Ubuntu chiselled containers arrive for .NET – smaller, more secure, but beware ‘sharp edges’


Ubuntu has made its chiselled containers for .NET generally available, providing a claimed 20 percent performance improvement for container startup as well as security benefits.

A chiselled container is the same concept as Google’s distroless project: stripping down the container image to only what is required in production. If the container targets a specific runtime such as Java or Node.js, only the binaries used by that runtime are included. Further, there is typically no shell, since a running application does not require it. Other elements removed include the package manager, package dependency metadata, headers and code. There is also no user with root privileges. All operations requiring root can be done when the container image is built. 
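One way to check an image against the omissions listed above, as an added example that is not from the article, Canonical or Microsoft: it scans a flat root-filesystem tar (the kind `docker export` writes) for shells, package managers, package metadata and headers. The path lists are assumptions for Debian/Ubuntu-family and Alpine layouts, and the sample file lists are constructed.

```python
import io
import posixpath
import tarfile

# Assumed path lists (editor's choice); extend them for your own base images.
EXACT = {
    "shell": {"bin/sh", "bin/bash", "bin/dash",
              "usr/bin/sh", "usr/bin/bash", "usr/bin/dash"},
    "package manager": {"usr/bin/apt", "usr/bin/apt-get", "usr/bin/dpkg", "sbin/apk"},
}
PREFIX = {
    "package metadata": ("var/lib/dpkg/info/", "var/lib/apt/lists/"),
    "headers": ("usr/include/",),
}

def audit_rootfs(fileobj):
    """Return {category: sorted paths} for content a chiselled image should omit."""
    findings = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if member.isdir():
                continue
            # Normalise "./usr/bin/bash" and "/usr/bin/bash" to "usr/bin/bash".
            path = posixpath.normpath(member.name).lstrip("/")
            for category, names in EXACT.items():
                if path in names:
                    findings.setdefault(category, []).append(path)
            for category, prefixes in PREFIX.items():
                if path.startswith(prefixes):
                    findings.setdefault(category, []).append(path)
    return {category: sorted(paths) for category, paths in findings.items()}

def build_sample_tar(paths):
    """Build an in-memory tar of empty files, standing in for an exported rootfs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for p in paths:
            tar.addfile(tarfile.TarInfo(name=p))
    buf.seek(0)
    return buf

# Constructed samples, not listings of any real image.
FULL = ["./usr/bin/bash", "usr/bin/apt", "var/lib/dpkg/info/libc6.list",
        "usr/include/stdio.h", "usr/share/dotnet/dotnet"]
CHISELLED = ["usr/share/dotnet/dotnet", "usr/lib/x86_64-linux-gnu/libc.so.6", "etc/passwd"]

if __name__ == "__main__":
    for label, paths in (("full", FULL), ("chiselled", CHISELLED)):
        print(label, audit_rootfs(build_sample_tar(paths)) or "clean")
```

An empty result means none of the listed paths were present; it does not show that the image runs without root, which is set in the image configuration rather than the filesystem.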

Google’s distroless images are widely used, not least by the Kubernetes project, the reason given being to “make the images thinner, safer and less vulnerable.”

Less is better: Chiselled images are notable for what they omit

The new .NET images are the result of cooperation between Microsoft and Ubuntu. Why not just use Google Distroless? The answer is perhaps political. Microsoft Principal Program Manager Richard Lander said that the company only takes artifacts from “upstream distros, specifically Alpine, Debian and Ubuntu … that’s why we never adopted Google Distroless and have been waiting for something like Ubuntu chiseled.” Google Distroless is in fact based on Debian, but Lander’s concern is that if an issue arises with the operating system outside of .NET, Microsoft will look for resolution from the provider of the upstream distro. 

The advantage for Canonical, owner of Ubuntu, is more obvious. Customers using Ubuntu Chiselled Containers can purchase support from the company. 

Another oddity is that Microsoft itself apparently does not use Ubuntu Chiselled Containers. “At Microsoft, we use Mariner Linux,” said Lander, this being its own distro. “That has worked out quite well.”

Developers already using Alpine Linux in production may also wonder what the point of the Ubuntu offering is. Alpine is a small distro built with containers and security in mind. Alpine is almost as small according to Microsoft and Canonical. One reason might be that there is benefit in using the same distro for both development and production, and Alpine is not suitable for development. Lander said that “we expect that many Alpine users will remain happy with Alpine and others will prefer Ubuntu Chiseled.”

Despite the advantages, there are snags, the main one being what to do if an application requires a binary that is not included. “We use SkiaSharp and depend on the fontconfig pkg on Alpine to be able to draw text on bitmaps so we install it using apk. How would we go about switching to chiseled runtimes?” asked one developer. The answer might not be straightforward. It is possible to add packages to the chiselled container, though the technique used depends on whether the target package is defined as a “slice”, this being the subset of a package’s contents “chiselled out” to make it suitable. By default the Chiselled Container for .NET does not include ICU (International Components for Unicode), which means that, among other things, the Microsoft SQL Server client for .NET does not work. There is an official variant that handles this, but for other libraries this can get fiddly. “They call it chiseled because it produces a result with some sharp edges!” said Lander.