Selecting the right base

There are a lot of choices when it comes to container base images, so why should you select Red Hat Universal Base Image (UBI)? Well, first off, all of the code in Red Hat Universal Base Image is derived from Red Hat Enterprise Linux (RHEL). To explain why you should choose UBI, we have to talk about the mission of RHEL:

“Red Hat Enterprise Linux is your source for safe and reliable Linux innovation that makes your workloads successful.”

Since containers are Linux, and UBI is derived from RHEL, the same value applies to UBI:

  1. Innovate: Organizations are constantly looking to innovate quickly without friction and provide consistency from the data center to the edge by streamlining operations and centralizing development and management.
  2. Optimize: Infrastructure complexity can easily increase costs and decrease efficiency.
  3. Protect: Continuously mitigating risk across the hybrid cloud, including building, scaling and managing workloads, can be a challenge for most organizations.
  4. Trust: It is a never-ending challenge for organizations to manage the complexity of their application life cycles and workload compatibility, security patching and compliance reporting.

Containers offer a lighter-weight version of the Linux operating system’s userland (all of the programs, libraries and dependencies that come with an operating system). Putting applications in containers strips these dependencies down to the bare essentials, but it’s still an operating system and the quality of a container base image matters just as much as the host operating system. Selecting the right container base image for your organization is an important choice that has security and life cycle repercussions just like building a standard operating environment (SOE).

Red Hat recognized early how important base images were for organizations and began offering Red Hat Enterprise Linux (RHEL) images when RHEL 7 was released (we also released RHEL 6 images shortly thereafter). These images gave RHEL customers more secure, performant and up-to-date enterprise-grade containers. Running RHEL container images on RHEL container hosts offers compatibility and portability between environments, not to mention familiarity. There was one problem though; the enterprise agreement with a RHEL subscription prevented our customers from easily sharing the container images they built outside their organization (one of the key values of containers).

With the release of the Red Hat Universal Base Image (UBI), two major things changed:

  1. Customers can share container images they build on UBI with anyone they like, inside or outside of their organization
  2. Non-customers can take advantage of all of the content released in Red Hat Universal Base Image

Everyone can now take advantage of the greater reliability, security footprint and performance of official Red Hat container images. This means you can build a containerized application on UBI, push it to any container registry server of your choosing, and share it with the world. With UBI you can build, share and collaborate on your containerized application wherever and however you want.

Red Hat platform vs. any OCI-compliant container platform

When you build applications on UBI you have the freedom to share them anywhere you want, and run them anywhere you want, but there is additional value unlocked when you run them on RHEL or Red Hat OpenShift. Here’s how it works:

  1. Run anywhere: you get the same quality bits, but you only get community and self-support.
  2. Run on RHEL or OpenShift: you get the same quality bits, but it’s fully supported by Red Hat; you can simply file a support ticket if you need any help.

Reasons to use UBI

Here’s a set of wants and needs that might help you figure out if UBI is right for your organization:

  • My developers want a high-quality container image they can distribute publicly
  • My operations team wants a supportable base image with an enterprise life cycle
  • My product team wants to deliver a Red Hat Certified Container which is jointly supported with Red Hat
  • My customers want enterprise support in their Red Hat environment
  • My community wants to share containerized applications more freely but still wants a really high-quality container image

If any or all of these apply to your organization, then read on!

More than a base image

Less than a full operating system, UBI is three things:

  1. A set of four base images (ubi-micro, ubi-minimal, ubi standard, ubi-init)
  2. A set of language runtime images (Node.js, Ruby, Python, PHP, Perl, etc.)
  3. A set of associated packages in a YUM repository which satisfy common application dependencies

All UBI content is a subset of RHEL. All of the packages in UBI come from RHEL channels and are supported like RHEL when they are run on RHEL or OpenShift:

RHEL 7 and RHEL 8 vs other container platforms

It takes a lot of engineering, security analysis and resources to provide quality support for container images. It requires testing not just of the base images, but also their behavior on a given container host.

To ease upgrade challenges, Red Hat has focused heavily on engineering and support, allowing UBI 8 to be run on RHEL 9 hosts, and UBI 9 to be run on RHEL 8 hosts, as well as other permutations. This gives users greater flexibility and confidence during platform upgrades of the application in the container image or the underlying container hosts.  For a full list of what's supported, see the Container Compatibility Matrix in the Red Hat Portal.

Four base images compared

Micro - Designed for applications that contain their own dependencies (Python, Node.js, .NET, etc.)

  • The absolute smallest image you can build from
  • No package manager which makes it smaller
  • Buildah is recommended instead of a Dockerfile

Minimal - Designed for applications that contain their own dependencies (Python, Node.js, .NET, etc.)

  • Minimized pre-installed content set
  • No SUID binaries
  • Minimal package manager (install, update and remove)

Standard - For any application that runs on RHEL

  • Unified, OpenSSL crypto stack
  • Full YUM stack
  • Includes useful basic OS tools (tar, gzip, vi, etc.)

Multi-service - Simplifies running multiple services in a single container

  • Configured to run systemd on start
  • Allows you to enable the services at build time
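
The following is an added example, not code from the original post or from Red Hat, showing why Buildah suits the Micro image: because ubi-micro has no package manager, the host's dnf installs into the container's mounted root filesystem. The RHEL 9 host, the package and tag arguments, and the setuid/setgid gate before commit are assumptions made here.

```sh
#!/bin/sh
# Added example: extend ubi-micro with Buildah, installing with the HOST's dnf.
# Assumptions: RHEL 9 host with dnf and buildah; run as root or inside
# `buildah unshare` (rootless mounts need it); package and tag are placeholders.

BASE_IMAGE="registry.access.redhat.com/ubi9/ubi-micro"

# Print setuid/setgid regular files found under a root filesystem tree.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# build_micro_image <package> <target-tag>; returns 0 on success,
# 1 on a tooling failure, 2 if the setuid/setgid gate blocked the commit.
build_micro_image() {
    pkg=$1
    tag=$2
    ctr=$(buildah from "$BASE_IMAGE") || return 1
    mnt=$(buildah mount "$ctr") || { buildah rm "$ctr" >/dev/null; return 1; }

    # The image has no package manager, so install from outside into its root,
    # using the host's repository definitions.
    rc=0
    dnf install -y --installroot "$mnt" --releasever=9 \
        --setopt=reposdir=/etc/yum.repos.d/ \
        --setopt=install_weak_deps=false --nodocs "$pkg" || rc=1
    [ "$rc" -ne 0 ] || dnf clean all --installroot "$mnt" || rc=1

    # Gate (a policy chosen for this example): do not commit an image whose
    # root filesystem contains setuid/setgid files after the install.
    if [ "$rc" -eq 0 ] && [ -n "$(find_suid "$mnt")" ]; then
        echo "not committing, setuid/setgid files present:" >&2
        find_suid "$mnt" >&2
        rc=2
    fi

    buildah umount "$ctr" >/dev/null
    [ "$rc" -ne 0 ] || buildah commit "$ctr" "$tag" >/dev/null || rc=1
    buildah rm "$ctr" >/dev/null
    return "$rc"
}

# Run only when given both arguments, e.g.
#   sh build-micro.sh httpd localhost/ubi-micro-httpd
if [ "$#" -eq 2 ]; then
    build_micro_image "$1" "$2"
fi
```

A return code of 2 means a package or one of its dependencies brought setuid/setgid files into the image; review the list printed on stderr before deciding whether to allow it.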

Pre-built language runtime container images

In addition to the base images which allow you to install languages, UBI provides developers pre-built images to consume a number of language runtimes. In many instances, developers can just consume an image and start working on the application they are building.

For a full list of pre-built runtime container images, check out the Red Hat Ecosystem Catalog.

Consuming pre-built images is great. Red Hat releases new images when a new version of RHEL is released and when critical Common Vulnerabilities and Exposures (CVEs) are patched, mirroring the RHEL update policy. The full image policy can be found here: Red Hat Container Image Updates. We have designed images such that you can just pull one of them and start building your application.

Associated packages

Sometimes when you are building an application, however, you need that one extra package. Or sometimes you need a package updated to make your application work. That’s why UBI also comes with a set of RPMs available via YUM, and distributed on a highly available content delivery network. When you run a YUM update in your CI/CD pipeline at that critical moment when you have to do a production release, you are hitting the same infrastructure our customers use.

RHEL is the foundation

When they were introduced way back in 2014, containerized applications represented a wave of innovation in enterprise IT. They still are game-changers in how they improve the development and maintenance of traditionally-monolithic applications. But containers aren’t a panacea. In the enterprise world, operating systems need more stability, greater reliability and security tools, guidance and timely fixes. These are needs that RHEL is designed to fulfill. Here are just a few of the Red Hat teams working on base images:

  • A performance engineering team, charged with updating and maintaining fundamental libraries like glibc and OpenSSL, as well as language runtimes like Python and Ruby, designed to provide robust performance and work reliably with the workloads you choose to containerize.
  • A product security team dedicated to making sure the same libraries and languages receive timely security fixes, measured by an associated Container Health Index grade.
  • Product management and engineering teams dedicated to adding new features and driving a long life cycle which is designed to give you confidence in an investment to build on top of it.

RHEL is subscription-based, meaning your organization doesn’t have to shell out for licenses per release or for support on top of those license fees. When you subscribe to RHEL, you’re entitled to run any of the current versions of RHEL. This includes access to Red Hat support and the goodness of a more secure, hardened and trusted Linux operating system. While RHEL serves as a great host and image for containers, many developers need to support a wider range of use cases, some of which may be outside of the supported scenarios. That’s where UBI comes into play.

Now and into the future

Perhaps today you’re just looking for a base image to get you started with building a simple containerized application. Or maybe you're moving from standalone containers running on a container engine to a cloud-native world building and certifying Operators designed to run on OpenShift. Either way, we believe that UBI can provide a great foundation.

RHEL certified application > certified container > certified operator

Containers encapsulate a lightweight operating system user space in a new packaging format, and Red Hat is the enterprise-grade Linux operating system leader. UBI is designed to set a new industry standard for container development by making enterprise-grade containers available to independent software vendors (ISVs), customers and open source communities.

In particular, ISVs can standardize on a single, trusted foundation for their containerized applications, including Kubernetes Operators. ISVs using UBI can take advantage of Red Hat Container Certification for continuous verification of software deployed on a Red Hat platform like OpenShift.

 

|  | UBI ON A THIRD-PARTY OCI-COMPLIANT PLATFORM | +RED HAT PLATFORM | +CERTIFICATION |
| --- | --- | --- | --- |
| Trusted Roadmap | Yes | Yes | Yes |
| Proven Foundation | Yes | Yes | Yes |
| Minimal Images | Yes | Yes | Yes |
| Package Updates | Only UBI Content | All RHEL Content | All RHEL Content |
| Cloud Native Language Runtimes | Yes | Yes | Yes |
| Distribution/Redistribution | Yes | Yes | Yes |
| Red Hat Platform Testing |  | Yes | Yes |
| Red Hat Customer Support |  | Red Hat Components | Joint Support of All Components |
| Security Scanning |  | Yes | Yes |
| Joint Promotion with Red Hat |  |  | Yes |
| Container Build Service |  |  | Yes |

Getting started

Getting started is easy. You can pull these images with any container engine you like, but Red Hat recommends Podman Desktop or Podman if you prefer the command line. You can just pull an image from one of these repositories and go.

For UBI 9:

podman pull registry.access.redhat.com/ubi9/ubi
podman pull registry.access.redhat.com/ubi9/ubi-minimal
podman pull registry.access.redhat.com/ubi9/ubi-init

For UBI 8:

podman pull registry.access.redhat.com/ubi8/ubi
podman pull registry.access.redhat.com/ubi8/ubi-minimal
podman pull registry.access.redhat.com/ubi8/ubi-init

For UBI 7:

podman pull registry.access.redhat.com/ubi7/ubi
podman pull registry.access.redhat.com/ubi7/ubi-minimal
podman pull registry.access.redhat.com/ubi7/ubi-init

For a wealth of information, check out the full Red Hat Universal Base Image eBook or the Red Hat Universal Base Image FAQ.


About the author

At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.

McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.
