Red Hat Universal Base Image (UBI)

Contents

Overview
Editions and Variants
Licensing and Redistribution
Technical Features and Components
Use Cases and Adoption
Building and Runtime Practices
Security and Updates

Red Hat Universal Base Image (UBI) Red Hat Universal Base Image (UBI) is a container base image initiative produced by Red Hat designed to enable wider distribution and redistribution of container images derived from Red Hat Enterprise Linux (RHEL) sources. It allows developers, maintainers, and distributors to build, run, and share containerized applications while relying on the package ecosystem and lifecycle policies associated with RHEL, facilitating integration with cloud providers, orchestration platforms, and continuous delivery pipelines.

Overview

UBI originates from Red Hat and aligns with strategies used by Red Hat Enterprise Linux, IBM, Fedora Project, CentOS Stream, and ecosystem partners such as IBM Cloud and Microsoft Azure. It provides a trimmed selection of the RPM Package Manager-based software stack, drawing lineage to RHEL 8 and RHEL 7 content sources. UBI images are distributed via Red Hat registries and public container registries, enabling reuse by individuals, start-ups like those in Silicon Valley incubators, and enterprises including those using OpenShift Container Platform. The project addresses licensing and redistribution constraints historically associated with RHEL while maintaining compatibility with tools such as Docker Engine, Podman, Kubernetes, and CRI-O.

Editions and Variants

UBI ships in multiple variants oriented to different workloads and footprint trade-offs, analogous to editions from vendors like Canonical and SUSE. Common variants include UBI Minimal, UBI Standard, and UBI Micro, comparable in intent to Alpine Linux-based images and Debian slim images. Parallel tracks reflect upstream versioning from RHEL 8 and RHEL 9 series, and variants optimized for x86-64, ARM64, and other architectures found in data centers operated by Amazon Web Services and Google Cloud Platform. Red Hat maintains variant metadata similar to release artifacts found in projects such as CentOS and Fedora.

Licensing and Redistribution

UBI was introduced to address licensing concerns around redistribution of RHEL binary content, taking inspiration from open distribution practices in projects like Eclipse Foundation and Apache Software Foundation. The images are published under policies that permit redistribution and commercial distribution while retaining intellectual-property protections associated with Red Hat and IBM holdings. This approach contrasts with traditional RHEL subscription models used by organizations such as Bank of America and Walmart and echoes licensing frameworks used by Debian Project and Ubuntu. Redistribution of UBI-based images is permitted provided trademark rules and package licensing obligations—similar to those governed by GNU General Public License and MIT License in other projects—are observed.

Technical Features and Components

UBI leverages the RPM Package Manager and yum/dnf tooling for package management, and includes components such as the glibc runtime, systemd libraries where appropriate, and core utilities from projects like GNU Core Utilities. The images provide access to Red Hat Software Collections and modules analogous to AppStream metadata formats, and integrate with container runtime interfaces defined by Open Container Initiative and orchestration APIs used by Kubernetes. Build systems such as OpenShift BuildConfigs and Jenkins pipelines commonly consume UBI images. Compatibility with language ecosystems—Node.js, Python (programming language), Java (programming language), Golang—is facilitated by language-specific packages and toolchains available in the UBI repositories.

Use Cases and Adoption

UBI is used across scenarios including cloud-native application delivery in environments run by Google LLC and Amazon.com, Inc., edge computing projects connected to ARM Holdings silicon, CI/CD pipelines in enterprises like Salesforce and Goldman Sachs, and independent software vendors distributing containers via marketplaces such as Red Hat Marketplace and Docker Hub. It is adopted by platform operators running OpenShift Container Platform, teams migrating workloads from traditional RHEL servers to containerized deployments, and by contributors to large open-source projects coordinated through organizations like the Linux Foundation. UBI supports compliance and reproducibility needs in regulated industries that rely on supply-chain provenance similar to requirements in ISO standards and NIST guidance.

Building and Runtime Practices

When building from UBI, developers typically use multi-stage builds supported by Dockerfile patterns and tools such as Buildah and Kaniko. Best practices mirror guidance from Cloud Native Computing Foundation and include minimizing layers, using UBI Minimal for runtime images, and separating build-time dependencies into builder images inspired by distroless concepts. Runtime observability uses integrations with telemetry stacks like Prometheus, Grafana, and log collectors such as Fluentd. Continuous integration workflows often integrate with GitHub Actions, GitLab CI/CD, and Jenkins to produce signed artifacts compatible with image attestation frameworks advocated by in-toto and Sigstore.

Security and Updates

Security posture for UBI leverages Red Hat’s vulnerability management and update process similar to practices in RHEL and advisories coordinated with vendors like Intel Corporation and Qualcomm. UBI repositories receive fixes, errata, and backports aligned with lifecycle policies comparable to Red Hat Enterprise Linux life cycle. Container security scanning tools from vendors such as Twistlock (now part of Palo Alto Networks), Aqua Security, and community tools like Clair operate against UBI images to identify CVEs cataloged by CVE databases and tracked via National Vulnerability Database. Red Hat provides guidance for timely updates, image rebuilding strategies, and automated patch pipelines compatible with orchestration systems managed via Kubernetes Operators.

Category:Linux distributions