Introducing Minimal Application Runtimes in Tanzu Application Catalog and Bitnami Premium

• This set of new minimal container images is available now and ready to use in the two commercial versions of Bitnami: Bitnami Premium built on Debian 12, and Tanzu Application Catalog (TAC) built on Photon OS. In this article we will be using the latter as an example.Why now and why these minimal container images are a good idea for your applications

Recently, we announced the general availability of Bitnami Premium, a new commercial upgrade to Bitnami, as well as a new partnership with Arrow Electronics who facilitate a streamlined purchasing process and support experience. Today we are happy to announce an expansion of our commercial offerings with a new set of optimized, performant, minimal, and highly secure application runtimes for the most popular programming languages.

This set of new minimal container images is available now and ready to use in the two commercial versions of Bitnami: Bitnami Premium built on Debian 12, and Tanzu Application Catalog (TAC) built on Photon OS. In this article, we will be using the latter as an example.

Why now and why these minimal container images are a good idea for your applications

Traditionally, Bitnami and hence TAC have focused on delivering high quality, more secure, and consistent Open Source Software applications. Developers and platform engineers know and value that the Bitnami packages are more secure, have tons of knobs and dials, and are very consistent even across multiple operating systems and formats.

Bitnami has always packaged programming language Software Development Kits (SDKs). Whether it was Java, Node.js, or .NET, developers knew our SDKs can be very solid and complete. For example, if your team needed to compile a Python package as part of your Node.js application, you were covered. This completeness comes from many years of serving the development community and their needs. But of course, with time these images grew in size, in contrast with the rest of the applications of the catalog that focus on products running in production and have been optimized over the years.

It is important to note that this situation is not unique to Bitnami. Ivan Velichko explains it better than me in his fantastic essay: Help, my Node image has Python. Official images have become the greatest common denominator for developer needs. That’s ok for development: these are good images for building your apps. But they can be really wrong for running your apps in production.

With the growing interest in our Bitnami Premium initiative, we had more and more customers asking if we had any optimized runtimes for the popular SDKs. We decided that it was time to start focusing on giving our users better runtime alternatives to crafting their own images or needing to rely on third parties to run their applications and ending up with catalog inconsistency. 

Explaining minimal application runtimes

Bitnami’s minimal application runtimes are optimized container images built on top of the essential packages that a container image needs to run on its host. This idea was coined years ago by Google as distroless, because the container images don’t come with a full-blown Linux distribution like Debian or Red Hat. They also leave out software that is useful for development or debugging but that is not needed for running an application in production. This software can be tools, unneeded OS libraries, package managers, documentation, header files, or even Operating System shells.

Bitnami’s minimal application runtimes ship with the bare minimal files needed to run the application on each SDK. The result is container images that:

• Are reduced in size: By removing unnecessary overhead, the container image contains only the application and its essential dependencies.
• Expose a smaller threat surface: The exclusion of non-essential files reduces potential security vulnerabilities and reduces the number of CVEs flagged by your scanner—today and tomorrow.
• Are simpler to maintain: With fewer components to update and manage, security patching and overall maintenance can be more efficient.
• Are more efficient: With reduced footprint, these images may lower your cloud bill while decreasing application startup time.

The structure of Tanzu Application Catalog minimal application runtimes

To build these minimal application runtimes we decided to start with a trimmed down Photon OS base image for TAC. In Bitnami Premium instead we start from a trimmed down version of Debian Bookworm. Note that in this article, we will focus on TAC. Photon OS is VMware’s enterprise grade security-hardened operating system that, being Open Source and built for cloud and edge applications, gives us a good starting point. From that base image, we remove everything unnecessary and create two base images: static and libgcc. If you have followed the container image ecosystem, this probably sounds very familiar to you. It just follows the same conventions set by Google’s popular distroless images. 

Once you dive into these images, you’ll find that the static minimal container is a scant 7 MB in size! That’s because it ships just the essentials needed: certificates, timezone data, network files and a basic structure for non-root configuration. On top of that, the libgcc variant adds C, C++ and the GCC runtime library, along with Photon’s FIPS-certified OpenSSL provider. You can check the full inventory from TAC minimal containers in our documentation. If we dig into this image on the TAC software knowledge graph, we’ll easily spot the few packages that this image ships with. 

Both images, static and libgcc are great for running your applications when there are no other SDKs needed. For example, this is a good option for C, C++, Rust and Golang languages or .NET Ahead-of-Time (AOT) bundles, amongst others. 

However, some other programming languages come with their own SDKs. This is the case of languages like Python, Java, .NET and others. Again, in a similar way to the official distroless images, we decided to build the higher-level SDKs on top of the libgcc image as the image below shows.

Using these minimal application runtimes

Ok, so we’ve learned why these minimal runtimes are a great deal and how they are structured. How do we use them though? Well, the idea is very simple: the container image used to develop the application should be a superset of the container image used at runtime. 

How this gets implemented largely depends on your platform. Whether you are using Tanzu Platform, ArgoCD, or GitHub Actions, the answer will be slightly different. To keep things very simple I will provide a sample that just uses Docker. In this case, what we would have to do is to set up a multi-stage build. For this, I’ve taken one of Bret Fisher’s great Node.js and Docker course examples and adapted it a little bit. 

## Stage 1 (production base)
# This gets our prod dependencies installed and out of the way
FROM bitnami/node:22 as base
EXPOSE 3000
ENV NODE_ENV=production
WORKDIR /opt
COPY package*.json ./

# we use npm ci here so only the package-lock.json file is used
RUN npm ci \
    && npm cache clean --force

## Stage 2 (development)
# This uses regular Bitnami which is heavy and has all we need
FROM base as dev
ENV NODE_ENV=development
ENV PATH=/opt/node_modules/.bin:$PATH
WORKDIR /opt
RUN npm install
WORKDIR /opt/app
CMD ["nodemon", "./bin/www", "--inspect=0.0.0.0:9229"]

## Stage 3 (copy in source for prod)
# Finally, copy the built code into the production image which is minimal
FROM tac-registry/node-min:22 as prod
WORKDIR /opt/app
COPY . .
CMD ["node", "./bin/www"]

As you see above, the result ends up being actually quite simple. The base and development images can be based on the regular Bitnami Node.js beefy container image. But for the production environment, we use the minimal application runtime from TAC. 

All that should work seamlessly, but what about the end result? Is the image smaller? Is it “safer”? Well, let’s look at those details next.

Comparing minimal application runtimes to Bitnami development and official images

In this section, we’re going to go through how these images compare to official images for each programming language and also to regular Bitnami development container images. Finally, in the next section, we will dig into one of these ecosystems in detail. 

Let’s start with the overall comparison.

While this data is from January 2025, and sizes will be slightly different once you read this article, at the time of writing we can see a drastic size reduction with TAC application runtimes versus the official images. Nothing less than 94%!! for Python or 92%!! for Ruby. Those are big numbers. But even for Microsoft’s .NET runtime which is actually quite good, we can see a 28% improvement in size.

Let’s focus now on vulnerabilities. We’ve run an OSS scanner,Trivy, against each of these images. If our theory is correct, we should see a considerable difference in the number of CVEs when comparing the official and Bitnami development container images with the new minimal application runtimes. Is that right? Let’s see.

And right it was. The image above is not missing a third column. It just happens that CVEs are 0 in most cases. So there is indeed a fantastic reduction in the CVE surface which these days is more critical for compliance than ever. 

But this test provided another interesting metric to highlight about Bitnami container images. Have you noticed that one CVE in Python? Well, that one was CVE-2024-12254 and it is particularly interesting because you won’t find that one in Python’s official image. Wait, what? 

Yes, that’s correct. This CVE was at that time affecting all container images, both official and not official, shipping Python 3.12 or beyond from upstream. That’s pretty much all containers out there, or at least those that don’t do patch-forking. Scanners do report this CVE on Bitnami containers because our images include a complete SBOM that has details of all the packages that we are installing on top of the operating system. On the other hand, most other images instead will just install Python binaries from a downloaded bundle or perhaps compile them from source, but they won’t include an SBOM reporting the packages they add. Therefore, OSS scanners end up unaware of the container image’s full contents.

Is that extra CVE a good thing then? Well, whereas platform engineers and engineering teams having to upgrade images will certainly be bothered, we believe it is. There is much ground for improvement with vulnerability scanners, but while that happens we think that being honest and complete about what gets installed in containers is very important to our customers – and that vulnerability is pending a fix from the upstream Python community. [Update: the CVE has since been fixed upstream, and all affected apps in free and commercial Bitnami catalogs have been updated with the patch.] That not only provides better compliance with better SBOMs but also could actually save teams from much trouble when that “hidden” CVE happens to be the next log4j.

Digging into one application runtime: Node.js

Finally, in the above comparison, we did go over official images and their Bitnami free alternatives and saw great improvements. However, we also mentioned why those images are focused on development and are likely not a good choice for running applications in production environments. Going through each language ecosystem and doing a deep analysis of all the container images more suitable for running workloads in production would be too lengthy. So, instead, I’m going to go and focus on just one platform, Node.js. I also think the results should extrapolate reasonably well to all the other platforms.

In the next diagram, we’re going to look at the size and CVE footprint of some of the most popular container images used today for Node.js applications. How did I come up with the list? Well for the sake of independence, rather than choosing the container images by myself, I decided to go with the list from Ivan Velichko’s Node.js container analysis post instead. By the way, if you haven’t checked his site, you should. It’s full of great material. 

In that post, Ivan goes into detail about why each of those container images is relevant and also gives an in-depth analysis on both size and CVE footprint. Naturally, Bitnami’s container image does not do well in that comparison. Which makes sense as it is very development focused. But, then, how does the new Node.js minimal runtime perform on that same benchmark? Well, let’s see.

Please, take as much time as needed to go through the infographic above. Looking at the data, TAC’s minimal container images did extraordinarily well. 

We can see a 12% size reduction in our minimal Node.js images versus the smallest image from that benchmark set, which is Chainguard’s. There’s also a staggering ~88% reduction versus the official image and significant reductions compared to all the other slimmed containers too. On the vulnerabilities front, all three Alpine, Chainguard, and TAC versions have zero CVEs reported by Trivy. So, all in all, the results are pretty good. 

Keep an eye out for more updates

We are excited to deliver these new minimal application runtimes to the TAC (Photon) Bitnami Premium (Debian 12) products. They provide a great alternative to application teams to run their applications in production with a lower footprint and minimal threat surface, while also maintaining the consistency and security standards that users from Bitnami are used to. Perhaps the greatest reason to use our minimal images over the alternatives, however, is that you get the Bitnami SDKs for development purposes which also provide great consistency across multiple language runtimes.

If you’d like to learn more about Bitnami Premium, you can visit our partner Arrow’s marketplace page. To read up on Tanzu Application Catalog, visit our webpage. To keep up with the latest on our minimal container images initiative and more, be sure to follow us on X (formerly Twitter) and Linkedin.

Announcing General Availability of Bitnami Premium

Today the Bitnami team, part of VMware Tanzu, is thrilled to make two announcements. The first is that Bitnami Premium, a new commercial upgrade to the Bitnami Application Catalog containers and Helm charts, is now Generally Available. Second, we are kicking off a new endeavor with Arrow Electronics to facilitate a streamlined Bitnami Premium purchase and support experience.

A new commercial version of Bitnami open source containers and Helm charts

Enterprises that love Bitnami can now purchase a Bitnami Premium subscription from Arrow Electronics and consume the containers and Helm charts right in Docker Hub. Bitnami Premium users will get access to private Docker Hub repositories with the same containers and Helm charts they are used to, plus new commercial features including:

• Enterprise support for all 500+ Bitnami Premium packages
• All LTS branches of all Bitnami application packages maintained up-to-date
• Unlimited pulls of all Bitnami Premium containers and Helm charts from Docker Hub
• Secure software supply chain metadata including Software Bills of Material (SBOMs), SLSA 3 pipeline validation with in-toto attestations, Notation and Cosign signatures, Build-time CVE and anti-virus scan reports, and more.

Alongside the launch of Bitnami Premium, we are making some changes to how we deliver the Bitnami Application Catalog:

• Unlimited pulls from Docker Hub will no longer be available. Free Bitnami Application Catalog containers and charts will be subject to the same limits as any other Docker Hub repos starting December 16th, 2024 January 6th, 2025. Pulls of Bitnami Premium containers and Helm charts will not count towards your  Docker Hub pull limits or overages.
  UPDATE: We’ve received a lot of feedback from the community on the impact of this update. We have decided to shift to a gradual implementation, starting with a 3-hour test December 16th, followed by a 12-hour test on December 19th. The permanent change is now scheduled for January 6th, 2025.
• Long-term-support (LTS) branches of the software we package will no longer be maintained in the free Bitnami Application Catalog. To continue receiving updates for LTS branches of packages, you will have to upgrade to Bitnami Premium.
• We are improving Bitnami Application Catalog users’ supply chain security through additional integrity checks in our Helm chart installation process. These checks enable users to be aware when they are using containers that were not created and tested by Bitnami.

These changes enable us to deliver a premium Bitnami experience to our enterprise users who will benefit from support and security metadata, but who do not need the extensive customization that is core to our other commercial offering called Tanzu Application Catalog (TAC). We are committed to continue delivering free Bitnami Application Catalog content to our community of developers and other open source project maintainers over the long term. 

Read on to learn more about Bitnami Premium and the coming changes to the free Bitnami Application Catalog content.

New goodness in Bitnami Premium

Bitnami Premium is a new version of the content packaged by Bitnami that is sold through Arrow Electronics. You can connect to an Arrow salesperson if you have any questions or want to purchase access. Once you buy Bitnami Premium, you will be given access to the Bitnami Premium registries in Docker Hub. You can then return to Docker Hub where you will have access to the Bitnami Premium containers, Helm charts, and software supply chain metadata from the new /bitnamiprem and /bitnamichartsprem orgs. These private repos are what enable you to pull without limits or caps. You will also see containers for all LTS branches continuously maintained up-to-date: for example, you will see PostgreSQL containers for versions 12, 13, 14, 15, 16, and 17; while in the free Bitnami catalog, you will only find version 17.

A middle ground between free Bitnami Application Catalog and Tanzu Application Catalog customized packages.

In Bitnami Premium, all of the applications are built on Debian just as they are in the free Bitnami library. You get the entire library of containers and Helm charts kept up-to-date with the latest changes anywhere in each app from the OS to the application code itself. You can consume the content through Docker Hub where you’ve already been pulling it to date. However, in the Bitnami Premium registries, you will also find important software supply chain security metadata delivered as OCI artifacts alongside the containers and Helm charts. This metadata is useful for enterprises that need third-party open source software to be compliant with policies around auditability, supply chain integrity, and time to remediation of vulnerabilities.

• Supply chain security and integrity: Bitnami Premium containers and Helm charts are built on an SLSA 3 pipeline, with attestations and signatures serving as proof that the software you’re deploying in your clusters is what you expect and has not been tampered with. 
• Software bills of material (SBOMs): At both the Helm chart and container levels, SBOMs give you fine-grained insight into the contents of every package. This will make it far easier to continuously validate the integrity of software supply chains and to track and triage vulnerabilities as they are discovered and patched.
• Build time CVE scans, anti-virus scans, and more: also included with Bitnami Premium content are Trivy CVE scan results and ClamAV scan results that satisfy requirements for, among other things, doing business with the US Federal government. You will also find the results of Bitnami’s automated functional tests that run as part of every artifact update, trigger information that specifies why the latest update was released, and more. 

Bitnami Premium differs from Tanzu Application Catalog in that, just like our free Bitnami content, it is a one-size-fits-all library of containers and Helm charts all built on Debian. Tanzu Application Catalog gives you the ability to customize your artifacts along many different dimensions. Some of the key differences include:

• Private delivery: TAC containers and Helm charts are delivered directly to your private registries, or are hosted in a private registry maintained by us that you can pull from. 
• Choose a Linux distro or use your own “golden image”: TAC gives you the ability to choose among four supported Linux distros: Debian, Ubuntu, RedHat UBI, or VMware’s own PhotonOS. All of the software packages on these distributions are maintained up-to-date and are tested to work in multiple Kubernetes environments as part of the release process. You can also use your own golden image: we’ll build and maintain the artifacts on top of it. For customers that need it, PhotonOS includes FIPS OpenSSL, is STIG-compliant, and includes zero/minimal CVES with VEX statements to triage any remaining ones.
• App-specific customization: With TAC, you can inject your own customizations such as user settings, certificates, or plugins into our SLSA 3 pipeline, so the artifacts you receive are truly promotable to production environments.
• Software knowledge graph: This keeps track of all your software dependencies at the individual package level. It continuously scans them for vulnerabilities, and organizes them into a searchable graph database so you can see in real-time which versions of which apps are affected and patched. It also includes useful information such as open source licenses, package management ecosystem data, and more.
• UI and API: TAC includes access to a user interface where you can add and remove applications from your catalog, and interact with the software knowledge graph to see at-a-glance details about your software. The TAC API enables you to build information from the software knowledge graph into your pipelines to ensure you are keeping your applications up-to-date with the latest patched applications.

For a side-by-side comparison between Bitnami Application Catalog, Bitnami Premium, and Tanzu Application Catalog, check out this feature matrix.

Continuing our long tradition of partnerships

Since Bitnami’s beginning over a decade ago, our many partnerships have propelled us to be a leading publisher of open source software. Bitnami cloud images drive billions of compute hours annually for our hyperscale cloud partners, for example, and our containers and Helm charts are pulled hundreds of millions of times per month from our partners at Docker Hub.

We now begin our newest endeavor with Arrow Electronics. Arrow is a global leader in IT distribution. Arrow is known for its ability to help businesses navigate the complexities of modern IT landscapes, providing the tools, technology, and expertise needed to drive digital transformation and operational efficiency.

Arrow will sell Bitnami Premium access through its website. Bitnami users interested in purchasing Bitnami Premium will find a streamlined process to pay, share their Docker Hub user identification, and gain access to the private Bitnami Premium repos in Docker Hub. Bitnami Premium customers can add and remove users through Arrow's support team, as well as submit tickets for enterprise support jointly delivered by the software packaging experts at Arrow and Bitnami.

What changes are coming for the free Bitnami library?

Pull limits for free Bitnami content

Beginning December 16th, 2024, the Bitnami Application Catalog will use standard Docker Hub pull rate limits for Bitnami apps. Enterprise customers will be able to access the full Bitnami library in Bitnami Premium, purchased through the Arrow and consumed right in Docker Hub, with no rate limits or restrictions. Note that we are not changing any licenses for our packages, meaning that projects can continue to bundle our Helm charts and containers in their own application packages.

Long Term Support version updates

Many open source projects we publish packages for have multiple LTS versions supported by their communities. Currently, Bitnami maintains all of these LTS versions up-to-date. Starting December 10th, 2024, we will only continue updating the latest version available for apps in the free Bitnami Application Catalog. This will enable OSS projects and individual/small businesses to continue using the latest versions of Bitnami applications. Bitnami Premium customers who need to continue pulling up-to-date versions of LTS branches can access them in the Bitnami Premium repo in Docker Hub.

Supply chain integrity check in Bitnami Helm charts

Bitnami has invested hundreds of thousands of developer hours in constructing a world-leading pipeline to build, monitor, update, and test open source software in multiple Kubernetes environments. For these Helm charts to perform as intended and to leverage the many built-in security features, they need to deploy the Bitnami containers they were designed to work with. Therefore, we are adding new checks in the deployment process to ensure that the containers they were designed to deploy are the ones being deployed. 

Keep an eye out for more updates

We are excited to deliver an enhanced experience for Bitnami Premium users, but this is just the beginning. We will continue to build on the value that all of our Bitnami community members, both free and paid, realize through our many years of experience publishing high-quality open source software packages for the world’s developers.

Keep abreast of our blog for new updates and features, and be sure to check to follow us on X (formerly Twitter) and LinkedIn.

Bitnami Helm charts moving to OCI

In January 2022, we announced the general availability of Helm charts in OCI registries, coinciding with the release of Helm version 3.8.0. In January 2023, Bitnami began populating and distributing the largest and most up-to-date Open-Source catalog of Helm charts in OCI format in Docker Hub. 

Since then, the adoption of the Bitnami Helm charts in OCI format has proliferated. Because charts stored in container registries follow OCI standards, developers can use many of the same tools for Helm charts that they use with container images. This makes integrating Helm into automated pipelines easier and uses modern infrastructure-as-code and deployment techniques like GitOps.

We would like to go further and help the Helm community to continue adopting the OCI distribution format. Starting November the 18th, 2024, Bitnami Helm charts will default to OCI. All the charts will remain Open Source and publicly available at https://hub.docker.com/u/bitnamicharts.

Why OCI Format?

1. Standardization and Interoperability

The OCI format offers a standardized way to package and distribute container images and related artifacts. This standardization fosters interoperability across different tools and platforms, making it easier for developers and operators to collaborate. By adopting OCI, Helm charts can seamlessly integrate with existing container ecosystems, enhancing compatibility with tools like Docker and container registries.

2. Enhanced Security

The OCI format promotes best practices for image signing and verification, allowing users to validate the integrity of their deployments. By adopting OCI, the Bitnami Helm charts leverage these security features. This ensures that the charts we publish are trustworthy and resilient against vulnerabilities.

3. Improved Distribution

With OCI-compliant registries becoming increasingly prevalent, moving to the OCI format allows for more efficient distribution of Helm charts. Users can store and manage Helm charts alongside container images in a single repository, simplifying workflows and reducing the complexity of multi-repository management.

4. Future-Proofing Our Ecosystem

The cloud-native landscape is dynamic, with new technologies and practices constantly emerging. By transitioning to the OCI format, Bitnami Helm charts are delivered in a way that sets developers up for success in this ever-changing environment.

The move to OCI format is more than just a technical shift; it’s an opportunity for the Helm community to enhance its capabilities, improve security, and simplify our workflows.

What will happen to the current index.yaml stored at charts.bitnami.com?

In order to guarantee a smoother transition, the index.yaml will continue existing as an OCI artifact in Docker Hub. Any users who still use the helm repo add command can continue using this approach to maintain backward compatibility. The Helm tooling manages this in a transparent manner.

The index.yaml will change the “URL” option to point to the new OCI versions of Helm charts:

   urls:

-    - https://charts.bitnami.com/bitnami/airflow-18.3.2.tgz

+   - oci://registry-1.docker.io/bitnamicharts/airflow:18.3.2

Users should not see any change for deploying Helm charts. The requirement is to use a Helm CLI greater than 3.8.0 to deploy them.

What will happen to the Bitnami Helm charts in tgz format?

The Bitnami Helm charts in tgz format will no longer be updated. Previous versions since 2023 are available at Docker Hub and it is easy to get the tgz format via Helm command:

    $ helm pull oci://registry-1.docker.io/bitnamicharts/airflow –version 18.3.2

Older versions will continue to be available at the same URL for 6 months to ensure a smooth transition. Do not hesitate to contact us for any questions or suggestions at https://github.com/bitnami/charts/issues.