Update regarding Bionic Stemcells: Production readiness


Marco Voelz
 

Dear Cloud Foundry community,

End of April is approaching fast, so here's your update regarding production readiness of Bionic stemcells.

TL;DR: Bionic 0.28 is considered production ready for selected IaaS layers and will be the basis for a 1.x release of the stemcell.

Context

We've created a GitHub project providing more transparency and insight into the current community stemcell process: https://github.com/orgs/cloudfoundry/projects/4 Follow this if you're interested in more detailed progress and want to get involved.

What is the current state?

  • We at SAP consider Bionic 0.28 production ready: We're rolling it out to all our production envs right now. There's one caveat, though: We can only vouch for production readiness on the IaaS layers we're running ourselves: AWS, GCP, Azure, AliCloud. Please note there are no issues known to us preventing you from using this stemcell on other IaaS layers, so our recommendation is similar to the situation two weeks ago: please test the stemcell in your CF installations and provide feedback!
  • We're moving stemcell pipelines from infrastructure managed by VMware to a community-owned GCP project. Shoutout to our colleagues at VMware for maintaining this so long on behalf of the community and helping us to transfer this!
  • Bionic 0.28 is essentially the base for a 1.x release of the stemcell. Currently there are no functional changes planned before promoting; the necessary work is mostly dealing with pipeline internals. The GitHub issue for the road towards 1.x is https://github.com/cloudfoundry/bosh-linux-stemcell-builder/issues/157

Feedback?

Please reply to this mail on the list and/or send us a message in #bosh-bionic on Cloud Foundry Slack. Don’t hesitate to DM me or send me a mail if you want to reach out privately.

Warm regards

Marco

PS: If you're lacking context on what this mail is all about, see https://lists.cloudfoundry.org/g/cf-dev/message/9290


Guillaume Berche
 

Thanks Marco for the update and to all contributors for their efforts to reach production readiness for Bionic stemcell. I wonder whether the security advisories shared at [1] would in the future similarly be shared with the Cloud Foundry community for Bionic-based stemcell vulnerabilities (in addition to the existing current Bionic-based rootfs vulnerabilities).


On Wed, Apr 28, 2021 at 5:43 PM Marco Voelz via lists.cloudfoundry.org <marco.voelz=sap.com@...> wrote:



Chip Childers <cchilders@...>
 

The community's vulnerability management team was just discussing that last week and, I believe, plans to coordinate with the Bionic stemcell folks to make that happen. +Paul Warren, who has been leading the vuln mgmt team, to confirm.

Chip Childers
Executive Director
Cloud Foundry Foundation


On Sun, May 2, 2021 at 4:42 PM Guillaume Berche <bercheg@...> wrote:


Guillaume Berche
 

Great news, thanks Chip for the update, and thanks to the community's vulnerability management team for their continued work on bionic stemcells vulns.

Guillaume.


On Mon, May 3, 2021 at 3:31 PM Chip Childers <cchilders@...> wrote:


Aaron Huber
 

We have fully tested the 0.28 stemcell using the vSphere CPI with the following deployments/releases and everything appears to be fully functioning:

cf-deployment
logsearch-boshrelease
logsearch-for-cloudfoundry
prometheus-boshrelease

We still need a new release of smb-volume-release to fix https://github.com/cloudfoundry/smb-volume-release/issues/16 but I've updated the notes with our temporary work-around and we'll go to production with a dev release for now.  Thanks to everyone involved for keeping the open source version of CF secure.

Aaron


Chip Childers <cchilders@...>
 

Awesome to see end user testing results being reported back to the wider community here, and I hope that this inspires others to do the same... :)

Many thanks Aaron!

Chip Childers
Executive Director
Cloud Foundry Foundation


On Thu, May 6, 2021 at 2:56 PM Aaron Huber <aaron.m.huber@...> wrote: