Tuesday, December 10, 2024

Announcing General Availability of Bitnami Premium

Today the Bitnami team, part of VMware Tanzu, is thrilled to make two announcements. The first is that Bitnami Premium, a new commercial upgrade to the Bitnami Application Catalog containers and Helm charts, is now Generally Available. Second, we are kicking off a new endeavor with Arrow Electronics to facilitate a streamlined Bitnami Premium purchase and support experience.

A new commercial version of Bitnami open source containers and Helm charts

Enterprises that love Bitnami can now purchase a Bitnami Premium subscription from Arrow Electronics and consume the containers and Helm charts right in Docker Hub. Bitnami Premium users will get access to private Docker Hub repositories with the same containers and Helm charts they are used to, plus new commercial features including:
  • Enterprise support for all 500+ Bitnami Premium packages
  • All LTS branches of all Bitnami application packages maintained up-to-date
  • Unlimited pulls of all Bitnami Premium containers and Helm charts from Docker Hub
  • Secure software supply chain metadata including Software Bills of Materials (SBOMs), SLSA 3 pipeline validation with in-toto attestations, Notation and Cosign signatures, build-time CVE and anti-virus scan reports, and more.

Alongside the launch of Bitnami Premium, we are making some changes to how we deliver the Bitnami Application Catalog:

  • Unlimited pulls from Docker Hub will no longer be available. Free Bitnami Application Catalog containers and charts will be subject to the same limits as any other Docker Hub repos starting January 6th, 2025 (originally announced for December 16th, 2024). Pulls of Bitnami Premium containers and Helm charts will not count towards your Docker Hub pull limits or overages.
    UPDATE: We’ve received a lot of feedback from the community on the impact of this change. We have decided to shift to a gradual implementation, starting with a 3-hour test on December 16th, followed by a 12-hour test on December 19th. The permanent change is now scheduled for January 6th, 2025.
  • Long-term-support (LTS) branches of the software we package will no longer be maintained in the free Bitnami Application Catalog. To continue receiving updates for LTS branches of packages, you will have to upgrade to Bitnami Premium.
  • We are improving Bitnami Application Catalog users’ supply chain security through additional integrity checks in our Helm chart installation process. These checks enable users to be aware when they are using containers that were not created and tested by Bitnami.
These changes enable us to deliver a premium Bitnami experience to enterprise users who benefit from support and security metadata but do not need the extensive customization that is core to our other commercial offering, Tanzu Application Catalog (TAC). We are committed to continuing to deliver free Bitnami Application Catalog content to our community of developers and other open source project maintainers over the long term.

Read on to learn more about Bitnami Premium and the coming changes to the free Bitnami Application Catalog content.

New goodness in Bitnami Premium

Bitnami Premium is a new version of the content packaged by Bitnami that is sold through Arrow Electronics. You can connect to an Arrow salesperson if you have any questions or want to purchase access. Once you buy Bitnami Premium, you will be given access to the Bitnami Premium registries in Docker Hub. You can then return to Docker Hub where you will have access to the Bitnami Premium containers, Helm charts, and software supply chain metadata from the new /bitnamiprem and /bitnamichartsprem orgs. These private repos are what enable you to pull without limits or caps. You will also see containers for all LTS branches continuously maintained up-to-date: for example, you will see PostgreSQL containers for versions 12, 13, 14, 15, 16, and 17; while in the free Bitnami catalog, you will only find version 17.

A middle ground between the free Bitnami Application Catalog and Tanzu Application Catalog customized packages

In Bitnami Premium, all of the applications are built on Debian just as they are in the free Bitnami library. You get the entire library of containers and Helm charts kept up-to-date with the latest changes anywhere in each app from the OS to the application code itself. You can consume the content through Docker Hub where you’ve already been pulling it to date. However, in the Bitnami Premium registries, you will also find important software supply chain security metadata delivered as OCI artifacts alongside the containers and Helm charts. This metadata is useful for enterprises that need third-party open source software to be compliant with policies around auditability, supply chain integrity, and time to remediation of vulnerabilities.
  • Supply chain security and integrity: Bitnami Premium containers and Helm charts are built on an SLSA 3 pipeline, with attestations and signatures serving as proof that the software you’re deploying in your clusters is what you expect and has not been tampered with. 
  • Software bills of materials (SBOMs): At both the Helm chart and container levels, SBOMs give you fine-grained insight into the contents of every package. This makes it far easier to audit what each package contains and to track and triage vulnerabilities as they are discovered and patched.
  • Build time CVE scans, anti-virus scans, and more: also included with Bitnami Premium content are Trivy CVE scan results and ClamAV scan results that satisfy requirements for, among other things, doing business with the US Federal government. You will also find the results of Bitnami’s automated functional tests that run as part of every artifact update, trigger information that specifies why the latest update was released, and more. 
Bitnami Premium differs from Tanzu Application Catalog in that, just like our free Bitnami content, it is a one-size-fits-all library of containers and Helm charts all built on Debian. Tanzu Application Catalog gives you the ability to customize your artifacts along many different dimensions. Some of the key differences include:
  • Private delivery: TAC containers and Helm charts are delivered directly to your private registries, or are hosted in a private registry maintained by us that you can pull from. 
  • Choose a Linux distro or use your own “golden image”: TAC gives you the ability to choose among four supported Linux distros: Debian, Ubuntu, Red Hat UBI, or VMware’s own PhotonOS. All of the software packages on these distributions are maintained up-to-date and are tested to work in multiple Kubernetes environments as part of the release process. You can also use your own golden image: we’ll build and maintain the artifacts on top of it. For customers that need it, PhotonOS includes FIPS OpenSSL, is STIG-compliant, and ships with zero or minimal CVEs, with VEX statements to triage any remaining ones.
  • App-specific customization: With TAC, you can inject your own customizations such as user settings, certificates, or plugins into our SLSA 3 pipeline, so the artifacts you receive are truly promotable to production environments.
  • Software knowledge graph: This keeps track of all your software dependencies at the individual package level. It continuously scans them for vulnerabilities, and organizes them into a searchable graph database so you can see in real-time which versions of which apps are affected and patched. It also includes useful information such as open source licenses, package management ecosystem data, and more.
  • UI and API: TAC includes access to a user interface where you can add and remove applications from your catalog, and interact with the software knowledge graph to see at-a-glance details about your software. The TAC API enables you to build information from the software knowledge graph into your pipelines to ensure you are keeping your applications up-to-date with the latest patched applications.
For a side-by-side comparison between Bitnami Application Catalog, Bitnami Premium, and Tanzu Application Catalog, check out this feature matrix.

Continuing our long tradition of partnerships

Since Bitnami’s beginning over a decade ago, our many partnerships have propelled us to be a leading publisher of open source software. Bitnami cloud images drive billions of compute hours annually for our hyperscale cloud partners, for example, and our containers and Helm charts are pulled hundreds of millions of times per month from our partners at Docker Hub.

We now begin our newest endeavor with Arrow Electronics. Arrow is a global leader in IT distribution. Arrow is known for its ability to help businesses navigate the complexities of modern IT landscapes, providing the tools, technology, and expertise needed to drive digital transformation and operational efficiency.

Arrow will sell Bitnami Premium access through its website. Bitnami users interested in purchasing Bitnami Premium will find a streamlined process to pay, share their Docker Hub user identification, and gain access to the private Bitnami Premium repos in Docker Hub. Bitnami Premium customers can add and remove users through Arrow's support team, as well as submit tickets for enterprise support jointly delivered by the software packaging experts at Arrow and Bitnami.



What changes are coming for the free Bitnami library?


Pull limits for free Bitnami content


Beginning January 6th, 2025 (after the test windows on December 16th and 19th, 2024 described above), the Bitnami Application Catalog will be subject to the standard Docker Hub pull rate limits. Enterprise customers can access the full Bitnami library in Bitnami Premium, purchased through Arrow and consumed directly in Docker Hub, with no rate limits or restrictions. Note that we are not changing any licenses for our packages, meaning that projects can continue to bundle our Helm charts and containers in their own application packages.


Long Term Support version updates


Many of the open source projects we publish packages for have multiple LTS versions supported by their communities. Currently, Bitnami keeps all of these LTS versions up-to-date. Starting December 10th, 2024, we will only continue updating the latest version available for each app in the free Bitnami Application Catalog. This still allows OSS projects, individuals and small businesses to keep using the latest versions of Bitnami applications. Bitnami Premium customers who need to continue pulling up-to-date versions of LTS branches can access them in the Bitnami Premium repo in Docker Hub.


Supply chain integrity check in Bitnami Helm charts


Bitnami has invested hundreds of thousands of developer hours in constructing a world-leading pipeline to build, monitor, update, and test open source software in multiple Kubernetes environments. For these Helm charts to perform as intended and to leverage their many built-in security features, they need to deploy the Bitnami containers they were designed and tested with. Therefore, we are adding checks to the Helm chart installation process that warn when the containers being deployed are not the ones the chart was built with.

Keep an eye out for more updates

We are excited to deliver an enhanced experience for Bitnami Premium users, but this is just the beginning. We will continue to build on the value that all of our Bitnami community members, both free and paid, realize through our many years of experience publishing high-quality open source software packages for the world’s developers.

Keep an eye on our blog for new updates and features, and be sure to follow us on X (formerly Twitter) and LinkedIn.

Monday, October 28, 2024

Bitnami Helm charts moving to OCI

In January 2022, we announced the general availability of Helm charts in OCI registries, coinciding with the release of Helm version 3.8.0. In January 2023, Bitnami began populating and distributing the largest and most up-to-date open source catalog of Helm charts in OCI format in Docker Hub.

Since then, adoption of the Bitnami Helm charts in OCI format has grown rapidly. Because charts stored in container registries follow OCI standards, developers can use many of the same tools for Helm charts that they use with container images. This makes integrating Helm into automated pipelines easier and enables modern infrastructure-as-code and deployment techniques like GitOps.

We would like to go further and help the Helm community to continue adopting the OCI distribution format. Starting November the 18th, 2024, Bitnami Helm charts will default to OCI. All the charts will remain Open Source and publicly available at https://hub.docker.com/u/bitnamicharts.

Why OCI Format?

1. Standardization and Interoperability

The OCI format offers a standardized way to package and distribute container images and related artifacts. This standardization fosters interoperability across different tools and platforms, making it easier for developers and operators to collaborate. By adopting OCI, Helm charts can seamlessly integrate with existing container ecosystems, enhancing compatibility with tools like Docker and container registries.

2. Enhanced Security

OCI registries support standard mechanisms for signing and verifying artifacts, so users can check that the chart they pull is the one the publisher signed and that it has not been altered in transit or in the registry. By adopting OCI, the Bitnami Helm charts can take advantage of these same mechanisms. Note that a signature establishes origin and integrity; it does not by itself say anything about vulnerabilities in the chart's contents.

3. Improved Distribution

With OCI-compliant registries becoming increasingly prevalent, moving to the OCI format allows for more efficient distribution of Helm charts. Users can store and manage Helm charts alongside container images in a single repository, simplifying workflows and reducing the complexity of multi-repository management.

4. Future-Proofing Our Ecosystem

The cloud-native landscape is dynamic, with new technologies and practices constantly emerging. By transitioning to the OCI format, Bitnami Helm charts are delivered in a way that sets developers up for success in this ever-changing environment.


The move to OCI format is more than just a technical shift; it’s an opportunity for the Helm community to enhance its capabilities, improve security, and simplify our workflows.

What will happen to the current index.yaml stored at charts.bitnami.com?


To guarantee a smooth transition, the index.yaml will continue to exist as an OCI artifact in Docker Hub. Users who still use the helm repo add command can keep using that approach for backward compatibility; the Helm tooling handles this transparently.

The entries in index.yaml will change their urls field to point to the new OCI versions of the Helm charts, for example:

   urls:
-    - https://charts.bitnami.com/bitnami/airflow-18.3.2.tgz
+    - oci://registry-1.docker.io/bitnamicharts/airflow:18.3.2


Users should not see any change when deploying Helm charts. The only requirement is a Helm CLI version of 3.8.0 or later, the release in which OCI support became generally available.
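For anyone maintaining a mirror of the old index.yaml or a script that downloads charts by URL, the mapping shown above has to be applied to every entry. The following is an added example (not Bitnami's migration tooling) that performs that rewrite. It goes slightly beyond the single airflow case in the post: it handles chart names that themselves contain hyphens, prerelease versions, and semver build metadata, which Helm stores in OCI tags with "_" in place of "+" because "+" is not a legal tag character. The index.yaml fragment at the bottom is constructed for the example.

```python
"""Rewrite legacy charts.bitnami.com URLs from an index.yaml into OCI references.

Added example, not Bitnami's own migration tooling. The URL layouts are the ones
shown in the post; the sample index body below is constructed for the example.
"""
import re

LEGACY_PREFIX = "https://charts.bitnami.com/bitnami/"
OCI_PREFIX = "oci://registry-1.docker.io/bitnamicharts/"

# <name>-<semver>.tgz, where <name> may itself contain hyphens (redis-cluster,
# postgresql-ha). The name group is lazy so the version anchors on the first
# "-<major>.<minor>.<patch>" that reaches the ".tgz" suffix.
_LEGACY_RE = re.compile(
    r"^" + re.escape(LEGACY_PREFIX)
    + r"(?P<name>[a-z0-9][a-z0-9-]*?)-"
    + r"(?P<version>\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?)\.tgz$"
)


def oci_tag(version: str) -> str:
    """OCI tags may not contain '+', so Helm stores semver build metadata with '_'."""
    return version.replace("+", "_")


def to_oci_ref(url: str) -> str:
    """Map one legacy download URL to its oci:// reference, or raise if it is not one."""
    m = _LEGACY_RE.match(url)
    if m is None:
        raise ValueError(f"not a legacy Bitnami chart URL: {url}")
    return f"{OCI_PREFIX}{m['name']}:{oci_tag(m['version'])}"


def rewrite_index(index_text: str) -> str:
    """Rewrite every '- https://charts.bitnami.com/...' list item; leave other lines alone."""
    out = []
    for line in index_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("- " + LEGACY_PREFIX):
            indent = line[: len(line) - len(line.lstrip())]
            out.append(f"{indent}- {to_oci_ref(stripped[2:])}")
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if index_text.endswith("\n") else "")


# Constructed index.yaml fragment (not a real excerpt from charts.bitnami.com).
SAMPLE_INDEX = """\
apiVersion: v1
entries:
  airflow:
  - name: airflow
    version: 18.3.2
    urls:
    - https://charts.bitnami.com/bitnami/airflow-18.3.2.tgz
  redis-cluster:
  - name: redis-cluster
    version: 10.1.2
    urls:
    - https://charts.bitnami.com/bitnami/redis-cluster-10.1.2.tgz
"""

if __name__ == "__main__":
    print(rewrite_index(SAMPLE_INDEX))
```

Because the rewrite only touches list items that begin with the legacy prefix, any index that already carries oci:// entries passes through unchanged, so the script is safe to re-run.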

What will happen to the Bitnami Helm charts in tgz format?

The Bitnami Helm charts in tgz format will no longer be updated. Versions published since 2023 are available in Docker Hub, and the tgz package can be obtained with a single Helm command:

    $ helm pull oci://registry-1.docker.io/bitnamicharts/airflow --version 18.3.2


Older versions will continue to be available at the same URL for 6 months to ensure a smooth transition. Do not hesitate to contact us for any questions or suggestions at https://github.com/bitnami/charts/issues.


Thursday, September 26, 2024

Bitnami applications unaffected by recently announced CUPS server vulnerabilities

Several critical vulnerabilities in the CUPS printing system on UNIX-like systems were discovered and disclosed today. The researcher who discovered them published a technical report at https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/


The vulnerabilities are listed below:

- CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.

- CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.

- CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.

- CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.


The impact is very high because an attacker can add a malicious printer (or replace an existing one), leading to arbitrary remote command execution (RCE) when a print job is sent to it.

Are Bitnami applications affected? Are Tanzu Application Catalog applications affected? No. 

No applications packaged by Bitnami or our enterprise version, VMware Tanzu Application Catalog, are affected: none of our containers, Helm charts, OVAs or Cloud Images ship the CUPS server or its packages. In OVAs and Cloud Images the CUPS server is not installed by default, and in any case the firewall does not expose the CUPS default port (631).

Monday, July 1, 2024

regreSSHion: Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)

The Qualys Threat Research Unit (TRU) has discovered a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. This vulnerability has been assigned CVE-2024-6387.

The vulnerability, caused by a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems, presenting a significant security risk. This race condition affects sshd in its default configuration.


The Bitnami catalog is based on Debian. According to the Debian security tracker:

  • Debian 11 (bullseye) is not affected (its OpenSSH 8.4p1 predates the regression).

  • Debian 12 (bookworm) is affected; the fix is in version 1:9.2p1-2+deb12u3.


The SSH server is installed and running in OVAs and Cloud Images for the AWS, Google, and Azure Marketplaces. Bitnami Helm charts and container images are not affected. The Bitnami team is working on releasing new versions in all the Marketplaces.


See below some details about how the bundled SSH package can be upgraded to a patched version:


Fix/Mitigation

By default, OVAs and Cloud Images include the unattended-upgrades package, which tries to install security updates automatically every day. It is also possible to run that upgrade manually, as shown below.


First of all, verify that you are running an affected version of the openssh-server package:

$ sudo dpkg -l | grep ssh
ii  libssh2-1:amd64                  1.10.0-3+b1                    amd64        SSH2 client-side library
ii  openssh-client                   1:9.2p1-2+deb12u2              amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                   1:9.2p1-2+deb12u2              amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server              1:9.2p1-2+deb12u2              amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
ii  ssh                              1:9.2p1-2+deb12u2              all          secure shell client and server (metapackage)


If you are affected, force an unattended-upgrade run with the command below:

$ sudo apt-get update && sudo unattended-upgrade -d


This logs to the /var/log/unattended-upgrades/unattended-upgrades.log and /var/log/unattended-upgrades/unattended-upgrades-dpkg.log files, where you can check whether the OpenSSH packages were updated and which version was installed:

$ grep -i ssh /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Preparing to unpack .../1-openssh-sftp-server_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-sftp-server (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../2-openssh-server_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-server (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../3-openssh-client_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-client (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../5-ssh_1%3a9.2p1-2+deb12u3_all.deb ...
Unpacking ssh (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Setting up openssh-client (1:9.2p1-2+deb12u3) ...
Setting up openssh-sftp-server (1:9.2p1-2+deb12u3) ...
Setting up openssh-server (1:9.2p1-2+deb12u3) ...


After that, confirm that the new version is installed:

$ sudo dpkg -l | grep ssh
ii  libssh2-1:amd64                  1.10.0-3+b1                    amd64        SSH2 client-side library
ii  openssh-client                   1:9.2p1-2+deb12u3              amd64        secure shell (SSH) client...
ii  openssh-server                   1:9.2p1-2+deb12u3              amd64        secure shell (SSH) server...
ii  openssh-sftp-server              1:9.2p1-2+deb12u3              amd64        secure shell (SSH) sftp...
ii  ssh                              1:9.2p1-2+deb12u3              all          secure shell client and server (metapackage)


From the client side, you can check that the server now advertises the patched package in its version banner (the Debian revision 2+deb12u3 is the fixed one):

$ ssh -v <user>@<ip-address> 2>&1 | grep -i openssh
OpenSSH_9.6p1, LibreSSL 3.3.6
debug1: Local version string SSH-2.0-OpenSSH_9.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u3
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u3 pat OpenSSH* compat 0x04000000
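When triaging a fleet, the decision in the procedure above comes down to one comparison: is the installed Debian package (or the revision the server advertises in its banner) at or beyond 1:9.2p1-2+deb12u3? Plain string comparison gets this wrong (deb12u10 sorts before deb12u3), and Debian's "~" suffix rule is easy to forget. The following is an added example, not Bitnami tooling, that re-implements dpkg's version ordering so the check can run anywhere, and applies it to both the dpkg -l output and the ssh -v banner shown above. The fixed Debian version comes from the security tracker entry quoted in the post; the upstream window (8.5p1 introduced the bug, 9.8p1 fixed it) is taken from the Qualys advisory and is an assumption beyond what the post states. Sample inputs are constructed.

```python
"""Triage CVE-2024-6387 (regreSSHion) from dpkg output or an sshd banner.

Added example, not Bitnami tooling. Re-implements dpkg's version ordering so a
Debian backport revision such as 2+deb12u3 compares correctly without shelling
out to `dpkg --compare-versions`. Sample inputs are constructed.
"""
import re

# Fixed Debian 12 package, per the Debian security tracker entry quoted in the post.
FIXED_BOOKWORM = "1:9.2p1-2+deb12u3"
# Upstream window from the Qualys advisory (an assumption here; the post only gives
# Debian versions): the regression entered in 8.5p1 and 9.8p1 fixed it. Very old
# pre-4.4p1 builds are also affected per Qualys and are not handled.
FIRST_VULNERABLE_UPSTREAM = "8.5p1"
FIRST_FIXED_UPSTREAM = "9.8p1"


def _order(c):
    """dpkg's character weight: '~' sorts before end-of-string, letters before punctuation."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Compare upstream-or-revision strings as dpkg does, alternating non-digit
    and numeric runs. Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_deb_version(v):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_deb_versions(a, b):
    ea, ua, ra = parse_deb_version(a)
    eb, ub, rb = parse_deb_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def assess_package_version(installed):
    """'patched' or 'vulnerable' for a Debian 12 openssh-server version string."""
    return "patched" if compare_deb_versions(installed, FIXED_BOOKWORM) >= 0 else "vulnerable"


_DPKG_RE = re.compile(r"^ii\s+openssh-server\s+(\S+)", re.M)


def assess_dpkg_output(text):
    """Run over the output of `dpkg -l | grep ssh` from a Debian 12 host."""
    m = _DPKG_RE.search(text)
    return assess_package_version(m.group(1)) if m else "openssh-server not installed"


_BANNER_RE = re.compile(
    r"remote software version OpenSSH_(?P<up>\d+\.\d+(?:p\d+)?)(?:\s+Debian-(?P<rev>\S+))?"
)


def assess_banner(text):
    """Classify from `ssh -v` output. A Debian banner carries the package revision, so
    the backported fix is visible; a bare upstream version only places it in the window."""
    m = _BANNER_RE.search(text)
    if m is None:
        return "no OpenSSH banner found"
    up, rev = m["up"], m["rev"]
    if _verrevcmp(up, FIRST_VULNERABLE_UPSTREAM) < 0 or _verrevcmp(up, FIRST_FIXED_UPSTREAM) >= 0:
        return "not affected"  # e.g. Debian 11's 8.4p1, or upstream 9.8p1 and later
    if rev is None:
        return "vulnerable unless the vendor backported the fix"
    _, fixed_up, fixed_rev = parse_deb_version(FIXED_BOOKWORM)  # banners carry no epoch
    return "patched" if compare_deb_versions(f"{up}-{rev}", f"{fixed_up}-{fixed_rev}") >= 0 else "vulnerable"


# Constructed samples mirroring the post's pre-upgrade dpkg line and post-upgrade banner.
SAMPLE_DPKG_BEFORE = "ii  openssh-server                   1:9.2p1-2+deb12u2              amd64        secure shell (SSH) server\n"
SAMPLE_BANNER_AFTER = "debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u3"

if __name__ == "__main__":
    print("dpkg:", assess_dpkg_output(SAMPLE_DPKG_BEFORE))
    print("banner:", assess_banner(SAMPLE_BANNER_AFTER))
```

The banner path is the one to use from outside the host, but note its limit: a non-Debian banner such as an Ubuntu or vendor build only tells you the upstream version, so the example reports it as vulnerable unless a backport is confirmed rather than guessing.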

If you have any questions about this process, please create an issue in our GitHub repository. We will be happy to help!

Updates

  • [July 13, 2024, 10:05 AM (UTC)]:
    • 130 out of 132 (98%) OVAs released
    • 131 out of 133 (98%) AWS Images released
    • 79 out of 81 (98%) Azure Images released
    • 83 out of 84 (99%) Google Images released
  • [July 11, 2024, 05:37 AM (UTC)]:
    • 130 out of 132 (98%) OVAs released
    • 131 out of 133 (98%) AWS Images released
    • 78 out of 81 (96%) Azure Images released
    • 82 out of 84 (98%) Google Images released
  • [July 9, 2024, 06:12 AM (UTC)]:
    • 129 out of 132 (98%) OVAs released
    • 130 out of 133 (98%) AWS Images released
    • 77 out of 81 (95%) Azure Images released
    • 82 out of 84 (98%) Google Images released
  • [July 3, 2024, 11:30 AM (UTC)]:
    • 129 out of 132 (98%) OVAs released
    • 129 out of 133 (98%) AWS Images released
    • 76 out of 81 (94%) Azure Images released
    • 76 out of 84 (91%) Google Images released

Wednesday, May 22, 2024

Enhancing the Bitnami Helm Charts Experience: Changelog, tags, and validation images

Bitnami has recently rolled out several initiatives aimed at enhancing the user experience with Helm charts. These improvements focus on better traceability and smoother integrations. Read on to discover the latest updates:

Improved Changelog and Tagging System

One major initiative is the enhancement of change traceability for Bitnami Helm charts. This has been achieved by introducing a CHANGELOG.md file for every Helm chart and implementing git tags for every new version.

Automated Changelog Updates

With every pull request (PR) merge, the chart's CHANGELOG.md file is automatically updated to list the changes included in that specific release. This automation is powered by conventional-changelog-cli, eliminating the need for contributors to perform this step manually.


For example, here is what a typical CHANGELOG.md file looks like. These files are excluded from the Helm charts themselves, as specified in the .helmignore file. Starting today, you will see CHANGELOG.md files gradually being rolled out to every Bitnami Helm chart as new releases are produced.

Consistent Version Tagging

In addition to the changelog updates, every chart change now results in a commit tag formatted as “APP/VERSION”. An example of such a tag can be seen here: spark/9.0.4.


These enhancements are designed to assist users during the upgrade process and improve compatibility with automation tools like Renovate and GitHub Dependabot.


In the following example, we have a Helm chart (Airflow) with three dependencies: bitnami/redis, bitnami/postgresql, and bitnami/common. We will use Renovate to automatically detect and create Pull Requests every time there is a new version of these dependencies.

apiVersion: v2
appVersion: 2.9.1
dependencies:
- condition: redis.enabled
  name: redis
  repository: oci://registry-1.docker.io/bitnamicharts
  version: 19.2.0
- condition: postgresql.enabled
  name: postgresql
  repository: oci://registry-1.docker.io/bitnamicharts
  version: 15.2.0
- name: common
  repository: oci://registry-1.docker.io/bitnamicharts
  version: 2.19.3
name: airflow
version: 18.1.1


Following the official Renovate installation instructions, we enabled the automation in the repository. In the onboarding PR that Renovate opens automatically, we can see that it detected our Helm chart. Once that PR is merged, after some time we start to see dependency update PRs, and checking their contents, the changelog is included in the PR description.


Warning on Replacing Default Images
We have introduced a new validation that displays warnings when the default images bundled in a Helm chart are replaced, to let users know when the images a chart was built with have been altered.

Each Helm chart is meticulously designed, tested, and validated using a specific set of Bitnami container images across multiple platforms. Replacing these default containers can introduce several risks:


  • Degraded Security and Performance: Non-Bitnami containers may not have the same security features and optimizations, leading to potential vulnerabilities and performance issues.

  • Broken Chart Features: The Helm chart’s functionality might rely on specific configurations or tools available only in the original Bitnami containers.

  • Missing Environment Variables: Substituted containers may lack critical environment variables necessary for the Helm chart to function correctly.

  • Security: a malicious actor could have switched the container images and redistributed the artifact as a legitimate Bitnami Helm chart.


When deploying a Helm chart, if the images that Bitnami has built the Helm chart with are replaced, a warning will appear in the console to alert the user of these potential risks. We understand that some users might need to switch the container images that Bitnami has verified, but at the same time, we believe making users aware of this change is important for the reasons above.
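The same check is worth running on your side as well, before anything reaches a cluster, because it also covers the integrity concern raised in the Bitnami Premium announcement above: a chart whose images were swapped by someone who redistributed it. The following is an added example, not the warning logic Bitnami ships inside its charts. It reads the image: values out of rendered manifests (what helm template emits), normalises each reference the way a registry client does (a missing registry means docker.io, a bare name on Docker Hub means library/), and reports images outside the expected set as well as expected images that are pinned only by tag rather than by digest. The expected image set and the manifest are constructed for the example.

```python
"""Report container images in a rendered chart that differ from the ones it was built with.

Added example, not the validation Bitnami ships inside its charts. The expected image
set and the manifest below are constructed for the example.
"""
import re

# Images the chart is assumed to have been tested with (constructed for the example).
EXPECTED_IMAGES = {"docker.io/bitnami/postgresql", "docker.io/bitnami/os-shell"}

# Only `image:` keys match; imagePullPolicy and friends do not, since the colon must follow.
_IMAGE_LINE = re.compile(r"""^\s*(?:-\s+)?image:\s*["']?([^\s"']+)["']?\s*$""", re.M)


def parse_image_ref(ref):
    """Split a reference into (registry, repository, tag, digest) using Docker's rules:
    no registry component means docker.io, and a bare name on Docker Hub means library/."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    if registry in ("index.docker.io", "registry-1.docker.io"):
        registry = "docker.io"
    head, _, last = path.rpartition("/")
    name, _, tag = last.partition(":")  # a ':' in the last component is the tag, not a port
    repo = f"{head}/{name}" if head else name
    if registry == "docker.io" and "/" not in repo:
        repo = f"library/{repo}"
    return registry, repo, tag or None, digest


def audit_manifest(manifest, expected=EXPECTED_IMAGES):
    """Return (kind, reference, normalised_name) findings for every image in the manifest."""
    findings = []
    for ref in _IMAGE_LINE.findall(manifest):
        registry, repo, _tag, digest = parse_image_ref(ref)
        full = f"{registry}/{repo}"
        if full not in expected:
            findings.append(("replaced", ref, full))
        elif digest is None:
            findings.append(("unpinned", ref, full))
    return findings


# Constructed rendered manifest: two expected images, one swapped-in exporter from a
# private registry, and a Docker Hub official image referenced by digest.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: StatefulSet
spec:
  template:
    spec:
      initContainers:
        - name: init-chmod-data
          image: docker.io/bitnami/os-shell:12-debian-12-r33
          imagePullPolicy: IfNotPresent
      containers:
        - name: postgresql
          image: "docker.io/bitnami/postgresql:17.2.0-debian-12-r0"
        - name: metrics
          image: example.internal:5000/team/postgres-exporter:0.16.0
        - name: sidecar
          image: nginx@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for kind, ref, full in audit_manifest(SAMPLE_MANIFEST):
        print(f"WARNING [{kind}] {ref} -> {full}")
```

Run it over helm template output in CI and fail the job on any "replaced" finding that was not deliberately configured; the "unpinned" findings are the ones to resolve by setting the chart's image digest values, since a digest is what actually ties the deployment to the artifact that was built and tested.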


Branch size reduction


Bitnami has recently reduced the size of certain branches related to index.yaml, as outlined in this GitHub issue. Previously, Helm charts were distributed using the index.yaml method, which has since been replaced by OCI through Docker Hub. You can find the OCI Helm charts here.


Despite the shift to OCI, index.yaml was maintained for backward compatibility. However, the sheer number of releases and commits generated by our automated test and release pipeline caused these branches to balloon in size:

  • index: 2.23 GiB

  • archive-full-index: 987.42 MiB


This significant size increase resulted in longer clone times and made life difficult for those users looking to contribute fixes or improvements.


To address this issue, we implemented automation to squash all commits in the index-related branches. This drastic size reduction has yielded the following results:

  • index: 840.41 KiB

  • archive-full-index: 1.89 MiB


These changes significantly improve the contribution experience, making it easier and faster for our community to collaborate and contribute.


If you want to use Bitnami packages in production environments for mission-critical use cases, check out Tanzu Application Catalog—an enterprise version of Bitnami with several exclusive features that include base OS customization, app-level customization, Vulnerability Exploitability eXchange (VEX), SBOM, SLSA L3, and more.