendly CLI, enabling more efficient containerization with enhanced security by reducing the container image attack surface and entirely eliminating some potential attack vectors.
The integration of Chiselled Ubuntu with popular toolchains like .NET and Java allows developers to create and deploy secure, efficient container images seamlessly. For example, the Chiselled Ubuntu image for the Java Runtime Engine achieves a 51% reduction in compressed image size compared to Eclipse Temurin Java 17 runtime image without compromising throughput or startup performance.
In addition to the images for Java and Python, Chiselled Ubuntu containers for .NET and ASP.NET are available on various platforms, including AMD64, ARM-based platforms, and s390x. Microsoft and Canonical are collaborating on stable and supported chiselled .NET images for .NET 6, 7, and 8. The release of .NET 8 introduces security hardening options with chiselled Ubuntu image variants, offering users additional control over their container security. Richard Lander, program manager for .NET at Microsoft, expressed enthusiasm for the partnership, highlighting the benefits of smaller and tighter container images. Showing full commitment from and collaboration with Microsoft to the chiselled Ubuntu container images, Lander says:
"Chiselled Ubuntu images are our recommended base image for developers going forward"
However, in a Microsoft Devblog comment (highlighted by Devclass), Lander points out that these images will only work when all packages have slice information, which remains a work in progress.
Chiselled Ubuntu containers align with Ubuntu's long-term support guarantees, receiving 5-year free bug fixing and security patching for containers built from the main repository. The release cycle and library alignment with Ubuntu LTS further enhance reliability. Canonical's announcement of chiselled Ubuntu containers aims to provide developers with secure, efficient, and compatible containerization options. More information is available on Canonical's website.