Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
showkath_naseem
Product and Topic Expert
Product and Topic Expert
3,085

Courtesy:


I recently came across a helpful blog post by Veli, Beyhan regarding the deprecation of the Cloud Foundry cflinuxfs3 stack and the need to migrate to cflinuxfs4. This inspired me to share my own experience with updating the stack for CAP application, NodeJS, and Java on SAP BTP. In this blog post, I will provide a simple, step-by-step guide on how to update your stack to latest cflinuxfs4 and secure your application against potential vulnerabilities.



Introduction:


As an application owner on SAP BTP CF platform, you might have received a warning: ⚠️




Importance of Migration: Why Application Owners Should Update to the Latest Cloud Foundry Stack




  • If you're running a Cloud Foundry application on SAP BTP, you may have noticed a message in the Cloud Foundry cockpit warning that the cflinuxfs3 stack will soon be deprecated. This means that if you don't migrate to the latest cflinuxfs4 stack, you could be exposing your application to potential security vulnerabilities.

  • Keeping your stack up-to-date is critical for ensuring the security and stability of your application. Stacks receive regular updates to address Common Vulnerabilities and Exposures (CVEs), and failing to update could leave your application open to known vulnerabilities.

  • In this blog post, i would like to walk you through the steps to update your SAP BTP Cloud Foundry application to the cflinuxfs4 stack, so you can stay ahead of any security risks and ensure your application is running on a stable, supported platform.



Reference:




Background on Build Packs and Stacks in SAP BTP Cloud Foundry:


Buildpacks


 

Buildpacks in SAP BTP CF platform are responsible for transforming your application source code into a runnable application. They examine your apps to determine what dependencies to download and how to configure the apps to communicate with bound services. Buildpack contains the runtime environment, the application code, and any dependencies that the application needs to run.


When you push an app, SAP BTP Cloud Foundry automatically detects an appropriate buildpack for it, which is used to compile or prepare your app for launch.



Types of Build Packs:



  1. Online Buildpacks: These require an internet connection to download dependencies such as language interpreters and compilers.

  2. Offline Buildpacks: These are packaged with their dependencies and do not require an internet connection when used to deploy Cloud Foundry apps.



  • Clients can use online buildpacks by pinning them in their manifest.yml file, but this is not recommended unless necessary, as it increases the risk of security vulnerabilities.

  • Using offline buildpacks can make platform assurance activities, such as verifying the use of reliable and secure buildpacks, easier.


What is Stack?


On the other hand, each buildpack, in your deployment, is associated with a stack. You can see this when you run:



cf buildpacks

There is a stack column in the output that shows a corresponding stack for each buildpack.



A stack provides the operating system and system-level libraries that are required to run the application. It is responsible for managing the system resources that the application uses, such as CPU, memory, and file system. A stack typically includes an operating system distribution and a set of system libraries that the application can use.


Buildpacks and stacks work together to provide a complete environment for application deployment. When an application is pushed to Cloud Foundry, the system first selects a stack that matches the application's runtime requirements. Then, it uses a buildpack to package the application for deployment on that stack.



Which Build Packs can be updated to the Stack?


Since build packs are designed for specific programming languages, frameworks, or runtimes, any build pack-based application running on the SAP BTP CF platform will be affected by this update and needs to be updated to the new stack, as described below.


Note: Please note that some build packs are not currently available to support cflinuxfs4.


For the latest information, please refer to the 'What's New for SAP Business Technology Platform'.


You can learn more about stacks here.





So far, in this blog post, I have discussed the basics of Cloud Foundry Build Packs, Stacks, and the significance of keeping them up-to-date for security reasons such as (CVEs). Now, it's time to discuss your action items and how to update your SAP BTP Cloud Foundry applications to the latest cflinuxfs4 stack.

Your Action Items:


To avoid using deprecated stacks that may expose your app to security vulnerabilities, you need to change the stack of your application from cflinux3 to cflinux4. There are two ways to do this:

Procedure: Three Ways to Update the BTP Cloud Foundry Stack:



  • Programmatically

  • via BTP Cockpit

  • via CF CLI


Approach #1) Programmatically:



  • Add the "stack: cflinuxfs4" parameter in

    MTA.yaml



  • Redeploy the application



Example for your reference: CAP Node JS mta.yaml file




manifest.yml


If your project contains manifest.yml then add stack attribute specifies the stack.

 



Approach #2) BTP Cockpit UI to switch the stack:



  • Users can easily migrate to a new stack through the UI on their own

  • To update the stack, application owners need to manually upgrade the stack to cflinux4 in a development space first

  • This allows the application owner to verify that the application won't face any issues when the stack is automatically updated.


Step 1:


Step 2:


Step 3:




 

Approach #3) Command-line Interface (CLI):


If you have a requirement to migrate a single or a large number of apps to a new stack, Stack Auditor is a cf CLI plug-in that provides commands for listing apps and their stacks, and migrating apps to a new stack.



Prerequisites : Stack Auditor Installation


You must have Stack Auditor installed before proceeding.
To learn how to install Stack Auditor on your local system (MAC, Windows, Linux), or SAP Business Application Studio, please refer to my other blog post, "A Step-by-Step Guide: How to Install Stack Auditor"




  • Change Stacks for a Single App:
    cf change-stack APP-NAME STACK-NAME

    • APP-NAME is the app that you want to move to a new stack.
    • STACK-NAME is the stack you want to move the app to.
    For example:



    cf change-stack my-app cflinuxfs4


  • Change Stacks for All Apps in a Space:
    If you have a requirement to migrate a single or a large number of apps to a new stack, Stack Auditor also allows you to migrate all apps in a space to a new stack. For example, using jq, you can write a script to find all apps in a space and migrate them from cflinuxfs3 to cflinuxfs4 in preparation to upgrade your deployment to a version that does not contain cflinuxfs3:


cf audit-stack --json | jq -r 'map(select(.stack == "cflinuxfs3")) | .[] |"cf target -o \(.org) -s \(.space) && cf change-stack \(.name) cflinuxfs4"' | xargs -i{} bash -c {}

For more information on CF CLI Stack Auditor Plug-In, visit Cloud Foundry Stack Auditor Plug-In.



Recommendation:



  • The old, unsupported stack cflinuxfs3 remains available for a limited amount of time, but is scheduled to be removed from the SAP BTP, Cloud Foundry environment eventually.

  • So Action Item is migrate all your applications running on cflinuxfs3 to cflinuxfs4 to avoid the risk of application downtimes that could be caused by the CF stack switch with automatic update.

  • While the automatic update is an option, it's not recommended by SAP because it will restart your apps and cause downtime.

  • If there are any code changes that are incompatible with the new stack, they may go unnoticed until the automatic update occurs.

  • To avoid surprises, it's better to add the update to your automation to migrate stack to latest version before Force Migration.

  • You need to validated that your apps are working with the new stack and cflinuxfs4 buildpack.

  • If an application cannot run on cflinuxfs4, it will be switched back to cflinuxfs3 automatically.


Deadline for Migration:



To avoid any downtime for your application, it is recommended that you migrate to cflinuxfs4 before the "Force Migration" ETA. If you fail to do so, the "Force Migration" will cause a brief downtime for your application.


Conclusion:


In conclusion, to keep your app secure, it's important to switch from the outdated cflinuxfs3 stack to the newer cflinuxfs4 stack. This will help protect your app from security risks. We suggest using buildpacks to ensure added security and testing your app with the new cflinuxfs4 buildpack.


For more information on CF changing stacks, visit Cloud Foundry, and to know more about changing stacks from cflinuxfs3 to cflinuxfs4, visit 'Release Notes'.




Request for Feedback and Support:


Thanks for reading! If you found this post helpful, please consider ‘'Like' ,'Share' it with your network. Your support helps me create more valuable content. I welcome any feedback or suggestions - feel free to comment . Don't forget to 'Follow' me for more content like this.
Your support means a lot to me!

About me :


LinkedIn > Showkath


1 Comment