
Intel and Canonical to secure containers software supply chain

Intel and Canonical collaborate to build and publish OpenVINO™ container images based on the Ubuntu ecosystem. This work aims to provide trusted, secure, and developer-friendly container images for AI/ML applications in many industries.

The provenance challenge facing cloud software

Today, cloud-native developers benefit from an abundance of resources to compose their applications. With container images, packaging all these resources in a standard, easy-to-reuse format is now easier than ever. Unfortunately, container images also make it easier to package unneeded, vulnerable software or even malicious resources.

Knowing which resources to use and what is a safe base layer when starting a cloud-native project is challenging. These dependencies should be picked deliberately and with extreme caution. Organisations need to provide their developers with “sane defaults”: trusted sources to underpin and support applications.

To help developers solve this issue, Intel and Canonical worked together to provide a set of secure and stable container images for the OpenVINO and oneAPI ecosystem, based on the Ubuntu base image and software. This effort supports developers in packaging Machine Learning (ML) and Artificial Intelligence (AI) models to deploy from the cloud to the edge.

oneAPI

The oneAPI specification provides an open, industry standard, cross-architecture software stack for CPU and accelerator architectures (GPUs, FPGAs, and others).

The oneAPI programming model simplifies software development and delivers uncompromised performance for accelerated compute without proprietary lock-in, while enabling the integration of legacy code. This enables a common cross-architecture developer experience for faster application performance, increased developer productivity, and greater innovation.

With oneAPI, developers can choose the best accelerator architecture for the specific problem they are trying to solve without needing to rewrite software for the next architecture and platform.

Intel OpenVINO

OpenVINO™ is an open-source toolkit for optimising and deploying AI inference. With the Intel® Distribution of OpenVINO™ toolkit, developers can run high-performance inference with write-once, deploy-anywhere efficiency.

OpenVINO is powered by oneAPI using the Intel® oneAPI Deep Neural Network Library (oneDNN), a library of performant building blocks for deep learning applications that accelerates performance.

OpenVINO unlocks your cloud’s true potential:

  • Boosting deep learning performance in computer vision, automatic speech recognition, natural language processing and other common tasks.
  • Using models trained with popular frameworks like TensorFlow, PyTorch and more.
  • Reducing resource demands and efficiently deploying on a range of Intel® platforms from edge to cloud.

Canonical LTS Container Images

In response to the provenance challenge in OCI images, Canonical announced a program to provide hardened application container images for popular open source software with up to 10-year guaranteed security updates. This program is based on years of security expertise maintaining the Ubuntu operating system and cloud foundations software.

Similar to this initiative, Canonical works closely with its partners to provide end-users with quality Ubuntu-based container images that can provide both security and stability, as well as an outstanding developer experience.

Secure and stable container images

Building secure and stable OCI images starts from the choice of a base image. What could seem like a harmless initial decision will have long-term consequences. In fact, most of the software contained in OCI images actually comes from this layer #0 choice. The base image provides the foundation for applications to run, including shared libraries such as SSL and libc, and lets developers focus on the upper application layer.

The Ubuntu base image is the ideal foundation for OpenVINO and oneAPI based software:

  • Regular updates, content watched and quickly patched for security vulnerabilities, and commercial maintenance commitment.
  • Large secure and stable software ecosystem from the Ubuntu archives.
  • Developer-friendly: making developers’ lives easier reduces risks.

This close collaboration between Canonical and Intel ensures direct and fast updates, as well as a support option with the base image and software.

Making developers’ lives easier

“Secure” software tends to make developers’ lives more difficult, with a lot of complex configurations and validations. While it might sound counterintuitive, sometimes less is more. Indeed, hard-to-use software will often lead developers to use workarounds and bad practices in order to get things done. Similarly, if patching is hard, it won’t happen as often as needed.

To avoid security liabilities related to bad practices, it is critical to provide developers with the best experience possible. This set of Ubuntu-based container images provides not only a best-in-class developer experience but also a consistent and familiar environment for cloud and AI developers.


Are you a developer interested in using these oneAPI based OpenVINO containers based on Ubuntu images? Register for our webinar on Nov. 17th on secure AI models deployment at the edge.

Don’t miss parts 2 and 3 of this blog series for a deeper dive into these technologies in the coming weeks.

