Ubuntu blog

Canonical releases Landscape 24.04 LTS

1 May 2024 at 02:31

With 12 years of support, Landscape 24.04 LTS adds snap and repository management controls to a modernised systems management web portal and API.

Screenshot of the new Landscape Dashboard

London, 30 April 2024.

Today Canonical announced the availability of Landscape’s first LTS release. Landscape 24.04 LTS features a new versioned API, a new web portal with accessibility and performance in mind, and intuitive controls for software distribution. Landscape 24.04 LTS comprises Landscape Server and Landscape Client. With a modernised backend and web portal in place, engineering teams can work efficiently, focusing on patches and new features.

Predictable release cadence and 12 years of support for LTS versions

Building on Canonical’s commitment to reliability, Landscape releases going forward will align with Ubuntu LTS and interim releases for predictable security coverage, feature patches, and bug fixes.

Landscape Server 24.04 can be installed on Ubuntu 22.04 LTS and Ubuntu 24.04 LTS releases with Ubuntu Pro. Landscape Server 24.04 is compatible with the previous four Ubuntu LTS releases (Ubuntu 16.04 LTS onwards), and will manage future Ubuntu releases including Ubuntu 26.04 LTS.

Like Ubuntu 24.04 LTS, this Landscape release gets a 12 year commitment for security maintenance and support. Landscape 24.04 LTS will get five years of bug fixes and incremental feature patches until August 2029. Ubuntu Pro subscribers can continue using Landscape 24.04 LTS after these 5 years for a total of 12 years, with the Legacy Support add-on.

A new web portal built with Canonical’s Vanilla Framework

Vanilla Framework provides consistent and uniform design patterns across Canonical’s products. Landscape joins MAAS, LXD UI, and others with a responsive React JS driven user interface. This web portal is built using a new versioned API serving JSON data. This API enhancement ensures seamless integration for developers, offering a forward-looking assurance that applications developed with a particular API version will remain robust and reliable, regardless of future updates to Landscape and its accompanying API endpoints.

The Monitoring feature from the legacy Landscape web portal has not yet been migrated to Landscape 24.04 LTS. Monitoring will arrive as an incremental patch for Landscape 24.04 LTS with a modern charting library, a monitoring API, and companion documentation.

Lastly, the web portal provides a significant improvement in Lighthouse scores for Accessibility. The dashboard’s accessibility scores as measured by Lighthouse improved from 70% to 95%. Landscape 24.04 LTS has a web portal which is accessible to users with deficiencies in colour vision, complete colour blindness, and other visual impairments.

Save terabytes in storage and bandwidth with point-in-time repository snapshots

An overview of the repository management experience in the new Landscape web portal.

Landscape’s new web portal includes an intuitive point-and-click repository mirroring experience, and the repository snapshot service is available as a source when mirroring repositories. In late 2023, Canonical became the first Linux provider to integrate a repository snapshot service with Microsoft Azure’s update mechanisms. Landscape 24.04 LTS brings this simplified and safe deployment practice capability on-premises, and to mixed and hybrid cloud environments.

Benefits of Landscape’s repository snapshot service include predictable updates, consistency across deployments, and simplified repository mirroring, providing improved resilience and security for Ubuntu workloads.

Beyond the conveniences afforded to system administrators, the repository snapshots implementation also saves over 100 terabytes of disk space and network throughput, for organisations making complete repository mirrors every week. Canonical’s on-demand repository snapshot capability extends back to February 2023 for non-ESM (Expanded Security Maintenance) repositories. This innovation frees storage and network resources, because scheduled mirroring and archival of these mirrors becomes unnecessary.

Snap management for Ubuntu and Ubuntu Core

Beyond managing Ubuntu interim and LTS releases, Landscape 24.04 LTS also manages Ubuntu Core, Canonical’s snap based, immutable and strictly-confined operating system. A strictly confined Landscape Client snap package provides snap package management, remote script execution, monitoring and inventory capabilities to Ubuntu, for anyone interested in consuming the latest Landscape Client as a snap package.

Snap management capabilities also exist in the Landscape Client Debian package, available in the Main repository for Ubuntu 24.04 LTS, and in ppa:landscape/self-hosted-24.04 for previous versions of Ubuntu.

Distribution of updated snap revisions is controlled through the Snap Store, which organisations can self-host as a snap store proxy, or as a brand store if there is a need to distribute proprietary non-public snaps within the organisation. Snap management in Landscape 24.04 LTS can add, remove, update, and pause updates from Snap Store, snap store proxy, and brand stores.

Landscape has historically provided fine grained management of Debian packages installed through the apt package manager. With Landscape 24.04 LTS, similar management capabilities arrive for snap packages, with consideration for revisions and channels, which are specific to the snap ecosystem. By default, snap packages self-update through transactional over-the-air updates, and have the ability to rollback automatically if the upgrade fails. Organisations and individuals interested in uniformity across machines can pin revisions of a snap to machines, and ensure consistency between machines that must be uniformly configured.

Next steps

About Canonical

Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.

Learn more at canonical.com.

What’s New in Ubuntu 24.04 LTS for Microsoft/Azure Users

29 April 2024 at 17:28

Canonical recently announced the release of Ubuntu 24.04 LTS, codenamed “Noble Numbat”. This update underscores Ubuntu’s ongoing commitment to enhancing performance and security, focusing on optimizing developer productivity. The latest version features an optimized Linux kernel 6.8 and significant system management upgrades as detailed in the release notes. In this blog post, we highlight the key features and improvements that Ubuntu 24.04 LTS brings to the table, specifically tailored for users of Microsoft/Azure.

Unified marketplace offering

Ubuntu 24.04 LTS introduces a consolidated Azure Marketplace experience. Easily find the official Ubuntu images created by Canonical and endorsed by Microsoft for Azure, all under a single offering: ubuntu-24_04-lts. This simplification aids your search and selection process, helping you choose the right image for your needs and ensuring optimal compatibility and performance. [Explore the Ubuntu 24.04 images on the Azure Marketplace].

Optimized for Azure

Ubuntu 24.04 LTS is finely tuned to enhance performance on Azure infrastructure, ensuring that the Ubuntu images are fully compatible and support the latest cloud features as they are released. This optimization boosts system efficiency, speed, and reliability. Integration with Azure Guest Patching and the Update Management Center facilitates streamlined and continuous system updates, thereby reinforcing the overall security and stability of Ubuntu deployments.

Enhanced developer toolchains

.NET 8 is fully compatible with Ubuntu 24.04 LTS from launch, being directly available through the official Ubuntu feeds. This synchronization with the .NET release cadence ensures developers have immediate access to the latest features and updates. Additionally, .NET 8 introduces streamlined package management and new Ubuntu container images, boosting development flexibility and deployment efficiency. (Read more in this Microsoft blog post.)

The commitment to developer productivity also extends to other popular programming languages, including TCK-certified Java versions and the latest Rust toolchains, enhancing support and smoothing the development experience.

Confidential Computing

Ubuntu continues to lead in confidential computing with support for Confidential VMs, including capabilities for confidential AI. This is facilitated by utilizing advanced hardware security extensions such as AMD’s 4th Gen EPYC processors with SEV-SNP and NVIDIA H100 Tensor Core GPUs. These features help safeguard data at runtime from system vulnerabilities and unauthorized access, making them particularly suitable for AI training and data inference involving sensitive information.

Windows Subsystem for Linux (WSL)

Ubuntu 24.04 LTS enhances its WSL integration using the same installer technology as Ubuntu Server. This update includes support for cloud-init, standardizing developer environments across installations and ensuring consistent and streamlined workflows.

Wrapping up

As we explore the capabilities of Ubuntu 24.04 LTS, Microsoft/Azure users will experience an integration that is tailored to current technological needs and equipped for upcoming developments. This version is supported for up to 12 years, providing a stable and reliable foundation that enterprises and developers can rely on for long-term projects and innovation.

What’s new in security for Ubuntu 24.04 LTS?

24 April 2024 at 08:40
Photo by Gabriel Heinzer on Unsplash

We’re excited about the upcoming Ubuntu 24.04 LTS release, Noble Numbat. Like all Ubuntu releases, Ubuntu 24.04 LTS comes with 5 years of free security maintenance for the main repository. Support can be expanded for an extra 5 years, and to include the universe repository, via Ubuntu Pro. Organisations looking to keep their systems secure without needing a major upgrade can also get the Legacy Support add-on to expand that support beyond the 10 years. Combined with the enhanced security coverage provided by Ubuntu Pro and Legacy Support, Ubuntu 24.04 LTS provides a secure foundation on which to develop and deploy your applications and services in an increasingly risky environment. In this blog post, we will look at some of the enhancements and security features included in Noble Numbat, building on those available in Ubuntu 22.04 LTS.

Unprivileged user namespace restrictions

Unprivileged user namespaces are a widely used feature of the Linux kernel, providing additional security isolation for applications, and are often employed as part of a sandbox environment. They allow an application to gain additional permissions within a constrained environment, so that a more trusted part of an application can then use these additional permissions to create a more constrained sandbox environment within which less trusted parts can then be executed. A common use case is the sandboxing employed by modern web browsers, where the (trusted) application itself sets up the sandbox in which it executes the untrusted web content. However, by providing these additional permissions, unprivileged user namespaces also expose additional attack surfaces within the Linux kernel, and there is a long history of (ab)use of unprivileged user namespaces to exploit various kernel vulnerabilities.

The most recent interim release of Ubuntu, 23.10, introduced the ability to restrict the use of unprivileged user namespaces to only those applications which legitimately require such access. In Ubuntu 24.04 LTS, this feature has been improved both to cover additional applications, within Ubuntu and from third parties, and to provide better default semantics. In Ubuntu 24.04 LTS, the creation of unprivileged user namespaces is allowed for all applications, but access to any additional permissions within the namespace is denied. This allows more applications to handle the default restriction gracefully whilst still protecting against the abuse of user namespaces to gain access to additional attack surfaces within the Linux kernel.

Binary hardening

Modern toolchains and compilers have gained many enhancements to be able to create binaries that include various defensive mechanisms. These include the ability to detect and avoid various possible buffer overflow conditions as well as the ability to take advantage of modern processor features like branch protection for additional defence against code reuse attacks.

The GNU C library, used as the cornerstone of many applications on Ubuntu, provides runtime detection of, and protection against, certain types of buffer overflow cases, as well as certain dangerous string handling operations, via the use of the _FORTIFY_SOURCE macro. FORTIFY_SOURCE can be specified at various levels providing increasing security features, ranging from 0 to 3. Modern Ubuntu releases have all used FORTIFY_SOURCE=2, which provided a solid foundation by including checks on string handling functions like sprintf(), strcpy() and others to detect possible buffer overflows, as well as format-string vulnerabilities via the %n format specifier in various cases. Ubuntu 24.04 LTS enables additional security features by increasing this to FORTIFY_SOURCE=3. Level three greatly enhances the detection of possible dangerous use of a number of other common memory management functions including memmove(), memcpy(), snprintf(), vsnprintf(), strtok() and strncat(). This feature is enabled by default in the gcc compiler within Ubuntu 24.04 LTS, so that all packages in the Ubuntu archive which are compiled with gcc, or any applications compiled with gcc on Ubuntu 24.04 LTS, also receive this additional protection.

The Armv8-M hardware architecture (provided by the “arm64” software architecture on Ubuntu) provides hardware-enforced pointer authentication and branch target identification. Pointer authentication provides the ability to detect malicious stack buffer modifications which aim to redirect pointers stored on the stack to attacker controlled locations, whilst branch target identification is used to track certain indirect branch instructions and the possible locations which they can target. By tracking such valid locations, the processor can detect possible malicious jump-oriented programming attacks which aim to use existing indirect branches to jump to other gadgets within the code. The gcc compiler supports these features via the -mbranch-protection option. In Ubuntu 24.04 LTS, the dpkg package now enables -mbranch-protection=standard, so that all packages within the Ubuntu archive enable support for these hardware features where available.

AppArmor 4

The aforementioned unprivileged user namespace restrictions are all backed by the AppArmor mandatory access control system. AppArmor allows a system administrator to implement the principle of least authority by defining which resources an application should be granted access to and denying all others. AppArmor consists of a userspace package, which is used to define the security profiles for applications and the system, as well as the AppArmor Linux Security Module within the Linux kernel, which provides enforcement of the policies. Ubuntu 24.04 LTS includes the latest AppArmor 4.0 release, providing support for many new features, such as specifying allowed network addresses and ports within the security policy (rather than just high-level protocols) or various conditionals to allow more complex policy to be expressed. An exciting new development provided by AppArmor 4 in Ubuntu 24.04 LTS is the ability to defer access control decisions to a trusted userspace program. This allows for quite advanced decision making to be implemented, by taking into account the greater context available within userspace, or even to interact with the user or system administrator in real time. For example, the experimental snapd prompting feature takes advantage of this work to allow users to exercise direct control over which files a snap can access within their home directory. Finally, within the kernel, AppArmor has gained the ability to mediate access to user namespaces as well as the io_uring subsystem, both of which have historically provided additional kernel attack surfaces to malicious applications.

Disabling of old TLS versions

The use of cryptography for private communications is the backbone of the modern internet. The Transport Layer Security protocol has provided confidentiality and integrity to internet communications since it was first standardised in 1999 with TLS 1.0. This protocol has undergone various revisions since that time to introduce additional security features and avoid various security issues inherent in the earlier versions of this standard. Given the wide range of TLS versions and options supported by each, modern internet systems will use a process of auto-negotiation to select an appropriate combination of protocol version and parameters when establishing a secure communications link. In Ubuntu 24.04 LTS, TLS 1.0, 1.1 and DTLS 1.0 are all forcefully disabled (for any applications that use the underlying openssl or gnutls libraries) to ensure that users are not exposed to possible TLS downgrade attacks which could expose their sensitive information.

Upstream Kernel Security Features

Linux kernel v5.15 was used as the basis for the Linux kernel in the previous Ubuntu 22.04 LTS release. This provided a number of kernel security features including core scheduling, kernel stack randomisation and unprivileged BPF restrictions to name a few. Since that time, the upstream Linux kernel community has been busy adding additional kernel security features. Ubuntu 24.04 LTS includes the v6.8 Linux kernel which provides the following additional security features:

Intel shadow stack support

Modern Intel CPUs support an additional hardware feature aimed at preventing certain types of return-oriented programming (ROP) and other attacks that target the malicious corruption of the call stack. A shadow stack is a hardware enforced copy of the stack return address that cannot be directly modified by the CPU. When the processor returns from a function call, the return address from the stack is compared against the value from the shadow stack; if the two differ, the process is terminated to prevent a possible ROP attack. Whilst compiler support for this feature has been enabled for userspace packages since Ubuntu 19.10, it could not be used until it was also supported by the kernel and the C library. Ubuntu 24.04 LTS includes this additional support for shadow stacks to allow this feature to be enabled when desired by setting the GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK environment variable.

Secure virtualisation with AMD SEV-SNP and Intel TDX

Confidential computing represents a fundamental departure from the traditional threat model, where vulnerabilities in the complex codebase of privileged system software like the operating system, hypervisor, and firmware pose ongoing risks to the confidentiality and integrity of both code and data. Likewise, unauthorised access by a malicious cloud administrator could jeopardise the security of your virtual machine (VM) and its environment. Building on the innovation of Trusted Execution Environments at the silicon level, Ubuntu Confidential VMs aim to restore your control over the security assurances of your VMs.

For the x86 architecture, both AMD and Intel processors provide hardware features (named AMD SEV-SNP and Intel TDX respectively) to support running virtual machines with memory encryption and integrity protection. They ensure that the data contained within the virtual machine is inaccessible to the hypervisor and hence the infrastructure operator. Support for using these features as a guest virtual machine was introduced in the upstream Linux kernel version 5.19.

Thanks to Ubuntu Confidential VMs, a user can make use of compute resources provided by a third party whilst maintaining the integrity and confidentiality of their data through the use of memory encryption and other features. On the public cloud, Ubuntu offers the widest portfolio of confidential VMs. These build on the innovation of both the hardware features, with offerings available across Microsoft Azure, Google Cloud and Amazon AWS.

For enterprise customers seeking to harness confidential computing within their private data centres, a fully enabled software stack is essential. This stack encompasses both the guest side (kernel and OVMF) and the host side (kernel-KVM, QEMU, and Libvirt). Currently, the host-side patches are not yet upstream. To address this, Canonical and Intel have forged a strategic collaboration to empower Ubuntu customers with an Intel-optimised TDX Ubuntu build. This offering includes all necessary guest and host patches, even those not yet merged upstream, starting with Ubuntu 23.10 and extending into 24.04 and beyond. The complete TDX software stack is accessible through this github repository.

This collaborative effort enables our customers to promptly leverage the security assurances of Intel TDX. It also serves to narrow the gap between silicon innovation and software readiness, a gap that grows as Intel continues to push the boundaries of hardware innovation with 5th Gen Intel Xeon scalable processors and beyond.

Strict compile-time bounds checking

Similar to the hardening of binaries within the libraries and applications distributed in Ubuntu, the Linux kernel itself gained enhanced support for detecting possible buffer overflows at compile time via improved bounds checking of the memcpy() family of functions. Within the kernel, the FORTIFY_SOURCE macro enables various checks in memory management functions like memcpy() and memset() by checking that the size of the destination object is large enough to hold the specified amount of memory, and if not will abort the compilation process. This helps to catch various trivial memory management issues, but previously was not able to properly handle more complex cases such as when an object was embedded within a larger object. This is quite a common pattern within the kernel, and so the changes introduced in the upstream 5.18 kernel version to enumerate and fix various such cases greatly improve this feature. Now the compiler is able to detect and enforce stricter checks when performing memory operations on sub-objects to ensure that other object members are not inadvertently overwritten, avoiding an entire class of possible buffer overflow vulnerabilities within the kernel.
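As an added illustration (not code from the article, Ubuntu or the kernel) of the sub-object case described above, and of the run-time size check that FORTIFY_SOURCE=3 extends to glibc's memcpy() family, the following C program embeds a fixed-size header inside a larger record, shows how a copy sized for the whole record silently overwrites the members after the header, and contrasts it with a copy bounded by the sub-object size. The struct layout, the canary value and the helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (not from the article): a fixed-size header embedded
 * inside a larger record, followed by further members. */
struct header {
    uint32_t id;
    uint16_t len;
    uint16_t flags;
};                          /* 8 bytes */

struct record {
    struct header hdr;      /* the sub-object a copy is meant to fill */
    uint8_t payload[8];     /* member that sits right after the sub-object */
    uint32_t canary;        /* sentinel: any change means hdr was overrun */
};                          /* 20 bytes, no padding */

#define CANARY 0xCAFEF00Du

/* Builds a constructed source buffer of n bytes of 'A' (0x41), at most
 * sizeof(struct record) so the copies below never leave the record. */
static size_t make_source(uint8_t *src, size_t cap, size_t n)
{
    if (n > cap)
        return 0;
    memset(src, 0x41, n);
    return n;
}

/* Unchecked copy into the sub-object. Every byte lands inside the enclosing
 * struct, so a whole-object bound (object-size mode 0) is satisfied while
 * the neighbouring members are silently overwritten. Returns the canary
 * afterwards so the damage can be observed. */
uint32_t unchecked_header_copy(size_t n)
{
    uint8_t src[sizeof(struct record)];
    struct record r;

    if (make_source(src, sizeof src, n) == 0)
        return 0;
    memset(&r, 0, sizeof r);
    r.canary = CANARY;
    memcpy(&r.hdr, src, n);           /* n > sizeof r.hdr spills over */
    return r.canary;
}

/* Bounded copy: refuses when the byte count exceeds the destination
 * sub-object. This is the bound a mode-1 object-size check enforces at
 * compile time for constant sizes, and the bound FORTIFY_SOURCE=3 lets glibc
 * enforce at run time via the dynamic object size. Returns 0 on success and
 * -1 on an attempted overrun, in which case nothing is written. */
int bounded_header_copy(struct record *r, const void *src, size_t n)
{
    if (n > sizeof r->hdr)
        return -1;
    memcpy(&r->hdr, src, n);
    return 0;
}

/* Same scenario as unchecked_header_copy(), but through the bounded copy,
 * so the canary survives an oversized request. */
uint32_t checked_header_copy(size_t n)
{
    uint8_t src[sizeof(struct record)];
    struct record r;

    if (make_source(src, sizeof src, n) == 0)
        return 0;
    memset(&r, 0, sizeof r);
    r.canary = CANARY;
    (void)bounded_header_copy(&r, src, n);
    return r.canary;
}

/* The two sizes the compiler attributes to &r.hdr: mode 0 is the whole
 * enclosing object, mode 1 the closest sub-object. A result of (size_t)-1
 * means the compiler could not determine the size at that call site. */
size_t enclosing_object_size(void)
{
    static struct record r;
    return __builtin_object_size(&r.hdr, 0);
}

size_t subobject_size(void)
{
    static struct record r;
    return __builtin_object_size(&r.hdr, 1);
}

int main(void)
{
    printf("object size seen for &r.hdr: whole=%zu sub=%zu\n",
           enclosing_object_size(), subobject_size());
    printf("unchecked copy of 20 bytes: canary=0x%08x\n",
           unchecked_header_copy(sizeof(struct record)));
    printf("bounded copy of 20 bytes:   canary=0x%08x\n",
           checked_header_copy(sizeof(struct record)));
    return 0;
}
```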

Wrapping up

Overall, the vast range of security improvements that have gone into Ubuntu 24.04 LTS greatly improve on the strong foundation provided by previous Ubuntu releases, making it the most secure release to date. Additional features within the kernel, within userspace and across the distribution as a whole combine to address entire vulnerability classes and attack surfaces. With up to 12 years of support, Ubuntu 24.04 LTS provides the best and most secure foundation to develop and deploy Linux services and applications. Expanded Security Maintenance, kernel livepatching and additional services are all provided to Ubuntu Pro subscribers to enhance the security of their Ubuntu deployments.

DISA publishes STIG for Ubuntu 22.04 LTS

18 April 2024 at 16:39

Introduction

DISA, the Defense Information Systems Agency, has published their Security Technical Implementation Guide (STIG) for Ubuntu 22.04 LTS. The STIG is free for the public to download from the DOD Cyber Exchange. Canonical has been working with DISA since we published Ubuntu 22.04 LTS to draft this STIG, and we are delighted that it is now finalised and available for everyone to use.

We are now developing the Ubuntu Security Guide profile with a target release in summer 2024.

What is a STIG?

A STIG is a set of guidelines for how to configure an application or system in order to harden it. Hardening means reducing the system’s attack surface: removing unnecessary software packages, locking down default values to the tightest possible settings and configuring the system to run only what you explicitly require. System hardening guidelines also seek to lessen collateral damage in the event of a compromise.

STIGs are intended to be applied with judgement and common sense. Each mission or deployment is going to be different: where a piece of guidance doesn’t make sense for your specific needs, you can choose your own path forward whilst keeping the overall intentions of the STIG in mind.

The STIGs have been primarily developed for use within the US Department of Defense. However, because they are based on universally-recognised security principles, they can be used by anyone who wants a robust system hardening framework. As a result, STIGs are being more widely adopted across the US government and numerous industries, such as financial services and online gaming.

When will Canonical publish a DISA-STIG USG profile?

The STIG that DISA has published is primarily composed of a manual XCCDF XML document that describes in human-readable words how to configure Ubuntu 22.04 LTS. This XML file contains nearly 200 individual pieces of guidance, which can be quite a daunting prospect to tackle from scratch. To simplify this process, Canonical produces the Ubuntu Security Guide (USG), an automation tool that handles both the checking and remediation of the STIG rules. USG is available as part of Ubuntu Pro, and can be enabled through the Pro client.

Our engineering team is currently working through the XCCDF document and codifying the rules into a new profile for USG. We will publish the STIG profile for USG in the coming months, with a target release in summer 2024, and will make an announcement at that time.

Conclusion

The STIG for Ubuntu 22.04 LTS will allow any users or administrators to harden their systems in accordance with this rigorous standard. Doing this by hand is a time-consuming proposition, so we recommend waiting until automated tooling is available to speed up the hardening and auditing process; the USG profile is in active development and will be published as soon as it’s ready.

Further resources

Canonical presence at Qualcomm DX Summit @Hannover Messe

16 April 2024 at 12:57

At the world’s leading industrial trade fair, companies from the mechanical engineering, electrical engineering and digital industries as well as the energy sector will come together to present solutions for a high-performance, but also sustainable industry at Hannover Messe. This year, Qualcomm brought its DX Summit to Hannover Messe, putting together business and technology leaders to discuss digital transformation solutions and experiences that are moving enterprise forward today, from manufacturing to logistics, transportation, energy and more.

Canonical will join the Qualcomm DX Summit at Hannover Messe on April 23rd, 2024, where industry experts will delve into the cutting-edge technologies that are driving Industry 4.0 forward. We’re looking forward to meeting our partners and customers on-site to discuss the latest in open-source innovation, and solutions on edge AI. Fill in the form and get a free ticket for Qualcomm DX Summit and Hannover Messe from Canonical.

Book a meeting with us

Canonical and Qualcomm collaborate to speed up Industry 4.0 adoption

Last week, Canonical and Qualcomm Technologies announced a strategic collaboration to bring Ubuntu and Ubuntu Core to devices powered by Qualcomm® processors, which offers an easy solution for developers to create safe, compliant, security-focused, and high-performing applications for multiple industries including industrial, robotics and edge automation.

Secure and scale your smart edge AI deployments with Ubuntu

During the event, Canonical will present a talk using a real-world case-study to showcase our joint offering with Qualcomm and illustrate how Canonical solutions benefit enterprise IoT customers to bring digital transformation and AI to their latest IoT projects.

Presenter: Aniket Ponkshe, Director of Silicon Alliances, Canonical

Date and time: 2:20 pm – 2:40 pm, April 23rd, 2024

Location: Hall 18

Schedule a meeting with our devices experts


Canonical Delivers Secure, Compliant Cloud Solutions for Google Distributed Cloud

9 April 2024 at 10:55

Today, Canonical is thrilled to announce our expanded collaboration with Google Cloud to provide Ubuntu images for Google Distributed Cloud. This partnership empowers Google Distributed Cloud customers with security-focused Ubuntu images, ensuring they meet the most stringent compliance standards.

Since 2021, Google Cloud, with its characteristic vision, has built a strong partnership with Canonical. This collaboration highlights both companies’ commitment to providing customers with the air-gapped cloud solutions they need. Through this partnership, Google Cloud demonstrates its strategic brilliance – delegating foundational image creation and maintenance to Canonical’s expertise, allowing Google Cloud to focus on the heart of Google Distributed Cloud development. Canonical’s dedication to rigorous testing upholds the reliability that data centers demand. Moreover, proactive support helps swiftly tackle critical issues, ensuring seamless data center operations. This partnership is a testament to the power of strategic collaborations in the tech sector:

  • GDC Ready OS Images: Canonical supports multiple active releases of Google Distributed Cloud (1.9.x, 1.10.x, 1.11.x, and 1.12.x) ensuring Google Cloud has flexibility and choice.
  • Risk Mitigation: Canonical employs a two-tiered image system, “development” and “stable”. This allows for thorough testing of changes before they are released into the stable production environment, minimizing potential problems.

These key benefits are the result of our unwavering pursuit of progress and innovation. Google Distributed Cloud customers can expect to reap the rewards of our continuous hard work:

  • FIPS & CIS Compliance: Google Distributed Cloud customers operating in highly regulated industries can confidently deploy FIPS-compliant and CIS-hardened Ubuntu images, knowing they adhere to critical security standards.
  • Multi-distro Support: Ubuntu’s adaptability allows Google Distributed Cloud users to run a diverse range of distro images, maximizing their choice and flexibility within the cloud environment.
  • Air-gapped Innovation: Canonical and Google Cloud are dedicated to supporting air-gapped cloud technology, providing secure, cutting-edge solutions for customers with even the most sensitive data requirements.

At Canonical, we’re committed to open-source innovation. This collaboration with Google Cloud is a prime example of how we can work together to deliver industry-leading cloud solutions to our customers. We look forward to continued partnership and providing even more value to the Google Distributed Cloud ecosystem.

Deploying Open Language Models on Ubuntu

28 March 2024 at 22:18

This blog post explores the technical and strategic benefits of deploying open-source AI models on Ubuntu. We’ll highlight why it makes sense to use Ubuntu with open-source AI models, and outline the deployment process on Azure.

Authored by Gauthier Jolly, Software Engineer, CPC, and Jehudi Castro-Sierra, Public Cloud Alliance Director, both from Canonical.

Why Ubuntu for Open-Source AI?

  • Open Philosophy: Ubuntu’s open-source nature aligns seamlessly with the principles of open-source AI models, fostering collaboration and accessibility.
  • Seamless Integration: Deploying open-source AI is smooth on Ubuntu, thanks to its robust support for AI libraries and tools.
  • Community: Ubuntu’s large community provides valuable resources and knowledge-sharing for AI development.

The Role of Ubuntu Pro

Ubuntu Pro elevates the security and compliance aspects of deploying AI models, offering extended security maintenance, comprehensive patching, and automated compliance features that are vital for enterprise-grade applications. Its integration with Confidential VMs on Azure enhances the protection of sensitive data and model integrity, making it an indispensable tool for tasks requiring stringent security measures like ML training, inference, and confidential multi-party data analytics.

Why use the public cloud for deploying AI models?

Using a public cloud like Azure gives straightforward access to powerful GPUs and Confidential Compute capabilities, essential for intensive AI tasks. These features significantly reduce the time and complexity involved in setting up and running AI models, without compromising on security and privacy. Although some may opt for on-prem deployment due to specific requirements, Azure’s scalable and secure environment offers a compelling argument for cloud-based deployments.

Provisioning and Configuration

We are going to explore using open models on Azure by creating an instance with Ubuntu, installing NVIDIA drivers for GPU support, and setting up Ollama for running the models. The process is technical, involving CLI commands for creating the resource group, VM, and configuring NVIDIA drivers. Ollama, the chosen tool for running models like Mixtral, is best installed using Snap for a hassle-free experience, encapsulating dependencies and simplifying updates.

Provision an Azure VM

Begin by creating a resource group and then a VM with the Ubuntu image using the Azure CLI.

az group create --location westus --resource-group ml-workload
az vm create \
    --resource-group ml-workload \
    --name jammy \
    --image Ubuntu2204 \
    --generate-ssh-keys \
    --size Standard_NC4as_T4_v3 \
    --admin-username ubuntu --license-type UBUNTU_PRO

Note the publicIpAddress from the output – you’ll need it to SSH into the VM.

Install NVIDIA Drivers (GPU Support)

For GPU capabilities, install NVIDIA drivers using Ubuntu’s package management system. Restart the system after installation.

sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y ubuntu-drivers-common
sudo ubuntu-drivers install
sudo systemctl reboot

Important: Standard NVIDIA drivers don’t support vGPUs (fractional GPUs). See instructions on the Azure site for installing GRID drivers, which might involve building an unsigned kernel module (which may be incompatible with Secure Boot).

Deploying Ollama with Snap

Snap simplifies the installation of Ollama and its dependencies, ensuring compatibility and streamlined updates. The --beta flag gives you access to the latest features and versions, which might still be under development.

sudo snap install --beta ollama

Configuration

Configure Ollama to use the ephemeral disk

sudo mkdir /mnt/models
sudo snap connect ollama:removable-media # to allow the snap to reach /mnt
sudo snap set ollama models=/mnt/models

Installing Mixtral

At this point, you can run one of the open models available out of the box, like mixtral or llama2. If you have a fine-tuned version of these models (a process that involves further training on a specific dataset), you can run those as well.

ollama run mixtral

The first run might take a while to download the model.

Now you can use the model through the console interface.

Installing a UI

This step is optional, but provides a UI via your web browser.

sudo snap install --beta open-webui

Access the web UI securely

To quickly access the UI without open ports in the Azure security group, you can create an SSH tunnel to your VM using the following command:

ssh -L 8080:localhost:8080 ubuntu@${IP_ADDR}

Go to http://localhost:8080 in your web browser on your local machine (the command above tunnels the traffic from your localhost to the instance on Azure).

In case you want to make this service public, follow this documentation.

Verify GPU usage

sudo watch -n2 nvidia-smi

Check that the ollama process is using the GPU; you should see something like this:

+---------------------------------------------------------------------------+
| Processes:                                                                |
|  GPU   GI   CI        PID   Type   Process name                GPU Memory |
|        ID   ID                                                 Usage      |
|===========================================================================|
|    0   N/A  N/A      1063      C   /snap/ollama/13/bin/ollama     4882MiB |
+---------------------------------------------------------------------------+
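The steps above end with a visual check of nvidia-smi. The following script is an added example, not part of the original post: it turns that check, and the "no open ports, tunnel over SSH" advice for the web UI, into two small functions that read command output from stdin. On the VM you would run `nvidia-smi | gpu_memory_for ollama` and `ss -ltn | exposed_listeners 8080`; here both run against constructed sample output (the nvidia-smi table mirrors the one shown above, the `ss -ltn` lines are invented). The Open WebUI port 8080 and the `/snap/ollama/...` path come from the post; everything else is assumed. Binding the UI to loopback is a complement to the Azure network security group, not a replacement for it.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment checks for the
# Ollama / Open WebUI setup. Both check functions read command output on stdin.

# Constructed sample of the nvidia-smi process table (mirrors the one shown above).
SAMPLE_SMI='+---------------------------------------------------------------------------+
| Processes:                                                                |
|  GPU   GI   CI        PID   Type   Process name                GPU Memory |
|        ID   ID                                                 Usage      |
|===========================================================================|
|    0   N/A  N/A      1063      C   /snap/ollama/13/bin/ollama     4882MiB |
+---------------------------------------------------------------------------+'

# Constructed sample of `ss -ltn` output: web UI on loopback only, sshd on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:8080       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*'

# gpu_memory_for PATTERN: sum the GPU memory (MiB) of compute ("C") processes whose
# executable path matches PATTERN, reading nvidia-smi output from stdin. Prints 0 if none.
gpu_memory_for() {
    awk -v pat="$1" '
        /^\|/ && $0 !~ /Processes:|Process name|Usage/ {
            line = $0
            sub(/[ \t]+$/, "", line)            # drop trailing whitespace
            gsub(/^\| *| *\|$/, "", line)       # drop the table borders
            n = split(line, f, / +/)            # GPU GI CI PID Type Name Mem
            if (n >= 7 && f[5] == "C" && f[6] ~ pat) {
                sub(/MiB$/, "", f[7])
                total += f[7] + 0
            }
        }
        END { print total + 0 }'
}

# exposed_listeners PORT: print the local address of every LISTEN socket on PORT that
# is not bound to loopback, reading `ss -ltn` output from stdin. Empty output means
# the port is reachable only via localhost, i.e. only through the SSH tunnel.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            p = $4;    sub(/.*:/, "", p)
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") print addr
        }'
}

# verify_deployment SMI_OUTPUT SS_OUTPUT: succeeds when ollama holds GPU memory and
# the UI port is loopback-only. Takes the outputs as arguments so it works on live
# data (`verify_deployment "$(nvidia-smi)" "$(ss -ltn)"`) as well as on the samples.
verify_deployment() {
    smi_out="$1"; ss_out="$2"
    mem=$(printf '%s\n' "$smi_out" | gpu_memory_for ollama)
    exposed=$(printf '%s\n' "$ss_out" | exposed_listeners 8080)
    [ "$mem" -gt 0 ] && [ -z "$exposed" ]
}

# Demo on the constructed samples.
printf 'ollama GPU memory: %s MiB\n' "$(printf '%s\n' "$SAMPLE_SMI" | gpu_memory_for ollama)"
if verify_deployment "$SAMPLE_SMI" "$SAMPLE_SS"; then
    echo "checks passed: ollama on GPU, UI port 8080 bound to loopback only"
else
    echo "check failed: inspect nvidia-smi / ss -ltn output" >&2
fi
```

A "G" (graphics) entry or a zero total means the model is running on the CPU, which is the most common symptom of a driver that did not load (for example an unsigned GRID module under Secure Boot, as noted above).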

Complementary and Alternative Solutions

  • Charmed Kubeflow: Explore this solution for end-to-end MLOps (Machine Learning Operations), providing a streamlined platform to manage every stage of the machine learning lifecycle. It’s particularly well-suited for complex or large-scale AI deployments.
  • Azure AI Studio: Provides ease of use for those seeking less customization.

Conclusion

Ubuntu’s open-source foundation and robust ecosystem make it a compelling choice for deploying open-source AI models. When combined with Azure’s GPU capabilities and Confidential Compute features, you gain a flexible, secure, and performant AI solution.

Profile workloads on x86-64-v3 to enable future performance gains

27 March 2024 at 14:04

Ubuntu 23.10 experimental image with x86-64-v3 instruction set now available on Azure

Canonical is enabling enterprises to evaluate the performance of their most critical workloads in an experimental Ubuntu image on Azure compiled with x86-64-v3, which is a microarchitecture level that has the potential for performance gains. Developers can use this image to characterise workloads, which can help inform planning for a transition to x86-64-v3 and provide valuable input to the community working to make widespread adoption of x86-64-v3 a reality. 

The x86-64-v3 instruction set enables hardware features that have been added by chip vendors since the original instruction set architecture (ISA) commonly known as x86-64-v1, x86-64, or amd64. Canonical Staff Engineer Michael Hudson-Doyle recently wrote about the history of the x86-64/amd64 instruction sets, what these v1 and v3 microarchitecture levels represent, and how Canonical is evaluating their performance. While fully backwards compatible, later versions of these feature groups are not available on all hardware, so when deciding on an ISA image you must choose to maximise the supported hardware or to get access to more recent hardware capabilities. Canonical plans to continue supporting x86-64-v1 as there is a significant amount of legacy hardware deployed in the field. However, we also want to enable users to take advantage of newer x86-64-v3 hardware features that provide the opportunity for performance improvements the industry isn’t yet capitalising on.
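Before choosing between a v1 and a v3 image it helps to know which level the hardware actually satisfies; a binary built for x86-64-v3 that lands on a v1-only CPU dies with an illegal-instruction fault. The following script is an added example (not from the post) that reads the CPU feature flags Linux exposes in /proc/cpuinfo and reports the highest level they meet. The flag sets are the x86-64 psABI level definitions as I know them (v2: CMPXCHG16B, LAHF/SAHF, POPCNT, SSE3, SSSE3, SSE4.1, SSE4.2; v3 adds AVX, AVX2, BMI1, BMI2, F16C, FMA, LZCNT, MOVBE, OSXSAVE); the cpuinfo excerpts are constructed, not captured from real machines.

```shell
#!/bin/sh
# Added example (not from the original post): classify a CPU as x86-64-v1, v2 or v3
# from the "flags" line of /proc/cpuinfo.

# cpuinfo flag names for the v2 additions (cx16 = CMPXCHG16B, lahf_lm = LAHF/SAHF,
# pni = SSE3).
V2_FLAGS="cx16 lahf_lm popcnt pni sse4_1 sse4_2 ssse3"
# cpuinfo flag names for the v3 additions (abm = LZCNT; "xsave" stands in for
# OSXSAVE, which reflects OS enablement rather than a CPU flag).
V3_FLAGS="avx avx2 bmi1 bmi2 f16c fma abm movbe xsave"

# missing_flags "FLAGS-LINE" "wanted flags": print each wanted flag absent from the line.
missing_flags() {
    have=" $1 "
    for f in $2; do
        case "$have" in
            *" $f "*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# cpu_level "FLAGS-LINE": print the highest level (v1, v2 or v3) the flags satisfy.
cpu_level() {
    flags="$1"
    if [ -n "$(missing_flags "$flags" "$V2_FLAGS")" ]; then echo v1
    elif [ -n "$(missing_flags "$flags" "$V3_FLAGS")" ]; then echo v2
    else echo v3
    fi
}

# flags_from_cpuinfo: extract the flag list of the first CPU from cpuinfo text on stdin.
flags_from_cpuinfo() {
    awk -F': ' '/^flags/ { print $2; exit }'
}

# Constructed cpuinfo excerpts (not real machines): a Haswell-class CPU and a v2-only CPU.
CPUINFO_V3='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm fsgsbase bmi1 avx2 smep bmi2 erms invpcid xsaveopt'
CPUINFO_V2='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc rep_good nopl pni ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm'

# Demo on the constructed excerpts; on a real host use:
#   cpu_level "$(flags_from_cpuinfo < /proc/cpuinfo)"
for info in "$CPUINFO_V3" "$CPUINFO_V2"; do
    flags=$(printf '%s\n' "$info" | flags_from_cpuinfo)
    printf 'level: %s' "$(cpu_level "$flags")"
    miss=$(missing_flags "$flags" "$V3_FLAGS")
    if [ -n "$miss" ]; then
        printf ' (missing for v3: %s)' "$(printf '%s' "$miss" | tr '\n' ' ')"
    fi
    echo
done
```

The same check is useful inside a VM: a cloud instance type only exposes the flags its virtual CPU model advertises, so the guest, not the physical host, decides whether a v3 image is viable.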

Untapped performance and power benefits

Intel and Canonical partner closely to ensure that Ubuntu takes full advantage of the advanced hardware features Intel silicon offers, and the Ubuntu image on Azure is an interim step towards giving the industry access to the capabilities of x86-64-v3 and understanding the benefits that it offers. Intel has made x86-64-v3 available since Intel Haswell was first announced a decade ago. Support in their low power processor family is more recent, arriving in the Gracemont microarchitecture which was first in the 12th generation of Intel Core processors. Similarly, AMD has had examples since 2015, and emulators such as QEMU have supported x86-64-v3 since 2022. Yet, with this broad base of hardware availability, distro support of the features in the x86-64-v3 microarchitecture level is not widespread. In the spirit of enabling Ubuntu everywhere and ensuring that users can benefit from the unique features on different hardware families, Canonical feels strongly about enabling a transition to x86-64-v3 while remaining committed to our many users on hardware that doesn’t support v3. x86-64-v3 is available in a significant amount of hardware, and provides the opportunity for performance improvements which are currently being left on the table. This is why we believe that v3 is the next logical microarchitecture level to offer in Ubuntu, and Michael’s blog post explains in greater detail why v3 should be chosen instead of v2 or v4.

Not just a porting exercise

The challenge with enabling the transition to v3 is that while we expect a broad range of performance improvements depending on the workload, the results are much more nuanced. From Canonical’s early benchmarking we see that certain workloads see significant benefit from the adoption of x86-64-v3; however there are outliers that regress and need further analysis.

Canonical continues to do benchmarking, with plans to evaluate different compilers, compiler parameters, and configurations of hostOS and guestOS. In certain cases, such as the Glibc Log2 benchmark, we have reproducibly seen up to a 60% improvement. On the other hand, we also see other benchmarks that regress significantly. When digging in, we found unexpected behaviour in the compiled code. For example, in one of the benchmarks we verified an excessive number of moves between registers, leading to much worse performance due to the increased latency. In another situation, we noticed a large code size increase, as enabling x86-64-v3 on optimised SSE code caused the compiler to expand it into 17x more instructions, due to a possible bug during the translation to VEX encoding. With community efforts, these outliers could be resolved. However, they will require interdisciplinary collaboration to do so. This also underscores the necessity of benchmarking different types of workloads, so that we can understand their specific performance and bottlenecks. That’s why we believe it’s important to enable workloads to run on Azure, so that a broader community can give feedback and enable further optimisation.

Try Ubuntu 23.10 with x86-64-v3 on Azure today

The community now has access to resources on Azure to easily evaluate the performance of x86-64-v3 for their workloads, so that they can understand the benefits of migrating and can identify where improvements are still required. What is being shared today is experimental and for evaluation and benchmarking purposes only, which means that it won’t receive security updates or other maintenance updates you would expect for an image you could use in production. When x86-64-v3 is introduced for production workloads there will be a benefit to being able to run both v3 and v1 depending on the workload and hardware available. As is usually the case, the answer to the question of whether to run on a v3 image or a v1 image is ‘it depends’. This image provides the tools to answer that cost, power, and performance optimisation problem. In addition to the availability of the cloud image on Azure, we’ve also previously posted on the availability of Ubuntu 23.04 rebuilt to target the x86-64-v3 microarchitecture level, and made available installer images from that archive. These are additional tools that the community can use to benchmark, when cloud environments can’t be targeted.

In order to access the image on Azure and use it, you can follow the instructions in our discourse post. Please be sure to leave your feedback there, or Contact us directly to discuss your use case.

Canonical expands Long Term Support to 12 years starting with Ubuntu 14.04 LTS

25 March 2024 at 15:59

Today, Canonical announced the general availability of Legacy Support, an Ubuntu Pro add-on that expands security and support coverage for Ubuntu LTS releases to 12 years. The add-on will be available for Ubuntu 14.04 LTS onwards. 

Long term supported Ubuntu releases get five years of free security maintenance on the main Ubuntu repository. Ubuntu Pro expands that commitment to 10 years on both the main and universe repositories, providing enterprises and end users alike access to a vast secure open source software library. The subscription also comes with a phone and ticket support tier. Ubuntu Pro subscribers can purchase an extra two years of security maintenance and support with the new Legacy Support add-on. 

“We’re thrilled to offer our customers additional years of security maintenance and support for Ubuntu LTS releases”, said Maximilian Morgan, Global VP of Support Engineering at Canonical. “Drawing on 20 years of excellence in open source, Canonical delivers expert security maintenance and support for customers around the world. With Legacy Support, we empower organisations to navigate their operational needs and investments into open source with confidence, ensuring their systems remain available, secure, and supported for many years to come”. 

Ideal for stability and peace of mind

Running the latest operating system (OS) offers new features and enhanced performance, which is a good choice for new deployments. However, for large, established production systems, the transition to a new OS version presents a challenge as it may involve updating the entire software stack running on top of it. This complexity is amplified by modern software architectures that incorporate containerisation, microservices, extensive data management features, as well as integration with third-party APIs. 

Given these multifaceted challenges, ensuring the system remains operational, secure, and supported is paramount. Organisations looking to gain peace of mind and stability while they plan and execute their migration strategy can trust Canonical.

12 years of timely security fixes and support

Security maintenance is part of a continuous process that proactively protects systems. It includes regular vulnerability scanning, evaluation and patch management. With Ubuntu Pro, Canonical provides continuous vulnerability management for critical, high and medium Common Vulnerabilities and Exposures (CVEs) across all software packages shipped with Ubuntu. Canonical’s security team actively backports these crucial fixes to all supported Ubuntu LTS releases, giving enterprises and end users peace of mind to keep their systems secure without requiring a major upgrade.

Support is a user-triggered service that comes into play when incidents occur or additional expertise is required to address complex issues. Customers looking to strengthen their business continuity strategy with open source expertise can rely on Canonical support for troubleshooting, break fixes, bug fixes and guidance.

Available for Ubuntu 14.04 LTS Trusty Tahr and future LTS releases

Ubuntu Pro coverage for Ubuntu 14.04 LTS will end in April 2024. With Legacy Support, organisations running their systems on top of Ubuntu 14.04 LTS can obtain an additional two years of expanded security maintenance and phone and ticket support. This enables IT managers to prepare a detailed upgrade plan for the next LTS, and software architects to concentrate on the application level with the support offered by Canonical’s team.

Learn more about Ubuntu Pro and the Legacy Support add-on at https://ubuntu.com/pro and https://ubuntu.com/support, or contact Canonical for more information.

Implementing an Android™ based cloud game streaming service with Anbox Cloud

20 March 2024 at 08:37

Since the outset, Anbox Cloud was developed with a variety of use cases for running Android at scale. Cloud gaming, more specifically for casual games as found on most users’ mobile devices, is the most prominent one and growing in popularity. Enterprises are challenged to find a solution that can keep up with the increasing user demand, provide a rich experience and keep costs affordable while shortening the time to market.

Anbox Cloud brings Android from mobile devices to the cloud. This enables service providers to deliver a large and existing ecosystem of games to more users, regardless of their device or operating system. Existing games can be moved to Anbox Cloud with zero to minimal effort.

Canonical has built Anbox Cloud upon existing technologies that allow for a higher container density compared to traditional approaches, which helps to reduce the overall cost of building and operating a game streaming service. The cost structure of a casual game, based in the cloud, also shows that density is key for profitability margins. To achieve density optimisation, three factors must be considered: container density (CPU load, memory capacity and GPU capacity), profitability and user experience optimisation. Additional considerations include choosing the right hardware to match the target workload, intended rendering performance and the pricing sensitivity of gamers. Finding the optimal combination for these factors and adding a layer of automation is crucial to improve profitability margins and to meet SLAs.

To further address specific challenges in cloud gaming, Canonical collaborates with key silicon and cloud partners to build optimised hardware and cloud instance types. Cloud gaming has a high demand on various hardware components, specifically GPUs, which provide the underlying foundation for every video streaming solution. Utilising the available hardware with the highest density for cost savings requires optimisation on every layer. Anbox Cloud specifically helps to get the maximum out of the available hardware capacity. It keeps track of resources spent by all launched containers and optimises placement of new containers based on available capacity and the resource requirements of specific containers.

Next to finding the right software and hardware platform, cloud gaming mandates positioning the actual workload as close to the user as possible to reduce latency and ensure a consistent experience. To scale across different geographical regions, Anbox Cloud provides operational tooling and software components that simplify the deployment without manual overhead and ensure users get automatically routed to their nearest location. Plugging individual regions dynamically into a control plane allows new regions to be added on the go without any downtime or manual intervention.

Anbox Cloud builds a high-density and easy-to-manage containerisation platform on top of the LXD container hypervisor which helps to minimise the time to market and reduce overall costs. It reflects Canonical’s deep expertise in cloud-native applications and minimises operational overhead in multiple ways. With the use of existing technologies from Canonical like Juju or MAAS, it provides a solid and proven platform which is easy to deploy and maintain. Combined with the Ubuntu Pro support program from Canonical, an enterprise can ensure it gets long-term help whenever needed.

As differentiation is key in building a successful cloud gaming platform, Anbox Cloud provides a solid foundation which is extensible and fits into many different use cases. For example, integrating a custom streaming protocol is possible by writing a plug-in and integrating it via provided customising hooks into the containers which power Anbox Cloud. To make this process easy, Canonical provides an SDK, rich documentation with example plugins and engineering services to help with any development around Anbox Cloud.

In summary, Anbox Cloud provides a feature rich, generic and solid foundation to build a state of the art cloud gaming service which provides optimal utilisation of the underlying hardware to deliver the best user experience while keeping operational costs low.

If you’re interested to learn more, please come and talk to us.

Android is a trademark of Google LLC. Anbox Cloud uses assets available through the Android Open Source Project.

Canonical collaborates with NVIDIA to simplify enterprise AI deployments with NVIDIA BlueField-3 operating an optimised, Ubuntu-based Linux OS 

The NVIDIA BlueField-3 networking platform – powering the latest data processing units (DPUs) and SuperNICs, and transforming data centre performance and efficiency – runs BlueField OS, an optimised Linux operating system (OS) derived from Ubuntu. With Ubuntu’s signature maintenance and support guarantees, the comprehensive Ubuntu Pro software infrastructure stack, and bespoke optimisation, the collaboration between NVIDIA and Canonical accelerates time to value for NVIDIA BlueField-3 users and elevates security. 

What are DPUs? 

DPUs are a relatively new technology that represents the third pillar of accelerated data centre processing units, alongside CPUs and GPUs. By offloading and accelerating a wide variety of complex networking, security and storage workloads to the DPU, enterprises can reduce server power consumption by up to 30% while freeing up CPU capacity for computation tasks.

NVIDIA, now shipping the third generation of its industry-leading BlueField DPU, empowers enterprises to transform data centres with a 400Gb/s infrastructure compute platform that can handle the most demanding AI workloads. 

NVIDIA BlueField OS is built on Ubuntu

DPUs require an operating system that is secure, stable and capable of supporting all of the innovative features that the new technology brings to the table – and that’s why NVIDIA BlueField-3 runs an optimised derivative of Ubuntu as its default OS. 

Ubuntu, delivered by Canonical, supports a broad range of  NVIDIA BlueField-3 features, ensuring that enterprise customers can readily consume the DPU functions with optimal performance. Canonical’s collaboration with NVIDIA delivers a solution that is easy to implement and offers full functionality out of the box.

Alongside time to value, Ubuntu reinforces the stability of NVIDIA BlueField-3. The optimised Ubuntu derivative powering the NVIDIA BlueField OS is based on Ubuntu Long Term Support (LTS) and goes through the same rigour of validation as an LTS release, which consequently delivers the same level of stability and performance. Ubuntu Pro embedded support is a core part of NVIDIA BlueField’s OS, thus enhancing the reliability of any NVIDIA BlueField-accelerated solution. 

NVIDIA BlueField-3 Enterprise support and security backed by Canonical

Ubuntu’s extensive security features, hardening and compliance tooling, coupled with Canonical’s enterprise-grade support, have been instrumental in making Ubuntu the first-choice OS for organisations worldwide. NVIDIA customers can be assured that these same capabilities are also extended to NVIDIA BlueField-3 deployments.

One of the key factors that sets Ubuntu’s security apart from alternative operating systems is the pace at which Canonical delivers fixes for Common Vulnerabilities and Exposures (CVEs). Canonical has the fastest turnaround for CVE fixes in the industry, and this rapid patching applies to the NVIDIA BlueField OS. What’s more, these updates can be applied automatically, further minimising any windows of vulnerability.

Canonical is also signing the entire kernel image for the NVIDIA BlueField OS. This enables Secure Boot in enterprise deployments: a kernel whose signature does not verify is rejected at boot, so users can trust that the kernel running on the DPU has not been modified.

Powering AI with Canonical infrastructure solutions and NVIDIA BlueField-3 

NVIDIA BlueField-3 DPUs are increasingly becoming a central component in enterprise AI strategies. These use cases require a comprehensive ecosystem of software for optimal performance and efficiency. Canonical’s close collaboration with NVIDIA enables BlueField-3 users to take advantage of infrastructure solutions to address most enterprise AI data centre deployments and enable end-to-end management.

Customers can utilise metal-as-a-service (MAAS) for cloud-style provisioning of their physical infrastructure, turning bare-metal servers into an elastic, cloud-like resource that they can easily provision, monitor and manage. Meanwhile, Juju provides an orchestration engine for software operators that enables the deployment, integration, and lifecycle management of applications at any scale on infrastructure compute.

On the infrastructure software side, Canonical OpenStack provides an enterprise cloud platform, and Canonical Kubernetes drives seamless, highly automated container orchestration. These infrastructure services can fully utilise the offload capabilities supported in NVIDIA BlueField DPUs. In fact, Canonical also offers MicroK8s, a lightweight Kubernetes distribution that is tailor-made for low footprint deployments on DPUs. Similarly, MicroCloud is a miniature version of LXD, providing enterprises with everything they need to run virtualized workloads and system containers on their DPUs. All of these solutions are secured and supported for 10 years with an Ubuntu Pro subscription.

Ubuntu Pro and NVIDIA DOCA

The Ubuntu Pro stack works in tandem with NVIDIA DOCA, software at the heart of NVIDIA BlueField-3. NVIDIA DOCA is a unified software framework that provides a variety of APIs for improved NVIDIA BlueField-3 management, unlocking features around connectivity, monitoring, logging and more. Utilised alongside Ubuntu Pro, these features drive unprecedented infrastructure efficiency.

Accelerate AI development with Ubuntu and NVIDIA AI Workbench

18 March 2024 at 22:10

Fig.1. NVIDIA AI Workbench

Canonical expands its collaboration with NVIDIA through NVIDIA AI Workbench. NVIDIA AI Workbench is supported across workstations, data centres, and cloud deployments.

NVIDIA AI Workbench is an easy-to-use toolkit that allows developers to create, test, and customise AI and machine learning models on their PC or workstation and scale them to the data centre or public cloud. It simplifies interactive development workflows while automating technical tasks that halt beginners and derail experts. Collaborative AI and ML development is now possible on any platform – and for any skill level.

As the preferred OS for data science, artificial intelligence and machine learning, Ubuntu and Canonical play an integral role in AI Workbench capabilities. 

  • On Windows, Ubuntu powers AI Workbench via WSL2. 
  • In the cloud, Ubuntu 22.04 LTS enables AI Workbench cloud deployments as the only target OS supported for remote machines. 
  • For AI application deployments from the datacenter to cloud to edge, Ubuntu-based containers are included as a key part of AI Workbench.

This seamless end user experience is made possible thanks to the partnership between Canonical and NVIDIA.

Define your AI journey, start local and scale globally

Create, collaborate, and reproduce generative AI and data science projects with ease. Develop and execute while NVIDIA AI Workbench handles the rest:

  • Streamlined setup: easy installation and configuration of containerized development environments for GPU-accelerated hardware.
  • Laptop to cloud: start locally on an RTX PC or workstation and scale out to the data centre or cloud in just a few clicks.
  • Automated workflow management: simplified management of project resources, versioning, and dependency tracking.

Fig 2. Environment Window in AI Workbench Desktop App

Ubuntu and NVIDIA AI Workbench improve the end user experience for Generative AI workloads on client machines

As the established OS for data science, Ubuntu is now commonly being used for AI/ML development and deployment purposes. This includes development, processing, and iterations of Generative AI (GenAI) workloads. GenAI on both smaller devices and GPUs is increasingly important with the growth of edge AI applications and devices. Applications such as smart cities require more edge devices such as cameras and sensors and thus require more data to be processed at the edge. To make it easier for end users to deploy workloads with more customisability, Ubuntu containers are often preferred due to their ease of use for bare metal deployments. NVIDIA AI Workbench offers Ubuntu container options that are well integrated and suited for GenAI use cases.

Fig 3. AI Workbench Development Workflow

Peace of mind with Ubuntu LTS

With Ubuntu, developers benefit from Canonical’s 20-year track record of Long Term Supported releases, delivering security updates and patching for 5 years. With Ubuntu Pro, organisations can extend that support and security maintenance commitment to 10 years, offloading security and compliance from their team so they can focus on building great models. Together, Canonical and Ubuntu provide an optimised and secure environment for AI innovators wherever they are.

Getting started is easy (and free).

Get started with Canonical Open Source AI Solutions

Canonical announces the availability of Real-time Ubuntu for Amazon EKS Anywhere

28 February 2024 at 06:31

Collaboration to benefit communication service providers and business application vendors at the telco edge

Barcelona, Spain. 28 February 2024. Canonical today announced an expansion of its relationship with Amazon Web Services (AWS) to make Real-time Ubuntu available to Amazon Elastic Kubernetes Service Anywhere (Amazon EKS Anywhere) customers for use in Open radio access network (RAN) commercial deployments. With Real-time Ubuntu and Amazon EKS Anywhere, customers can benefit from ultra-reliable low-latency operating system performance and simplified Kubernetes cluster management.

The need for ultra-reliability and low latency in data processing

Open RAN enables distributed deployment of mobile networking software that runs an operator’s RAN across edge clouds, making it possible to bring data processing closer to where devices and end users are located. Low-latency compute at the edge is required due to the stringent real-time processing of RAN workloads. Open RAN software requires agility in packet processing at the operating system level, so that the networking software stack can deliver information with bounded latency levels.

Besides Open RAN system software, business services that are sensitive to time delay, such as factory control systems, enterprise resource planning, and passenger information systems, also require low-latency and reliable communications quality. This means that the time delay in delivering information between a service and the devices that consume that service must be bounded throughout the lifetime of the service. This is necessary for operators to be able to meet application service level agreement (SLA) requirements given to business customers, so they can have the desired quality of experience.

Amazon EKS Anywhere

Amazon EKS Anywhere allows users to create and operate Kubernetes clusters on their own infrastructure. It builds on the strengths of Amazon EKS Distro and provides open source software that’s up to date and patched, so that users can have an on-premises Kubernetes environment that’s more reliable than a self-managed Kubernetes offering. These features make Amazon EKS Anywhere an ideal deployment option to run cloud-native Open RAN functions on Kubernetes at the telco edge.

Real-time Ubuntu

Real-time Ubuntu provides bounded low latency in the Linux kernel to applications that are sensitive to time-delay. By assigning a higher priority to such applications when scheduling system resources, Real-time Ubuntu can guarantee uninterrupted processing of latency-sensitive applications, minimising the time to process them. Real-time processing is an essential feature for telco clouds where Open RAN and edge computing workloads run.

“We are pleased to mark another milestone in our continued collaboration with AWS by bringing real-time data processing, required by advanced Open RAN workloads, on Amazon EKS Anywhere with Real-time Ubuntu,” said Arno Van Huyssteen, CTO of Telco at Canonical.

By continuing our joint innovation with AWS to provide cutting-edge capabilities and total cost of ownership benefits, this partnership delivers further value to our shared telecom customers. We take pride in making the most powerful Linux platform on the market accessible to all Amazon EKS Anywhere and Open RAN consumers. Drawing on Ubuntu’s renowned open source prowess and AWS’s cloud services, we strive to satisfy the performance and adaptability required for virtualised RAN and edge computing transformation in telecommunications. Together, we aim to supply the technical bedrock to propel the next wave of advancement.

Ubuntu with real-time kernel on Amazon EKS Anywhere: A technology enabler for 5G telco edge

By working with AWS, Canonical will make it possible to offer real-time processing capabilities to Amazon EKS Anywhere customers. Operators deploying Open RAN software components, such as distributed unit (DU) and central unit (CU) on Amazon EKS Anywhere platforms can then boost the performance of their radio access networks, and get the benefits of Open RAN.

The technology also opens up the possibility to deliver real-time capabilities to application workloads on Amazon EKS Anywhere platforms, such as 5G industrial applications and location-based services among many others.

Join the discussion at MWC 2024

Canonical’s CTO for Telco, Arno Van Huyssteen, will join industry leaders in a panel discussion at MWC 2024. The panel, titled “A roadmap to successful O-RAN deployment on cloud” and hosted by AWS, will take place on 28 February 2024 at 14:00 – 14:30 CET at the Inspiration Zone, Room CC1.4. Join the round-table discussion on how Open RAN on cloud computing systems will play a role in the future of telecommunications.

Learn more about Canonical’s solutions for telco

To learn more about Real-time Ubuntu and how it benefits telecommunication networks and applications, read our blog. If you would like to learn more about the telecommunication services we provide, visit https://ubuntu.com/telco.  

About Canonical

Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone. Learn more at https://canonical.com/.

Canonical releases MicroCloud: a low-touch private cloud within everyone’s reach

27 February 2024 at 04:30

Canonical has officially released MicroCloud, a low-touch open source cloud solution. MicroCloud is part of Canonical’s growing portfolio of cloud infrastructure products and is purpose-built for scalable clusters and edge deployments in enterprises of every kind. Its design combines simplicity, security and automation, minimising the time and effort needed to deploy and maintain it. MicroCloud is also offered with enterprise support as part of Canonical’s Ubuntu Pro subscription, with several support tiers to choose from and convenient per-node pricing.

Deploy a cloud with a single command

MicroCloud is optimised for repeatable, reliable remote deployments. A single command starts the orchestration and clustering of the various components with minimal user involvement, and a fully functional cloud can be deployed within minutes. This simplified deployment process greatly lowers the barrier to entry, putting production-grade clouds within everyone’s reach.

“Cloud computing is not just about technology; it is the soul of agility and innovation in every modern industrial transformation. Our mission is to give customers the most effective path to innovation and value creation, and a cloud infrastructure free of complexity is an important piece of that puzzle. With MicroCloud, the focus can shift from cloud operations to solving real business challenges,” said Juan Manuel Ventura, Head of Architecture and Technology at Spindox.

Secure, worry-free updates

Beyond seamless deployment, MicroCloud also prioritises security and ease of maintenance. All MicroCloud components are built under strict confinement to improve security, and over-the-air updates preserve data and automatically roll back on error. When a new version is available it is upgraded automatically without stopping operation, and upgrades can be held back or scheduled as needed.

With this approach, MicroCloud serves both in-house cloud deployments and edge deployments at remote locations, so organisations can use the same infrastructure primitives and services wherever they are needed. This suits branch offices or industrial use inside factories, as well as distributed sites that focus on reproducibility and unattended operation.

“As data becomes increasingly distributed, infrastructure must keep pace. Cloud computing today is also distributed, spanning data centres, far-edge and near-edge computing devices. MicroCloud is our answer to this challenge,” said Cedric Gegout, VP of Product at Canonical. “We package well-known infrastructure primitives in a portable and unattended way, providing a simpler, more prescriptive cloud experience that lets many industries achieve zero-ops.”

Lower cost without sacrificing performance

MicroCloud’s lightweight architecture lets it run on both commodity and high-end hardware, and depending on workload requirements its footprint can be reduced further in many ways. Besides standard Ubuntu Server or Desktop, MicroCloud can also run on Ubuntu Core, a lightweight operating system optimised for the edge. With Ubuntu Core, MicroCloud becomes an excellent solution for far-edge locations with limited computing capacity. Users can choose to run their workloads in virtual machines, in system containers, or on Kubernetes via MicroK8s. LXD-based system containers are functionally similar to traditional virtual machines, but consume fewer resources while delivering bare-metal performance.

By subscribing to Ubuntu Pro + Support from Canonical, MicroCloud users get the many benefits of an enterprise-grade open source cloud solution and comprehensive support services, and do so more economically. An Ubuntu Pro subscription provides security maintenance for the broadest collection of open source software currently offered by a single vendor. It covers more than 30,000 packages with a consistent security maintenance commitment, plus additional features such as kernel livepatching, large-scale systems management, certified compliance and hardening profiles, making adoption easy for enterprises. With per-node pricing and no hidden fees, customers can rest assured that their environment is secure and supported, without paying the premium usually associated with cloud solutions.

Learn more about MicroCloud

Visit the website

Download the datasheet

Test MicroCloud on your workstation using virtual machines and get hands-on.

Already running MicroCloud? Contact us to learn about commercial support.

Crafting new Linux schedulers with sched-ext, Rust and Ubuntu

26 February 2024 at 16:50

In our ongoing exploration of Rust and Ubuntu, we delve into an experimental kernel project that leverages these technologies to create new schedulers for Linux.

Playing around with CPU scheduling policies has always been a dream for many kernel hackers and OS enthusiasts. However, such material typically remains within the domain of a few core kernel developers with extensive years of experience.

But what if we could have a technology that allows us to hot-swap the Linux kernel scheduler at run-time and replace it with a user-space program?

This would provide not only a safer way to test scheduling policies, but it would also open the path to provide a pool of schedulers optimized for specific workload profiles (gaming, server, low-latency, power-saving, HPC, etc.), or schedulers specifically designed for complex heterogeneous architectures (e.g., systems with an intricate topology, such as fast cores mixed with slow cores, associated with multiple NUMA nodes).

Additionally, thanks to the availability of BPF maps, we can even implement full scheduling policies almost entirely in user space. This gives us access to a large variety of libraries and services, as well as debugging and profiling tools (see for example the recent trend in Ubuntu to focus on performance and observability).

Let’s see how to turn this dream into reality on Ubuntu, using eBPF, sched-ext and Rust.

The Foundation: eBPF and sched-ext

eBPF is a technology provided by the Linux kernel that allows the injection of sandboxed programs in kernel-space from the user-space.

These programs have access to kernel information and they can intercept kernel events and affect kernel actions.

eBPF programs can also store information to data structures called eBPF maps, which can be also accessed by regular user-space programs via system calls and direct memory accesses.

This can be achieved dynamically and efficiently at run-time, as eBPF programs are JIT-compiled and executed as actual kernel code. Additionally, this process is safe, as eBPF programs are validated by an in-kernel verifier before loading.

This verification ensures that the programs do not include out-of-bound access, potential infinite loops, memory leaks, or any other safety-related risk.

sched-ext is a new scheduling class introduced in the Linux kernel that provides a mechanism to implement scheduling policies as eBPF programs.

Exploiting the sched-ext capabilities, along with eBPF and eBPF maps, we can defer scheduling decisions to standard user-space programs, implementing fully functional hot-swappable Linux schedulers, using any language, tool, library, or resource accessible within the user-space environment.

Rust takes control

A direct consequence of this flexibility is the ability to leverage Rust for implementing Linux schedulers.

Rust offers great coding flexibility and advantages such as memory safety, zero-cost abstractions, and a strong type system.

With proper Rust abstractions, we can enjoy the advantages of programming at a very high level of abstraction, while retaining the capability to delve deep into low-level implementation details when necessary. All without incurring any noticeable performance overhead.

From theory to practice: scx_rustland

After outlining the theoretical benefits of a user-space scheduler written in Rust, the need for a practical proof of concept led to the creation of scx_rustland.

scx_rustland is a fully functional Linux scheduler included in the scx schedulers repository. The scheduler uses sched-ext / eBPF to channel scheduling events and actions from the kernel to a user-space program written in Rust.

This program runs all scheduling decisions, sending the results back to the kernel, which then dispatches tasks according to the order determined by the user-space scheduler.
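As an added illustration of the user-space side just described (example code written for this page, not code from scx_rustland or the scx repository), the Rust policy below models how a sched-ext user-space scheduler can order runnable tasks by weighted virtual runtime and answer each kernel event with a dispatch decision. The event shape, the NICE_0_WEIGHT scale and the SLICE_NS value are assumptions; the eBPF side that would carry events and decisions across the kernel boundary is not shown.

```rust
// Added example (not code from the scx repository): a simplified model of the
// user-space side of a sched-ext scheduler such as scx_rustland. The kernel side
// (sched-ext + eBPF, omitted here) would forward "pid P ran for T ns and is
// runnable again" events; this policy answers with "run pid P next for S ns".
use std::collections::{BTreeSet, HashMap};

/// Weight of a nice-0 task; other weights are relative to it (assumed scale).
const NICE_0_WEIGHT: u64 = 100;
/// Time slice granted to every dispatched task, in nanoseconds (assumed value).
pub const SLICE_NS: u64 = 5_000_000;

/// Run-queue key: ordering by (vruntime, pid) makes the head the fairest choice.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
struct Key {
    vruntime: u64,
    pid: u32,
}

#[derive(Debug, Clone, Copy)]
struct TaskInfo {
    weight: u64,
    vruntime: u64,
}

#[derive(Default)]
pub struct Scheduler {
    /// Runnable tasks; `BTreeSet` keeps them sorted so dispatch is O(log n).
    runqueue: BTreeSet<Key>,
    /// Bookkeeping that survives across enqueue/dispatch cycles.
    tasks: HashMap<u32, TaskInfo>,
    /// Lowest vruntime dispatched so far. Tasks entering the queue are clamped
    /// to it: a newcomer cannot starve everyone else, and a task that slept for
    /// a long time cannot monopolise the CPU to "catch up".
    min_vruntime: u64,
}

impl Scheduler {
    pub fn new() -> Self {
        Self::default()
    }

    /// Kernel -> user space: `pid` with scheduling `weight` consumed `used_ns`
    /// of CPU time and wants to run again (or is seen for the first time).
    pub fn enqueue(&mut self, pid: u32, weight: u64, used_ns: u64) {
        let weight = weight.max(1);
        let floor = self.min_vruntime;
        let task = self
            .tasks
            .entry(pid)
            .or_insert(TaskInfo { weight, vruntime: floor });
        task.weight = weight;
        task.vruntime = task.vruntime.max(floor);
        // Charge consumed time scaled by weight: a heavier (higher priority)
        // task accumulates vruntime more slowly and therefore runs more often.
        task.vruntime += used_ns * NICE_0_WEIGHT / weight;
        let key = Key { vruntime: task.vruntime, pid };
        self.runqueue.insert(key);
    }

    /// User space -> kernel: the runnable task with the lowest vruntime and
    /// the slice it may run for, or `None` when nothing is runnable.
    pub fn dispatch(&mut self) -> Option<(u32, u64)> {
        let key = *self.runqueue.iter().next()?;
        self.runqueue.remove(&key);
        self.min_vruntime = self.min_vruntime.max(key.vruntime);
        Some((key.pid, SLICE_NS))
    }

    pub fn vruntime_of(&self, pid: u32) -> Option<u64> {
        self.tasks.get(&pid).map(|t| t.vruntime)
    }

    pub fn runnable(&self) -> usize {
        self.runqueue.len()
    }
}

fn main() {
    // Constructed event stream: (pid, weight, ns just consumed).
    let events: [(u32, u64, u64); 3] = [(1, 100, 1_000_000), (2, 200, 1_000_000), (3, 100, 0)];
    let mut sched = Scheduler::new();
    for (pid, weight, used_ns) in events {
        sched.enqueue(pid, weight, used_ns);
    }
    while let Some((pid, slice_ns)) = sched.dispatch() {
        println!("dispatch pid {} for {} ns", pid, slice_ns);
    }
}
```

Because the decision loop lives entirely in user space, a panic here would only take down this process: sched-ext then falls back to the in-kernel scheduler, which is the crash-safety property the post describes.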

How to use scx_rustland

Testing scx_rustland with Ubuntu 24.04 is actually very easy: it is just a matter of installing a few packages from ppa:arighi/sched-ext:

$ sudo add-apt-repository -y --enable-source ppa:arighi/sched-ext
$ sudo apt install -y linux-generic-wip scx
$ sudo sed -i "s/SCX_SCHEDULER=.*/SCX_SCHEDULER=scx_rustland/" /etc/default/scx
$ sudo systemctl enable scx
$ sudo reboot

WARNING: keep in mind that these packages are still experimental, so you should not use them in a production environment.

Result

While being a newly developed project (still in a proof-of-concept state), this scheduler exhibits promising results: despite the overhead of running in user-space it can achieve performance levels almost on par with the default Linux scheduler (EEVDF) and, with specific workloads, even outperform it.

However, the key point of this project is to prove that it is possible to implement schedulers in user-space and thanks to Ubuntu’s solid support of various packages, tools and frameworks, we can make scheduling development and experimentation accessible to everyone.

Conclusion

Key takeaways:

  • A scheduler in user-space gives extreme flexibility to quickly implement and experiment with high-level abstract concepts, without introducing noticeable performance overhead.
    Rust does not make the scheduler faster; its advantage lies in the safety it provides, its robust programming ecosystem and its ergonomic design, compared with the C language (typically used for kernel code).
  • Schedulers do not magically make everything run faster: it depends on how you distribute the available “CPU bandwidth”. Typically one scheduler is better than another for a specific workload, because it gives more bandwidth to that workload, penalizing the others.
  • Linux follows the approach of “one scheduler to rule them all”, but with the advent of new architectures with complex topology and the extreme portability of Linux it becomes more and more difficult to find a single solution that works for everything.
  • Having the flexibility to hot-swap schedulers at run-time opens the possibility to dynamically load schedulers optimized for the specific workload that we need: gaming, server, low-latency, power-saving, etc.
  • Implementing Linux schedulers as user-space programs enables an easier maintenance of the code: schedulers can be distributed as regular packages (deb, snap, etc.) and bug fixes, or updates can be applied at run-time without stopping the service or rebooting the system.
  • Thanks to Rust and Ubuntu, developers, researchers and students can easily access this technology to experiment with scheduling policies and test them in a safe and accessible environment.

Future ideas

We are heading towards a micro-kernel design that has the potential to pave the way to certification on Linux: in the aforementioned scenario, if the user-space scheduler crashes, tasks will seamlessly transition to the default in-kernel scheduler, ensuring continuous system usability without any downtime.

This suggests that a similar approach could be used in other subsystems as well, allowing the Linux kernel to provide fully redundant and crash-safe systems.

Generative AI on a GPU-Instance with Ubuntu on AWS: Part 1 – Image Generation

2 February 2024 at 21:16

We recently published a technical document showing how to install NVIDIA drivers on a G4DN instance on AWS, where we covered not only how to install the NVIDIA GPU drivers but also how to make sure to get CUDA working for any ML work. 

In this document we are going to run one of the most used generative AI models, Stable Diffusion, on Ubuntu on AWS for research and development purposes.

According to AWS, “G4dn instances, powered by NVIDIA T4 GPUs, are the lowest cost GPU-based instances in the cloud for machine learning inference and small scale training. (…) optimized for applications using NVIDIA libraries such as CUDA, CuDNN, and NVENC.”

G4DN instances come in different configurations:

Instance type    vCPUs    RAM (GB)    GPUs
g4dn.xlarge      4        16          1
g4dn.2xlarge     8        32          1
g4dn.4xlarge     16       64          1
g4dn.8xlarge     32       128         1
g4dn.12xlarge    48       192         4
g4dn.16xlarge    64       256         1
g4dn.metal       96       384         8

For this exercise, we will be using the g4dn.xlarge instance, since we need only 1 GPU, and with 4 vCPUs and 16GB of RAM, it will provide sufficient resources for our needs, as the GPU will handle most of the workload. 

Image generation with Stable Diffusion

Stable Diffusion is a deep learning model released in 2022 that has been trained to transform text into images using latent diffusion techniques. Developed by Stability.AI, this groundbreaking technology not only provides open-source access to its trained weights but also has the ability to run on any GPU with just 4GB of RAM, making it one of the most used Generative AI models for image generation.

In addition to its primary function of text-to-image generation, Stable Diffusion can also be used for tasks such as image retouching and video generation. The license for Stable Diffusion permits both commercial and non-commercial use, making it a versatile tool for various applications.

Requirements

You’ll need SSH access. If running on Ubuntu or any other Linux distribution, opening a terminal and typing ssh will get you there. If running Windows, you will need either WSL (to run a Linux shell inside Windows) or PuTTY to connect to the machine using external software.

Make sure you have NVIDIA Drivers and CUDA installed on your G4DN machine. Test with the following command:

nvidia-smi

You should be able to see the driver and CUDA versions as shown here:

Let’s get started!

Step 1: Create a Python virtual environment

First, we need to download some libraries and dependencies as shown below:

sudo apt-get install -y python3.10-venv
sudo apt-get install ffmpeg libsm6 libxext6 -y

Now we can create the Python environment.

python3 -m venv myvirtualenv

And finally, we need to activate it. Please note that every time we log in to the machine, we will need to reactivate it with the following line:

source myvirtualenv/bin/activate

Step 2: Download the web GUI and get a model.

To interact with the model easily, we are going to clone the Stable Diffusion WebUI from AUTOMATIC1111.

git clone https://github.com/AUTOMATIC1111/stable-diffusion-webui.git

After cloning the repository, we can move on to the interesting part: choosing and downloading a Stable Diffusion model from the web. There are many versions and variants that can make the journey more complicated but more interesting as a learning experience. As you delve deeper, you will find that sometimes you need specific versions, fine-tuned or specialized releases for your purpose.

This is where Hugging Face is great, as they host a plethora of models and checkpoint versions that you can download. Please be mindful of the license of each model you will be using.

Go to Hugging Face, click on models, and start searching for “Stable Diffusion”. For this exercise, we will use version 1.5 from runwayml.

Go to the “Files and versions” tab and scroll down to the actual checkpoint files.

Copy the link and go back to your SSH session. We will download the model using wget:

cd ~/stable-diffusion-webui/models/Stable-diffusion
wget https://huggingface.co/runwayml/stable-diffusion-v1-5/resolve/main/v1-5-pruned.safetensors

Now that the model is installed, we can run the script that will bootstrap everything and run the Web GUI.

Step 3: Run the WebUI securely and serve the model

Now that we have everything in place, we will run the WebUI and serve the model.

Just as a side note, since we are not installing this on a local desktop, we cannot just open the browser and enter the URL. This URL will only respond locally because of security constraints (in other words, it is not wise to open development environments to the public). Therefore, we are going to create an SSH tunnel.

Exit the SSH session.

If you are running on Linux (or Linux under WSL on Windows), you can create the tunnel using SSH by running the following command:

ssh -L 7860:localhost:7860 -i myKeyPair.pem ubuntu@<the_machine's_external_IP>

In case you are running on Windows and can’t use WSL, follow these instructions to connect via PuTTY.

If everything went well, we can now access the previous URL in our local desktop browser. The entire connection will be tunneled and encrypted via SSH.

In your new SSH session, enter the following commands to run the WebUI.

cd ~/stable-diffusion-webui
./webui.sh

The first time will take a while as it will install PyTorch and all the required dependencies. After it finishes, it will give you the following local URL:

http://127.0.0.1:7860

So open your local browser and go to the following URL: http://127.0.0.1:7860

We are ready to start playing. 

We tested our first prompt with all the default values, and this is what we got. Quite impressive, right?

Now you are ready to start generating!

Final thoughts

I hope this guide has been helpful in deploying the Stable Diffusion model on your own instance and has also provided you with a better understanding of how these models work and what can be achieved with generative AI. It is clear that generative AI is a powerful tool for businesses today. 

In our next post, we will explore how to deploy and self-host a Large Language Model, another groundbreaking AI tool. 

Remember, if you are looking to create a production-ready solution, there are several options available to assist you. From a security perspective, Ubuntu Pro offers support for your open source supply chain, while Charmed Kubeflow provides a comprehensive stack of services for all your machine learning needs. Additionally, AWS offers Amazon Bedrock, which simplifies the complexities involved and allows you to access these services through an API. 

Thank you for reading and stay tuned for more exciting AI content!

Meet Canonical at Mobile World Congress Barcelona 2024

26 January 2024 at 09:01

The world’s largest and most influential telecommunications exhibition event, Mobile World Congress (MWC), is taking place in Barcelona on 26-29 February 2024. Canonical is excited to join this important annual event once again and meet the telecom industry. 

Telecommunications is a key sector for Canonical. We offer solutions for private, public and hybrid/multi cloud environments, with a consistent experience across the entire telecom spectrum, from core clouds to the edge, with a single set of tooling. Built with the same philosophy as Ubuntu – secure, trusted and production-grade open source backed by full operations support – our solutions are fully upstream and integrate the latest technology advancements that telco leaders require to deliver best-in-class services to their customers. 

We are looking forward to meeting you at MWC 2024. Come and speak with our experts to learn how we can help you in your journey to cost-effective, secure and trusted open source telecom solutions for your infrastructure.

Hot topics in telco

To meet today’s customer expectations, telecom operators require flexible, scalable and agile operations across the many service types that make up a modern mobile network.

At this year’s MWC event in Barcelona, Canonical’s team will explain how you can elevate your telecom infrastructure with the latest innovations in cloud-native technologies and modernise your telco clouds with open source. These strategies will empower you to meet and exceed customer expectations with repeatable and reliable deployments.

Automation at scale for telco edge clouds with CNEP

We have been listening to our telco customers to understand their needs in delivering cost-effective modern edge clouds for their infrastructure that they can rely on. Canonical is proud to offer a new holistic solution, Cloud Native Execution Platform (CNEP) to meet these needs precisely at telco edge clouds.

With CNEP, we deliver the ideal software stack for telco edge clouds with automation in place, based on fully upstream and CNCF certified Kubernetes running on bare metal hardware for best performance. It brings all essential open source components together, with the aim of achieving high performance in data processing and delivery, whilst ensuring platform security and efficiency with Ubuntu Pro.

At MWC, our team will explain how operators can achieve scalable and repeatable deployment of edge clouds with CNEP. For Open Radio Access Network (RAN) readiness, CNEP is the ideal RAN platform, bringing all the technology features that cloud-native Open RAN components require. CNEP is also tailored for best performance and security assurance for distributed compute and multi-access edge computing (MEC) applications, enabling businesses to run their telco workloads on 5G edge networks.

Real-time Ubuntu for ultra-reliable and low-latency communications

Canonical has been working with all major silicon hardware vendors, such as Intel, to deliver the highest levels of performance and security to telco networks and applications. 

We have been running advanced engineering programs with the aim of enabling the latest innovations in silicon hardware in telco software infrastructure at a rapid pace, with quick software release cycles. As part of our collaboration with Intel, we have integrated Intel FlexRAN in Ubuntu real-time kernel for telco applications and networking software, which has enabled real-time processing at both operating system and silicon levels.

At this year’s MWC, we will explain how Ubuntu Pro brings real-time data processing capabilities to the telco edge for mission-critical operations and also ensures confidential computing for the most-sensitive telco workloads.

Sustainable telco edge infrastructure with an energy-efficient system stack

Telecom networks will increasingly deploy edge cloud sites in the journey to distributed and flexible cloud-native operations. This requires support for several features across the hardware and software stack to make sure that platforms are energy and cost efficient. From container images to bare metal hardware automation, Canonical’s edge cloud stack is equipped with features that ensure sustainable operations.

In Barcelona, we will explain how our open source software stack can deliver optimal deployments on telco edge clouds and help operators meet their sustainability goals.

Demos

At MWC 2024, you will get the chance to see our technical team demonstrate Canonical’s CNEP solution. This is a great opportunity for all players in the telco ecosystem to see how we meet sector requirements on cloud-native operations at the telco edge with automation. In our demo, the Canonical team will run CNEP on Intel’s 4th Generation Xeon Scalable Processor, bringing the acceleration capabilities provided by Xeon to large-scale edge network rollout for cost-efficient Open RAN deployments.

CNEP’s open and upstream APIs along with Canonical’s observability stack and telemetry solutions enable machine learning algorithms to assist edge cloud operations. The Canonical team will demonstrate how our AI/ML platform solutions can be used to boost the effectiveness of distributed computing applications running on telco edge clouds. We will show how a multi-cloud data platform can be formed for various data types collected from a telecom network. We will also show ML-based anomaly detection and LLM to summarise and explain collected data from the network. 

Come and meet us at MWC 2024

If you are interested in building your own modern telecom infrastructure and migrating to open source with cost-effective, secure and trusted solutions, Canonical can help you. We provide a full stack for your telecom infrastructure, enabling secure, trusted, flexible, optimised, automated and low-touch operations.

To learn more about our telco solutions, meet us to discuss your telecom needs at MWC Barcelona 2024, and visit our webpage at ubuntu.com/telco.

If you’re unable to find a suitable time, please reach out to Mariam Tawakol <mariam.tawakol@canonical.com> or Jacob Boe <jacob.boe@canonical.com>. Let them know your availability and what you’re interested in, and they will set up a meeting for you.

Further reading

Canonical joins Open Networking Foundation

Fast and reliable telco edge clouds with Intel FlexRAN and Real-time Ubuntu

Bringing automation to telco edge clouds at scale

How telcos are building carrier-grade infrastructure using open source

Ubuntu AI podcast: AI for day-to-day tasks

25 January 2024 at 07:57

Welcome to Ubuntu AI podcast, where we talk about AI with the industry leaders.

This episode was recorded in Riga, during the Ubuntu Summit 2023. We’re talking about the implementation of AI solutions for day-to-day tasks with the CEO of Nextcloud Frank Karlitschek.

AI usage in Nextcloud

We are talking about AI usage at Nextcloud, where privacy plays a big role. Listen to the episode to learn more about how to ensure customers’ privacy when implementing AI solutions. We will also dive deeper into use cases for Nextcloud.

Implementing AI solutions within your organization

You can build all your AI projects with secure and supported Canonical MLOps. Stable, secure, scalable tooling is a priority for enterprises. Having AI that enterprises can benefit from is critical.

If you are still defining the use-cases within your organization, our expert team is here to provide Canonical’s AI consulting services, designed to support you in every step of your journey.

Learn more about Canonical AI solutions here.

Download our guide to MLOps. Take your AI projects to production.
