This week’s news: OpenStack’s 2022 User Survey, Istio, Fedora, Backstage, and more

Eric Gregory & John Jainschigg - November 18, 2022

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news on the Radio Cloud Native podcast.

This week, Eric and Cloud Native & Coffee host John Jainschigg discussed:

  • 2022 OpenStack User Survey

  • Exploit identified and patched in Backstage

  • Istio 1.16: Beta Gateway API, experimental HBONE

  • Fedora Linux 37

  • And other stories on the podcast, including GitHub's new method for privately reporting vulnerabilities in public repos, and much more

You can watch the entire episode below or download the podcast from Apple Podcasts, Spotify, or wherever you get your podcasts. If you'd like to tune into the next show live, follow Mirantis on LinkedIn to receive our announcement of the next broadcast.

2022 OpenStack User Survey

Eric: The OpenInfra Foundation released their 2022 OpenStack User Survey. Their headline reads “OpenStack is More Alive Than Ever with 40 Million Cores in Production and Over 300 Public Cloud Data Centers Worldwide.” 

This year’s survey reflects data on more than 300 deployments and is based on feedback from over 400 respondents. The survey finds that… 

  • The LOKI stack (Linux OpenStack Kubernetes Infrastructure) is being used more and more, with Kubernetes now deployed on more than 85% of OpenStack deployments. 

  • OpenStack deployments now have 40 million compute cores in production, a 60% increase over 2021 and a 166% increase since 2020

  • Hybrid cloud usage with OpenStack deployments rose from 77% to 80%

Exploit identified and patched in Backstage

John: Spotify’s Backstage is now a CNCF incubating project. It’s a toolkit for building developer portals that pull together code, YAML code descriptions, human-readable documentation, a complete (though opinionated) build system (that you can replace if you like), and plugins that let you hook up tooling, observability, and other useful stuff – all in one sleek web interface. Five or six years ago, when ‘app catalogs’ were suddenly the focus of lots of attention on IaaS platforms mostly, people often opined “Wow, this would be really great if this were expanded and standardized and made more usable.” And Backstage has basically done this – creating a ‘one unified solution’ to encourage code reuse and support composability while enabling organizations to codify and require standards. Developers love Backstage – and it’s worth checking out their online demo (minimal, but quite informative), sample artifact repos, and the main codebase to see what Backstage does and what it requires to work.

But … there’s a cost to popularity. Oxeye Security yesterday reported discovery of an exploit method that permits an attacker to run shell commands in a Backstage environment. The exploit built on earlier Oxeye work that showed how to use the Nunjucks JavaScript templating engine to enable shell command execution – a vulnerability that Backstage had already mitigated by implementing the popular vm2 sandbox engine in its core Scaffolder plugin. Oxeye’s new gambit uses Nunjucks again, this time to execute a vm2-specific sandbox escape, before repeating its old trick and executing code.

Spotify instantly patched the vulnerability, and released version 1.5.1 of the code yesterday. So very good on them, and on the project. Yuval Ostrovsky, Software Architect at Oxeye, also recommends that users of Backstage (and everything else in the world) should probably avoid using template engines like Nunjucks, which is notoriously easy to exploit, in favor of ‘logic-less’ template tools like Mustache, which don’t present the same vulnerabilities because they don’t permit flow control and make it impossible to mix logic and presentation together in templates.
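To make the "logic-less templates" recommendation concrete, here is an added example (written for this post, not code from Backstage, Oxeye, Nunjucks or Mustache). It contrasts a minimal Mustache-style renderer, where a tag can only ever be a key lookup, with a stand-in for an engine that evaluates expressions inside tags (a simplification of what Nunjucks-style engines offer, not their implementation). The Scaffolder-like scenario, the field names and the "component description" input are all constructed for illustration; the vm2 sandbox escape from the Oxeye report is deliberately not reproduced. The point the example demonstrates is the one that matters operationally: untrusted text must reach the engine as data for a fixed template, never as part of the template source, and a logic-less engine limits the damage when that rule is broken.

```javascript
// Added example: logic-less vs. expression-evaluating templating and why
// untrusted input must be passed as data, not as template source.
// Not Backstage, Oxeye, Nunjucks or Mustache code; names and inputs are constructed.

// Escape the five HTML metacharacters so substituted values cannot break out of markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

const TAG = /\{\{\s*([^}]*?)\s*\}\}/g;

// Logic-less rendering in the spirit of Mustache: a {{tag}} is only a dotted key
// lookup into `data`. Only own properties are consulted (no prototype walk), so
// {{constructor.constructor}} resolves to nothing, and anything that is not a plain
// dotted name (e.g. "7*7") is treated as a missing key and renders as "".
function renderLogicless(template, data) {
  return template.replace(TAG, (_, path) => {
    if (!/^[\w.]+$/.test(path)) return '';
    let current = data;
    for (const key of path.split('.')) {
      if (current === null || typeof current !== 'object' ||
          !Object.prototype.hasOwnProperty.call(current, key)) {
        return '';
      }
      current = current[key];
    }
    return escapeHtml(current);
  });
}

// Stand-in for an engine that lets template authors write expressions inside tags
// (arithmetic, property access, calls). This is NOT how Nunjucks works internally;
// it only illustrates that "logic in templates" means template text is executed.
function renderWithExpressions(template, data) {
  const names = Object.keys(data);
  const values = Object.values(data);
  return template.replace(TAG, (_, expr) =>
    escapeHtml(new Function(...names, `return (${expr});`)(...values)));
}

// A Scaffolder-style flow: a fixed template owned by the platform team, and a
// component description submitted through a form (constructed untrusted input).
const fixedTemplate = '<h1>{{ name }}</h1><p>{{ description }}</p>';
const untrustedDescription = 'Payment service {{ 7*7 }}'; // classic injection probe

// Wrong: the untrusted text is concatenated into the template source.
function renderUntrustedAsSource(engine) {
  const source = '<h1>{{ name }}</h1><p>' + untrustedDescription + '</p>';
  return engine(source, { name: 'payments' });
}

// Right: the untrusted text is handed to a fixed template as data.
function renderUntrustedAsData(engine) {
  return engine(fixedTemplate, { name: 'payments', description: untrustedDescription });
}

console.log(renderUntrustedAsSource(renderWithExpressions)); // "... Payment service 49 ..."  (expression ran)
console.log(renderUntrustedAsSource(renderLogicless));       // "... Payment service ..."     (tag ignored)
console.log(renderUntrustedAsData(renderLogicless));         // "... Payment service {{ 7*7 }} ..." (literal text)
```

Rendering the probe as source through the expression engine yields "49", which is the same signal a tester uses to confirm server-side template injection; the logic-less engine turns the same probe into an empty string, and passing the text as data keeps it literal in either engine. The logic-less renderer is the safer default, but the structural fix is the second function: a fixed template plus untrusted data, so an attacker never authors template text at all.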

Istio 1.16: Beta Gateway API, experimental HBONE

Eric: Istio announced the release of version 1.16 this week. The new release brings the service mesh’s Gateway API implementation into beta, which is exciting—as the release blog says, “This is a significant step toward our goal of making the Gateway API the default API for traffic management in the future.”

Other new features include support for the OpenTelemetry tracing provider and experimental HBONE protocol support for container sidecars and ingress gateways. HBONE provides a way to create a network overlay environment that enables end-to-end security via mTLS, supports metadata, and is compatible with HTTP infrastructure. Here it’s being used specifically for tunneling with sidecars or ingress gateways.

Fedora Linux 37

Fedora released Linux 37 yesterday in many versions for many platforms, and it looks like the usual dependable, solid job. They’ve added two new ‘Editions,’ as they call them: a CoreOS/Atomic ultra-light, self-updating and rollbackable cloud image, and a more complete, general-purpose Cloud Edition.

Fedora’s Desktop Workstation includes version 43 of GNOME with a new security panel, and updated versions of many GNOME core applications, now ported to use GTK for graphics and sporting a new look. They’ve also updated their ‘spins,’ including Fedora Comp Neuro (for computational neuroscience) and LXQt, for a more lightweight desktop. And they make everything available for multiple CPU platforms, including ARM64, Power, and s390x.

The really small news – big news for some, though – is that Fedora 37 supports Raspberry Pi 4 out of the box, with graphics acceleration, increasing the number of fully modern Linuxes you can easily install and use on that platform.

Check out the podcast for more of this week's stories.
