Bottlerocket 1.0.0, Amazon's distro based on isolated containers


A few days ago Amazon announced the first major release, Bottlerocket 1.0.0, a specialized Linux distribution designed to run isolated containers efficiently and securely.

The operating system is tailored to run on Amazon ECS and AWS EKS Kubernetes clusters. Tools are provided to create your own builds and modifications, which can use other container runtimes, kernels and orchestration tools.

The distribution provides a Linux kernel and a minimal system environment that includes only the components required to run containers.

Packages used in the project include the systemd system manager, the Glibc library, the Buildroot build tools, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes orchestration platform, the aws-iam-authenticator authenticator, and the Amazon ECS agent.

The distribution is updated atomically and shipped as an indivisible system image. Two disk partitions are allocated for the system: one holds the active system, and the update is copied to the second.

Once the update has been applied, the second partition is activated, while the first keeps the previous version of the system until the next update arrives, so it can be reverted to in case of problems. Updates are installed automatically without administrator intervention.
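To make the two-partition scheme concrete, here is an added toy model of an A/B update with automatic rollback. It is not Bottlerocket's updater (which relies on GRUB and its own tooling); the slot names, the single boot attempt before fallback, and the health-check callback are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added illustration of an A/B partition update scheme with automatic rollback.
# Toy model only, not Bottlerocket's own updater: slot names, the single boot
# attempt and the health-check callback are assumptions for the example.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Slot:
    name: str
    version: Optional[str] = None
    image: bytes = b""
    digest: str = ""


class ABUpdater:
    def __init__(self, initial_version: str, initial_image: bytes):
        self.slots: List[Slot] = [
            Slot("A", initial_version, initial_image, sha256_hex(initial_image)),
            Slot("B"),
        ]
        self.active = 0                       # slot the system is running from
        self.pending: Optional[int] = None    # slot to try on the next boot
        self.tries_left = 0
        self.history: List[Tuple[str, Optional[str]]] = []

    def install(self, version: str, image: bytes, expected_digest: str) -> int:
        """Write the update into the inactive slot. The running system is never
        touched, so a bad update cannot damage the partition we roll back to."""
        digest = sha256_hex(image)
        if digest != expected_digest:
            raise ValueError("image digest mismatch; refusing to install")
        target = 1 - self.active
        self.slots[target] = Slot(self.slots[target].name, version, image, digest)
        self.pending = target
        self.tries_left = 1                   # one attempt, then automatic fallback
        return target

    def boot(self, health_check: Callable[[Slot], bool]) -> Optional[str]:
        """Simulate one boot. A pending slot is tried once; if it comes up healthy
        it becomes active, otherwise the previously active slot is booted again."""
        if self.pending is not None and self.tries_left > 0:
            self.tries_left -= 1
            candidate = self.pending
            self.pending = None
            if health_check(self.slots[candidate]):
                self.active = candidate
                self.history.append(("activated", self.slots[candidate].version))
            else:
                self.history.append(("rolled_back", self.slots[self.active].version))
        return self.slots[self.active].version

    def previous_version(self) -> Optional[str]:
        """Version retained in the inactive slot, available for a manual revert."""
        return self.slots[1 - self.active].version


if __name__ == "__main__":
    u = ABUpdater("1.0.0", b"image-v1")
    u.install("1.0.1", b"image-v2", sha256_hex(b"image-v2"))
    print(u.boot(lambda s: False), u.history)   # unhealthy boot: stays on 1.0.0
```

The point the model makes is that the verified image is written only to the inactive slot, and the previously active slot is left intact until a later update overwrites it, which is what makes the revert possible.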

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is its primary focus on security: hardening the system against possible threats, making vulnerabilities in operating system components harder to exploit, and increasing the isolation of containers.

Containers are created using standard Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution uses SELinux in enforcing mode, and the dm-verity module is used for cryptographic verification of the integrity of the root partition.

If modification of data is detected at the block device level, the system reboots.
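The following added example shows the idea behind dm-verity in plain Python: a hash tree is built over fixed-size blocks of an image, only the root hash is trusted, and every block read is re-verified against that root. It is an illustration written for this page, not Bottlerocket's or the kernel's code; the 4096-byte block size, the SHA-256 tree layout, and the `on_violation` callback (standing in for the reboot the article mentions) are assumptions of the example.

```python
import hashlib
from typing import Callable, List, Optional, Tuple

# Added illustration of dm-verity style block verification; not the kernel's
# implementation. Block size, tree layout and the violation callback are assumptions.
BLOCK_SIZE = 4096


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """Cut the image into fixed-size blocks, zero-padding the last one."""
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    if blocks and len(blocks[-1]) < block_size:
        blocks[-1] = blocks[-1].ljust(block_size, b"\0")
    return blocks


def build_hash_tree(blocks: List[bytes]) -> List[List[bytes]]:
    """levels[0] holds one hash per block; levels[-1] holds the single root hash."""
    level = [_h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        padded = level + [level[-1]] if len(level) % 2 else level   # duplicate odd tail
        level = [_h(padded[i] + padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def root_hash_of(image: bytes) -> bytes:
    return build_hash_tree(split_blocks(image))[-1][0]


class IntegrityError(Exception):
    pass


class VerifiedDevice:
    """Read-only block device whose blocks are checked on every read.

    Only root_hash is trusted (dm-verity receives it from the kernel command
    line or bootloader); the data and the hash tree live on the device and may
    have been tampered with.
    """

    def __init__(self, image: bytes, root_hash: bytes,
                 on_violation: Optional[Callable[[int], None]] = None):
        self.blocks = split_blocks(image)
        self.levels = build_hash_tree(self.blocks)
        self.root_hash = root_hash
        self.on_violation = on_violation

    def read_block(self, index: int) -> bytes:
        block = self.blocks[index]
        node, i = _h(block), index
        for level in self.levels[:-1]:                      # walk leaf -> root
            sibling = level[i ^ 1] if (i ^ 1) < len(level) else level[i]
            node = _h(node + sibling) if i % 2 == 0 else _h(sibling + node)
            i //= 2
        if node != self.root_hash:
            if self.on_violation:
                self.on_violation(index)                    # Bottlerocket: reboot
            raise IntegrityError(f"block {index} failed verification")
        return block


def scan(device: VerifiedDevice) -> Tuple[bool, Optional[int]]:
    """Read every block; return (all_ok, index of the first bad block)."""
    for i in range(len(device.blocks)):
        try:
            device.read_block(i)
        except IntegrityError:
            return False, i
    return True, None


if __name__ == "__main__":
    image = bytes(range(256)) * 50                          # constructed 12800-byte image
    dev = VerifiedDevice(image, root_hash_of(image), on_violation=print)
    dev.blocks[1] = b"\xff" + dev.blocks[1][1:]             # tamper with one byte
    print(scan(dev))                                        # (False, 1)
```

Two properties worth noticing: a change to a single byte is caught at the first read of that block, and untouched blocks keep verifying, because each block is checked along its own path to the root rather than by hashing the whole partition.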

The root partition is mounted read-only, and the /etc configuration partition is mounted on tmpfs and restored to its original state on reboot.

Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist configuration, use the API or move the functionality into separate containers.

Most of the system components are written in the Rust language, whose memory-safety guarantees avoid vulnerabilities caused by use-after-free, null pointer dereferences, and buffer overflows.

The compiler is built with the "--enable-default-pie" and "--enable-default-ssp" options, so that by default executables are position-independent (PIE, allowing address space randomization) and stack overflows are detected by canary values placed on the stack.

For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are used.
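A practitioner auditing such a build wants to confirm the hardening actually reached the binaries. The added example below is a small checksec-style inspector written for this page (not a Bottlerocket tool): it reads the ELF header to tell PIE (ET_DYN) from a fixed-position executable (ET_EXEC) and looks for the glibc symbols that only appear when the stack protector and FORTIFY_SOURCE took effect. The list of fortified symbols is a short sample I chose, and `sample_header` builds a constructed header fragment so the check can be exercised offline.

```python
import struct
from typing import Dict, List

# Added checksec-style heuristic, not a Bottlerocket tool. FORTIFIED_SYMBOLS is a
# sample I chose of the *_chk replacements glibc uses under -D_FORTIFY_SOURCE=2.
ET_EXEC, ET_DYN = 2, 3
FORTIFIED_SYMBOLS = (b"__memcpy_chk", b"__strcpy_chk", b"__printf_chk",
                     b"__fprintf_chk", b"__snprintf_chk", b"__read_chk")


def inspect_elf_hardening(data: bytes) -> Dict[str, object]:
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # e_ident[EI_CLASS], e_ident[EI_DATA]
    endian = "<" if ei_data == 1 else ">"         # ELFDATA2LSB = 1, ELFDATA2MSB = 2
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "unknown"),
        # PIE executables are ET_DYN; shared libraries are too, so apply to executables only
        "pie": e_type == ET_DYN,
        # __stack_chk_fail is referenced only when at least one function got a canary
        "stack_protector": b"__stack_chk_fail" in data,
        # fortified calls are rewritten to *_chk variants; absent if nothing was fortifiable
        "fortify": any(sym in data for sym in FORTIFIED_SYMBOLS),
    }


def missing_protections(report: Dict[str, object]) -> List[str]:
    return [name for name in ("pie", "stack_protector", "fortify") if not report[name]]


def inspect_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as f:
        return inspect_elf_hardening(f.read())


def sample_header(e_type: int, little_endian: bool = True, elf64: bool = True) -> bytes:
    """Constructed 20-byte ELF header prefix for offline testing (not a real binary)."""
    e_ident = (b"\x7fELF"
               + bytes([2 if elf64 else 1, 1 if little_endian else 2, 1, 0, 0])
               + b"\0" * 7)
    fmt = ("<" if little_endian else ">") + "HH"
    return e_ident + struct.pack(fmt, e_type, 62)   # e_machine 62 = EM_X86_64


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        report = inspect_file(path)
        print(path, report, "missing:", missing_protections(report))
```

The symbol search is deliberately a heuristic: a tiny program with no stack buffers and no fortifiable calls will show neither marker even when built with the flags above, so treat a negative result as a prompt to check the build logs, not as proof the flags were dropped.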

Container orchestration tools are shipped in a separate control container, which is enabled by default and managed through the AWS SSM agent and API.

The base image has no command shell, SSH server or interpreted languages (for example, no Python or Perl); administration and debugging tools are moved to a separate admin container, which is disabled by default.

Get Bottlerocket 1.0.0

Both the distribution and its control components are written in Rust and are distributed under the MIT and Apache 2.0 licenses. The project is developed on GitHub and is open to community participation.

The system deployment image is generated for the x86_64 and AArch64 architectures.

For more information, you can consult the following link.

