Secure containerised Ceph with Ubuntu container images

This article was last updated 1 year ago.

As we announced at Cephalocon 2023 in Amsterdam, Canonical has started to make container images for Ceph available. We received lots of questions at the booth about what this means for the average Ceph user who has deployed, or wants to deploy, Ceph on Ubuntu.

In this blog post, we will cover the benefits to users who are running containerised Ceph on Ubuntu, and specifically how these images can provide an improved security posture.

What is an OCI?

An OCI (Open Container Initiative) image is a standardised software container that can be used on a variety of compliant host environments. Ordinary packages have been used for many years to distribute software, but different environments can have different language runtimes, system libraries, and other dependencies that may not have been tested with the software that you want to use.

A software container solves this problem by encapsulating both the software and the surrounding environment. So instead of having to maintain a collection of packages, a user simply runs a single container instantiated from a container image that contains the desired software. The provider of the image (in this case, Canonical) completes compatibility testing with the surrounding operating system and Ceph orchestration tooling, and most importantly, provides timely updates to the packages in the image.

Why use an Ubuntu provided container image?

It’s very important to know the provenance of any container image that a user may download from a container registry, because anyone can publish an image to one of the many container registries in existence.

Specific to Ceph, the upstream development team provides several container images with support for the last few releases of Ceph.  Those images are available via the popular container registry, so in this scenario we know that the source is trustworthy.

But what happens when there’s a critical patch required in a production environment, and upstream hasn’t released a fix yet?  A helpful user might make a patched version of an image available, but can that be trusted?  Other packages might have been added, or maybe an outdated version of a package with a security bug got included by mistake.

Ubuntu Pro + Infra Support can help in this situation by giving users access to a team of Ceph experts that are able to create hotfixes for a wide range of open source software, often as quickly as within 24 hours. In this scenario, we would be able to provide a patched and trustworthy container image.

Via the Ubuntu repositories and sponsored container registries we are able to provide users of our software access to these fixes faster than the upstream projects are able to.

What makes the Ubuntu OCI different from the upstream image?

The Ceph OCI provided is fully compatible with cephadm managed Ceph clusters, and we are working hard to provide full compatibility with clusters deployed using Rook.

The only difference in our image is that we build it from the Ceph packages included in the Ubuntu repositories. This gives us full knowledge of, and control over, the contents of the image, which is especially important in situations where an emergency patch is required.

Additionally, we carry out testing with the latest versions of Ceph on Ubuntu, both for package based installations and container based deployments with cephadm and Rook.

Where can I get it?

We currently publish our image on GitHub’s container registry here.

How can I use it?

We have tested using our image in two scenarios:

  1. Cephadm – installation instructions here
  2. Rook – installation instructions here

If you have questions about the use of our image, please visit our Ceph discourse page here.
