Critical CVE fixes in 24 hours
Scanning container images for vulnerabilities is now widespread, but fixing them requires dedicated skills and infrastructure. Trusted provenance is key.
The LTS Docker Image Portfolio provides ready-to-use application base images, free of high and critical CVEs. Images are built on the same secure infrastructure that builds Ubuntu, and updated automatically when apps or dependencies are fixed.Explore our CVE-fixing track record ›
- Minimum 5 years of 24/7 security updates from Canonical
- Fixes for high and critical Common Vulnerabilities and Exposures (CVEs)
- The Ubuntu distribution base image and application layers
- All major architectures
- Designed for layering - "
FAQ on the LTS Docker Image Portfolio
Where are the images?
On Amazon ECR Public and Docker Hub, images are provided in three groups:
- Ubuntu on Docker Hub and ECR Public have development releases with security updates
- LTS ("Canonical") on ECR Public has Free LTS images with up to five years fixes
- Customer-only content with up to ten years of fixes. Contact us.
All of our Docker Hub repositories are exempted from per-user rate limits.
Are these Official Images on Docker Hub?
Several images from the Canonical LTS Docker Image Portfolio are free Docker Official Image versions during their five year standard security maintenance period. The Ubuntu base image is available both as an official image on Docker hub and through the LTS and Ubuntu namespaces on Amazon ECR Public.
Is the LTS Docker Image Portfolio a free or a commercial offering?
Both. Some LTS Docker Images have a free five year maintenance period, based on the underlying Ubuntu LTS free standard security maintenance period. After five years, these LTS images will get five more years of security patches through the Expanded Security Maintenance (ESM) program. The ESM program is available with our Ubuntu Advantage subscriptions. Some images don't get the free five initial LTS years, but still are eligible for the 10-year ESM program. On each image's documentation, the support dates and LTS/ESM logos indicate the current support status for every version. As with Ubuntu interim releases, ongoing development images are released regularly and receive free security updates while they are the current version. Read more.
Is there a long-term commitment? How long?
LTS Images are security-maintained for the full ten year period of their underlying Ubuntu LTS release. Some applications will have versions on multiple Ubuntu LTS versions. In each case, the image is maintained for the full life of the underlying Ubuntu LTS.
Can I use these images to build other applications?
Yes. Our hardened images are optimised for the developer experience, layering, and minimality. Each image is engineered to be clean, without layering artefacts, making it an ideal foundation for enterprise continuous integration and golden images. If you are an ISV, Canonical can offer embedded terms for redistribution and specific support. Get in touch.
Can I enable FIPS mode on Ubuntu-based container images?
Yes, with a valid Ubuntu Advantage subscription. Hosts or nodes running the hardened Ubuntu-based container images must be covered with Ubuntu Advantage subscriptions or be entitled Ubuntu Pro machines. You can read more about how to enable FIPS mode on container images in this blog post.