Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Philip Williams
on 25 May 2023

Secure containerised Ceph with Ubuntu container images


As we announced at Cephalocon 2023 in Amsterdam, Canonical has started to make container images for Ceph available.  We received lots of questions at the booth about what it means to the average Ceph user who has or wants to deploy Ceph on Ubuntu.  

In this blog post, we will cover the benefits to users who are running containerised Ceph on Ubuntu, and specifically how these images can provide an improved security posture.

What is an OCI?

An OCI image (Open Container Initiative) is a standardised software container that can be used on a variety of compliant host environments.  Ordinary packages have been used for many years to distribute software, but across various environments there can be different language runtimes, system libraries, and other dependencies that may not have been tested with the software that you want to use.

A software container solves this problem by encapsulating both the software and the surrounding environment.  So instead of having to maintain a collection of packages, a user simply runs a single container instantiated from a container image that contains the desired software.  The provider of the image (in this case, Canonical) completes compatibility testing with the surrounding Operating System and Ceph orchestration tooling, and most importantly, provides timely updates to the packages in the image.

Why use an Ubuntu provided container image?

It’s very important to know the provenance of any container image that a user may download from a container registry, as of course, anyone can publish an image to one of the many container registries that are in existence.

Specific to Ceph, the upstream development team provides several container images with support for the last few releases of Ceph.  Those images are available via the popular container registry quay.io, so in this scenario we know that the source is trustworthy.

But what happens when there’s a critical patch required in a production environment, and upstream hasn’t released a fix yet?  A helpful user might make a patched version of an image available, but can that be trusted?  Other packages might have been added, or maybe an outdated version of a package with a security bug got included by mistake.

Ubuntu Pro + Infra Support support can help in this situation by giving users access to a team of Ceph experts that are able to create hotfixes for a wide range of open source software, often as quickly as within 24 hours.  In this scenario, we would be able to provide a patched and trustworthy container image.

Via the Ubuntu repositories and sponsored container registries we are able to provide users of our software access to these fixes faster than the upstream projects are able to.

What makes the Ubuntu OCI different from the upstream image?

The Ceph OCI provided is fully compatible with cephadm managed Ceph clusters, and we are working hard to provide full compatibility with clusters deployed using Rook.

The only difference in our image is that when we build the image we use the Ceph packages included in Ubuntu repositories, so that we have full knowledge and control over the contents of the image, which is especially important for those situations where an emergency patch is required.  

Additionally, we carry out testing with the latest versions of Ceph on Ubuntu, both for package based installations and container based deployments with cephadm and Rook.

Where can I get it?

We currently publish our image on GitHub’s container registry here.

How can I use it?

We have tested using our image in two scenarios:

  1. Cephadm – installation instructions here
  2. Rook – installation instructions here

If you have questions about the use of our image, please visit our Ceph discourse page here.

Learn more

Related posts


Philip Williams
16 August 2024

Managed storage with Ceph

Ceph Article

Treat your open source storage infrastructure as a service What if storage was like coffee: menu driven and truly service oriented? Everyone knows how quick and easy it is to order a cappuccino or cortado and have a friendly barista bring it to you in just minutes. Now imagine this is a user who needs ...


Philip Williams
25 July 2024

How do you select the best enterprise data storage solution for your business?

Ceph Article

The choices you make around IT infrastructure have great impact for both business cost and performance, across areas as diverse as operations, finance, data analysis and marketing. Given the importance of data across all of these areas and frankly, across your business as a whole, making the right decision when choosing a new storage syst ...


Philip Williams
16 July 2024

The guide to cloud storage security for public sector

Ceph Article

Cloud storage solutions can provide public sector organisations with a high degree of flexibility when it comes to their storage needs, either public cloud based, or in their own private clouds. In our previous blog post we looked at the economic differences between these two approaches. In this blog we will explore some of the ...