chainguard-dev · erikaheidi · Oct 21, 2025 · Oct 22, 2025 · Oct 22, 2025 · Oct 22, 2025
@@ -0,0 +1,10 @@
+---
+title: "Chainguard VMs"
+linkTitle: "Chainguard VMs"
+description: "Chainguard VMs offer a minimal and verifiable foundation for running ephemeral workloads in cloud and on-prem hypervisor deployments, designed to complement and extend the same secure-by-default philosophy found in Chainguard Containers"
+type: "article"
+date: 2025-10-21T08:04:00+00:00
+lastmod: 2025-10-21T15:09:59+00:00
+draft: false
+weight: 021
+---
@@ -0,0 +1,59 @@
+---
+title: "Chainguard VMs FAQ"
+linktitle: "FAQ"
+description: "Frequently asked questions about Chainguard VMs, including availability, supported ecosystems, compliance questions, and more"
+type: "article"
+date: 2025-10-21T08:04:00+00:00
+lastmod: 2025-10-21T15:09:59+00:00
+draft: false
+tags: ["Chainguard VMs", "FAQ"]
+menu:
+  docs:
+    parent: "vms"
+weight: 010
+toc: true
+---
+
+## Which platforms and hypervisors are Chainguard VMs available for?
+
+Chainguard VMs are available for AWS (EC2 and ECS/EKS), GCP (Compute Engine), and Azure Compute cloud environments, and also for on-prem solutions based on KVM such as QEmu, VMWare, Nutanix, among others.
+
+## What kinds of VMs are currently available?
+
+As part of our initial offering, we’re providing Container Host VMs, Base VMs, and Application VMs. This list should expand as we fine tune the product based on customer feedback.
+
+## What are Container Host VMs and which versions are available?
+
+Container Host VMs allow you to run containerized workloads on a hardened VM runtime. We currently offer container host VMs for AWS Container Services ECS and EKS, and also for native compute instances on AWS EC2, Google Compute Engine, and Azure Compute.
+
+## What are Base VMs and which versions are available?
+
+Base VMs are general purpose VMs that can be customized to suit your application needs. Current offerings include Chainguard Base, Java Base, and Python Base VM images available for native compute instances on AWS EC2, Google Compute Engine, and Azure Compute.
+
+## What are Application VMs and which versions are available?
+
+Application VMs come pre-packaged with popular backend applications running as systemd services. We currently offer Nginx, Jenkins, and Squid Proxy Application VMs available for native compute instances on AWS EC2, Google Compute Engine, and Azure Compute.
+
+## Which operating system is used by Chainguard VMs?
+
+Chainguard VMs are based on Chainguard OS, our minimal Linux distribution initially designed to run on containers and now extended to include a kernel and other components.
+
+## Which Linux kernel is used in Chainguard VMs?
+
+The Chainguard Factory tracks both the stable upstream and the latest LTS (for FIPS) versions of the kernel, building from source to provide the most up-to-date and patched versions.
+
+## Do Chainguard VMs support in-place upgrades?
+
+No, Chainguard VMs do not support in-place upgrades (e.g. via package upgrade). The upgrade strategy is based on node replacement.
+
+## Do Chainguard VMs support FIPS?
+
+Yes, Chainguard VMs support Kernel Independent FIPS.
+
+## How does FIPS work on VMs?
+
+Traditionally, FIPS in Virtual Machines is dependent on the Linux Kernel. That means that Linux Kernel’s entropy source and Cryptographic subsystem needs to be FIPS validated. Using a FIPS validated Linux Kernel allows VMs to provide FIPS graded cryptography for use cases like Disk Encryption, IPSec, KMSV, dm-verity, dm-integrity, etc.
+
+This is more relevant in on-prem environments.
+
+Chainguard VMs support kernel independent FIPS. This means that application workloads use a FIPS validated entropy source independent of the kernel. The advantage to this approach is that the certification of the entropy source does not need to be performed against a specific kernel, so customers can take advantage of new kernel features while remaining FIPS compliant. It also means that VMs no longer need to be booted in FIPS mode.  The disadvantage is that some low level operating system functions such as disk encryption, IPSEC etc.. are not able to use FIPS validated entropy. In clouds, disk volumes are encrypted and provided with FIPS validated entropy, as is network and filesystem encryption. In cloud, kernel independent FIPS is a more efficient way of servicing FIPS workloads in VMs.
@@ -0,0 +1,75 @@
+---
+title: "Chainguard VMs Overview"
+linktitle: "VMs Overview"
+description: "Chainguard VMs are designed for minimalism, security, and operational clarity."
+type: "article"
+date: 2025-10-21T08:04:00+00:00
+lastmod: 2025-10-21T15:09:59+00:00
+draft: false
+tags: ["Chainguard VMs", "Overview"]
+menu:
+  docs:
+    parent: "vms"
+weight: 001
+toc: true
+---
+
+Chainguard VMs offer a minimal and verifiable foundation for running ephemeral workloads in cloud and on-prem hypervisor deployments, designed to complement and extend the same secure-by-default philosophy found in [Chainguard Containers](https://edu.chainguard.dev/chainguard/chainguard-images/overview/). With a strong focus on rapid CVE remediation and a small attack surface, Chainguard VMs are purpose-built to service the target workload and include only the packages that are essential for its operation.
+
+Built in the Chainguard Factory, Chainguard VMs benefit from a highly automated, secure-by-design build pipeline that ensures consistent, reproducible artifacts. This streamlined process enables the delivery of VM images that are continuously updated to eliminate known vulnerabilities.
+
+## Why Chainguard VMs
+
+Unlike traditional virtual machines, which are often burdened with legacy components, unnecessary packages, and opaque dependency chains, Chainguard VMs are designed for minimalism, security, and operational clarity. Based on Chainguard OS, Chainguard VMs include a kernel that closely tracks the upstream Linux stable tree, ensuring timely updates and compatibility, along with a minimal `systemd` for service management. Consistent with the principle of minimalism, only the essential systemd units required to support the VM’s intended workload are included. Every component is fully traceable, with SLSA guarantees and SBOMs generated at every step, providing end-to-end transparency and helping prevent CVEs from ever entering your environment.
+
+For platform engineers and DevOps teams, this means:
+
+* **Fewer patching cycles**: With no unnecessary software to maintain, you reduce noise from non-actionable CVEs and focus only on what matters.
+* **Improved boot and runtime security**: Minimal, hardened images reduce the chances of privilege escalation, kernel exploits, and lateral movement.
+* **Operational consistency**: The same secure-by-default toolchain that powers Chainguard Containers now extends to your VMs, making it easier to manage and audit infrastructure uniformly across environments.
+
+## VMs and Containers Compared
+
+To understand the applicability of Chainguard VMs in your organization, it might be helpful to compare its features with Chainguard Containers. In a nutshell, the main differences come from the fact that Chainguard VMs boot from and run with their own hardened kernel as part of Chainguard OS, while Chainguard Containers rely on the host system's kernel.
+
+| Feature | Chainguard Container                                   | Chainguard VM                                                                               |
+| :---- |:-------------------------------------------------------|:--------------------------------------------------------------------------------------------|
+| Includes Kernel? | **No** – uses host’s kernel                            | **Yes** – ships and boots with its own hardened kernel                                      |
+| Environment | Userspace only, isolated via namespaces & cgroups      | Full OS, boots in VM with kernel, init, userspace                                           |
+| Boot Process | Starts from container entrypoint, no bootloader/kernel | Full bootloader → kernel → init system                                                      |
+| Security Boundaries | Dependent on host kernel isolation                     | Stronger isolation via hypervisor and custom kernel controls, secure boot, SELinux policies |
+| Use Case Focus | Microservices, CI/CD, ephemeral workloads              | Secure cloud workloads, edge VMs, kernel-level policy control, high performance             |
+
+## Chainguard VM Types
+
+We currently offer 3 distinct types of virtual machine images:
+
+* **Container Host:** a versatile option to run containerized workloads, protecting how you deploy containers on underlying hosts
+* **Base:** general purpose VM base images that can be customized to suit your application needs. Current offerings include Chainguard Base, Java Base, and Python Base.
+* **Application:** pre-packaged with popular backend applications running as systemd services. We currently offer Nginx, Jenkins, and Squid Proxy Application VMs.
+
+## Availability
+
+Chainguard VMs are currently available for the following platforms / hypervisors:
+
+* Google Cloud Platform (Compute Engine)
+* AWS (EC2, ECS, and EKS)
+* Microsoft Azure (Azure Compute)
+* QEMU/KVM (qcow2/raw)
+* VMware vSphere (VMDK)
+* Nutanix (qcow2/raw)
+
+Offering broad compatibility, Chainguard VMs allow for deployment in any environment, from public clouds to self-managed infrastructure. This flexibility facilitates one-click deployment across environments and helps prevent vendor lock-in.
+
+## Compliance and SLAs
+
+Chainguard VMs (running Chainguard OS) are intentionally designed to minimize risk, maximize transparency, and satisfy security standards such as CIS Benchmarks, FedRAMP, SOC 2, and others.
+
+* CVE remediation backed by an industry-leading SLA: 7 days for critical, 14 days for all others
+* Consistent, reproducible builds
+* Enterprise-grade support for multi-cloud and on-prem
+* Verifiable provenance for all included components
+
+## Learn More and Get Started
+
+Chainguard VMs are available through a subscription. To learn more and get started today, use [this form](https://get.chainguard.dev/vmearlyaccesswaitlist?utm_source=cg-academy&utm_medium=referral&utm_campaign=dev-enablement).