.NET Chiselled Ubuntu Container Images Now Generally Available

At the end of November, the .NET chiselled Ubuntu container images achieved general availability. Microsoft announced that the images are now suitable for production use across .NET 6, 7, and 8, emphasizing that chiselled images are the result of a long-term partnership and design collaboration between Canonical and Microsoft.

.NET's Chiselled images for Ubuntu are a type of distroless container. They include only the essential packages needed for .NET, removing everything else. Compared to the full Ubuntu images, which are built on the Ubuntu base images, Chiselled images have a much smaller deployment size and a smaller attack surface. As stated, this is achieved by including only what is necessary for .NET.

These images, identified by the tag 8.0-jammy-chiseled, are now accessible in container repositories. It's important to note that the .NET 6 and 7 variants differ only in their version numbers, and these images depend on Ubuntu 22.04 (Jammy Jellyfish), as indicated by the jammy in the tag name.

.NET Chiselled containers aim to optimize the deployment of cloud applications by simplifying container images, focusing on essential components to enhance both size and security. As reported, Chiselled images trim over 100MB (uncompressed) compared to standard Ubuntu images, matching the size of Alpine, a favoured choice for its compact size.

It is stated that these are the smallest published images with glibc compatibility, offering reduced exposure to Common Vulnerabilities and Exposures (CVE) because they contain so few components. Their compatibility with Ubuntu, a popular choice for development environments, makes them an option for aligning development and production setups. Additionally, Chiselled images boast the most robust support among the various image variants.

From a security standpoint, Chiselled images are more resilient because they contain no shell and no package manager, which limits what an attacker can do inside a compromised container. Omitting components like curl and wget further enhances security by preventing the common tactic of downloading and executing scripts from an attacker-controlled server. Native Ahead-of-Time (AOT) compilation significantly reduces the image size to below 10MB, which is particularly beneficial for console apps and services.
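The claims above can be checked against an image's root filesystem. This added example is not from the article, Microsoft or Canonical; it scans a root filesystem tar (such as the output of `docker export` for a container created from the image) for shells, package managers and downloaders. The function names, binary names and sample archives are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile

# Tool categories the article says chiselled images omit. The concrete binary
# names and PATH directories are assumptions chosen for this example.
FORBIDDEN = {
    "shell": {"sh", "bash", "dash"},
    "package manager": {"apt", "apt-get", "dpkg"},
    "downloader": {"curl", "wget"},
}
BIN_DIRS = {"bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin"}

def audit_rootfs(tar_bytes):
    """Return {category: [paths]} for forbidden tools in a root filesystem tar."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            # Regular files, hard links and symlinks all make a tool callable.
            if not (member.isfile() or member.issym() or member.islnk()):
                continue
            # Normalize "./usr/bin/x" and "/usr/bin/x" to "usr/bin/x".
            path = posixpath.normpath(member.name).lstrip("/")
            directory, _, name = path.rpartition("/")
            if directory not in BIN_DIRS:
                continue
            for category, names in FORBIDDEN.items():
                if name in names:
                    findings.setdefault(category, []).append(path)
    return {category: sorted(paths) for category, paths in findings.items()}

def build_sample_rootfs(entries):
    """Build a constructed in-memory tar; entries maps path -> symlink target or None."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, target in entries.items():
            info = tarfile.TarInfo(path)  # defaults to an empty regular file
            if target is not None:
                info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info)
    return buf.getvalue()

# Constructed samples, not listings of the real images.
FULL_IMAGE = build_sample_rootfs({
    "usr/bin/dash": None, "usr/bin/sh": "dash", "usr/bin/apt-get": None,
    "usr/bin/curl": None, "./usr/bin/wget": None, "usr/share/dotnet/dotnet": None,
})
CHISELLED_IMAGE = build_sample_rootfs({
    "usr/share/dotnet/dotnet": None, "usr/lib/x86_64-linux-gnu/libc.so.6": None,
})
```

An empty result means none of the listed tools is reachable in the scanned directories; a copy placed elsewhere in the filesystem would not be flagged by this check.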

As reported, choosing between deployment options involves trade-offs. Framework-dependent deployment maximizes layer sharing, facilitating shared copies of .NET within registries and on a single machine hosting multiple .NET apps. On the other hand, self-contained apps excel in size and registry pull efficiency but have more limited sharing capabilities, only sharing runtime dependencies.

The introduction of Chiselled images marks a significant evolution in the container image portfolio, comparable to the support added for Alpine several years ago. Users are advised to examine this change closely. Notably, the Chiselled images released do not include ICU or tzdata, similar to Alpine, unless users opt for the extra images.

Users adopting .NET 8 are encouraged to explore Chiselled containers, as they offer substantial benefits with a relatively straightforward transition using a different image tag. Developers can read more about this in the interesting GitHub discussion regarding the extra images.

Richard Lander, in the original announcement blog post, emphasizes close collaboration with Canonical, the initial availability of chiselled images to .NET users, and an eagerness for broader adoption, encouraging developer ecosystems such as Java, Python, and Node.js to consider offering similar chiselled images, and also stating the following:

We’ve had recent requests for information on chiseled images, after the .NET Conf presentations. Perhaps a year from now, chiseled images will have become a common choice for many developers. Over time, we’ve seen the increasing customer challenge of operationally managing containers, largely related to CVE burden. We believe that chiseled images are a great solution for helping teams reduce cost and deploy apps with greater confidence.

To learn more, readers are encouraged to read the official announcement blog posts published by Canonical and Microsoft.
