Written by Nicholas Aronne and Michael Poore, VMware Tanzu.
What do you get when you combine the largest repository of pre-configured images that has millions of downloads with the largest open-source automation framework and configuration management solution?
It sounds like the setup for a joke. One of those where someone walks into a bar and asks that question before delivering a punchline to the unsuspecting bartender. It’s not a joke though, it’s a real question and there’s a real answer! One that we will cover in the rest of this article.
The use of open-source software (OSS) is increasing, says research by International Data Corporation (IDC) analysts. But despite its growing adoption, security concerns and packaging complexities remain major hurdles for enterprises looking to use OSS. It’s also important to note that open source doesn’t equal free software. The EULA / terms may prohibit certain uses of the software, and there is a cost of owning and maintaining OSS solutions that isn’t immediately apparent.
Before we get too off-topic though, let’s introduce Bitnami Application Catalog and see how it helps with some of these challenges.
Bitnami Application Catalog
Bitnami is the leader in application packaging and provides the largest catalog of click-to-deploy applications and development stacks. And it’s free to use! You can quickly and easily select single VMs, multi-tier VMs, container images or Kubernetes Helm charts for over 250 OSS applications and deploy them on your own servers or to any of the major cloud environments.
Millions of deployments occur every month from the catalog and it is regularly updated and scanned to prevent those new deployments from introducing security vulnerabilities. So, not only can the packaging and deployment efforts be minimized by using the Bitnami Application Catalog, but many of the security concerns are addressed as well.
After deployment, the question arises: how do we efficiently manage these OSS applications and images?
Enter Salt, a compelling option for streamlined management.
Salt
Salt is an open-source automation framework and configuration management tool that can help reduce costs by improving the efficiency and reliability of IT operations. Salt can automate and cut down on the time spent completing common IT tasks, such as:
- Installing and upgrading software
- Configuring and maintaining devices
- Deploying applications and services
Although it can be used in an agentless manner, the real power of Salt comes from the remote execution topology it employs whereby many of the tasks are delegated to the individual devices or workloads (known as “Minions”) to complete rather than being processed centrally. Not only does this architecture scale very well, it’s easier to secure and maintain. Over 20,000 systems download or upgrade Salt from the repository every day!
Salt also boasts an impressive roster of modules to extend its capabilities beyond core functions as well as a collection of formulas to give users an easy place to start and build from.
Using Salt, one could manage the lifecycle of a deployed Bitnami image. You could, for example:
- Apply OS updates
- Apply package updates
- Configure or reconfigure core OS settings (NTP, DNS, etc.)
- Rotate credentials
Unless the deployed images are transient and there for a few hours or days, some of these tasks will inevitably become necessary. Using Salt, they can be orchestrated at a greater scale than by hand.
What’s New
Now that we’ve introduced you to Bitnami Application Catalog and Salt, let’s explore what happens when you combine them because that’s exactly what has happened. (Spoiler: the world does not end.)
Quietly, and without too much fanfare until now, Bitnami have embedded the Salt Minion into every single OVA and cloud image in the Bitnami Application Catalog. It’s deactivated by default so it has to be enabled to be used and should be pointed at a Salt Master, but you don’t have to install it yourself! Instructions for how to complete these simple activation steps can be found in the Bitnami documentation.
That’s it! That’s all that has changed! Except that now you can more easily use Salt to manage images deployed from the Bitnami Application Catalog alongside any other workloads and devices in your IT estate, all with open-source software (OSS).
For the Enterprise
There are enterprise level solutions available for both Bitnami and Salt when organizations need dedicated support, additional features, or they have to scale to very large and complex estates. We will briefly touch on what these enterprise solutions are and what additional benefits they bring.
VMware Tanzu Application Catalog
Tanzu Application Catalog is a cloud service that offers some additional capabilities over Bitnami Application Catalog to enhance security and compliance, including:
- Choice of base images
- Refresh of catalog triggered by component updates and critical CVE fixes
- VMware support (vs. community support)
- Private repository (vs. public repository)
- App-specific customization
Tanzu Application Catalog allows development teams to consume OSS applications they need through a superior self-service experience and build software more quickly. In parallel, platform engineering teams can seamlessly enforce compliance, security, and operational best practices to meet the stringent security requirements of enterprise IT.
Find out more about VMware Tanzu Application Catalog on our product pages.
VMware Tanzu Salt
Tanzu Salt uses Salt OSS as a foundation and adds a number of extra capabilities, such as:
- Centralized management of Salt Masters and Salt Minions.
- Centralized management of Salt states, pillar data, and other configuration.
- Evaluating and remediating workload configurations against recognized industry benchmarks (CIS).
- Evaluating and remediating workloads against published vulnerabilities. This can include updating deployed Bitnami images if you don’t want to deploy new versions.
For the final point above, we can look at a recent example. By coincidence, as we were writing this article, a vulnerability was identified in a common open-source library called ‘XZ’. Luckily it was caught before it was merged into any stable Linux releases, but had it come to light later and made its way into production workloads, the story would have been very different. Organizations would be scrambling to determine if they were exposed to this vulnerability or not.
With Tanzu Salt, vulnerability definitions are regularly updated. These definitions, or integrations with the likes of Tenable, Qualys, and Carbon Black, can be used to identify vulnerable workloads in minutes. Not hours, not days, just minutes. And remediation, which in the case of CVE-2024-3094 involves not using versions 5.6.0 or 5.6.1 of the XZ library, would be simple to push out rapidly and at scale.
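The version check described above can also be sketched with open-source Salt alone. The following is an added example, not code from this article or from Tanzu Salt: it triages the JSON that `salt '*' pkg.version xz-utils --out=json --static` returns for a single package. The package name is an assumption (it differs by distribution), and the minion names and version strings are constructed.

```python
import json
import re

# Upstream xz releases the article names for CVE-2024-3094.
AFFECTED = {"5.6.0", "5.6.1"}

def upstream_version(pkg_version):
    """Reduce a distro package version to the upstream xz version it ships."""
    if not pkg_version:
        return None                      # empty string: package not installed
    v = pkg_version.split(":", 1)[-1]    # drop a packaging epoch such as "1:"
    # Debian shipped its rollback as "5.6.1+really5.4.5-1": the code is 5.4.5,
    # so the "+really" part wins over the leading number.
    m = re.search(r"\+really(\d+(?:\.\d+)+)", v)
    if m:
        return m.group(1)
    m = re.match(r"\d+(?:\.\d+)+", v)    # leading dotted number, release suffix dropped
    return m.group(0) if m else None

def triage(salt_json):
    """Sort minions into affected / ok / unknown from pkg.version JSON output."""
    report = {"affected": [], "ok": [], "unknown": []}
    for minion, value in sorted(json.loads(salt_json).items()):
        # Non-string values (e.g. false for a minion that did not return)
        # and unparseable strings are reported as unknown, never as ok.
        up = upstream_version(value) if isinstance(value, str) else None
        if up is None:
            report["unknown"].append(minion)
        elif up in AFFECTED:
            report["affected"].append(minion)
        else:
            report["ok"].append(minion)
    return report

# Constructed sample output; minion names and versions are illustrative.
SAMPLE = json.dumps({
    "web-01": "5.4.1-0.2",
    "web-02": "5.6.1-1",
    "db-01": "5.6.1+really5.4.5-1",
    "build-01": "5.6.0-0.2",
    "cache-01": "",
    "edge-01": False,
})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Minions in the `unknown` bucket need a follow-up query, since a missing package or a silent minion says nothing about exposure.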
Find out more about VMware Tanzu Salt (formerly VMware Aria Automation Config and VMware Aria Automation for Secure Hosts) on our product pages.
Summary
Whilst it may not be a pithy punchline that will have you rolling on the floor laughing, the answer to the question at the start of the article is that by including the open-source Salt Minion by default in their OVAs and cloud images, Bitnami are providing a compliance benefit to thousands of users every month.
It’s not laugh-out-loud funny, but it should put a smile on your face anyway!