The release of Bottlerocket 1.7.0, a new version of the Linux distribution developed with Amazon's participation to run isolated containers efficiently and securely, was recently announced.
For those new to Bottlerocket: it is a distribution that ships as an indivisible system image, updated automatically and atomically, which includes the Linux kernel and a minimal system environment containing only the components needed to run containers.
The environment uses the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB boot loader, containerd as the container runtime, the Kubernetes container orchestration platform, the aws-iam-authenticator, and the Amazon ECS agent.
The container orchestration tools ship in a separate management container that is enabled by default and is managed through the AWS SSM agent and API. The base image has no command shell, SSH server, or interpreted languages (for example, Python or Perl); administration and debugging tools are moved to a separate service container, which is disabled by default.
The key difference from similar distributions such as Fedora CoreOS and CentOS / Red Hat Atomic Host is its primary focus on security: the system is hardened against possible threats in ways that complicate the exploitation of vulnerabilities in operating system components and strengthen container isolation.
Containers are created using the usual Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution uses SELinux in enforcing mode.
The root partition is mounted read-only, and the partition holding the /etc configuration is mounted as tmpfs and restored to its original state after a reboot. Direct modification of files in /etc, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported: to make configuration changes persistent, you must either use the API or move the functionality into separate containers.
The dm-verity module is used for cryptographic verification of the integrity of the root partition; if an attempt to modify data at the block device level is detected, the system reboots.
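To illustrate what dm-verity's block-level integrity check buys a read-only root, here is an added example (not Bottlerocket's code, and not the kernel's dm-verity implementation) that builds a salted hash tree over a disk image and verifies individual blocks against a single trusted root hash. It is a simplification: dm-verity packs many hashes into each hash block rather than using a binary Merkle tree, and the block size, salt and sample image below are constructed for the example. The point it shows is that only the root hash has to be trusted; the stored tree can be treated as untrusted, and any modified data block fails verification on read.

```python
import hashlib

# Constructed parameters for this example. dm-verity defaults to 4096-byte data
# blocks and a per-device salt, but packs many hashes per hash block instead of
# using the binary tree built here.
BLOCK_SIZE = 4096
SALT = b"example-salt-not-from-bottlerocket"


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Cut an image into fixed-size blocks, zero-padding the final partial block."""
    return [data[off:off + block_size].ljust(block_size, b"\0")
            for off in range(0, len(data), block_size)]


def leaf_hash(salt: bytes, block: bytes) -> bytes:
    return hashlib.sha256(salt + block).digest()


def node_hash(salt: bytes, left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(salt + left + right).digest()


def build_hash_tree(blocks: list, salt: bytes = SALT) -> list:
    """Return the tree as a list of levels, leaves first and root last.
    A level with an odd node count is padded by duplicating its last node so
    every node has a sibling."""
    level = [leaf_hash(salt, b) for b in blocks]
    levels = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        levels.append(level)
        level = [node_hash(salt, level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
    levels.append(level)  # root level: exactly one node
    return levels


def root_hash(levels: list) -> bytes:
    """The only value that has to be trusted (pinned by the bootloader/kernel cmdline)."""
    return levels[-1][0]


def verify_block(index: int, block: bytes, levels: list, trusted_root: bytes,
                 salt: bytes = SALT) -> bool:
    """Recompute the path from one data block up to the root, taking sibling
    hashes from the (untrusted) stored tree, and compare with the trusted root."""
    h = leaf_hash(salt, block)
    for level in levels[:-1]:
        sibling = level[index ^ 1]
        h = node_hash(salt, h, sibling) if index % 2 == 0 else node_hash(salt, sibling, h)
        index //= 2
    return h == trusted_root


def find_corrupted_blocks(image: bytes, levels: list, trusted_root: bytes,
                          salt: bytes = SALT) -> list:
    """Indices of data blocks whose recomputed root does not match the trusted root.
    dm-verity performs this check per block on read; Bottlerocket's policy on a
    mismatch is to reboot rather than serve the data."""
    blocks = split_blocks(image)
    return [i for i, b in enumerate(blocks)
            if not verify_block(i, b, levels, trusted_root, salt)]


if __name__ == "__main__":
    # Constructed sample image: five distinct 4 KiB blocks plus a partial sixth.
    image = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5)) + b"tail"
    tree = build_hash_tree(split_blocks(image))
    root = root_hash(tree)
    print("clean image, bad blocks:", find_corrupted_blocks(image, tree, root))
    tampered = bytearray(image)
    tampered[2 * BLOCK_SIZE + 100] ^= 0xFF  # flip one byte inside block 2
    print("tampered image, bad blocks:", find_corrupted_blocks(bytes(tampered), tree, root))
```

Because sibling hashes are read from the stored tree, an attacker who can write the block device gains nothing by also rewriting the tree: the recomputed root still has to match the pinned value, which is why the root hash, not the tree, is what the boot chain protects.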
Most system components are written in Rust, which provides memory-safe tooling that prevents vulnerabilities caused by use of memory after it has been freed, null pointer dereferences, and buffer overflows.
When compiling, the "--enable-default-pie" and "--enable-default-ssp" modes are used by default to enable address space randomization for executables (PIE) and stack overflow protection via stack canaries.
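A practitioner auditing an image built this way usually wants to confirm that a given binary actually came out position-independent and stack-protected. The following added example (not part of the original article or of Bottlerocket's tooling) applies the same two heuristics that tools like checksec use: the ELF header's e_type is ET_DYN for a PIE, and a binary compiled with stack protection references the __stack_chk_fail symbol. The fake ELF bytes produced by make_fake_elf are constructed purely so the check can be exercised offline.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification


def parse_elf_header(data: bytes) -> dict:
    """Decode the fields of the ELF identification and header we need."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1/2 = 32/64-bit, 1/2 = LE/BE
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"class": 64 if ei_class == 2 else 32,
            "little_endian": ei_data == 1,
            "e_type": e_type,
            "e_machine": e_machine}


def is_pie(data: bytes) -> bool:
    """PIE executables are ET_DYN. Caveat: shared libraries are ET_DYN too, so
    apply this only to files you know are executables."""
    return parse_elf_header(data)["e_type"] == ET_DYN


def has_stack_protector(data: bytes) -> bool:
    """Heuristic: code built with -fstack-protector calls __stack_chk_fail, so the
    symbol name appears in the dynamic string table. A binary with no functions
    that needed a canary may lack it even when built with SSP enabled."""
    return b"__stack_chk_fail\0" in data


def check_hardening(data: bytes) -> dict:
    return {"pie": is_pie(data), "stack_protector": has_stack_protector(data)}


def make_fake_elf(e_type: int, with_canary: bool) -> bytes:
    """Constructed 64-bit little-endian ELF header (x86-64) plus a fake string
    table, sufficient for the checks above. Not a loadable binary."""
    header = (ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
              + struct.pack("<HH", e_type, 0x3E) + b"\0" * 44)
    assert len(header) == 64
    strtab = b"\0libc.so.6\0" + (b"__stack_chk_fail\0" if with_canary else b"") + b"puts\0"
    return header + strtab


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_hardening(f.read()))
    else:
        print("hardened sample:", check_hardening(make_fake_elf(ET_DYN, True)))
        print("unhardened sample:", check_hardening(make_fake_elf(ET_EXEC, False)))
```

Run it with a path to any ELF binary to see the two flags; a result of pie=False on an executable from an image that claims --enable-default-pie is the kind of discrepancy worth investigating, since it usually means the binary was linked with -no-pie or built by a different toolchain.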
What's new in Bottlerocket 1.7.0?
One change that stands out in this new version is that, when RPM packages are installed, a list of programs is generated in JSON format and mounted into the host container as the /var/lib/bottlerocket/inventory/application.json file, providing information about the available packages.
Bottlerocket 1.7.0 also updates the "admin" and "control" containers, as well as package versions and dependencies for Go and Rust.
Other highlights include updated versions of third-party packages, fixes for tmpfilesd configuration issues with kmod-5.10-nvidia, and pinned dependency versions when installing tuftool.
Finally, for those interested in learning more about this distribution: the toolkit and distribution control components are written in Rust and are distributed under the MIT and Apache 2.0 licenses.
Bottlerocket supports running Amazon ECS, VMware, and AWS EKS Kubernetes clusters, as well as creating custom builds and editions that enable different container orchestrators and runtime tools.
You can check the details in the following link.