Google and Canonical Certify Ubuntu Images for Cloud TPU VMs

Regulatory action → What it requires → Compliance timeline

Regulatory action: Google Cloud and Canonical have jointly issued a certification that Ubuntu LTS images are the default operating system for Tensor Processing Unit (TPU) virtual machines (VMs) across all supported TPU generations.

What it requires:

• All new TPU VMs created in Google Compute Engine must boot from Canonical‑certified Ubuntu 22.04 LTS (for TPU v5e, v5p, v6e) or Ubuntu 24.04 LTS (for TPU7x).
• Existing TPU VMs that were running Google‑modified Ubuntu 22.04 must be migrated to the certified images without service interruption.
• Customers who need enhanced security must adopt Ubuntu Pro, which provides live kernel patching, extended CVE coverage and automated hardening. Early access to Ubuntu Pro on TPU VMs is available on request; general availability is scheduled for Q3 2026.
• Canonical will deliver five years of security maintenance for each certified image, matching the standard Ubuntu LTS support model.

Compliance timeline:

• Effective immediately – All TPU VM launches default to the certified images.
• Migration window – Existing TPU v5/v6 customers should transition to the new images within the next 30 days to stay on a supported stack.
• Q3 2026 – Full Ubuntu Pro services become generally available on TPU VMs.

---

Why the change matters

Until now, Google Cloud customers running AI workloads on TPUs relied on a custom Ubuntu 22.04 build that Google patched and maintained internally. That arrangement created two practical issues:

1. Patch lag – Security updates had to flow through Google’s internal process, which could delay critical fixes.
2. Support fragmentation – Enterprises could not leverage existing Ubuntu contracts or tools such as Ubuntu Pro, limiting their ability to meet internal security policies.

By switching to Canonical‑certified images, Google aligns TPU VMs with the broader Ubuntu ecosystem. Enterprises can now apply the same patch cadence, compliance tooling and support contracts they use for other Linux workloads on Google Cloud.

---

Technical implications for AI workloads

The certified images retain compatibility with the major machine‑learning frameworks that run on TPUs:

• JAX, TensorFlow, PyTorch – All libraries have been validated against the new Ubuntu releases.
• Kubernetes – The images include the necessary container‑runtime hooks, allowing TPU nodes to join GKE clusters without custom configuration.
• Snap packages – Canonical’s universal packaging format works out‑of‑the‑box, simplifying deployment of tooling such as snapcraft‑based monitoring agents.

Performance benchmarks released by both parties show no measurable degradation when moving from the Google‑modified image to the Canonical‑certified version. In some cases, the newer kernel in Ubuntu 24.04 LTS provides modest improvements for TPU7x workloads.

---

Security and compliance benefits

Ubuntu Pro extends the baseline LTS security model with:

• Live kernel patching – Critical kernel CVEs are mitigated without reboot, a key requirement for high‑availability AI services.
• Extended CVE coverage – Pro adds security updates for thousands of additional open‑source packages beyond the standard Ubuntu archive.
• Automated hardening – CIS‑based benchmarks are applied automatically, helping customers satisfy regulatory frameworks such as GDPR, HIPAA or ISO 27001.

While Pro is not yet generally available on TPU VMs, Canonical has opened a limited early‑access program. Interested customers should contact their Canonical sales representative or Google Cloud account team.

---

Migration steps for existing TPU customers

1. Inventory – Identify all TPU VMs running the Google‑custom Ubuntu 22.04 image.
2. Backup – Snapshot the VM disks or export persistent disks to Cloud Storage.
3. Create new VM – Use the Google Cloud Console or gcloud CLI to launch a TPU VM, selecting the appropriate certified image (e.g., ubuntu-2204-lts-tpu or ubuntu-2404-lts-tpu).
4. Attach storage – Re‑attach existing data disks to the new instance.
5. Validate – Run a quick health check of your ML framework (e.g., python -c "import tensorflow as tf; print(tf.__version__)").
6. Decommission – Once the new VM passes validation, shut down the old instance.

Canonical provides a detailed migration guide in the official documentation. The guide includes scripts to automate the snapshot‑and‑restore process for large fleets.

---

Outlook

The certification marks a significant step toward treating Cloud TPU VMs like any other compute offering on Google Cloud. By unifying the operating system stack under Ubuntu LTS, Google and Canonical reduce operational friction, improve security posture, and simplify long‑term support contracts for enterprises deploying AI at scale.

Customers should plan their migration now to avoid falling behind on security updates, and consider early enrollment in the Ubuntu Pro program to benefit from advanced hardening features before the Q3 2026 general release.