There are a lot of choices when it comes to container base images, so why should you select Red Hat Universal Base Image (UBI)? First of all, the code in Red Hat Universal Base Image is derived from Red Hat Enterprise Linux (RHEL), and the mission of RHEL is to be your source for safe and reliable Linux innovation that makes your workloads successful. Because all containers are Linux, and UBI is derived from RHEL, the same values apply to UBI, including:
- Innovate: Organizations are constantly looking to innovate quickly without friction and provide consistency from the data center to the edge by streamlining operations and centralizing development and management.
- Optimize: Infrastructure complexity can easily increase costs and decrease efficiency.
- Protect: Continuously mitigating risk across the hybrid cloud, including building, scaling and managing workloads, can be a challenge for most organizations.
- Trust: It is a never-ending challenge for organizations to manage the complexity of their application life cycles and workload compatibility, security patching and compliance reporting.
Red Hat has produced base images since RHEL 7 (which included RHEL 6 images). Running a RHEL container image on a RHEL container host offers compatibility and portability between environments (not to mention familiarity).
- Customers can share container images they build on UBI with anyone they like, inside or outside of their organization
- Non-customers can take advantage of all of the content released in Red Hat Universal Base Image
Everyone can now take advantage of the greater reliability, security footprint and performance of official Red Hat container images. This means you can build a containerized application on UBI, push it to any container registry server of your choosing, and share it with the world. With UBI you can build, share and collaborate on your containerized application wherever and however you want.
When you build applications on UBI you have the freedom to share them anywhere you want, and run them anywhere you want, but there is additional value unlocked when you run them on RHEL or Red Hat OpenShift. Here’s how it works:
- Run anywhere: You get the same quality bits, but you only get community and self-support
- Run on RHEL or OpenShift: You get the same quality bits, but it’s fully supported by Red Hat; you can simply file a support ticket if you need any help
Reasons to use UBI
UBI is a great choice for your containers if:
- Your developers want a high-quality container image they can distribute publicly
- Your operations team wants a supportable base image with an enterprise life cycle
- Your product team wants to deliver a Red Hat Certified Container which is jointly supported with Red Hat
- Your customers want enterprise support in their Red Hat environment
- Your community wants to share containerized applications more freely but still wants a really high-quality container image
If any or all of these apply to your organization, then read on!
UBI is more than just a base image
Containers offer a lightweight version of the Linux operating system’s userland (all of the programs, libraries, and dependencies that come with an operating system). Putting applications in containers reduces dependencies down to the bare essentials, but it’s still an operating system and the quality of a container base image matters just as much as the host operating system. Selecting the right container base image for your organization is an important choice that has security and life cycle repercussions just like building a standard operating environment (SOE).
In other words, without the burden of a full operating system, UBI provides you with three things:
- A set of four base images (ubi-micro, ubi-minimal, ubi standard, ubi-init)
- A set of language runtime images (Node.js, Ruby, Python, PHP, Perl, and so on)
- A set of packages in a software repository to satisfy common application dependencies
All UBI content is a subset of RHEL. All packages in UBI come from RHEL channels and are supported like RHEL when they are run on RHEL or OpenShift.
It takes a lot of engineering, security analysis, and resources to provide quality support for container images. It requires testing not just of the base images, but also their behavior on a given container host. To ease upgrade challenges, Red Hat has focused heavily on engineering and support, so an old version of UBI can be run on a newer RHEL host, and a new UBI can be run on an old RHEL host. This gives users greater flexibility and confidence during platform upgrades of the application in the container image or the underlying container hosts. For a full list of what's supported, see the container compatibility matrix in Red Hat Portal.
Four UBI base images compared
Micro: Designed for applications that contain their own dependencies (Python, Node.js, .NET, etc.)
- The absolute smallest image you can build from
- No package manager which makes it smaller
- Buildah is recommended instead of a Dockerfile
Minimal: Designed for applications containing their own dependencies (Python, Node.js, .NET)
- Minimized pre-installed content set
- No SUID binaries
- Minimal package manager (install, update and remove)
Standard: For any application that runs on RHEL
- Unified, OpenSSL crypto stack
- Full dnf stack
- Includes useful basic OS tools (tar, gzip, vi, and so on)
Multi-service: Simplifies running multiple services in a single container
- Configured to run systemd on start
- Allows you to enable the services at build time
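The comparison above states that ubi-micro has no package manager and ubi-minimal has no SUID binaries, but layers you add on top can bring either back. The script below is an added example, not Red Hat tooling, that checks an unpacked image root for both; the function names, the profile names and the list of package manager names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. ROOT is a directory holding an unpacked image root filesystem,
# e.g. the path printed by `buildah mount <container>` (inside `buildah unshare`
# when running rootless).

# Print each regular file under ROOT that has the setuid bit, as an in-image path.
list_setuid_files() {
    (cd "$1" && find . -xdev -type f -perm -4000) | sed 's|^\.||' | sort
}

# Print the package managers present under ROOT. The names checked here
# (dnf, microdnf, yum) are this example's assumption, not a list from the page.
list_package_managers() {
    for name in dnf microdnf yum; do
        if [ -e "$1/usr/bin/$name" ] || [ -L "$1/usr/bin/$name" ]; then
            echo "/usr/bin/$name"
        fi
    done
}

# audit_rootfs ROOT PROFILE: return 0 if ROOT still has the property, 1 if not.
#   micro   -> no package manager       minimal -> no setuid binaries
audit_rootfs() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    case $2 in
        micro)   findings=$(list_package_managers "$1") ;;
        minimal) findings=$(list_setuid_files "$1") ;;
        *)       echo "unknown profile: $2" >&2; return 2 ;;
    esac
    [ -z "$findings" ] && return 0
    echo "$findings" | sed "s|^|FAIL ($2): |"
    return 1
}

# Constructed sample: a fake root standing in for an image built on ubi-minimal
# where a later layer added a setuid binary.
make_sample_rootfs() {
    sample=$(mktemp -d) || return 1
    mkdir -p "$sample/usr/bin"
    for f in bash microdnf su; do : > "$sample/usr/bin/$f"; done
    chmod 0755 "$sample/usr/bin/bash" "$sample/usr/bin/microdnf"
    chmod 4755 "$sample/usr/bin/su"
    echo "$sample"
}

if [ "$#" -eq 2 ]; then
    audit_rootfs "$1" "$2"            # audit a real unpacked image
else
    demo=$(make_sample_rootfs)
    audit_rootfs "$demo" minimal || echo "sample image fails the minimal profile"
    rm -rf "$demo"
fi
```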
Pre-built language runtime container images for developers
In addition to the base images allowing you to install languages, UBI provides developers pre-built images to consume a number of language runtimes. In many instances, developers can just consume an image and start working on the application they are building. For a full list of pre-built runtime container images, check out Red Hat Ecosystem Catalog.
Red Hat releases new images when a new version of RHEL is released and when critical Common Vulnerabilities and Exposures (CVEs) are patched, mirroring the RHEL update policy. We have designed images such that you can just pull one of them and start building your application.
Sometimes when you are building an application, you need an extra package, or you need a package updated to make your application work. That’s why UBI also comes with a set of RPMs available through dnf, distributed on a highly available content delivery network. When you run a dnf update in your CI/CD pipeline at that critical moment when you have to do a production release, you're hitting the same infrastructure our customers use.
RHEL is the foundation
When they were introduced way back in 2014, containerized applications represented a wave of innovation in enterprise IT. They're still game-changers in how they improve development and maintenance, but containers aren't a panacea. In the enterprise world, operating systems need stability, reliability, and security tools, guidance, and timely fixes. These are needs that RHEL is designed to fulfill. Here are just a few of the Red Hat teams working on base images:
- A performance engineering team, charged with updating and maintaining fundamental libraries like glibc and OpenSSL, as well as language runtimes like Python and Ruby, designed to provide robust performance and work reliably with the workloads you choose to containerize
- A product security team dedicated to making sure the same libraries and languages receive timely security fixes, measured by an associated Container Health Index grade
- Product management and engineering teams dedicated to adding new features and driving a long life cycle which is designed to give you confidence in an investment to build on top of it
RHEL is subscription-based, so your organization doesn’t have to shell out for licenses per release or for support on top of those license fees. When you subscribe to RHEL, you're entitled to run any of the current versions of RHEL. This includes access to Red Hat support and the goodness of a more secure, hardened and trusted Linux operating system. While RHEL serves as a great host and image for containers, many developers need to support a wider range of use cases, some of which may be outside of the supported scenarios. That’s where UBI comes into play.
Perhaps today you're just looking for a base image to get you started with building a simple containerized application. Or maybe you're moving from standalone containers running on a container engine to a cloud-native world building and certifying Operators designed to run on OpenShift. Either way, UBI provides a great foundation.
Containers encapsulate a lightweight operating system user space in a new packaging format, and Red Hat is the enterprise-grade Linux operating system leader. UBI is designed to set a new industry standard for container development by making enterprise-grade containers available to independent software vendors (ISVs), customers and open source communities.
In particular, ISVs can standardize on a single, trusted foundation for their containerized applications, including Kubernetes operators. ISVs using UBI can take advantage of Red Hat container certification for continuous verification of software deployed on a Red Hat platform like OpenShift.
| | UBI on a third-party OCI-compliant platform | + Red Hat platform | + Certification |
| --- | --- | --- | --- |
| Trusted Roadmap | Yes | Yes | Yes |
| Proven Foundation | Yes | Yes | Yes |
| Minimal Images | Yes | Yes | Yes |
| Package Updates | Only UBI Content | All RHEL Content | All RHEL Content |
| Cloud Native Language Runtimes | Yes | Yes | Yes |
| Distribution/Redistribution | Yes | Yes | Yes |
| Red Hat Platform Testing | | Yes | Yes |
| Red Hat Customer Support | | Red Hat Components | Joint Support of All Components |
| Security Scanning | | Yes | Yes |
| Joint Promotion with Red Hat | | | Yes |
| Container Build Service | | | Yes |
Getting started with UBI
Getting started is easy. Pull these images with any container engine you like (Red Hat recommends Podman Desktop, or Podman if you prefer the command line), and go.
For example, to pull UBI 9:
podman pull registry.access.redhat.com/ubi9/ubi
podman pull registry.access.redhat.com/ubi9/ubi-minimal
podman pull registry.access.redhat.com/ubi9/ubi-init
For a wealth of information, check out the full Red Hat Universal Base Image eBook or the Red Hat Universal Base Image FAQ.
About the author
At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.
McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.