Secure,
purpose-built virtual machine images

Chainguard VMs are minimal Linux images based on Chainguard OS, available in three types:

• Container Host VMs (for running containers on ECS, EKS, EC2, GCE, Azure)

• Base VMs (customizable general-purpose - Chainguard OS, Java and Python)

• Application VMs (pre-packaged services like Nginx, Jenkins, Squid-proxy).

They include only essential components, which reduces the attack surface and prevents host-level vulnerabilities from compromising workloads.

Chainguard VMs are minimal, including only the components required for ephemeral workloads (systemd, glibc, Linux kernel) while removing unnecessary packages that bloat traditional distributions. Unlike general-purpose distributions that require manual hardening and disruptive "big bang" version upgrades, Chainguard VMs are continuously rebuilt from source with zero known CVEs and backed by an industry-leading 7/14 day CVE remediation SLA, delivering security and feature updates through seamless, periodic releases.

Chainguard VMs support major cloud providers (AWS, Azure, Google Cloud) and on-premise hypervisors (VMware, Nutanix, OpenStack, Qcow2, and RAW), with one-click deployments optimized for each environment. This multi-cloud and hybrid compatibility ensures you get the same secure, minimal baseline across your entire infrastructure.

Chainguard VMs support kernel-independent FIPS 140-3-validated cryptography, allowing you to maintain FIPS compliance without kernel dependencies or dedicated FIPS-mode booting. Further, Chainguard VMs offers compliance capabilities like DISA STIG hardening and CIS Benchmark Level 1 hardening.

Chainguard VMs include only the essential components for running containers: a Linux kernel, systemd, glibc, and optional userspace tools like SSH. This minimal approach dramatically reduces attack surface compared to general-purpose distributions. Fewer packages means fewer vulnerabilities, less patching overhead, and faster security remediation.

Chainguard provides an industry-leading CVE remediation SLA for VMs: 7 days for critical CVEs and 14 days for high, medium, and low severity issues. VMs are continuously rebuilt from source, ensuring security patches are delivered automatically without requiring manual intervention from your team.

No, Chainguard VMs use a node replacement strategy rather than in-place upgrades, with new VM images continuously rebuilt from source as upstream changes are released. You benefit from the latest features, security patches, and performance improvements without the costly migration projects typical of moving between major distribution versions (e.g., Ubuntu 20.04 → 22.04).

No, Chainguard VMs work standalone with standard container runtimes (Docker, containerd, etc.) and orchestration systems like Kubernetes. However, combining Chainguard VMs with Chainguard Containers provides complete protection across your entire stack, from host OS to application dependencies, with consistent zero-CVE baselines and unified provenance.

Yes, Chainguard VMs support on-premise hypervisors (VMware, Nutanix, OpenStack, Qcow2, and RAW) and can be deployed in restricted network environments. For fully air-gapped deployments, the VMs themselves can be mirrored internally, though specific implementation details for updating and verifying images in disconnected environments depend on your infrastructure setup. Contact Chainguard's team to discuss your air-gapped requirements.