Linux image for docker

Long Term Supported OCI Images

Hardened container images, with stable tracks from development to production. Up to ten years guaranteed security maintenance from Canonical’s trusted repositories.

Critical CVE fixes in 24 hours

Scanning container images for vulnerabilities is now widespread, but fixing them requires dedicated skills and infrastructure. Trusted provenance is key.

The LTS Docker Image Portfolio provides ready-to-use application base images, free of high and critical CVEs. Images are built on the same secure infrastructure that builds Ubuntu, and updated automatically when apps or dependencies are fixed.

Our Commitment

  • Minimum 5 years of 24/7 security updates from Canonical
  • Fixes for high and critical Common Vulnerabilities and Exposures (CVEs)
  • The Ubuntu distribution base image and application layers
  • All major architectures
  • Designed for layering: "FROM public.ecr.aws/lts/mysql"

FAQ on the LTS Docker Image Portfolio

Where are the images?

On Amazon ECR Public and Docker Hub, images are provided in three groups:

  • Ubuntu on Docker Hub and ECR Public has development releases with security updates
  • LTS ("Canonical") on ECR Public has free LTS images with up to five years of fixes
  • Customer-only content with up to ten years of fixes. Contact us.

All of our Docker Hub repositories are exempted from per-user rate limits.

Are these Official Images on Docker Hub?

Several images from the Canonical LTS Docker Image Portfolio are free Docker Official Image versions during their five-year standard security maintenance period. The Ubuntu base image is available both as an official image on Docker Hub and through the LTS and Ubuntu namespaces on Amazon ECR Public.

Is the LTS Docker Image Portfolio a free or a commercial offering?

Both. Some LTS Docker Images have a free five-year maintenance period, based on the free standard security maintenance period of the underlying Ubuntu LTS. After five years, these LTS images get five more years of security patches through the Expanded Security Maintenance (ESM) program. The ESM program is available with our Ubuntu Advantage subscriptions. Some images don't get the free initial five LTS years but are still eligible for the 10-year ESM program. On each image's documentation, the support dates and LTS/ESM logos indicate the current support status for every version. As with Ubuntu interim releases, ongoing development images are released regularly and receive free security updates while they are the current version.


Is there a long-term commitment? How long?

LTS Images are security-maintained for the full ten year period of their underlying Ubuntu LTS release. Some applications will have versions on multiple Ubuntu LTS versions. In each case, the image is maintained for the full life of the underlying Ubuntu LTS.

Can I use these images to build other applications?

Yes. Our hardened images are optimised for the developer experience, layering, and minimality. Each image is engineered to be clean, without layering artefacts, making it an ideal foundation for enterprise continuous integration and golden images. If you are an ISV, Canonical can offer embedded terms for redistribution and specific support. Get in touch.

Can I enable FIPS mode on Ubuntu-based container images?

Yes, with a valid Ubuntu Advantage subscription. Hosts or nodes running the hardened Ubuntu-based container images must be covered with Ubuntu Advantage subscriptions or be entitled Ubuntu Pro machines. You can read more about how to enable FIPS mode on container images in this blog post.

Secure your cloud solutions

Would you like to discuss your specific use case with us? Our team is here to help you secure your cloud solutions, starting with secure Docker images.

Try Landscape for free

Landscape is the most cost-effective way to manage desktops, servers, and clouds. Landscape is available with an Ubuntu Pro subscription. Self-hosted Landscape has a free tier for up to 10 machines for personal use or evaluation purposes.

Contact us today

Landscape is part of the Ubuntu Advantage service package, delivered by Canonical. Talk to a member of our team about the benefits it could bring to your organisation.


Using the Ubuntu Docker image


The official Ubuntu Docker image is the most downloaded image from Docker Hub. With over one billion downloads, Ubuntu has proven itself to be a popular and reliable base image on which to build your own custom Docker images.

In this post, I show you how to make the most of the base Ubuntu images while building your own Docker images.

An example Dockerfile

This is an example Dockerfile that includes the tweaks discussed in this post. I go through each of the settings to explain what value they add:

FROM ubuntu:22.04
RUN echo 'APT::Install-Suggests "0";' >> /etc/apt/apt.conf.d/00-docker
RUN echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf.d/00-docker
RUN DEBIAN_FRONTEND=noninteractive \
    apt-get update \
    && apt-get install -y python3 \
    && rm -rf /var/lib/apt/lists/*
RUN useradd -ms /bin/bash apprunner
USER apprunner

Build the image with the command:

Now that you’ve seen how to build a custom image from the Ubuntu base image, let’s go through each of the settings to understand why they were added.


Selecting a base image

Docker images are provided for all versions of Ubuntu, including Long Term Support (LTS) releases such as 20.04 and 22.04, and normal releases like 19.04, 19.10, 21.04, and 21.10.

LTS releases are supported for 5 years, and the associated Docker images are also maintained by Canonical during this period, as described on the Ubuntu release cycle page:

These images are also kept up to date, with the publication of rolled-up security-updated images on a regular cadence, and you should automate your use of the latest images to ensure consistent security coverage for your users.

When creating Docker images that host production software, it makes sense to base your images on the latest LTS release. This allows DevOps teams to rebuild their custom images on top of the latest LTS base image, which automatically includes all updates but is unlikely to include the kind of breaking changes that can be introduced between major operating system versions.

I used the Ubuntu 22.04 LTS Docker image as the base for this image, selected by the FROM instruction at the top of the example Dockerfile above.

Some packages have a list of suggested or recommended dependencies that aren't required but are installed by default. These additional dependencies can add unnecessarily to the size of the final Docker image, as Ubuntu notes in its blog post about reducing Docker image sizes.

To disable the installation of these optional dependencies for all invocations of apt-get, the configuration file at /etc/apt/apt.conf.d/00-docker is created with the following settings:

RUN echo 'APT::Install-Suggests "0";' >> /etc/apt/apt.conf.d/00-docker
RUN echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf.d/00-docker

Installing additional packages

Most custom images based on Ubuntu require you to install additional packages. For example, to run custom applications written in Python, PHP, Java, Node.js, or .NET, your custom image must have the packages associated with those languages installed.

On a typical workstation or server, packages are installed interactively with a simple apt-get install command naming the package.

The process of installing new software in a Docker image is non-interactive, which means you don't have an opportunity to respond to prompts. This means you must add the -y argument to automatically answer "yes" to the prompt asking whether to continue with the package installation:

RUN apt-get install -y python3

Preventing prompt errors during package installation

The installation of some packages attempts to open additional prompts to further customize installation options. In a non-interactive environment, such as during the construction of a Docker image, attempts to open these dialogs result in errors like:

unable to initialize frontend: Dialog

These errors can be ignored, as they don't prevent the packages from being installed. But they can be prevented by setting the DEBIAN_FRONTEND environment variable to noninteractive:

RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python3

The Docker website provides official guidance on the use of the DEBIAN_FRONTEND environment variable. They consider it a cosmetic change and recommend against permanently setting the environment variable. The command above sets the environment variable only for the duration of the single apt-get command, meaning any subsequent calls to apt-get will not have DEBIAN_FRONTEND defined.


Cleaning up package lists

Before any packages can be installed, you need to update the package list by calling apt-get update.

However, the package list is of little value after the required packages have been installed. It's best practice to remove any unnecessary files from a Docker image to ensure the resulting image is as small as it can be. To clean up the package list after the required packages have been installed, the files under /var/lib/apt/lists/ are deleted.

Here you update the package list, install the required packages, and clean up the package list as part of a single command, broken up over multiple lines with a backslash at the end of each line:

RUN DEBIAN_FRONTEND=noninteractive \
    apt-get update \
    && apt-get install -y python3 \
    && rm -rf /var/lib/apt/lists/*

Run as non-root user

By default, processes in a Docker container run as the root user. The root user typically has far more privileges than are required to run a custom application, so creating a new user without root privileges provides better security.

The useradd command used below isn't to be confused with the adduser command, which is a higher-level wrapper over useradd.

After all configuration files have been edited and packages have been installed, you create a new user called apprunner:

RUN useradd -ms /bin/bash apprunner

This user is then set as the default user for any further operations with the USER instruction, the final line of the example Dockerfile above.

Conclusion

It’s possible to use the base Ubuntu Docker images with little customization beyond installing any required additional packages. But with a few tweaks to limit optional packages from being installed, cleaning up package lists after the packages are installed, and creating new users with limited permissions to run custom applications, you can create smaller and more secure images for your custom applications.
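As an added check that is not part of the original post: a small Python linter that parses a Dockerfile (joining backslash-continued RUN lines) and reports which of the tweaks above are missing: a pinned Ubuntu LTS base tag, Install-Recommends/Install-Suggests disabled, -y on apt-get install, package lists removed in the same RUN, DEBIAN_FRONTEND not set permanently via ENV, and a non-root USER. The sample Dockerfiles and the check logic are my own constructions; the FROM check assumes the base image is named ubuntu.

```python
import re

# Constructed sample inputs: the post's Dockerfile (GOOD) and a naive one for comparison
GOOD = """FROM ubuntu:22.04
RUN echo 'APT::Install-Suggests "0";' >> /etc/apt/apt.conf.d/00-docker
RUN echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf.d/00-docker
RUN DEBIAN_FRONTEND=noninteractive \\
    apt-get update \\
    && apt-get install -y python3 \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd -ms /bin/bash apprunner
USER apprunner
"""
NAIVE = "FROM ubuntu:latest\nENV DEBIAN_FRONTEND=noninteractive\nRUN apt-get install python3\n"

def instructions(text):  # yield (INSTRUCTION, args); joins backslash continuations, drops comments
    for line in re.sub(r"\s*\\\s*\n\s*", " ", text).splitlines():
        word, _, rest = line.strip().partition(" ")
        if word and not word.startswith("#"):
            yield word.upper(), rest.strip()

def assumes_yes(segment):  # True if an apt-get install segment carries -y (also bundled, e.g. -qy)
    return any(t in ("--yes", "--assume-yes") or (t[:1] == "-" and t[:2] != "--" and "y" in t)
               for t in segment.split())

def check(text):
    """Return a list of findings; an empty list means every tweak from the post is present."""
    findings, run_text, user = [], "", None
    for instr, arg in instructions(text):
        # The post bases images on the latest Ubuntu LTS: a pinned, even-year YY.04 tag
        if instr == "FROM" and not re.fullmatch(r"ubuntu:\d[02468]\.04(\s+as\s+\w+)?", arg, re.I):
            findings.append(f"FROM should pin an Ubuntu LTS tag (even YY.04), got '{arg}'")
        elif instr == "ENV" and "DEBIAN_FRONTEND" in arg:
            findings.append("DEBIAN_FRONTEND set permanently via ENV; prefix the apt-get command instead")
        elif instr == "RUN":
            run_text += arg + "\n"
            for seg in arg.split("&&"):  # each chained command is checked on its own
                if "apt-get install" in seg and not assumes_yes(seg):
                    findings.append("apt-get install lacks -y; a non-interactive build cannot answer the prompt")
            if "apt-get install" in arg and "rm -rf /var/lib/apt/lists" not in arg:
                findings.append("package lists kept after install; add rm -rf /var/lib/apt/lists/*")
        elif instr == "USER":
            user = arg
    for key in ("Install-Recommends", "Install-Suggests"):
        if f'APT::{key} "0"' not in run_text:
            findings.append(f"APT::{key} not disabled; optional packages will bloat the image")
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("no non-root USER; the container would run as root")
    return findings
```

Running check(GOOD) returns an empty list, while check(NAIVE) reports all seven missing tweaks, so the function can gate a CI pipeline before docker build runs.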


Learn more

If you want to build and deploy containerized applications to AWS platforms such as EKS and ECS, try the Octopus Workflow Builder. The Builder populates a GitHub repository with a sample application built with GitHub Actions workflows and configures a hosted Octopus instance with sample deployment projects demonstrating best practices such as vulnerability scanning and Infrastructure as Code (IaC).

