This topic provides an overview of Tanzu Stacks.

Overview

Stacks are container images that Tanzu Build Service uses to build and run applications. We provide stacks based on Ubuntu 18.04 (Bionic Beaver), Ubuntu 22.04 (Jammy Jellyfish), and Microsoft Windows Server Core LTSC 2019 with different use cases shown below.

Stack images are published to the Tanzu Network Registry. You can download stack images from the VMware Tanzu Network.

Ubuntu Stacks

These stacks are based on Ubuntu 18.04 (Bionic Beaver) and Ubuntu 22.04 (Jammy Jellyfish). Ubuntu is an open-source Linux distribution published by Canonical, who also provides commercial support and security updates.

The following Ubuntu stacks are supported in Tanzu Build Service:

• Bionic Tiny

  • Most Go apps
  • Java apps (as Tiny has no shell, some Apache Tomcat config options are not available, such as setting bin/setenv.sh)

• Bionic Base

  • Java apps and .NET Core apps
  • Go apps that require some C libraries
  • Node.js, Python, Web Servers or Ruby apps without native extensions

• Bionic Full

  • PHP, Node.js, Python, or Ruby apps with native extensions

• Jammy Tiny

  • Most Go apps
  • Java apps (as Tiny has no shell, some Apache Tomcat config options are not available, such as setting bin/setenv.sh)

• Jammy Base

  • Java apps and .NET Core apps
  • Go apps that require some C libraries
  • Node.js, Python, or Web Servers apps without native extensions

• Jammy Full

  • Node.js, or Python apps with native extensions

Security and Hardening Features

• By using Ubuntu 18.04/22.04 as the base image for our stacks, we benefit from all of the security provided by Canonical and Ubuntu. For more information, see the Canonical web site and the Ubuntu wiki.
• Our automatic monitoring and patching of CVEs means that our stacks are often updated within hours of Canonical's patches.
• The stack images are run as a dedicated non-root user when building and running applications.
• Each stack image has detailed metadata describing the image's components, such as the base operating system and packages.
• Each stack has separate images for building and running applications. The packages on the runtime image are curated to exclude compilers and other tools that might pose security risks.
• (For Jammy stacks) The build and run images have different user IDs. This means that sensitive files and dependencies installed at build-time cannot be corrupted at run-time by malicious app code.

FIPS Compliance

We provide a FIPS 140-2 compliant Bionic Base stack that contains compliant versions of libssl and openssl. To download the FIPS 140-2 compliant stack, see VMware Tanzu Network.

Note: Access to the FIPS 140-2 compliant stack tile is restricted. To request access, reach out to your Tanzu account representative.

For more information about FIPS compliance, see Compliance FAQs: Federal Information Processing Standards (FIPS).

Stack Updates

Stacks are rebuilt whenever a package is patched to fix a CVE. For more information about CVEs, see Common Vulnerabilities and Exposures (CVE). Stacks are also rebuilt weekly to ensure packages without CVEs are also up to date.

We aim to release stack updates that fix High and Critical CVEs within 2 business days of the patch release. For stack updates fixing Low and Medium CVEs, we aim to release within two weeks.

Note: Security scanning tools might report vulnerabilities in apps even when using the latest stack. This can occur when a CVE patch is not yet available upstream or if Canonical determines that the vulnerability is not severe enough to fix.

Stacks are backwards compatible. A stack can safely be upgraded to the most recent version within the major version line. If for some reason backwards compatibility is broken, it happens when a new major version is released.

Stack updates in Tanzu Build Service are efficient and do not break applications. When a stack is updated, each application that uses that stack is rebased on top of the new stack image. The application does not need to be rebuilt because the stack maintains application binary interface (ABI) compatibility.

Buildpack Support for Stacks

Except for the Windows Based Tanzu Buildpack for .NET Framework, all other buildpacks support the Ubuntu 18.04 (Bionic Beaver) stack. The team is working towards adding support for Ubuntu 22.04 (Jammy Jellyfish) stack for all these buildpacks. As of TAP 1.3, the Jammy stack supports the following buildpacks:

• Tanzu .NET Core Buildpack
• Tanzu Go Buildpack
• Tanzu Java Buildpack
• Tanzu Java Native Image Buildpack
• Tanzu Node.js Buildpack
• Tanzu Python Buildpack

Upgrading Stack for Apps

Users should be able to easily upgrade the stack for their apps from Ubuntu Bionic to Ubuntu Jammy stack for those apps that support both platforms. Note that if the underlying language framework itself does not support Ubuntu Jammy, such apps are not supported. .NET 3.1 apps are an example.

At this time, Ubuntu 22.04 (Jammy) is not the default stack. To upgrade your workload to use the new Ubuntu 22.04 Jammy Stack, users will need utilize the ClusterBuilders tiny-jammy, base-jammy, or full-jammy (e.g. --param clusterBuilder=base-jammy).

A possible issue you may encounter while upgrading apps to a newer stack, is the build platform erroneously reusing the old build cache. If you encounter such issues, try deleting & recreating the workload in TAP, or deleting & recreating the image in TBS.

Microsoft Windows Stacks

Tanzu Build Service currently supports the dotnet-framework stack.

• dotnet-framework
  • .NET Framework applications
  • .NET Core apps that have dependencies on the Windows Operating System

This stack is based on Microsoft Windows Server Core LTSC 2019

For this stack, see VMware Tanzu Stack Image for .NET Framework on Microsoft Windows Server Core

Security and Hardening Features

• By using Microsoft Windows Server Core LTSC 2019 as the base image for the dotnet-framework stack, we benefit from all of the security provided by Microsoft. For more information, see Microsoft's web site on its Server Core 2019 LTSC image
• The stack images are run as a dedicated non-Administrator user when running applications
• Each stack image has detailed metadata describing the image’s components, such as the base operating system and packages.
• Each stack has separate images for building and running applications. The packages on the runtime image are curated to exclude compilers and other tools that might pose security risks.

Scope of Support

VMware Support can assist in troubleshooting issues encountered using any of the stacks that are shipped as a part of Tanzu Build Service.

As detailed in Security and Hardening Features above, all stack images shipped within Tanzu Build Service are patched in response to upstream CVEs after they are patched by Canonical.

For more information about what Tanzu Build Service supports, see Scope of Support for Cloud Native Buildpacks.