Intel and Canonical to secure containers software supply chain
Valentin Viennot
on 10 November 2021
Tags: containers , docker , Intel , machine learning , OpenVINO , Security
Intel and Canonical collaborate to build and publish OpenVINO™ container images based on the Ubuntu ecosystem. This work aims to provide trusted, secure, and developer-friendly container images for AI/ML applications in many industries.
The provenance challenge facing cloud software
Today, cloud-native developers benefit from an abundance of resources to compose their applications. With container images, packaging all these resources in a standard, easy-to-reuse format is now easier than ever. Unfortunately, container images also make it easier to package unneeded, vulnerable software or even malicious resources.
Knowing which resources to use and what is a safe base layer when starting a cloud-native project is challenging. Extreme caution should go into picking these dependencies deliberately. Organisations need to provide their developers with “sane defaults”, trusted sources to underpin and support applications.
To help developers solve this issue, Intel and Canonical worked together to provide a set of secure and stable container images for the OpenVINO and OneAPI ecosystem, based on the Ubuntu base image and software. This effort supports developers in packaging Machine Learning (ML) and Artificial Intelligence (AI) models to deploy from the cloud to the edge.
oneAPI
The oneAPI specification provides an open, industry standard, cross-architecture software stack for CPU and accelerator architectures (GPUs, FPGAs, and others).
The oneAPI programming model simplifies software development and delivers uncompromised performance for accelerated compute without proprietary lock-in, while enabling the integration of legacy code. This enables a common cross-architecture developer experience for faster application performance, increased developer productivity, and greater innovation.
With oneAPI, developers can choose the best accelerator architecture for the specific problem they are trying to solve without needing to rewrite software for the next architecture and platform.
Intel OpenVINO
OpenVINO™ is an open-source toolkit for optimising and deploying AI inference. With OpenVINO, developers can run high-performance inferences with a write once, deploy anywhere efficiency using the Intel® Distribution of OpenVINO™ toolkit.
OpenVINO is powered by oneAPI using the Intel® oneAPI Deep Neural Network Library (oneDNN), a library of performant building blocks for deep learning applications that accelerates performance.
OpenVINO unlocks your cloud’s true potential:
- Boosting deep learning performance in computer vision, automatic speech recognition, natural language processing and other common tasks.
- Using models trained with popular frameworks like TensorFlow, PyTorch and more.
- Reducing resource demands and efficiently deploying on a range of Intel® platforms from edge to cloud.
Canonical LTS Container Images
In response to the provenance challenge in OCI images, Canonical announced a program to provide hardened application container images for popular open source software with up to 10-year guaranteed security updates. This program is based on years of security expertise maintaining the Ubuntu operating system and cloud foundations software.
Similar to this initiative, Canonical works closely with its partners to provide end-users with quality Ubuntu-based container images that can provide both security and stability, as well as an outstanding developer experience.
Secure and stable container images
Building secure and stable OCI images starts from the choice of a base image. What could seem like a harmless initial decision will have long-term consequences. In fact, most of the software contained in OCI images actually comes from this layer #0 choice. They provide the foundation for applications to run: shared libs – like SSL and libc – and they enable developers to focus on the upper application layer.
The Ubuntu base image is the ideal foundation for OpenVINO and oneAPI based software:
- Regular updates, content watched and quickly patched for security vulnerabilities, and commercial maintenance commitment.
- Large secure and stable software ecosystem from the Ubuntu archives.
- Developer-friendly: making developers’ lives easier reduces risks.
This close collaboration between Canonical and Intel ensures direct and fast updates, as well as a support option with the base image and software.
Making developers’ lives easier
“Secure” software tends to make developers’ lives more difficult, with a lot of complex configurations and validations. While it might sound counterintuitive, sometimes less is more. Indeed, hard-to-use software will often lead developers to use workarounds and bad practices in order to get things done. Similarly, if patching is hard, it won’t happen as often as needed.
To avoid security liabilities related to bad practices, it is critical to provide developers with the best experience possible. With this set of Ubuntu-based container images, not only does it provide a best-in-class developer experience, it also provides a consistent and familiar environment for cloud and AI developers.
Are you a developer interested in using these oneAPI-based OpenVINO containers based on Ubuntu images? Don’t miss part 2 and 3 of this blog series for a deeper dive into these technologies.
- Watch our on-demand webinar about secure AI models deployment at the edge.
- Continue reading the series, introducing the demo “How to colourise black and white images with OpenVINO on Ubuntu containers”
Keep reading, part two is live!
What’s the risk of unsolved vulnerabilities in Docker images?
Recent surveys found that many popular containers had known vulnerabilities. Container images provenance is critical for a secure software supply chain in production. Benefit from Canonical’s security expertise with the LTS Docker images portfolio, a curated set of application images, free of vulnerabilities, with a 24/7 commitment.
Newsletter signup
Related posts
Canonical announces the general availability of chiselled Ubuntu containers
Production-ready, secure-by-design, ultra-small containers with chiselled Ubuntu Canonical announced today the general availability of chiselled Ubuntu...
Canonical announces Ubuntu Security Research Alliance Program
Today, Canonical, the publisher of Ubuntu, announced its new Ubuntu Security Research Alliance Program, a free partnership between Canonical and open source...
Needrestart local privilege escalation vulnerability fixes available
Qualys discovered vulnerabilities which allow a local attacker to gain root privileges in the needrestart package (CVE-2024-48990, CVE-2024-48991,...