Adding initial docs for Chainguard VMs #2703
Merged
+154
−0
8 commits
603cbc6
Adding initial docs for Chainguard VMs
erikaheidi 361e2bf
Apply suggestion from @smythp
erikaheidi 80bb6da
Apply suggestion from @smythp
erikaheidi 605752a
Apply suggestion from @smythp
erikaheidi 1775b2a
Apply suggestion from @smythp
erikaheidi c74c15a
updates after Patrick's review
erikaheidi 24a2f46
updated FIPS FAQ after feedback from MBaker
erikaheidi f95bbb3
small tweak to FAQ
erikaheidi
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| --- | ||
| title: "Chainguard VMs" | ||
| linkTitle: "Chainguard VMs" | ||
| description: "Chainguard VMs offer a minimal and verifiable foundation for running ephemeral workloads in cloud and on-prem hypervisor deployments, designed to complement and extend the same secure-by-default philosophy found in Chainguard Containers" | ||
| type: "article" | ||
| date: 2025-10-21T08:04:00+00:00 | ||
| lastmod: 2025-10-21T15:09:59+00:00 | ||
| draft: false | ||
| weight: 021 | ||
| --- |
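Review bot: this index page's front matter has no `menu:` block, while both sibling pages in this PR declare `menu: docs: parent: "vms"`, and it uses `linkTitle` where the other two files use `linktitle`; if this file is meant to be the `vms` section index, confirm it is picked up by the docs menu with only `weight: 021` set, and align the key casing across the three files so the section renders consistently. The `description` here also lacks the terminating period that the overview's description has; pick one style.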
| @@ -0,0 +1,61 @@ | ||
| --- | ||
| title: "Chainguard VMs FAQ" | ||
| linktitle: "FAQ" | ||
| description: "Frequently asked questions about Chainguard VMs, including availability, supported ecosystems, compliance, and more" | ||
| type: "article" | ||
| date: 2025-10-21T08:04:00+00:00 | ||
| lastmod: 2025-10-21T15:09:59+00:00 | ||
| draft: false | ||
| tags: ["Chainguard VMs", "FAQ"] | ||
| menu: | ||
| docs: | ||
| parent: "vms" | ||
| weight: 010 | ||
| toc: true | ||
| --- | ||
|
|
||
| ## Which platforms and hypervisors are Chainguard VMs available for? | ||
|
|
||
| Chainguard VMs are available for AWS ([EC2](https://aws.amazon.com/ec2/) and [ECS](https://aws.amazon.com/ecs/)/[EKS](https://aws.amazon.com/eks/)), [GCP](https://cloud.google.com/?hl=en) (Compute Engine), and [Azure Compute](https://azure.microsoft.com/en-us/products/category/compute) cloud environments, and also for on-prem solutions based on KVM such as [QEmu](https://www.qemu.org/), [VMWare](https://www.vmware.com/products/cloud-infrastructure/vsphere), [Nutanix](https://www.nutanix.com/), among others. | ||
|
|
||
| ## What kinds of VMs are currently available? | ||
|
|
||
| As part of our initial offering, we’re providing Container Host VMs, Base VMs, and Application VMs. This list should expand as we fine tune the product based on customer feedback. | ||
|
|
||
| ## What are Container Host VMs and which versions are available? | ||
|
|
||
| Container Host VMs allow you to run containerized workloads on a hardened VM runtime. We currently offer container host VMs for AWS Container Services ECS and EKS, and also for native compute instances on AWS EC2, Google Compute Engine, and Azure Compute. | ||
|
||
|
|
||
| ## What are Base VMs and which versions are available? | ||
|
|
||
| Base VMs are general purpose VMs that can be customized to suit your application needs. Current offerings include Chainguard Base, Java Base, and Python Base VM images available for native compute instances on AWS EC2, Google Compute Engine, and Azure Compute. | ||
|
|
||
| ## What are Application VMs and which versions are available? | ||
|
|
||
| Application VMs come pre-packaged with popular backend applications running as systemd services. We currently offer Nginx, Jenkins, and Squid Proxy Application VMs available for native compute instances on AWS EC2, Google Compute Engine, and Azure Compute. | ||
|
|
||
| ## Which operating system is used by Chainguard VMs? | ||
|
|
||
| Chainguard VMs are based on [Chainguard OS](https://get.chainguard.dev/chainguard-your-os-whitepaper-0), our minimal Linux distribution initially designed to run on containers and now extended to include a kernel and other components. | ||
|
|
||
| ## Which Linux kernel is used in Chainguard VMs? | ||
|
|
||
| The [Chainguard Factory](/chainguard/factory/overview/) tracks both the stable upstream and the latest LTS (for FIPS) versions of the kernel, building from source to provide the most up-to-date and patched versions. | ||
|
|
||
| ## Do Chainguard VMs support in-place upgrades? | ||
|
|
||
| No, Chainguard VMs do not support in-place upgrades (e.g. via package upgrade). The upgrade strategy is based on node replacement. | ||
|
|
||
| ## How does FIPS work on VMs? | ||
|
|
||
| In Virtual Machines, FIPS is traditionally dependent on the Linux kernel, which requires engineers to provision dedicated hardware and virtual machines (VMs) with the host kernel configured in FIPS mode in order to be compliant. Using a FIPS validated Linux kernel allows VMs to provide FIPS graded cryptography for use cases like Disk Encryption, IPSec, KMSV, dm-verity, dm-integrity, among others. | ||
|
|
||
| This design, which requires maintenance of FIPS cryptographic boundaries at the kernel-level, drives significant friction for vendors delivering FIPS compliant workloads for modern cloud-native applications, since it forces a dependence on a limited set of FIPS-enabled kernels. With kernel FIPS you often need separate, kernel-pinned images (and careful reboots) to keep the validated stack intact. | ||
|
|
||
| Making the cryptographic module user-space or [kernel independent](https://www.chainguard.dev/unchained/kernel-independent-fips-images) breaks that coupling, so the same validated module can serve many VMs and kernels with less toil and fewer surprises. | ||
|
|
||
| ## Do Chainguard VMs support FIPS? | ||
|
|
||
| Yes, Chainguard VMs support **kernel independent FIPS**. This means that application workloads use a FIPS validated entropy source independent of the kernel. The advantage to this approach is that the certification of the entropy source does not need to be performed against a specific kernel, so customers can take advantage of new kernel features while remaining FIPS compliant. It also means that VMs no longer need to be booted in FIPS mode. | ||
|
|
||
| Note that with kernel independent FIPS, some low level operating system functions such as disk encryption, IPSEC, KMSV, among others do not use FIPS validated entropy. This is less relevant on cloud platforms, since disk volumes are encrypted with FIPS validated entropy, as is network and filesystem encryption. On the cloud, kernel independent FIPS is a more efficient way of servicing FIPS workloads in VMs. | ||
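Review bot: the platform answer groups VMware under "on-prem solutions based on KVM", but VMware vSphere runs on ESXi rather than KVM, so reword to something like "on-prem hypervisors such as QEMU/KVM, VMware vSphere and Nutanix"; that also fixes the product names (`QEmu` should be `QEMU`, `VMWare` should be `VMware`, matching the Availability list in the overview) and the dangling "among others" after a list that already opens with "such as". In the FIPS answers, spell out `KMSV` on first use (it appears twice and is not a common acronym) and settle on one spelling of IPsec (`IPSec` in one paragraph, `IPSEC` in the next). The "How does FIPS work on VMs?" answer describes moving the cryptographic module out of the kernel, while "Do Chainguard VMs support FIPS?" says workloads use a "FIPS validated entropy source independent of the kernel" and that the certification is of the entropy source; these are different claims, and the trade-off paragraph ("disk encryption, IPSEC, KMSV ... do not use FIPS validated entropy") should state precisely what is and is not inside the validated boundary, since that is the first thing a compliance reviewer will ask. Minor: "FIPS graded" should read "FIPS-grade" and "fine tune" should be "fine-tune".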
| @@ -0,0 +1,83 @@ | ||
| --- | ||
| title: "Chainguard VMs Overview" | ||
| linktitle: "VMs Overview" | ||
| description: "Chainguard VMs are designed for minimalism, security, and operational clarity." | ||
| type: "article" | ||
| date: 2025-10-21T08:04:00+00:00 | ||
| lastmod: 2025-10-21T15:09:59+00:00 | ||
| draft: false | ||
| tags: ["Chainguard VMs", "Overview"] | ||
| menu: | ||
| docs: | ||
| parent: "vms" | ||
| weight: 001 | ||
| toc: true | ||
| --- | ||
|
|
||
| Chainguard VMs offer a minimal and verifiable foundation for running ephemeral workloads in cloud and on-prem hypervisor deployments, designed to complement and extend the same secure-by-default philosophy found in [Chainguard Containers](https://edu.chainguard.dev/chainguard/chainguard-images/overview/). With a strong focus on rapid CVE remediation and a small attack surface, Chainguard VMs are purpose-built to service the target workload and include only the packages that are essential for its operation. | ||
|
|
||
| Built in the Chainguard Factory, Chainguard VMs benefit from a highly automated, secure-by-design build pipeline that ensures consistent, reproducible artifacts. This streamlined process enables the delivery of VM images that are continuously updated to eliminate known vulnerabilities. | ||
|
|
||
| ## Why Chainguard VMs | ||
|
|
||
| Unlike traditional virtual machines, which are often burdened with legacy components, unnecessary packages, and opaque dependency chains, Chainguard VMs are designed for minimalism, security, and operational clarity. Based on Chainguard OS, Chainguard VMs include a kernel that closely tracks the upstream Linux stable tree, ensuring timely updates and compatibility, along with a minimal `systemd` for service management. Consistent with the principle of minimalism, only the essential systemd units required to support the VM’s intended workload are included. Every component is fully traceable, with SLSA guarantees and SBOMs generated at every step, providing end-to-end transparency and helping prevent CVEs from ever entering your environment. | ||
|
|
||
| For platform engineers and DevOps teams, this means: | ||
|
|
||
| * **Fewer patching cycles**: With no unnecessary software to maintain, you reduce noise from non-actionable CVEs and focus only on what matters. | ||
| * **Improved boot and runtime security**: Minimal, hardened images reduce the chances of privilege escalation, kernel exploits, and lateral movement. | ||
| * **Operational consistency**: The same secure-by-default toolchain that powers Chainguard Containers now extends to your VMs, making it easier to manage and audit infrastructure uniformly across environments. | ||
|
|
||
| ## VMs and Containers Compared | ||
|
|
||
| To understand the applicability of Chainguard VMs to your organization, it might be helpful to compare the features of Chainguard VMs to Chainguard Containers. In a nutshell, the main differences come from the fact that Chainguard VMs boot from and run with their own hardened kernel as part of Chainguard OS, while Chainguard Containers rely on the host system's kernel. | ||
|
|
||
| | Feature | Chainguard Container | Chainguard VM | | ||
| | :---- |:-------------------------------------------------------|:--------------------------------------------------------------------------------------------| | ||
| | Includes Kernel? | **No** – uses host’s kernel | **Yes** – ships and boots with its own hardened kernel | | ||
| | Environment | Userspace only, isolated via namespaces & cgroups | Full OS, boots in VM with kernel, init, userspace | | ||
| | Boot Process | Starts from container entrypoint, no bootloader/kernel | Full bootloader → kernel → init system | | ||
| | Security Boundaries | Dependent on host kernel isolation | Stronger isolation via hypervisor and custom kernel controls, secure boot, SELinux policies | | ||
| | Use Case Focus | Microservices, CI/CD, ephemeral workloads | Secure cloud workloads, edge VMs, kernel-level policy control, high performance | | ||
|
|
||
| ## Chainguard VM Types | ||
|
|
||
| We currently offer 3 distinct types of virtual machine images: | ||
|
|
||
| * **Container Host:** a versatile option to run containerized workloads, protecting how you deploy containers on underlying hosts | ||
| * **Base:** general purpose VM base images that can be customized to suit your application needs. Current offerings include Chainguard Base, Java Base, and Python Base. | ||
| * **Application:** pre-packaged with popular backend applications running as systemd services. We currently offer Nginx, Jenkins, and Squid Proxy Application VMs. | ||
|
|
||
| ## Availability | ||
|
|
||
| Chainguard VMs are currently available for the following platforms / hypervisors: | ||
|
|
||
| * Google Cloud Platform (Compute Engine) | ||
|
||
| * AWS (EC2, ECS, and EKS) | ||
| * Microsoft Azure (Azure Compute) | ||
| * QEMU/KVM (qcow2/raw) | ||
| * VMware vSphere (VMDK) | ||
| * Nutanix (qcow2/raw) | ||
|
|
||
| Offering broad compatibility, Chainguard VMs allow for deployment in any environment, from public clouds to self-managed infrastructure. This flexibility facilitates one-click deployment across environments and helps prevent vendor lock-in. | ||
|
||
|
|
||
| [Join the waitlist](https://get.chainguard.dev/vmearlyaccesswaitlist?utm_source=cg-academy&utm_medium=referral&utm_campaign=dev-enablement) today to get started. | ||
|
|
||
| ## Compliance and SLAs | ||
|
|
||
| Chainguard VMs (running Chainguard OS) are intentionally designed to minimize risk, maximize transparency, and satisfy security standards such as [CIS Benchmarks](https://edu.chainguard.dev/compliance/cis-benchmarks/), [FedRAMP](https://edu.chainguard.dev/chainguard/chainguard-images/staying-secure/fedramp-considerations/), SOC 2, and others. | ||
|
|
||
| * CVE remediation backed by an [industry-leading SLA](https://www.chainguard.dev/legal/cve-policy): 7 days for critical, 14 days for all others | ||
| * Consistent, reproducible builds | ||
| * Enterprise-grade support for multi-cloud and on-prem | ||
| * Verifiable provenance for all included components | ||
|
|
||
| ## Resources | ||
|
|
||
| - [Chainguard VMs](https://www.chainguard.dev/vms) | ||
| - [Unchained Blog: Announcing Chainguard VMs: Minimal, Zero-CVE Container Host Images](https://www.chainguard.dev/unchained/announcing-chainguard-vms-minimal-zero-cve-container-host-images) | ||
| - [Unchained Blog: Expanding Chainguard VMs: Zero-CVE Application & Base Virtual Machine Images](https://www.chainguard.dev/unchained/expanding-chainguard-vms-zero-cve-application-base-virtual-machine-images-for-cloud-and-on-prem) | ||
|
|
||
| ## Learn More and Get Started | ||
|
|
||
| Chainguard VMs are available through a subscription. To learn more and get started, [join the waitlist](https://get.chainguard.dev/vmearlyaccesswaitlist?utm_source=cg-academy&utm_medium=referral&utm_campaign=dev-enablement). | ||
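Review bot: the comparison table's "Security Boundaries" cell credits Chainguard VMs with "secure boot, SELinux policies" and the "Use Case Focus" cell with "kernel-level policy control", but nothing else in this PR (including the FAQ's kernel and FIPS answers) says the images ship Secure Boot support or an SELinux policy; either list only the controls that are actually enabled, with a pointer to where they are documented, or drop them, because a security comparison table is exactly what readers will cite. Related overstatements worth softening: "helping prevent CVEs from ever entering your environment" and "deployment in any environment ... one-click deployment". Smaller points: the waitlist call to action appears twice (after Availability and again under "Learn More and Get Started"), so keep one; "3 distinct types" should be "three distinct types"; and the Availability bullets name the on-prem image formats (qcow2/raw, VMDK) while the FAQ's platform answer does not, so consider cross-linking the two lists so they cannot drift apart.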