Tuesday, January 29, 2019

Meet the Team: Zach Vidibor

The Bitnami team is a diverse group of talented people distributed all over the world. Get to know them better through this series of blog posts.

Zach is the Head of Enterprise Sales and is part of our remote team based in London, UK.

A Brief Bio

Although I was born and raised in Silicon Valley (Mountain View to be exact), my journey into technology was never one I planned. In my younger years I thought I would either be a professional mountain climber, a Navy SEAL, or a mechanical engineer...but somehow by the time I got to college I ended up studying political science and working at a radio station. And, not surprisingly, by the time I was finishing college, all I knew was I still didn’t know what I wanted to do. I ended up getting a sales job for a company called Ricoh, selling printers and copiers. Anyone who’s had a job like this before will know, it’s a very difficult ‘first sales job’ to have, and didn’t leave me thinking this was my future either. But, I had the good fortune of running into a very old family friend at a party and striking up a conversation about what I should do next. She was an early employee at LinkedIn and suggested I meet with some people over there who were building out their first inside sales org. Needless to say, I met some amazing people and this is where everything changed as they say. I’ve been in technology sales ever since. What I found out was that sales was something radically different than I had thought, and was something that I could find great satisfaction in. I’ve always been extremely passionate and interested in how things work, and I discovered sales was a path to getting behind the scenes and discovering how countless different businesses function. On top of that, I could bring in technology to help people fix, improve, and transform their businesses. That is what I ultimately fell in love with about technology and my career in sales.

Why did you join Bitnami and what excites you about working here?

Bitnami is exciting for me for so many reasons. First, I’ve always loved stories about companies that ‘punched above their weight’ so to speak. The companies that everyone’s heard of, but don’t realize how big of an impact they’ve had until you’re on the inside. As I began to peel back the layers I saw that while Bitnami was not a very large company it had incredible reach, partnerships, and influence. On top of that, all of the people that I met across the board were just downright impressive individuals. I know it’s cliche to say it’s the people, but it really was the case for me. I found a group of people that I wanted to learn from and build with. From a business standpoint I was fascinated by all of the unique skills and capabilities the company has, and the different areas this gives us an opportunity to be relevant in. From a technology standpoint, there were many things I found very interesting, but our work in Kubernetes was the most exciting to me. The company I was at prior to Bitnami relied heavily on Kubernetes - I saw up close the leverage and velocity it enabled for the business and knew I had to be involved with it in some capacity going forward.

What are you working on?

Right now I’m working on helping Bitnami bring all of our unique technology and expertise to the enterprise. Specifically I’m focused on our direct sales efforts, building alliances with partners, and our overall go-to-market strategy.


Enjoying the "best meal of his life" while traveling with his wife!
What do you like to do for fun?

More than anything else, my wife and I love to travel and explore. We like to do that not only in far away places, but also find all those hidden gems right in our backyard. No matter where we are, I love to eat and cook... a lot. My most cherished possessions are probably my cast iron pan and Japanese knives if that gives you any idea. I also love to mountain bike and snowboard whenever I get the chance.

Interested in working with Bitnami and Zach? Apply for one of our open positions!

Thursday, January 24, 2019

Security vulnerability in the PEAR download manager

The PEAR maintainers found a security breach on their server and published a security announcement about it. The PHP PEAR installer distributed from that server (go-pear.phar) included malicious code, and the PEAR maintainers are still in the process of analyzing it.

We would like to inform you that the "go-pear.phar" tool is not included in Bitnami solutions. All our solutions use PEAR from PHP source code that is not affected.

If you downloaded the go-pear.phar file after December 20th, 2018, get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare the file hashes. If the hashes differ, you may have the infected file.

If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.

Wednesday, January 23, 2019

APT security update - CVE-2019-3462

A new security vulnerability was discovered in the Advanced Package Tool, or APT, the high-level package manager for Debian, Ubuntu, and related Linux distributions.

APT does not properly sanitize fields in HTTP redirects, so a man-in-the-middle attacker sitting on the HTTP connection between APT and a mirror could inject malicious content into it. You can find more information in the official announcement.

You can either upgrade the system's apt package to a version that fixes the issue or, as a temporary mitigation, disable HTTP redirects:

  • Upgrade the package

Run the following commands to install the latest version of the package (redirects are disabled during the upgrade itself, so the fix cannot be tampered with while it is being downloaded):

    sudo apt-get -o Acquire::http::AllowRedirect=false update
    sudo apt-get -o Acquire::http::AllowRedirect=false install apt -y

The fixed versions are:
  • Debian 8.x: Version 1.0.9.8.5 and later versions
  • Debian 9.x: Version 1.4.9 and later versions
  • Ubuntu 14.04: Version 1.0.1ubuntu2.19 and later versions
  • Ubuntu 16.04: Version 1.2.29ubuntu0.1 and later versions

To check the current version of your APT package, please run this command:

    apt --version

  • Disable redirect

If you cannot upgrade the APT package right now, pass the following option to every apt command you run:

    -o Acquire::http::AllowRedirect=false

If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.

Thursday, January 17, 2019

Drupal 8.6.7 and 7.63 critical security releases

Drupal has released new versions that fix critical security vulnerabilities. We strongly recommend that you upgrade your existing Drupal 7 and 8 sites.

This security release addresses two vulnerabilities, covered by two separate advisories:

  • SA-CORE-2019-001: Drupal core bundles the third-party PEAR Archive_Tar library, which recently received a security update.
  • SA-CORE-2019-002: A remote code execution vulnerability when performing file operations on an untrusted phar:// URI.

You can learn more about these vulnerabilities in the Drupal official announcements. It is suggested that you upgrade your Drupal application to Drupal 7.63 or later, and Drupal 8.6.7 or later. You can follow our documentation to learn how to upgrade your application to strengthen its security. We highly recommend creating a backup before performing the upgrade.

For new application deployments, including those made from the Bitnami Launchpad, we released Drupal 7.63 and 8.6.7 versions for containers, installers, virtual machines, cloud images, and Multi-Tier solutions. We also updated the Drupal-based solutions (CiviCRM and OpenAtrium). These include all the necessary fixes to address the vulnerabilities listed above. If you have already deployed any of these Bitnami applications and it is not yet updated to the latest version, you will need to upgrade by following our documentation.

If you have further questions about this security issue, please post to our community forum, where we will be happy to help.

Wednesday, January 16, 2019

Automattic, the Expert Behind WordPress, Partners with Bitnami to Bring the Official WordPress Image to AWS Marketplace

Authored by Kevin Franklin, Director of Business Development

WordPress powers 33% of the internet. With over 45,000 themes and plugins, it is the world’s most popular content management system.

Every month, WordPress certified and published by Bitnami on AWS is launched tens of thousands of times. When a user launches an application certified by Bitnami, they are confidently launching the most up-to-date and secure version of the application. Bitnami’s expertise in packaging reliable, secure solutions means they will have the best possible WordPress user experience available on any cloud marketplace.

We are delighted to announce that Automattic, the expert in WordPress and creator of WordPress.com, has partnered with Bitnami to provide the official WordPress image to the AWS Marketplace. The Official WordPress image, “WordPress Certified by Bitnami and Automattic,” is now available on AWS Marketplace.

This new marketplace listing includes the Jetpack plugin giving users access to additional professional themes, performance improvements, scanning, site activity and marketing tools. The listing also includes the new Gutenberg editor.

WordPress Certified by Bitnami and Automattic is the first step in supporting WordPress in the AWS Marketplace. Soon, you’ll see tutorials, webinars and other materials to help you get even more out of your WordPress implementation.

Stay tuned for more updates about this partnership by following us on twitter or LinkedIn!

Official WordPress listing on AWS Marketplace

Tuesday, January 15, 2019

Supporting Enterprise Architectures with Azure Database Services

Authored by Michael Murphy, Product Marketing Manager

Bitnami supports Microsoft enterprise customers in multi-tier environments in numerous ways, and actively works with the Azure Database Services team to provide enterprise solutions and promote best practices across our portfolio of products and projects. In light of the recent announcement regarding the availability of two new Bitnami packaged solutions pre-configured with Azure Database for MariaDB, I wanted to write this accompanying blog post to provide a bit more detail. Not only about the new offerings, but also about how Bitnami supports Azure Database Services across our product and project portfolio. Here’s how we make it easy for you to add Azure Database Services to your applications and projects.

Open source applications in the Azure Marketplace


As a long time Microsoft partner, Bitnami provides a wide range of pre-packaged, easy to deploy open-source applications and development stacks to the Azure Marketplace. ‘Bitnami Certified’ has become synonymous with ‘trusted, secure, and easy to deploy’. Many of these are multi-tier solutions.
What we just announced extends this support for enterprise architectures. We worked with the Azure Database Services team to further simplify the deployment of two of the most popular and widely deployed applications, WordPress and Drupal. While both of these applications have long been packaged and available from Bitnami in the Azure Marketplace, these new packages offer the applications pre-configured as a multi-tier solution that include Azure Database for MariaDB support.

These packages take the complexity out of configuring what would typically be a sophisticated configuration setup. Deploying one of these applications is now as easy as scrolling through the Azure Marketplace, selecting the offering, and clicking ‘launch’.

Launching one of these application packages lets you leverage the stability and security of Bitnami’s production grade application package while harnessing the power of a fully managed Azure Database, allowing you to scale quickly and reach global distribution without worrying about costly downtime.

Your applications with Stacksmith on Azure and AKS


Stacksmith, from Bitnami, is a product for packaging your own multi-tier applications. Stacksmith lets you enforce best practices during packaging, including your configuration requirements for the use of Azure Database Services, including CosmosDB and Azure Database for MariaDB.

Stacksmith provides reference architectures for Java Tomcat, .NET Core and other Linux applications that include Azure Database Service configuration with an ARM Template out-of-the-box. These architectures are customizable to your requirements, or you can define your own best practices and deployment policies. Stacksmith then codifies them into the packaging process, ensuring that your best practices for using Azure Database Services, including their settings for geo-redundancy, retention policies, tagging and networking configuration are included. Once defined, Stacksmith can apply and maintain these policies and best practices over time across your application portfolio, applying them every time the application is packaged or updated.

Doing so simplifies the process via automation, and enables you to implement and enforce database best practices for your applications. And since Stacksmith includes multi-format support, you can utilize a single packaging process to create artifacts and their database configurations for deployment to Azure and / or AKS / Kubernetes.

Check out the video below for a quick demo: 



Containers / Kubernetes applications on AKS


There are numerous ways Bitnami helps enterprise customers connect database services on AKS. As I mentioned above - Stacksmith can be used to package your applications for multi-tier deployments to your Kubernetes clusters.

You can also use Kubeapps with Open Service Broker for Azure and Stacksmith, in the following way. Kubeapps is an open source project with a web-based graphical user interface that helps you to discover Kubernetes applications and deploy them to your Kubernetes cluster on AKS. Microsoft has partnered with Bitnami to integrate Kubeapps with Open Service Broker for Azure, to allow you to create and present Helm charts that leverage Azure-native PaaS services as part of the architecture. For example, you can deploy your application tier on AKS and an Azure Database Services backend, getting the best of both worlds - a highly scalable application with a highly available database. To maintain your application with this database configuration to ensure it stays up to date and secure over time, you can use Stacksmith. You can read more about Open Service Broker for Azure here.

As you can see, we have been busy supporting our enterprise customers and continue to expand the scope of this support to make it ever easier to set up and deploy complex environments that leverage first-party Azure services.

To learn more, register for the “Create an Application-Centric DevOps Experience with Stacksmith and Azure OSS Database Services” webinar with Andrea Lam, Product Manager of Azure Database for MySQL/MariaDB at Microsoft, on January 29th at 9:00 am PST.

Systemd journald security vulnerabilities

Three security vulnerabilities have been found in the systemd package, a system and service manager used in most major Linux distributions.

These new vulnerabilities can lead to memory corruption attacks (CVE-2018-16864 and CVE-2018-16865) and an out of bounds error that can leak data (CVE-2018-16866). You can learn more about these vulnerabilities in the official announcement.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is currently working on packaging the updated solutions, and will make these new versions available through our catalog and our cloud partner marketplaces.

The Linux distributions have published patched versions of the systemd package, so you can update it with your system's package manager. The patched versions are the following:


  • Ubuntu 16: 229-4ubuntu21.15
  • Debian 9: 232-25+deb9u7
  • Oracle Linux 7: 219-62.0.4.el7_6.2
  • RedHat 7: 219-62.el7_6.2
  • CentOS 7: 219-62.el7_6.2


If you have further questions about this security issue, please post to our community forum and we will be happy to help you.

Wednesday, January 9, 2019

Jenkins security release: Script Security sandbox bypass

The Jenkins security team has published a Jenkins Security Advisory announcing a new vulnerability in some Jenkins plugins. This vulnerability bypasses the Jenkins sandbox protection in the Script Security Plugin and Pipeline Plugins, which allows an attacker to execute arbitrary code on the Jenkins primary node.



It is strongly recommended that you update your Jenkins plugins to their latest versions. You can follow our documentation to learn how to upgrade them. Below is the list of affected plugins and the versions you should upgrade to:


  • Pipeline: Declarative Plugin should be updated to version 1.3.4.1
  • Pipeline: Groovy Plugin should be updated to version 2.61.1
  • Script Security Plugin should be updated to version 1.50

You can find more information about the Jenkins security announcement in the Jenkins Security Advisory.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team has already updated our different solutions with the new versions of each plugin and we are working on updating the different marketplaces as soon as possible.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum and we will be happy to help you.

Tuesday, January 8, 2019

How Stacksmith helps to package, optimize and maintain your application in a consistent way

Authored by Jota Martos, Engineer 

Building an application from scratch requires a huge effort from its developers. Beyond defining the prerequisites (language, runtime and so on), there is the time spent writing the code and building, packaging and deploying the solution. If your application must support several platforms, you will also need to build a system that meets those additional needs, which takes further knowledge and time to integrate.

On the other hand, there are cases in which you will use a commercial or Open Source application that does not require code changes but does require changes in the way it’s deployed and configured. In these cases, automating the process to package and deploy the application so it meets your needs can deliver key benefits to your business. 

These benefits include time saving from the reduced effort it takes to incorporate your changes (and not just once, but every time the application package needs updating), and it improves the consistency and quality of what you produce by minimizing human intervention and the possibility of human errors. That’s why you need to put a system in place to automatically package and deploy it every time you integrate a new change in your application.

Many organizations that are evaluating what this means look to Continuous Integration and Continuous Deployment tools (CI/CD) to solve the problem. These tools are often either overly prescriptive - they only work with particular application runtimes or cloud targets, for example - or overly flexible, requiring substantial customization for them to work in your specific environment. 

While these tools are right for many situations, they won’t be right for all. For those situations that don’t require a fully automated CI/CD software delivery process, there is still an opportunity to gain many of the benefits they can deliver without having to implement a full CI/CD strategy. By packaging the application code and configuration as deploy-ready artifacts, images, and associated deployment templates, and delivering that application in an automated, repeatable way, you can obtain the transformational effect and long-term maintenance benefits typically only achieved with CI/CD tools. Here is how it can be done.


The importance of automating the application packaging and delivery process


The process of packaging and deploying your application is time-consuming so increasing productivity when performing these tasks is always a good idea. Automating these tasks allows teams to focus more on the development of applications and less on the system details of delivering it to computing environments.

Some of the benefits are: 


  • Teams can test changes easily and frequently, which leads to better results. Because the process is automated, it is easy to validate even a small change in the application by packaging and testing the solution with that change included.
  • Automating the delivery provides a repeatable and reliable way to promote application changes - not only for the production environment, but also for the development, test or any other environment that the team uses when deploying an application.


Bitnami Stacksmith is a tool that automates and optimizes the packaging of your applications for deployment to cloud and container platforms. It also includes many more features, such as multi-platform support, security checks, and methods to upgrade, downgrade and maintain your application.

Stacksmith only needs the files of your already-built application (for example a .tar.gz file or your Node.js application) and it will package it for the cloud or container platform you select. Stacksmith provides a consistent, reproducible, and automated way to package your applications. 

In addition, Stacksmith can be integrated with your CI/CD pipeline. After the application itself has been built and tested, the build output can be passed to your CD tool for the deployment of the updated version of the application to the staging environment. This Bitnami blog post has some examples on how to integrate Stacksmith with other services.


Not only packaging automation: Other benefits of Stacksmith


Target different platforms in a single process

Stacksmith lets you package your applications for multiple platforms. This means you can package your software for AWS and Azure with just a few clicks. When you package for AWS, Stacksmith creates an AWS CloudFormation template for you, along with an Amazon Machine Image (AMI) that contains all the necessary dependencies for your application. When packaging for Azure, Stacksmith creates an Azure Resource Manager template for you and a managed virtual machine image. If your focus is Kubernetes / containers, Stacksmith also lets you create container images and Helm charts that can be deployed to the container services of those platforms.

Stacksmith also allows you to create different applications depending on the target and the files and scripts you want to package. For example, you can configure the AWS solution to use the “Java Tomcat Application with DB (MySQL)” architecture, yet configure Stacksmith to use PostgreSQL when packaging for other platforms.



Security

One of the goals of Stacksmith is to maintain your application by keeping it secure and up-to-date. To accomplish this, Stacksmith documents the components that were installed when packaging your application, then continuously checks for updates and known security vulnerabilities for any of these components. All this information is shown in the “System Packages” section of the build you select.



Here you will also find alerts about security issues affecting these components and information on how to repackage the application.

This ensures a smooth process for upgrading your application, making it easy to repackage a fixed version of the application and update existing deployments to fix any security issues.

Upgrades, downgrades, and maintenance

Stacksmith allows you to update your application at any time by uploading new files, and it also supports downgrades for when you wish to return an application to a previous state. To illustrate this, I am going to update the application by providing new files and packaging a new version of it:  


  1. From the “Applications” dashboard of your project, select the application you want to update. 
  2. Click “Edit configuration”.
  3. Provide the new files of the application and add a version number for the new build. 



This feature is extremely useful for those users who don’t have any automation in place because it gives them the opportunity to easily package any other version of the application in just a few clicks. Stacksmith will save the information about all the packages it has been generating, all the previous versions, and the new ones that will be accessible through its dashboard. 

When editing the configuration, you can also perform other tasks, such as changing the template you wish to use (in case you want to change the database the application uses, for example) or the target platforms (you can add or remove support for AWS or Kubernetes in the different versions you build).

Once Stacksmith has built an updated version of your application, it can be used to update the existing out-of-date one.

Stacksmith's built-in stack templates are designed with easy application updates in mind. In most cases, the upgrade or downgrade can be done with zero downtime for your application, because Stacksmith lets you use the cloud-native load balancing and other mechanisms available on each platform. In the case of AWS, Stacksmith leverages Elastic Load Balancers and Auto Scaling Groups to achieve this goal.

To update an existing deployment, you only need to copy the CloudFormation template HTTPS URL, go to the AWS CloudFormation console, choose the ‘Update Stack’ option, and provide the new template URL.


Automation is the key


This article explains how Bitnami Stacksmith is a really useful tool for packaging your application, regardless of where your application files come from or how automated your current packaging process is. It provides a consistent and reproducible way to package your applications, which leads to better quality and reliability.

With Stacksmith, your application can be packaged for multiple platforms in just a few clicks. Once you provide your application files, the system will package the application and make it accessible in the platforms you select. Stacksmith automates ongoing maintenance, keeping your applications secure and up-to-date by applying the latest security patches as well as the latest configuration and other internal updates you integrated into the application. 

Try Stacksmith Public for free now for your Open Source projects, or enroll into one of the other Stacksmith plans to experience all the benefits of Stacksmith.





Have questions about how Stacksmith can fit with the CI/CD tools you currently use? Contact us at enterprise@bitnami.com.