mariadb
Learn what the mariadb image is, how Echo's hardened mariadb differs from the public image, and why teams choose Echo for CVE-free databases.
What is MariaDB?
The mariadb image runs the MariaDB relational database server, an open-source, community-maintained fork of MySQL. It is wire-compatible with MySQL clients and adds its own storage engines (Aria, ColumnStore), security features, and performance improvements. Production Kubernetes setups run it as a StatefulSet with PersistentVolumeClaims, often paired with replication or a Galera cluster for high availability.
What is Echo's MariaDB image?
Echo's mariadb image is a hardened build of the MariaDB server with the same wire protocol and on-disk format as the public image. Echo images are designed to be a drop-in replacement: change the FROM line in your Dockerfile and CVEs go to zero without breaking your app. Every image is tested across clouds, image use cases, and deployment targets. Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. Echo OS uses apt and glibc - the most common libc and package manager - to maximize compatibility, instead of less common stacks like apk/musl.
What is the difference between Echo's MariaDB image and the public MariaDB image?
Public mariadb images use Ubuntu as a base and bring in OS-level CVEs unrelated to the database. Echo's image is built from source with only the components needed to run mariadbd, so CVEs drop to zero without changing your data path or any backup tooling. Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown - with vulnerabilities triaged within 24 hours. Echo images are recognized by all major scanners and mirrored to all major registries, so they fit into existing pipelines without changing your registry, scanner, or runtime tooling.
FAQ
Can I replace my mariadb image with Echo's mariadb image?
Yes. Echo's mariadb image is a drop-in replacement. Update the FROM line in your Dockerfile (or the image reference in your manifests) and your application keeps working - the CVEs disappear, the behavior doesn't.
Is Echo's mariadb image FIPS-validated?
Yes. Echo's FIPS-validated images use cryptographic modules with an active FIPS 140-3 CMVP certificate, making them fit for federal use - unlike FIPS-compliant images that haven't been validated.
What is Echo's vulnerability management SLA on the mariadb image?
Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown - with vulnerabilities triaged within 24 hours. Patches are mirrored automatically into your private registry so you're always running a clean version.
Is Echo's mariadb image distroless?
Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells.
How does Echo achieve such a drastic CVE reduction in mariadb?
Echo mariadb is built from source with only the absolute essentials needed to run the workload, which significantly shrinks the attack surface. Echo also patches aggressively over time, with backports available so you can stay on the version that works for you without forcing a functional change for the sake of security.
Will Echo's mariadb image help us achieve FedRAMP?
Yes. The hard parts of FedRAMP - managing vulnerabilities, applying fixes, and using FIPS-validated cryptography - are baked into Echo images, including STIG-hardened configuration and ConMon/POA&M-ready reporting.