The release of the new version of the Linux distribution "Bottlerocket 1.1.0" which is developed with the participation of Amazon to run isolated containers efficiently and safely.
The distribution and control components are written in the Rust language and are distributed under the MIT and Apache 2.0 licenses. It supports running Bottlerocket on Amazon ECS and AWS EKS Kubernetes clusters, as well as custom versioning and patching that enables different container orchestration and runtime tools.
The distribution provides an automatically and atomically updated indivisible system image which includes the Linux kernel and a minimal system environment that includes only the components necessary to run containers.
The environment uses systemd system manager, Glibc library, Buildroot, GRUB bootloader, a runtime for containerd, Kubernetes platform containers, AWS-iam-authenticator, and the Amazon ECS agent.
Container orchestration tools are shipped in a separate management container that is enabled by default and managed through the AWS SSM Agent and API. The base image lacks a command shell, SSH server, and interpreted languages (for example, without Python or Perl): Administrator tools and debugging tools are moved to a separate service container, which is disabled by default.
The key difference from similar distributions such as Fedora CoreOS, CentOS / Red Hat Atomic Host is the primary focus on providing maximum security in the context of hardening the system against potential threats, which makes it difficult to exploit vulnerabilities in operating system components and increases container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces, and seccomp.
The root partition is mounted read-only and the / etc config partition is mounted in tmpfs and restored to its original state after reboot. Direct modification of files in the / etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, to permanently save settings, use the API, or move functionality to separate containers, is not supported.
Main new features of Bottlerocket 1.1.0
In this new version of the distribution has been included in Linux kernel 5.10 in order to be able to use it in new variants together with the two nNew versions of the aws-k8s-1.20 and vmware-k8s-1.20 distributions are compatible with Kubernetes 1.20.
In these variants, as well as in the updated version of aws-ecs-1, a lock mode is involved that is set to "integrity" by default (blocks the ability to make changes to the running kernel from user space). Removed support for aws-k8s-1.15 based on Kubernetes 1.15.
In addition, Amazon ECS now supports awsvpc network mode, which allows you to assign independent internal IP addresses and network interfaces for each task.
Added configurations to manage various Kubernetes configurations TLS bootstrap, including QPS, group limits, and Kubernetes cloudProvider settings to allow use outside of AWS.
In boot container it is provided with SELinux to restrict access to user data, as well as a split to SELinux policy rules for trusted subjects.
Of the other changes that stand out from the new version:
- Kubernetes cluster-dns-ip can now be made optional to support use outside of AWS
- Parameters changed to support a healthy CIS scan
- The resize2fs utility was added.
- Stable machine ID generated for VMware and ARM KVM guests
- Enabled kernel lockdown mode of "integrity" for preview variant of aws-ecs-1
- Remove default service startup timeout override
- Prevent boot containers from restarting
- New udev rules for mounting CD-ROM only when media is present
- AWS region support ap-northeast-3: Osaka
- Pause container URI with standard template variables
- Ability to get DNS IP from cluster when available
Finally, if you are interested in being able to know more about this new released version or are interested in the distribution, you can consult the details in the following link.