Bottlerocket 1.15.0 has been released: these are its new features


Bottlerocket is a free and open source Linux-based operating system intended for hosting containers.

The new version, Bottlerocket 1.15.0, has been released. It brings a number of changes and improvements and, above all, updates to the system packages; starting with this release it also offers Secure Boot support on platforms that boot via UEFI, among other things.

For those unfamiliar with Bottlerocket, it is a distribution that ships as a single, indivisible system image which is updated atomically and automatically. The image includes the Linux kernel and a minimal userland containing only the components needed to run containers.

The environment uses the systemd service manager, the glibc C library, the Buildroot build tool, the GRUB boot loader, the containerd container runtime, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is its primary focus on security: hardening the system against possible threats, making vulnerabilities in operating-system components harder to exploit, and increasing container isolation. In practice this means a read-only root filesystem verified with dm-verity, SELinux in enforcing mode, and no shell or package manager on the host by default.

Main new features of Bottlerocket 1.15.0

Bottlerocket 1.15.0 brings a large number of package updates, among them the Linux kernel (6.1), systemd (252), nvidia-container-toolkit (1.13.5), containerd (1.6.23) and glibc (2.38).

As for the internal changes in Bottlerocket 1.15.0, this version adds Secure Boot support on platforms that boot via UEFI, uses systemd-networkd and systemd-resolved for host networking, and uses XFS as the file system for local storage on new installations. These features are enabled by default only on new installations: existing installations keep the older kernels, wicked for host networking, and ext4 for local storage. In other words, an in-place update does not move an existing node onto the new stack; to get Secure Boot, a node has to be deployed fresh from one of the new variants.

In addition, new variants with support for Kubernetes 1.28 have been introduced that use UEFI Secure Boot, systemd-networkd and XFS, and the previous variants based on Kubernetes 1.27 are now marked as obsolete.
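Because Secure Boot only arrives with the new variants and is not retrofitted by an update, it is worth confirming on each node that the firmware actually booted with it on. The following is an added example, not code from the article or from the Bottlerocket project: it decodes the standard UEFI `SecureBoot` variable that the Linux kernel exposes under `/sys/firmware/efi/efivars`. On Bottlerocket it would be run from the admin container after `sudo sheltie`; the efivars path and the variable layout (a 4-byte attribute word followed by one data byte) are generic Linux/UEFI facts, and the sample files it builds are constructed so the function can be exercised off-host.

```shell
#!/bin/sh
# Added example (not from the article or the Bottlerocket project): check whether
# this node booted with UEFI Secure Boot enabled by reading the firmware variable
# the kernel exposes. Needs root on a real host; the path is the standard efivars mount.

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
SECUREBOOT_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Decode one efivars file. The kernel prefixes the variable data with a 4-byte
# attribute word, so the UEFI SecureBoot value (0 or 1) is the 5th byte.
# Prints "enabled", "disabled" or "unknown"; exit status 0 only when enabled.
secure_boot_state() {
    var_file="$1"
    if [ ! -r "$var_file" ]; then
        echo "unknown"      # not a UEFI boot, efivars not mounted, or not root
        return 2
    fi
    value=$(od -An -tu1 -j4 -N1 "$var_file" | tr -d ' ')
    case "$value" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 2 ;;   # short or malformed variable
    esac
}

# Constructed stand-in for a real efivars entry: attributes 0x00000006 as a
# little-endian word, then the single data byte. Used only to exercise the
# parser where no firmware variable is available.
make_sample_var() {
    # $1 = output path, $2 = data byte (0 or 1)
    printf '\006\000\000\000' > "$1"
    printf "\\$(printf '%03o' "$2")" >> "$1"
}

SAMPLE_DIR=$(mktemp -d)
make_sample_var "$SAMPLE_DIR/sb-on" 1
make_sample_var "$SAMPLE_DIR/sb-off" 0

echo "constructed sample (on):  $(secure_boot_state "$SAMPLE_DIR/sb-on")"
echo "constructed sample (off): $(secure_boot_state "$SAMPLE_DIR/sb-off")"
echo "this host:                $(secure_boot_state "$EFIVARS_DIR/$SECUREBOOT_VAR")"
rm -rf "$SAMPLE_DIR"
```

A node that reports "disabled" or "unknown" after being launched from a variant that is supposed to use Secure Boot deserves a closer look at the instance type or firmware configuration before it is trusted with workloads; the exit status makes the function usable as a gate in a bootstrap script.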

Other notable changes in this version include the new `apiclient report cis` command, which generates a CIS (Center for Internet Security) benchmark report evaluating the security of the configuration. An agent is also included to verify the system's compliance with the CIS requirements.

Other changes that stand out in this release:

  • The SeccompDefault setting was added to the variants based on Kubernetes 1.25 and newer. When enabled, the kubelet applies the container runtime's default seccomp profile to pods that do not specify one, instead of running them unconfined.
  • aws-iam-authenticator was added to the k8s variants.
  • The contents of the control and admin containers have been updated.
  • Resource-limit settings have been added to the default configuration for OCI containers.
  • The Intel VMD driver has been enabled.
  • A new variant, "aws-ecs-2", is introduced for Amazon Elastic Container Service (Amazon ECS); it uses UEFI Secure Boot, systemd-networkd and XFS.
  • All Amazon ECS variants now include support for AWS App Mesh.
  • The "metal-*" variants (bare metal, for running on conventional hardware) include the Intel VMD driver and add the linux-firmware and aws-iam-authenticator packages.
  • The Bottlerocket SDK was updated to v0.34.1.
  • Twoliter is now used to support out-of-tree builds, and most of the build tooling has moved to Twoliter.
  • Build concurrency is now limited only when creating RPMs.

Last but not least, the functionality that applied the log4j hot patch (CVE-2021-44228) has been removed. The corresponding setting, settings.oci-hooks.log4j-hotpatch-enabled, is still accepted for backwards compatibility, but it has no effect beyond printing a deprecation warning in the system logs. Anyone who was still relying on the host-side hot patch as a mitigation now has to make sure the container images themselves ship a patched log4j.

Finally, if you are interested in learning more, you can check the details at the following link.

