Managed base images

Managed base images are base container images that are automatically patched by Google for security vulnerabilities, using the most recent patches available from the project upstream (for example, GitHub). These images are available for any GCP customer.

This document describes managed container images and how they're maintained.

For information about the license that applies to managed base images, refer to the managed base images LICENSE file.

Container images and operating systems

When you deploy a container, you choose two separate operating systems and images:

  • Node or host image

    The operating system on which you run your container.

  • Container image

    The operating system used for your container itself.

Your container image is built by taking an operating system base image, and adding the packages, libraries, and binaries needed for your application.

How managed base images are maintained

Google maintains base images for building its own applications, including Google Cloud services like Google App Engine.

Managed base images have security properties which can make them desirable for some uses:

  • They're regularly scanned for known vulnerabilities listed in the CVE database.

    This scan uses the same functionality as Container Registry Vulnerability Scanning. When a patch is available for a found vulnerability, Google applies that patch.

  • They're built reproducibly, so there is a verifiable path from the source code to the binary.

    You can verify the image by comparing it to the GitHub source, ensuring that the build has not introduced any flaws.

  • They're stored on Google Cloud, so you can pull these directly from your environment without having to traverse networks.

    You can pull these images using Private Google Access. You can of course still use them outside of Google Cloud.

Available images

Managed base images are available in GCP Marketplace.

Managed base images are available for the following OS distributions:

OS                   Source   Repository path                        GCP Marketplace listing
CentOS               GitHub   marketplace.gcr.io/google/centos7      GCP Marketplace
Debian 9 "Stretch"   GitHub   marketplace.gcr.io/google/debian9      GCP Marketplace
Ubuntu 16.04         GitHub   marketplace.gcr.io/google/ubuntu1604   GCP Marketplace
Ubuntu 18.04         GitHub   marketplace.gcr.io/google/ubuntu1804   GCP Marketplace
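
The following Python check is added here as an example and is not part of Google's documentation or tooling. It reads a Dockerfile and reports whether each FROM line pulls from one of the repository paths listed above, handling multi-stage builds, --platform flags, registry ports and digests. The status names, the SAMPLE Dockerfile and the tags in it are assumptions made for illustration.

```python
import re

# Repository paths from the "Available images" list on this page.
MANAGED_BASES = {"marketplace.gcr.io/google/" + name
                 for name in ("centos7", "debian9", "ubuntu1604", "ubuntu1804")}
# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$", re.I)

def repository_of(ref):
    """Strip digest and tag from an image reference, keeping any registry port."""
    repo = ref.split("@", 1)[0]
    head, sep, last = repo.rpartition("/")
    return head + sep + last.split(":", 1)[0]

def audit_dockerfile(text):
    """Return (line_no, image, status) for each FROM that pulls from a registry."""
    results, stages = [], set()
    for line_no, line in enumerate(text.splitlines(), 1):
        match = FROM_RE.match(line)
        if not match:
            continue
        image, stage = match.group("image"), match.group("stage")
        is_earlier_stage = image.lower() in stages
        if stage:
            stages.add(stage.lower())
        if is_earlier_stage or image.lower() == "scratch":
            continue  # nothing is pulled for these
        if "$" in image:
            status = "unresolved"  # set through ARG; cannot be judged statically
        elif repository_of(image) not in MANAGED_BASES:
            status = "unmanaged"
        elif "@sha256:" in image:
            status = "managed-pinned"  # fixed to one published build
        else:
            status = "managed-tag"  # follows whatever the tag points to
        results.append((line_no, image, status))
    return results

# Constructed sample Dockerfile, not taken from the page.
SAMPLE = """\
FROM --platform=linux/amd64 marketplace.gcr.io/google/debian9:latest AS build
RUN make
FROM localhost:5000/team/debian9:latest AS tools
FROM $BASE_IMAGE AS extra
FROM build
"""

if __name__ == "__main__":
    print(audit_dockerfile(SAMPLE))
```
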

Operating system lifecycle and support policy

Support for managed base images is subject to the lifecycles of the corresponding OS distributions. Unless otherwise noted, Google publishes updated images at least monthly. Published updates include security updates and other updates installed for operating system versions that are in the mainstream support stage of their lifecycles.

When an operating system version enters its extended lifecycle stage, Google no longer provides updated images. Google generally does not backport new features to versions that are in, or past, the extended lifecycle stage.

Alternative options

If managed base images aren't for you, there are suitable alternatives:

  • Distroless images are minimal, language-focused images.

    Check them out on GitHub.

  • Container Registry's Docker Hub Mirror offers frequently requested Docker Hub images, including base images.

    Learn more about Using Container Registry's Docker Hub Mirror.

For more ways to protect your software supply chain, including image validation, see Help secure software supply chains on Google Kubernetes Engine.
