Your data applications, contained and maintained

Faheem

Introducing trusted open source database containers

It’s time to stop proclaiming that “cloud native is the future”. Kubernetes has just celebrated its 10-year anniversary, and 76% of respondents to the latest CNCF Annual Survey reported that they’ve adopted cloud native technologies, like containers, for much or all of their production development and deployment. Cloud native isn’t the future – it’s here and now.

Data-intensive workloads are no exception. On the contrary, The Voice of Kubernetes Experts Report 2024 found that 97% of organizations are running data workloads on cloud native platforms, with 72% of databases and 67% of analytics services being run on Kubernetes.

Database containers are driving major improvements in scalability, flexibility, operational simplicity, and cost. But managing such stateful solutions on containers, often built using multiple open-source components, is also causing no small number of headaches for site reliability engineers, platform engineers, and CISOs alike. Alongside considerable complexity, containers can also introduce security and compliance risks due to uncertain image provenance, large attack surfaces, and lack of timely CVE fixes – particularly when developers build them themselves using the latest versions of open-source components.

In this blog, we’ll explain Canonical’s answer to the data container dilemma. In short, we’ve created a portfolio of securely designed, minimal, and fully maintained data application container images that enable organizations to enjoy the full benefits of cloud native architecture without compromising security or compounding operational complexity.

Canonical’s database containers

At Canonical, we know a thing or two about maintaining open source software – it’s what we’ve been doing for over 20 years. And that’s not just Ubuntu; we also maintain more than 36,000 additional packages from across the broader open source ecosystem. Now, we’re extending that same industry-leading expertise to data application containers.

So what does this mean in practice? It means that we’ve built enterprise-grade container images, designed from the ground up with security in mind following industry best practices. It means that we continuously monitor and rapidly address CVEs affecting the containers, with fixes for critical vulnerabilities available within 24 hours on average. And it means that we maintain and support each container image for up to 12 years with Ubuntu Pro.

Our database containers are fully OCI-compliant, and can run on any OCI-compliant platform, including Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Red Hat OpenShift. What’s more, they can run on any operating system.

Our goal is to give organizations a single source for trusted, securely designed, and maintained open source containers that they can confidently deploy in production. You know where your images come from, you know that they’re optimally and consistently packaged, and you know that they will receive regular updates and CVE fixes.

Supply chain security has never been more important – it’s at the heart of Europe’s new Cyber Resilience Act (CRA), and other similar regulations are likely to follow. Our secure-by-design containers enable you to meet the requirements of these standards head-on.

We offer two kinds of container to meet the needs of different users. On one hand, we have standard OCI containers that include everything you need to develop, debug and run your applications with your preferred databases. On the other hand, we deliver ultra-small containers with a minimal attack surface – we call these “chiseled” containers.

Minimal containers, minimal attack surface

In the world of containers, size matters. The larger a container image is, the larger its attack surface, and the more susceptible it is to vulnerabilities. With that in mind, we’ve created truly minimal database container images called chiseled containers.

Building on the concept of distroless containers, chiseled containers deliver only the application and its runtime dependencies, with no other operating system-level packages, utilities, or libraries. They’re rootless, and include no package manager or shell. This results in a minimal footprint that trims up to 80% of a traditional container’s attack surface. They differ from standard distroless containers in that they offer greater operational flexibility and compatibility with Ubuntu ecosystems. Because they maintain strong compatibility with Ubuntu-based workflows and tools, they’re a good fit for enterprises already using Ubuntu, while still being able to run on any OS.

Let’s take Valkey as an example. While a full-blown Valkey container is roughly 320MB, chiseled Valkey is just 26.7MB.

The drastically reduced size of chiseled containers – which inherently reduces the number of potential vulnerabilities and attack vectors – makes them ideal for production. At the same time, the cut-down nature of the images makes them lighter, faster to build in CI pipelines, and in many cases more performant.

Everything you need in a single container

A fully stripped-down container is great, but on its own may not be sufficient for the most scalable use cases. Some organizations need a more comprehensive solution with all the bells and whistles – tools, libraries, configuration options, lifecycle management, and plugins. For these scenarios, we integrate charms with our containers to enhance the images with the benefits of software operators.

Charms are full solutions that integrate with the containers to provide configuration management, monitoring, backup, high availability, and automation tools, along with many of the most popular plugins where appropriate. In other words, you get a full solution composed of a robust set of containers and everything you need to run and operate your database.

Custom database containers for your use case

In the cloud-native era, enterprises often need the freedom to build their own containers, tailored to their unique requirements. One-size-fits-all database container configurations won’t always address the diverse needs of every organization. Generic container images are designed for broad applicability, but they may lack specific libraries or components necessary for your workloads. By composing custom containers, enterprises can ensure that their solutions are optimized for their use cases, and compliant with their internal policies.

However, maintaining the security, consistency, and stability of custom-built images is a highly challenging and time-consuming endeavor. This is where our Container Build Service comes in.

With Container Build Service, our team will custom build minimal and optimized containers for any data solution you need – and we’ll maintain these containers for you for up to 12 years, with the same rigor we apply to securing Ubuntu and the other data application containers described above. Whatever your specific requirements or use cases, Container Build Service ensures that you can benefit from expertly built and security-maintained containers.

Get in touch to discuss your custom container requirements.

Learn more about Canonical’s data solutions.
