
Secure and Up-to-Date Containers with VMware Tanzu Build Service 1.2

Enterprise adoption of containers has surged. According to the 2020 CNCF survey, the number of organizations running in excess of 5,000 containers in production has more than doubled, to 23 percent from 11 percent in 2016. 

But in a world of rapidly scaling container usage, the container build systems that were designed to work well for individual developers tend to break down. It’s not enough to just build out a few containers; enterprises need to keep them secure and up to date in order to deliver value in a timely and compliant manner. Enterprises also need a build solution that integrates seamlessly into their existing CI/CD pipelines. VMware Tanzu Build Service 1.2, now generally available, is packed with features that address these build challenges at scale.

Here are the highlights of what’s new in this release:

  • Dependency Updater resource, which enables automated upgrades of all Tanzu Build Service dependencies

  • Integration with Microsoft Azure DevOps 

  • Support for Python applications

  • A uniform configuration interface for buildpacks

Let’s delve into the details of how the Tanzu Build Service 1.2 release makes the process of maintaining and securing containers better.

Introducing the Dependency Updater resource

DevSecOps teams work tirelessly to keep their container images up to date and secure. Until now, the uptake model for dependency updates (OS stack images and the buildpacks themselves) required operators of Tanzu Build Service to manually update the product's dependency supply chain to trigger rebuilds, or to write their own CI/CD tooling to automate the upgrade process. Delivering on its mission of end-to-end container build automation, Tanzu Build Service 1.2 extends that automation to the management of the dependencies the product uses to execute container builds.

The two primary dependencies of Tanzu Build Service are buildpacks and OS stack images; the Tanzu engineering team continuously patches these resources with updates and enhancements and releases them on the VMware Tanzu Network. Until now, DevSecOps teams had to constantly monitor the Tanzu Network for such updates or write CI/CD tooling to automate the consumption of dependencies. That model tends to break as the fleet footprint and dependency complexity increase, and downloading and deploying these upgrades becomes a formidable challenge.

With this release, manual dependency tracking becomes a thing of the past. The newly introduced Dependency Updater resource brings simplicity and operational efficiency to the dependency upgrade process. It monitors the Tanzu Network for newer versions of dependencies and automatically downloads and applies them to the customer's ClusterStore and ClusterStack resources. Tanzu Build Service customers can now stay up to date with the latest buildpacks and stacks automatically.

This automated dependency updater is a major improvement to an enterprise's container security posture. Say a vulnerability in OpenSSL affects several apps built on a particular OS image. The fix, in the form of new stack images, shows up on the Tanzu Network within 48 hours of the upstream patch. The always-vigilant dependency updater promptly pulls the patched OS images into the customer's ClusterStack resource (a must-have for the repair aspect of the three R's of enterprise security: rotate, repave, repair). The update then cascades to every Builder/ClusterBuilder resource that references the modified ClusterStack, and from there to every Image configuration that uses those builders. Each affected image is rebased: its run-image layers are swapped for the patched ones while the application layers are kept as they are, so no rebuild of the application is needed. The result is that the previously vulnerable layers are gone from every affected container image, and the compliance burden shrinks accordingly.

The benefits of the Dependency Updater resource extend beyond security to developer productivity. The auto updater also helps seamlessly stream in the latest buildpack versions to customers’ build environments, enabling developers to have access to the latest feature additions and enhancements, like new language runtime features from upstream. 

Tanzu Build Service plugs into Microsoft Azure DevOps 

Good news for Azure DevOps users: the buildpack-based build system is now readily available for integration with the Azure DevOps build/release pipeline. Tanzu Build Service 1.2 supports building source code hosted in Azure DevOps Git repositories, so Build Service fits easily into an Azure DevOps CI/CD pipeline, and Azure DevOps teams benefit from all the Build Service capabilities out of the box, including automated container creation and governance.

Support for Python applications

Python is hot. According to the RedMonk language rankings, it is now the second-most popular language after JavaScript. As such, we're excited to welcome Python to the happy buildpacks family!


With this latest release, Python developers can build their apps using pip, Pipenv, and the Miniconda package manager, and support for the Poetry package manager is just around the corner. Upgrade to the latest version of the Tanzu Build Service dependencies and kick-start your Python containerization journey with this new buildpack!

Uniform configuration interface for buildpacks

As the Twelve-Factor App methodology holds, strict separation of config from code is a rule enshrined in the DevOps pantheon. Such separation is essential to creating highly maintainable code for web services of all sizes and scales. With that in mind, all buildpacks now support a uniform configuration interface that enables:

  • setting the application start command through a Procfile

  • trusting additional CA certificates supplied through service bindings

  • adding image labels to container images

  • embedding environment variables in the container image

And when there is a need to follow the chain of custody, DevOps teams can also tag container images with the OCI image spec's pre-defined annotation keys, such as org.opencontainers.image.authors for the image authors.
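The resource chain described in the Dependency Updater section and the configuration interface listed above, as one added example (constructed for this article, not code from the original post or from VMware's documentation): a ClusterStack pinning the stack images the updater keeps current, a ClusterBuilder that references the stack by name (so a stack change cascades to the builder), and an Image that uses the builder and exercises the uniform configuration interface with a CA-certificate service binding, image labels including an OCI annotation key, and embedded environment variables; the Procfile is shown in a comment because it is a plain text file in the repository. The registry host, resource names, the Azure DevOps repository URL, the kpack.io/v1alpha2 API version, the ca-certificates binding type, and the BP_IMAGE_LABELS, BP_OCI_AUTHORS and BPE_* variable names are assumptions: the binding type and variable names follow the conventions of the upstream Paketo buildpacks, and the API version should be checked against what your installation serves.

```yaml
# Added example: constructed manifests, not copied from the post or from
# VMware documentation. Registry host, names and the kpack.io/v1alpha2 API
# version are assumptions; verify the served version with
#   kubectl api-resources --api-group=kpack.io
#
# The Procfile lives in the application repository root (plain text, not
# YAML, so it is shown here as a comment) and sets the start command:
#   web: gunicorn --bind 0.0.0.0:8080 app:app
---
# The stack the Dependency Updater keeps current. When it writes new build/run
# image references here, every ClusterBuilder that names this stack is
# regenerated, and every Image using those builders is rebased onto the new
# run image without rebuilding the application layers.
apiVersion: kpack.io/v1alpha2
kind: ClusterStack
metadata:
  name: base
spec:
  id: io.buildpacks.stacks.bionic
  buildImage:
    image: registry.example.com/tbs/build:base   # assumption: mirrored stack image
  runImage:
    image: registry.example.com/tbs/run:base     # assumption: mirrored stack image
---
apiVersion: kpack.io/v1alpha2
kind: ClusterBuilder
metadata:
  name: default
spec:
  tag: registry.example.com/tbs/default-builder
  stack:
    name: base          # reference by name: a ClusterStack change cascades here
    kind: ClusterStack
  store:
    name: default       # ClusterStore holding the buildpacks (also updater-managed)
    kind: ClusterStore
  serviceAccountRef:
    name: default
    namespace: build-service
  order:
  - group:
    - id: tanzu-buildpacks/python   # assumption: buildpack id as listed in the store
---
# Private CA delivered as a service binding. The binding type "ca-certificates"
# is the upstream Paketo convention (assumed here); the buildpacks trust the
# certificate during the build and in the running container.
apiVersion: v1
kind: Secret
metadata:
  name: corp-ca
  namespace: default
stringData:
  type: ca-certificates
  corp-root.pem: |
    -----BEGIN CERTIFICATE-----
    (constructed placeholder: paste the real PEM-encoded root certificate here)
    -----END CERTIFICATE-----
---
apiVersion: kpack.io/v1alpha2
kind: Image
metadata:
  name: inventory-api
  namespace: default
spec:
  tag: registry.example.com/apps/inventory-api
  serviceAccountName: default
  builder:
    name: default       # reference by name: a ClusterBuilder change cascades here
    kind: ClusterBuilder
  source:
    git:
      url: https://dev.azure.com/example-org/inventory/_git/inventory-api  # constructed
      revision: main
  build:
    env:
    # Image labels: BP_IMAGE_LABELS takes space-separated key=value pairs and
    # BP_OCI_AUTHORS sets org.opencontainers.image.authors (Paketo
    # image-labels buildpack conventions, assumed here).
    - name: BP_IMAGE_LABELS
      value: "com.example.team=inventory com.example.tier=backend"
    - name: BP_OCI_AUTHORS
      value: "platform-team@example.com"
    # Environment variables baked into the image: BPE_<NAME> sets a value,
    # BPE_APPEND_<NAME> appends with the separator in BPE_DELIM_<NAME>
    # (Paketo environment-variables buildpack conventions, assumed here).
    - name: BPE_LOG_LEVEL
      value: info
    - name: BPE_APPEND_PYTHONPATH
      value: /workspace/lib
    - name: BPE_DELIM_PYTHONPATH
      value: ":"
    # Service bindings are Secrets in the Image's namespace; kpack mounts them
    # for the buildpacks to consume.
    services:
    - apiVersion: v1
      kind: Secret
      name: corp-ca
```

Apply the manifests with kubectl apply -f and watch the image with kubectl get image inventory-api -w: status.latestImage changes whenever a build or a rebase completes, which is the signal to roll the new digest out to the clusters running the app. The Secret must live in the same namespace as the Image, and the certificate placeholder above has to be replaced with a real PEM block before the binding is useful.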

Take the next step

Ready to start building containers? Download an evaluation copy of Tanzu Build Service. Want to dive into the release a bit more? Check out the links below to get up to speed on the newest capabilities.