This topic provides you with an overview of Tanzu Stacks.

Overview

Stacks are container images that Tanzu Build Service uses to build and run applications. VMware provides stacks based on Ubuntu 22.04 (Jammy Jellyfish), Ubuntu 18.04 (Bionic Beaver), UBI 8, and Microsoft Windows Server Core LTSC 2019 with different use cases shown below.

You can download stack images from the Broadcom Support Portal downloads page.

Ubuntu Stacks

These stacks are based on Ubuntu 22.04 (Jammy Jellyfish) and Ubuntu 18.04 (Bionic Beaver). Ubuntu is an open-source Linux distribution published by Canonical, who also provides commercial support and security updates.

The following Ubuntu stacks are available from the Broadcom Support Portal downloads page and are supported in Tanzu Application Platform and Tanzu Build Service:

  • Jammy Static: available under VMware Tanzu Static Stack for Ubuntu 22.04 on the Broadcom Support Portal.
    • Statically-linked applications (e.g. Go) with no dependencies on C libraries
    • The Jammy Static stack is only available in Tanzu Application Platform with the full profile and by setting enable_static_builder: true in your Tanzu Application Platform full dependencies profile.
  • Jammy Tiny: available under VMware Tanzu Tiny Stack for Ubuntu v22.04 in the Broadcom Support Portal.
    • Most Go apps
    • Java apps (as Tiny has no shell, some Apache Tomcat config options are not available, such as setting bin/setenv.sh)
  • Jammy Base: available under VMware Tanzu Base Stack for Ubuntu v22.04 in the Broadcom Support Portal.
    • Java apps and .NET Core apps
    • Go apps that require some C libraries
    • Node.js, Python, or Web Servers apps without native extensions
  • Jammy Full: available under VMware Tanzu Full Stack for Ubuntu v22.04 in the Broadcom Support Portal.
    • Node.js, or Python apps with native extensions
  • Bionic Tiny: available under Tiny Stack of Ubuntu Bionic for VMware Tanzu in the Broadcom Support Portal.
    • Most Go apps
    • Java apps (as Tiny has no shell, some Apache Tomcat config options are not available, such as setting bin/setenv.sh)
  • Bionic Base: available under Base Stack of Ubuntu Bionic for VMware Tanzu in the Broadcom Support Portal.
    • Java apps and .NET Core apps
    • Go apps that require some C libraries
    • Node.js, Python, Web Servers or Ruby apps without native extensions
  • Bionic Full: available Full Stack of Ubuntu Bionic for VMware Tanzu in the Broadcom Support Portal.
    • PHP, Node.js, Python, or Ruby apps with native extensions

Security and Hardening Features

  • By using Ubuntu v18.04 or v22.04 as the base image for stacks, you benefit from all of the security provided by Canonical and Ubuntu. For more information, see the Canonical web site and the Ubuntu wiki.
  • Automatic monitoring and patching of CVEs means that stacks are often updated within hours of Canonical's patches.
  • The stack images are run as a dedicated non-root user when building and running applications.
  • Each stack image has detailed metadata describing the image's components, such as the base operating system and packages.
  • Each stack has separate images for building and running applications. The packages on the runtime image are curated to exclude compilers and other tools that might pose security risks.

FIPS Compliance

You can download FIPS 140-2 compliant Bionic Base and 'Jammy Basestacks that contain compliant versions oflibsslandopenssl` from the Broadcom Support Portal:

Note

Access to the FIPS 140-2 compliant stack tile is restricted. To request access, reach out to your Tanzu account representative.

For more information about FIPS compliance, see Compliance FAQs: Federal Information Processing Standards (FIPS).

Stack Updates

Stacks are rebuilt whenever a package is patched to fix a CVE. For more information about CVEs, see Common Vulnerabilities and Exposures (CVE). Stacks are also rebuilt weekly to ensure packages without CVEs are also up to date.

We aim to release stack updates that fix High and Critical CVEs within 2 business days of the patch release. For stack updates fixing Low and Medium CVEs, we aim to release within two weeks.

Note

Security scanning tools might report vulnerabilities in apps even when using the latest stack. This can occur when a CVE patch is not yet available upstream or if Canonical determines that the vulnerability is not severe enough to fix.

Stacks are backwards compatible. A stack can safely be upgraded to the most recent version within the major version line. If for some reason backwards compatibility is broken, it happens when a new major version is released.

Stack updates in Tanzu Build Service are efficient and do not break applications. When a stack is updated, each application that uses that stack is rebased on top of the new stack image. The application does not need to be rebuilt because the stack maintains application binary interface (ABI) compatibility.

Buildpack Support for Stacks

Except for the Windows Based Tanzu Buildpack for .NET Framework, all other buildpacks support the Ubuntu 22.04 (Jammy Jellyfish) and Ubuntu 18.04 (Bionic Beaver) stacks.

Upgrading Stack for Apps

All Ubuntu v18.04 stacks reach End of General Support on October 31, 2023. Users are advised to migrate to stacks based on Ubuntu v22.04. As of the latest Tanzu Application Platform release, Stacks based on Ubuntu v22.04 (Jammy) are the default.

Users should be able to easily upgrade the stack for their apps from Ubuntu Bionic to Ubuntu Jammy stack for those apps that support both platforms. Note that if the underlying language framework itself does not support Ubuntu Jammy, such apps are not supported. .NET 3.1 apps are an example.

A possible issue you may encounter while upgrading apps to a newer stack, is the build platform erroneously reusing the old build cache. If you encounter such issues, try deleting and recreating the workload in Tanzu Application Platform, or deleting and recreating the image in Tanzu Build Service.

UBI 8 Stacks

These stacks are based on UBI 8. UBI is an open-source Linux distribution published by Red Hat, who also provides commercial support and security updates.

The following UBI stacks are supported in Tanzu Application Platform and Tanzu Build Service:

  • UBI 8 Standard: Available under VMware Tanzu Standard Stack for UBI 8 in the Broadcom Support Portal.
    • Java apps and .NET Core apps
    • Node.js and Web Server apps without native extensions

The UBI 8 Standard stack is only available in Tanzu Application Platform with the full profile and by setting enable_ubi_builder: true in your Tanzu Application Platform full dependencies profile.

Note for Java and UBI users

If you're using Tanzu Application Platform. make sure to add your Tanzu Application Platform workload manifest:

build:
  env:
  - name: SSL_CERT_FILE
    value: "/etc/pki/tls/certs/ca-bundle.crt"

Note for HTTPD and UBI users

The UBI HTTPD dependency does not come packaged with some of the additional libraries that are added as part of the Ubuntu package as they are not support by UBI 8. This may mean some HTTPD workflows that run on Ubuntu will not run on UBI.

Stack Updates

Stacks are rebuilt whenever a package is patched to fix a CVE. For more information about CVEs, see Common Vulnerabilities and Exposures (CVE). Stacks are also rebuilt weekly to ensure packages without CVEs are also up to date.

We aim to release stack updates that fix High and Critical CVEs within 2 business days of the patch release. For stack updates fixing Low and Medium CVEs, we aim to release within two weeks.

Note

Security scanning tools might report vulnerabilities in apps even when using the latest stack. This can occur when a CVE patch is not yet available upstream or if Red Hat determines that the vulnerability is not severe enough to fix.

Stacks are backwards compatible. A stack can safely be upgraded to the most recent version within the major version line. If for some reason backwards compatibility is broken, it happens when a new major version is released.

Stack updates in Tanzu Build Service are efficient and do not break applications. When a stack is updated, each application that uses that stack is rebased on top of the new stack image. The application does not need to be rebuilt because the stack maintains application binary interface (ABI) compatibility.

Microsoft Windows Stacks

Tanzu Build Service currently supports the dotnet-framework stack.

  • dotnet-framework: available under VMware Tanzu Stack Image for .NET Framework on Windows Server Core in the Broadcom Support Portal.
    • .NET Framework applications
    • .NET Core apps that have dependencies on the Windows Operating System

This stack is based on Microsoft Windows Server Core LTSC 2019

To download this stack, see VMware Tanzu Stack Image for .NET Framework on Windows Server Core on the Broadcom Support Portal.

Security and Hardening Features

  • By using Microsoft Windows Server Core LTSC 2019 as the base image for the dotnet-framework stack, we benefit from all of the security provided by Microsoft. For more information, see Microsoft's web site on its Server Core 2019 LTSC image
  • The stack images are run as a dedicated non-Administrator user when running applications
  • Each stack image has detailed metadata describing the image’s components, such as the base operating system and packages.
  • Each stack has separate images for building and running applications. The packages on the runtime image are curated to exclude compilers and other tools that might pose security risks.

Configuring Stacks

The stack used to build an app can be configured by selecting a different builder during a build. Each of the above stacks have a pre-built builder. Using a workload configuration the builder can be set through the clusterbuilder parameter.

An example of a workload file using a non-default builder looks as follows:

apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  labels:
    apps.tanzu.vmware.com/workload-type: web
    app.kubernetes.io/part-of: sample-app
  name: sample-app
  namespace: default
spec:
  params:
  - name: clusterbuilder
    value: <builder>
  source:
    git:
      ref:
        branch: main
      url: https://sample-app
    subPath: .

To see a list of all available builders. Run the following command:

tanzu build-service clusterbuilder list

Scope of Support

VMware Support can assist in troubleshooting issues encountered using any of the stacks that are shipped as a part of Tanzu Build Service.

As detailed in Security and Hardening Features above, all stack images shipped within Tanzu Build Service are patched in response to upstream CVEs after they are patched by Canonical.

For more information about what Tanzu Build Service supports, see Scope of Support for Cloud Native Buildpacks.

Known Issues

For some versions of the Jammy Full stack before v0.1.72, Jammy Base stack before v0.1.36 and Jammy Tiny stack before v0.1.38, applications that require write permission to the app workspace directory fail with an operation not permitted error. Please update to the latest versions of Jammy stack if you encounter this issue. Bionic stacks are not affected.

This happens because the build and run images had different user IDs (UIDs), but this has been rectified. Since the above mentioned versions both build and run stack images have the same user ID of 1000.

Originally, different user IDs were set for build and run images as a securtiy tightening effort to prevent files and dependencies installed at build-time from being corrupted at run-time by malicious app code. However, this was found to be disruptive and hence reverted.

check-circle-line exclamation-circle-line close-line
Scroll to top icon