Bottlerocket, a minimalist Linux distribution for running containers, has been released: the main things to know about it





Amazon has announced the final release of Bottlerocket , a specialized distribution for running and efficiently managing containers.



Bottlerocket (by the way, this is the name for small home-made blackpowder rockets) is not the first OS for containers, but it is likely that it will become widespread thanks to default integration with AWS services. Although the system is focused on Amazon's cloud, open source allows you to build it anywhere: locally on a server, on a Raspberry Pi, in any competing cloud, and even in a containerless environment.



It is quite a worthy replacement for the CoreOS distribution that Red Hat has buried.



In general, Amazon Web Services already has Amazon Linux, which recently came out in its second version: it's a general-purpose distribution that can be run in a Docker container or with Linux KVM hypervisors, Microsoft Hyper-V, and VMware ESXi. It has been optimized to run on the AWS cloud, but with Bottlerocket, everyone is encouraged to upgrade to a new system that is safer, more modern, and uses fewer resources.



AWS announced Bottlerocket in March 2020. It immediately acknowledged that this was not the first "Linux for containers", citing CoreOS, Rancher OS and Project Atomic as sources of inspiration. The developers wrote that the operating system is "the result of lessons we have learned over the long run of production services at Amazon scale, and the experience we have gained over the past six years on how to run containers."



Extreme minimalism



Linux has been stripped of everything that is not needed to run containers. This design, according to the company, reduces the attack surface.



This means fewer packages are installed on the base system, which makes it easier to maintain and update the OS, and also reduces the likelihood of problems due to dependencies, and reduces resource use. Basically, everything here works inside separate containers, and the base system is practically bare.



Amazon has also removed all shells and interpreters, eliminating the risk of users relying on them or accidentally escalating privileges through them. The base image lacks a command shell, an SSH server, and interpreted languages like Python, for the sake of minimalism and security. Administrator tools have been moved to a separate service container, which is disabled by default.



System management is provided in two ways: via API and orchestration.



Instead of a package manager that updates individual pieces of software, Bottlerocket downloads a complete file system image and reboots into it. If the download fails, it automatically rolls back, and a workload failure can trigger a manual rollback (a command issued via the API).



The Update Framework (TUF) downloads image-based updates into the alternate, unmounted partition. Two disk partitions are allocated for the system: one holds the active system, and the update is copied to the second. The root partition is mounted read-only, and /etc is mounted as a tmpfs file system in RAM, so it returns to its original state after a reboot. Direct modification of configuration files in /etc is not supported: to persist settings, use the API or move the functionality into separate containers.
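To make the two-partition update flow concrete, here is an added model of it (illustration written for this article, not Bottlerocket's own code). It assumes a constructed MAX_BOOT_ATTEMPTS policy and uses a plain SHA-256 digest in place of TUF's signed metadata; the partition names and helper names are invented.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

class ABUpdater:
    """Two-partition image update with automatic and manual rollback. MAX_BOOT_ATTEMPTS
    is an assumed policy (not a Bottlerocket value): unconfirmed boots before falling back."""
    MAX_BOOT_ATTEMPTS = 3

    def __init__(self, image_a):
        self.slots = {"A": image_a, "B": None}
        self.active = "A"        # partition currently booted
        self.last_good = "A"     # partition whose boot was last confirmed healthy
        self.pending = None      # partition staged for the next boot, not yet confirmed
        self.attempts = 0

    def inactive(self):
        return "B" if self.active == "A" else "A"

    def stage_update(self, image, expected_sha256):
        """Write a complete image to the inactive partition; expected_sha256 stands in for
        the digest from the signed update metadata, and a mismatch discards the download."""
        if sha256_hex(image) != expected_sha256:
            return False
        self.slots[self.inactive()] = image
        self.last_good, self.pending, self.attempts = self.active, self.inactive(), 0
        return True

    def reboot(self):
        """Boot into the pending partition; after too many unconfirmed boots fall back."""
        if self.pending is None:
            return self.active
        if self.attempts >= self.MAX_BOOT_ATTEMPTS:
            self.active, self.pending = self.last_good, None   # automatic rollback
        else:
            self.attempts += 1
            self.active = self.pending
        return self.active

    def mark_boot_successful(self):
        """Workload healthy: the booted partition becomes the known-good one."""
        self.last_good, self.pending, self.attempts = self.active, None, 0

    def rollback(self):
        """Manual rollback requested through the API after a workload failure."""
        if self.slots[self.inactive()] is None:
            return self.active                 # nothing to roll back to
        self.active = self.inactive()
        self.last_good, self.pending = self.active, None
        return self.active
```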





API update scheme



Security



Containers are created with the standard Linux kernel mechanisms (cgroups, namespaces and seccomp), and SELinux runs in "enforcing" mode as a mandatory access control system, providing additional isolation.



By default, policies governing the sharing of resources between containers and the kernel are enabled. Binaries are protected by flags that prevent users or programs from executing them. And if anyone has made it onto the filesystem, Bottlerocket offers a tool to check and track any changes made.



The "verified boot" mode is implemented through the device-mapper verity feature (dm-verity), which checks the integrity of the root partition at boot time. AWS describes dm-verity as "a feature of the Linux kernel that provides integrity checking to prevent malware from running on the OS, such as overwriting the underlying system software."
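The following is an added illustration of the hash-tree check behind dm-verity, written for this article (not kernel code and not Bottlerocket's). It assumes 4096-byte blocks, SHA-256 with a prepended salt, and a constructed image; block sizes, salt placement and the sample data are assumptions.

```python
import hashlib
BLOCK = 4096                                         # data and hash block size (dm-verity default)
PER_BLOCK = BLOCK // hashlib.sha256().digest_size    # hashes that fit in one hash block (128)

def _hash_block(data, salt):
    # dm-verity mixes a salt into every hash; it is prepended here (assumed placement)
    return hashlib.sha256(salt + data).digest()

def build_hash_tree(image, salt):
    """Build the Merkle tree bottom-up: levels[0] has one hash per data block, each
    higher level hashes PER_BLOCK hashes of the level below (zero-padded to BLOCK)."""
    blocks = [image[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(image), BLOCK)]
    level = [_hash_block(b, salt) for b in blocks]
    levels = [level]
    while len(level) > 1:
        level = [_hash_block(b"".join(level[i:i + PER_BLOCK]).ljust(BLOCK, b"\0"), salt)
                 for i in range(0, len(level), PER_BLOCK)]
        levels.append(level)
    return level[0], levels

def verify_block(image, idx, levels, trusted_root, salt):
    """Check one data block the way the kernel does on every read: hash it, then re-hash
    the stored tree upward until the trusted root is reached. Only the root (kept in the
    verified boot configuration) is trusted; stored levels are never taken on faith."""
    block = image[idx * BLOCK:(idx + 1) * BLOCK].ljust(BLOCK, b"\0")
    if _hash_block(block, salt) != levels[0][idx]:
        return False
    for depth in range(len(levels) - 1):
        parent = idx // PER_BLOCK
        chunk = b"".join(levels[depth][parent * PER_BLOCK:(parent + 1) * PER_BLOCK])
        if _hash_block(chunk.ljust(BLOCK, b"\0"), salt) != levels[depth + 1][parent]:
            return False
        idx = parent
    return levels[-1][0] == trusted_root

def demo():
    """Constructed 300-block image with one byte flipped in block 7 (3-level tree)."""
    salt = b"constructed-salt"
    image = b"".join(bytes([i % 256]) * BLOCK for i in range(300))
    root, levels = build_hash_tree(image, salt)
    pos = 7 * BLOCK + 100
    tampered = image[:pos] + bytes([image[pos] ^ 0x01]) + image[pos + 1:]
    forged = [list(lvl) for lvl in levels]            # attacker also rewrites the leaf hash
    forged[0][7] = _hash_block(tampered[7 * BLOCK:8 * BLOCK], salt)
    return (verify_block(image, 7, levels, root, salt),       # clean block: accepted
            verify_block(tampered, 7, levels, root, salt),    # modified block: rejected
            verify_block(tampered, 8, levels, root, salt),    # untouched neighbour: accepted
            verify_block(tampered, 7, forged, root, salt))    # forged leaf, root unchanged: rejected
```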



The system also supports eBPF (extended BPF, developed by Alexei Starovoitov), which allows kernel modules to be replaced with safer BPF programs for low-level system operations.



Execution model | User defined | Compilation | Security         | Failure mode    | Access to resources
User task       | yes          | any         | user permissions | process aborted | system calls, faults
Kernel task     | no           | static      | none             | kernel panic    | direct
BPF event       | yes          | JIT, CO-RE  | verifier, JIT    | error message   | restricted helpers


How BPF differs from regular user-level or kernel-level code, an



An AWS source stated that Bottlerocket "adopts an operating model that further enhances security by preventing administrator privileges from connecting to production servers" and "is suitable for large distributed systems where control over each individual host is limited".



An administrator container is provided for system administrators. But AWS doesn't think admins will often have to work inside Bottlerocket: "The act of logging into a separate Bottlerocket instance is intended for infrequent operations: advanced debugging and troubleshooting," the developers write.



The Rust language



The OS tooling on top of the kernel is mostly written in Rust. By its nature, this language reduces the chances of unsafe memory access and also rules out data races between threads.



By default, the toolchain is built with the --enable-default-pie and --enable-default-ssp flags, which make executables position-independent (PIE, so their address space can be randomized) and enable stack smashing protection against stack buffer overflows.



For C/C++ packages, the flags -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS and -fstack-clash-protection are added on top of that.



Besides Rust and C/C++, some packages are written in Go.



Integration with AWS services



The difference from similar container operating systems is that Amazon has optimized Bottlerocket to run on AWS and integrate with other AWS services.



The most popular container orchestrator is Kubernetes, so AWS has implemented integration with its own Enterprise Kubernetes Service (EKS). Orchestration tools come in a separate bottlerocket-control-container, which is enabled by default and managed through the API and the AWS SSM Agent.



It will be interesting to see if Bottlerocket takes off, given the failure of some of these initiatives in the past. For example, VMware's Photon OS went out of business, and Red Hat bought CoreOS and closed the project that was considered a pioneer in the field.



The integration of Bottlerocket into AWS services makes this system unique in its own way. This is perhaps the main reason why some users may prefer Bottlerocket to other distributions such as CoreOS or Alpine. The system was originally designed to work with EKS and ECS, but again, this is not necessary. First, Bottlerocket can be built independently and used, for example, as a hosted solution. Secondly, EKS and ECS users will still have OS choice.



Bottlerocket's source code is published on GitHub under the Apache 2.0 license. The developers are already responding to bug reports and feature requests.
