Canonical Announces Everything LTS
Canonical, the company behind Ubuntu, has announced Everything LTS, a new service aimed at providing distroless Docker container images with twelve years of security updates and compatibility across a wide range of hosts, including Ubuntu itself, Red Hat Enterprise Linux (RHEL), VMware, and public Kubernetes-based clouds.
Canonical states that Everything LTS "extends Ubuntu Pro with thousands of new open-source components, including the latest AI/ML dependencies and tools for machine learning, training, and inference, maintained as a source alongside Ubuntu rather than as Deb packages. Customers hire Canonical to design a Docker image of an open-source application, or a base image that includes all the open-source dependencies needed to host their proprietary application."
In addition to container images based on Ubuntu, Canonical will also offer distroless Docker images. While the former needs no explanation as it is the default paradigm, the latter requires some clarification.
A distroless container image, from which a distroless container is derived, is a Docker image that contains only the files specifically required to run a single application, with nothing extra. While not a new concept, creating such images has typically been done from scratch, which introduces design and debugging challenges for developers working with complex applications that involve many components, languages, and runtime environments.
Ubuntu's chiselled containers are meant to address these challenges. They are containers built on Ubuntu using a tool called Chisel, which ensures that only the files necessary for the application are included.
Distroless containers offer two key benefits: first, they reduce the size of the container itself, leading to lower resource usage. Second, with fewer components, the attack surface and potential vulnerabilities are minimized. Canonical cited a study indicating that “84% of codebases have at least one open-source vulnerability, and 48% of those vulnerabilities are high-risk,” emphasizing the need to reduce containers to the bare minimum.
Far from being a theoretical concept, Microsoft and Canonical have developed chiselled containers for the .NET framework community. By using Chisel, the official .NET containers have been reduced in size by 100 megabytes, while the base image with the runtime environment for self-contained .NET applications takes up just 6 megabytes when compressed.
Mark Shuttleworth, CEO of Canonical, explains, "Everything LTS means CVE maintenance for the entire tree of open-source dependencies, including open-source components that have not yet been packaged as Deb in Ubuntu. We deliver distroless or Ubuntu-based Docker images tailored to your specifications, supported on RHEL, VMware, Ubuntu, or major public cloud Kubernetes implementations. Our enterprise customers and ISVs can now rely on Canonical to meet regulatory maintenance requirements for any open-source stack, regardless of its size or complexity, wherever they want to deploy it."
Another important point is that "Ubuntu Pro subscriptions include the right to run unlimited 'Everything LTS' containers. VMware, RHEL, and public cloud hosts are supported at the same cost as Ubuntu Pro hosts."
The twelve years of security support, combined with the reduced attack surface provided by distroless containers, create a combination that Canonical claims significantly enhances security. Based on the official announcement, Everything LTS appears to be a highly appealing option for businesses, which typically lean towards tightly controlled environments.
Those interested in learning all the details about Everything LTS can check out the post published on Canonical's official blog.