Bottlerocket 1.8.0, a Linux distribution developed with Amazon's participation to run isolated containers efficiently and securely, has been released. The new version brings a number of updates, improvements, and bug fixes.
For those unfamiliar with Bottlerocket: it is a distribution that ships as a single, indivisible system image, updated automatically and atomically, containing the Linux kernel and a minimal environment with only the components needed to run containers.
The environment uses the systemd service manager, the glibc library, the Buildroot build tool, the GRUB boot loader, the containerd container runtime, the Kubernetes container orchestration platform, the aws-iam-authenticator, and the Amazon ECS agent.
The container orchestration tools ship in a separate management container that is enabled by default and is managed through the AWS SSM agent and API. The base image has no command shell, SSH server, or interpreted languages (such as Python or Perl); administration and debugging tools live in a separate service container, which is disabled by default.
The key difference from similar distributions such as Fedora CoreOS and CentOS / Red Hat Atomic Host is its primary focus on security: the system is hardened against potential threats, which makes vulnerabilities in operating-system components harder to exploit and strengthens container isolation.
Main new features of Bottlerocket 1.8.0
This release updates the contents of the administrative and control containers, and upgrades the runtime for isolated containers to the containerd 1.6.x branch.
Another notable change is that the background processes coordinating container work are now restarted after changes to the certificate store.
In addition, kernel boot parameters can now be set through the Boot Configuration section, and the netdog utility can generate a network configuration (a generate-net-config command has been added).
The smartpqi driver for Microchip Smart Storage devices has been enabled in the 5.10 kernel, and a new variant, “aws-ecs-1-nvidia”, is offered for Amazon Elastic Container Service (Amazon ECS) with NVIDIA drivers included.
Support for Microchip Smart Storage and MegaRAID SAS storage devices has been added, and support for Ethernet cards based on Broadcom chips has been improved.
Moreover, the option to ignore empty blocks has been enabled when verifying the integrity of the root partition with dm-verity, and hostnames can now be statically bound in /etc/hosts.
New variants with support for Kubernetes 1.23 are offered. Pod startup time in Kubernetes is reduced by disabling the configMapAndSecretChangeDetectionStrategy mode, and two new kubelet settings have been added: provider ID and podPidsLimit.
Other notable changes in this release:
- Improved Kubernetes pod startup times when the configMapAndSecretChangeDetectionStrategy mode is disabled
- Added a new setting to configure the kubelet provider-id setting
- Added a new setting to configure the podPidsLimit kubelet setting
- Allow a list of IP addresses in settings.kubernetes.cluster-dns-ip
- Set the default value of settings.kubernetes.cloud-provider to an empty string on metal variants
- Added c7g instance data for calculating max pods on AWS variants
- Updated versions of Go and Rust packages and dependencies, as well as third-party packages. The Bottlerocket SDK has been updated to version 0.26.0.
Finally, if you are interested in learning more, you can check the details at the following link.
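As an added example (not code from the article or from the Bottlerocket project), here is a constructed user-data settings file in the TOML form Bottlerocket consumes, applying the settings discussed above in one place. Only settings.kubernetes.cluster-dns-ip and settings.kubernetes.cloud-provider are named on the page; the other key names (provider-id, pod-pids-limit, network.hosts, boot.reboot-to-reconcile, boot.kernel-parameters) are assumed from the Bottlerocket settings reference and should be checked against the version you deploy, and every value is a constructed placeholder.

```toml
# Added example user-data (TOML), constructed for illustration; not from the
# article or the Bottlerocket project. Key names other than
# settings.kubernetes.cluster-dns-ip and settings.kubernetes.cloud-provider
# are assumed from the Bottlerocket settings reference.

[settings.kubernetes]
cluster-name = "example-cluster"                      # constructed value
api-server = "https://example.invalid:443"            # constructed placeholder
cluster-certificate = "<base64 CA bundle placeholder>"

# 1.8.0 accepts a list of addresses here instead of a single one.
cluster-dns-ip = ["10.100.0.10", "10.100.0.11"]

# New in 1.8.0: provider ID handed to the kubelet (assumed key name).
provider-id = "aws:///us-east-1a/i-0123456789abcdef0"  # constructed instance ID

# New in 1.8.0: per-pod PID cap passed to the kubelet (assumed key name).
# Without a cap, a single misbehaving container can exhaust the host PID
# table and starve every other pod; 1024 is a constructed, conservative value.
pod-pids-limit = 1024

# On metal variants the default is now "" (no cloud provider); on AWS
# variants the default is still "aws", so this line is only needed off-cloud.
# cloud-provider = ""

[settings.network]
hostname = "node-01"  # constructed

# Static entries written to /etc/hosts (assumed key and layout):
# each element is [address, [hostnames...]]. Pinning an internal registry
# this way removes a DNS dependency from the image-pull path.
hosts = [
  ["10.0.0.5", ["registry.internal.example", "registry"]],
]

# Boot Configuration: kernel parameters take effect only after a reboot,
# so ask the host to reboot when these settings change (assumed key).
[settings.boot]
reboot-to-reconcile = true

# Each key maps to a list of values that are joined onto the kernel
# command line (assumed key); a serial console is shown as the sample.
[settings.boot.kernel-parameters]
console = ["tty0", "ttyS0,115200n8"]
```

The block is passed as instance user-data at launch; the kubelet-related keys are applied at node bootstrap, while the [settings.boot] section is honoured only on the next boot, which is why reboot-to-reconcile is set alongside it.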