
Valentin Viennot
on 10 November 2021

Intel and Canonical to secure containers software supply chain


Intel and Canonical collaborate to build and publish OpenVINO™ container images based on the Ubuntu ecosystem. This work aims to provide trusted, secure, and developer-friendly container images for AI/ML applications in many industries.

The provenance challenge facing cloud software

Today, cloud-native developers benefit from an abundance of resources to compose their applications. With container images, packaging all these resources in a standard, easy-to-reuse format is now easier than ever. Unfortunately, container images also make it easier to package unneeded, vulnerable software or even malicious resources.

Knowing which resources to use and what makes a safe base layer when starting a cloud-native project is challenging. These dependencies should be picked deliberately and with extreme caution. Organisations need to provide their developers with “sane defaults”: trusted sources to underpin and support applications.

To help developers solve this issue, Intel and Canonical worked together to provide a set of secure and stable container images for the OpenVINO and oneAPI ecosystem, based on the Ubuntu base image and software. This effort supports developers in packaging Machine Learning (ML) and Artificial Intelligence (AI) models to deploy from the cloud to the edge.

oneAPI

The oneAPI specification provides an open, industry standard, cross-architecture software stack for CPU and accelerator architectures (GPUs, FPGAs, and others).

The oneAPI programming model simplifies software development and delivers uncompromised performance for accelerated compute without proprietary lock-in, while enabling the integration of legacy code. This enables a common cross-architecture developer experience for faster application performance, increased developer productivity, and greater innovation.

With oneAPI, developers can choose the best accelerator architecture for the specific problem they are trying to solve without needing to rewrite software for the next architecture and platform.

Intel OpenVINO

OpenVINO™ is an open-source toolkit for optimising and deploying AI inference. With the Intel® Distribution of OpenVINO™ toolkit, developers can run high-performance inference with write-once, deploy-anywhere efficiency.

OpenVINO is powered by oneAPI using the Intel® oneAPI Deep Neural Network Library (oneDNN), a library of performant building blocks for deep learning applications that accelerates performance.

OpenVINO unlocks your cloud’s true potential:

  • Boosting deep learning performance in computer vision, automatic speech recognition, natural language processing and other common tasks.
  • Using models trained with popular frameworks like TensorFlow, PyTorch and more.
  • Reducing resource demands and efficiently deploying on a range of Intel® platforms from edge to cloud.

Canonical LTS Container Images

In response to the provenance challenge in OCI images, Canonical announced a program to provide hardened application container images for popular open source software with up to 10-year guaranteed security updates. This program is based on years of security expertise maintaining the Ubuntu operating system and cloud foundations software.

Similar to this initiative, Canonical works closely with its partners to provide end-users with quality Ubuntu-based container images that can provide both security and stability, as well as an outstanding developer experience.

Secure and stable container images

Building secure and stable OCI images starts with the choice of a base image. What could seem like a harmless initial decision will have long-term consequences. In fact, most of the software contained in OCI images actually comes from this layer #0 choice. Base images provide the foundation for applications to run, including shared libraries such as SSL and libc, and they enable developers to focus on the upper application layer.

The Ubuntu base image is the ideal foundation for OpenVINO and oneAPI based software:

  • Regular updates, content watched and quickly patched for security vulnerabilities, and commercial maintenance commitment.
  • Large secure and stable software ecosystem from the Ubuntu archives.
  • Developer-friendly: making developers’ lives easier reduces risks.

This close collaboration between Canonical and Intel ensures direct and fast updates, as well as a support option with the base image and software.

Making developers’ lives easier

“Secure” software tends to make developers’ lives more difficult, with a lot of complex configurations and validations. While it might sound counterintuitive, sometimes less is more. Indeed, hard-to-use software will often lead developers to use workarounds and bad practices in order to get things done. Similarly, if patching is hard, it won’t happen as often as needed.

To avoid security liabilities related to bad practices, it is critical to provide developers with the best experience possible. This set of Ubuntu-based container images not only provides a best-in-class developer experience, it also provides a consistent and familiar environment for cloud and AI developers.


Are you a developer interested in using these oneAPI-based OpenVINO containers based on Ubuntu images? Don’t miss parts 2 and 3 of this blog series for a deeper dive into these technologies.

Keep reading, part two is live!
