Announcing Chainguard VMs: Minimal, Zero-CVE Container Host Images
Access is now available through the Early Access program.
We’re excited to announce that Chainguard VMs, a catalog of guarded, minimal, zero-CVE container host images, has entered Early Access (EA). Purpose-built for modern, ephemeral cloud workloads, Chainguard VMs stand in stark contrast to the legacy, general-purpose VMs and operating systems that dominate the container host market today. During EA, Chainguard is accepting design partners who wish to collaborate on Chainguard VMs with our engineering, product, and design teams.
Built entirely from source on SLSA-certified build infrastructure, Chainguard VMs include only the components required to run as a container host, plus a kernel tuned for the underlying cloud provider. Leaving everything else out shrinks the virtual machine's attack surface and makes the host more efficient and secure without compromising performance. Like Chainguard Containers and Chainguard Libraries, Chainguard VMs are underpinned by the Chainguard OS and Software Factory, which give us full control over the software supply chain. That means Chainguard can continuously rebuild VM images as new security fixes land upstream and deliver a best-in-class remediation SLA for common vulnerabilities and exposures (CVEs). Chainguard VMs will help enterprises reduce the costly engineering toil of maintaining golden images for container hosts and establish a secure, standardized foundation for open source components within the enterprise. See below for a product demo.
In this blog post, we’ll dive into the motivations behind building Chainguard VMs and the value we deliver to customers.
Status Quo Challenges with General-Purpose VMs and Container Hosts
Customers have repeatedly come to us looking for a better solution for their container hosts, which today are primarily general-purpose virtual machines based on incumbent enterprise Linux distributions. Because they bundle thousands of packages that are unnecessary for running container hosts and containerized workloads, these legacy distributions must maintain a complex web of dependencies between components and “freeze” each release on a specific version stream. To fix vulnerabilities, the incumbent OS vendors then have to backport code changes from upstream maintainers rather than ship the latest upstream release that already contains the fix. With thousands of packages to maintain and support lifecycles of 5+ years, the manual engineering work required to validate, backport, test, and distribute CVE fixes is already huge, growing, and expensive. And as a distribution approaches end-of-life, many of its packages lose upstream support, leaving the OS vendor to produce CVE fixes from scratch. In many cases (e.g., for lower-severity CVEs), OS vendors abandon this Sisyphean task entirely. As a result, enterprise customers end up running an OS with a large volume of CVEs that will never be fixed.
To consume the latest upstream releases and eliminate these CVEs, enterprises must take on a major “big bang” upgrade to a new release of the distribution. Requiring big bang migrations to get access to new software releases means that enterprise users miss out on bug fixes, performance optimizations, stability enhancements, and, importantly, comprehensive security updates.
The status quo approach of relying on general-purpose VMs and traditional enterprise Linux distros to support the container host use case has created a few significant customer pain points:
Developer Toil: Traditional container hosts are rife with vulnerabilities because they do not receive frequent updates. Triaging, managing, and remediating these CVEs drives significant developer toil. Incumbent general-purpose VM vendors ignore some CVEs completely (i.e., marking them “will not fix”), creating complexity for users who need to meet compliance or customer SLAs.
Dated Software: Stale software that is inconsistent with upstream releases results in users missing out on functionality and performance updates. This inhibits users from optimizing for the latest hardware and software capabilities when building and deploying applications. Enterprise customers are finding it increasingly difficult to run modern container orchestration engines on legacy operating systems.
Big Bang Migrations: Enterprise Linux distributions require major version upgrades when they reach end-of-life. Engineering organizations then face enormous technical and operational challenges that come with big bang OS upgrades. Upgrading thousands of servers while bridging incompatibilities between software versions is expensive, resource-intensive, and painful.
Limited Choice: Enterprises deserve flexibility of choice to pick solutions that best fit their needs. Today, companies deploying cloud-native containerized applications are limited in their choice of operating system and container host VMs to a set of legacy vendors that don’t meet their needs, or CSP-native solutions that can’t be used across different cloud service providers.
Chainguard’s Solution: Chainguard VMs
To address these challenges, we built Chainguard VMs, a catalog of guarded container host images that is the VM analog of our container images. Chainguard VMs are purpose-built virtual machines that provide just the kernel and container runtime needed to run containers.
There are a few key pillars of value that we will deliver with Chainguard VMs:
Reduce Costly Engineering Toil: Chainguard container hosts are purpose-built, minimal, and have zero CVEs. Chainguard VMs reduce the burden on engineering teams for CVE triage, management, and remediation by providing a best-in-class CVE remediation SLA for container hosts, freeing up valuable technical resources to focus on higher-value business priorities.
Continuous Compliance: Compliance frameworks like FedRAMP, PCI DSS, and HIPAA require organizations to identify and remediate known vulnerabilities in their VMs, including container hosts. Chainguard accelerates audit timelines and simplifies continuous compliance with hardened, zero-CVE container hosts.
Secure Foundation for Open Source: By standardizing container host deployments on Chainguard VMs, customers will reduce their attack surface and ensure end-to-end integrity for all their software components. That means greater clarity into what OSS is deployed in the enterprise and how it's built.
Rapid Access to OSS Innovation: By rebuilding every VM component from source, Chainguard delivers continuous updates to customers, who benefit from the latest features, performance optimizations, and security updates from software maintainers. Chainguard eliminates the need for big bang software migrations with a better mechanism for open source software delivery.
Modern, Multi-Cloud Standard: Chainguard VMs are supported on all three major cloud providers as self-managed container hosts in compute (e.g., EC2). Chainguard has also optimized our container host images for Amazon’s managed Kubernetes offering, Elastic Kubernetes Service (EKS), to enable one-click deployments.
Getting Started with Chainguard VMs
We’re excited to launch our Early Access program for Chainguard VMs and welcome early design partners to help Chainguard iterate on the product and guide our roadmap. Your participation will play a key role in shaping Chainguard’s future plans and put you at the forefront of designing secure platforms for application deployment.
If you’d like to learn more about Chainguard VMs or how minimal, zero-CVE container hosts can transform your software supply chain, reach out today. Existing Chainguard customers can get started with Chainguard’s container host images by coordinating with your account teams over Slack or email.