Amazon company
Bottlerocket (incidentally, the name given to small homemade black-powder rockets) is not the first OS built for containers, but it is likely to become widespread thanks to its default integration with AWS services. Although the system is aimed at the Amazon cloud, the open source code lets you build it anywhere: locally on a server, on a Raspberry Pi, in any competing cloud, and even in an environment without containers.
This is a completely worthy replacement for the CoreOS distribution that Red Hat buried.
In fact, Amazon Web Services already has Amazon Linux, recently released as Amazon Linux 2: a general-purpose distribution that can run in a Docker container or under the Linux KVM, Microsoft Hyper-V and VMware ESXi hypervisors. It is optimized for the AWS cloud, but with the release of Bottlerocket everyone is encouraged to move to the new system, which is more secure, more modern and consumes fewer resources.
AWS announced Bottlerocket
Extreme minimalism
Linux has been stripped of everything not needed to run containers. This design, according to the company, reduces the attack surface.
This means that fewer packages are installed on the base system, which makes it easier to maintain and update the OS, and also reduces the likelihood of problems due to dependencies, reducing resource usage. Basically, everything here works inside separate containers, and the underlying system is practically bare.
Amazon has also removed all shells and interpreters, eliminating the risk of their being abused or of users accidentally escalating privileges. For the sake of minimalism and security, the base image includes no command shell, no SSH server and no interpreted languages such as Python. Administrator tools live in a separate service container, which is disabled by default.
The system is managed in two ways: through the API and orchestration.
Instead of a package manager that updates individual pieces of software, Bottlerocket downloads a complete file system image and reboots into it. In the event of a boot failure, it is automatically rolled back, and a workload failure can trigger a manual rollback (command via API).
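The whole-image update model described above is easiest to understand as a two-slot (A/B) boot scheme: the new image is written to the inactive slot and made the preferred one for a single trial boot; if the OS never marks that slot as healthy, the next boot automatically falls back to the previous slot, and a workload failure can be answered by an explicit rollback command. The following Python model is an added example written for this article, not Bottlerocket's own code; the slot fields (priority, tries_left, successful) and the selection rule are assumptions that mirror the general A/B pattern, and the image names are constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Slot:
    """One of the two root file system partitions in an A/B layout (model, assumed)."""
    name: str
    image: str          # which full-system image is written to this slot
    priority: int       # the bootloader prefers the highest priority
    tries_left: int     # boot attempts left before an unproven slot is given up on
    successful: bool    # set once the OS has come up healthy from this slot


class BootModel:
    """Simplified A/B boot selection with automatic and manual rollback.

    Teaching model only: the highest-priority slot that is either proven
    successful or still has tries left is booted. Not Bottlerocket's code.
    """

    def __init__(self, slot_a: Slot, slot_b: Slot) -> None:
        self.slots: List[Slot] = [slot_a, slot_b]

    def _bootable(self) -> List[Slot]:
        return [s for s in self.slots if s.successful or s.tries_left > 0]

    def choose_slot(self) -> Slot:
        """What the bootloader would pick at the next power-on."""
        candidates = self._bootable()
        if not candidates:
            raise RuntimeError("no bootable slot")
        return max(candidates, key=lambda s: s.priority)

    def boot(self, healthy: bool) -> str:
        """Simulate one boot; `healthy` says whether the OS came up and marked itself good.

        Returns the image that was booted, so a caller can see which slot was
        actually used (a failed boot still consumes the slot's try).
        """
        slot = self.choose_slot()
        if not slot.successful:
            slot.tries_left -= 1        # the bootloader consumes one try on an unproven slot
        if healthy:
            slot.successful = True      # the OS marks the slot as proven
        return slot.image

    def stage_update(self, new_image: str) -> Slot:
        """Write a whole new image to the inactive slot and prefer it, on probation."""
        active = self.choose_slot()
        inactive = next(s for s in self.slots if s is not active)
        inactive.image = new_image
        inactive.priority = active.priority + 1
        inactive.tries_left = 1       # exactly one chance to prove itself
        inactive.successful = False
        return inactive

    def rollback(self) -> Slot:
        """Manual rollback (the 'command via API' case): prefer the other proven slot."""
        active = self.choose_slot()
        other = next(s for s in self.slots if s is not active)
        if not other.successful:
            raise RuntimeError(f"slot {other.name} holds no proven image to roll back to")
        other.priority = active.priority + 1
        return other


if __name__ == "__main__":
    # Constructed scenario: v1.0 is proven in slot A, slot B is empty.
    model = BootModel(Slot("A", "v1.0", 1, 0, True), Slot("B", "", 0, 0, False))
    model.stage_update("v1.1")
    print("trial boot:", model.boot(healthy=False))   # v1.1 boots but never marks itself good
    print("next boot: ", model.boot(healthy=True))    # automatic fallback to v1.0
```

The interesting property is that the fallback needs no decision at boot time beyond reading three fields per slot: an image that failed to come up simply runs out of tries and stops being a candidate, which is what makes the scheme safe on hosts nobody logs into.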
The /etc tree is mounted on an in-memory file system; persistent changes to /etc are not supported. To save settings, use the API or move the functionality into separate containers.
API Upgrade Scheme
Security
Containers are created with the standard Linux kernel mechanisms (cgroups, namespaces and seccomp), and a mandatory access control system in enforcing mode provides additional isolation.
Policies enabled by default govern the resources shared between containers and the host. The binaries are flagged to prevent users or programs from executing them. And if anyone does get to the file system, Bottlerocket offers a tool to check and track any changes that have been made.
The "verified boot" mode is implemented through the device-mapper-verity (dm-verity) function.
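To make the dm-verity idea concrete: the root file system is split into fixed-size blocks, a hash tree is built over them, and only the root digest has to be trusted (it is passed in from the verified boot chain); every block read at runtime is hashed and checked against the tree, so any offline modification of the image is detected before the data is used. The Python below is an added example written for this article, not Bottlerocket's or dm-verity's own code; it assumes SHA-256, 4 KiB blocks, no on-disk superblock, and a constructed salt and sample image.

```python
import hashlib
from typing import List

BLOCK_SIZE = 4096                  # data block size, a common dm-verity setting (assumed)
HASH_ALGO = "sha256"
DIGEST_LEN = 32                    # bytes per SHA-256 digest
FANOUT = BLOCK_SIZE // DIGEST_LEN  # digests that fit in one hash block (128)


def _hash(data: bytes, salt: bytes) -> bytes:
    """Salted digest, so identical blocks in different images hash differently."""
    h = hashlib.new(HASH_ALGO)
    h.update(salt)
    h.update(data)
    return h.digest()


def split_blocks(image: bytes) -> List[bytes]:
    """Split the image into fixed-size blocks, zero-padding the last one."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if blocks and len(blocks[-1]) < BLOCK_SIZE:
        blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def build_hash_tree(image: bytes, salt: bytes) -> List[List[bytes]]:
    """Return levels[0] = leaf digests, ..., levels[-1] = [root digest]."""
    level = [_hash(b, salt) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        parents = []
        for i in range(0, len(level), FANOUT):
            # each hash block holds up to FANOUT child digests, zero-padded like a real block
            chunk = b"".join(level[i:i + FANOUT]).ljust(BLOCK_SIZE, b"\0")
            parents.append(_hash(chunk, salt))
        level = parents
        levels.append(level)
    return levels


def verify_block(index: int, block: bytes, levels: List[List[bytes]],
                 root_hash: bytes, salt: bytes) -> bool:
    """Check one data block the way a read-time verifier does: leaf, then every
    ancestor hash block up to the trusted root. Tampering with the data or with
    any tree node on the path makes this return False."""
    digest = _hash(block, salt)
    for level in levels[:-1]:
        if level[index] != digest:
            return False
        start = (index // FANOUT) * FANOUT
        chunk = b"".join(level[start:start + FANOUT]).ljust(BLOCK_SIZE, b"\0")
        digest = _hash(chunk, salt)
        index //= FANOUT
    return digest == root_hash


def verify_image(image: bytes, levels: List[List[bytes]], root_hash: bytes, salt: bytes) -> bool:
    """Verify every block of an image against a stored tree and trusted root."""
    return all(verify_block(i, b, levels, root_hash, salt)
               for i, b in enumerate(split_blocks(image)))


if __name__ == "__main__":
    salt = b"constructed-salt"
    # Constructed sample image: 300 distinct 4 KiB blocks, enough for a three-level tree.
    image = b"".join(i.to_bytes(2, "big") * 2048 for i in range(300))
    levels = build_hash_tree(image, salt)
    root = levels[-1][0]
    print("levels:", len(levels), "root:", root.hex()[:16], "...")
    print("intact image verifies:", verify_image(image, levels, root, salt))
    tampered = bytearray(image)
    tampered[4096 * 7] ^= 1                           # flip one bit in block 7
    print("tampered image verifies:", verify_image(bytes(tampered), levels, root, salt))
```

Note that the tree itself lives on disk next to the data and is not trusted: only the root digest is, which is why corrupting a hash block is caught just like corrupting a data block.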
The system also includes a BPF filter.
        | Execution model | User defined | Compilation | Security          | Failure mode      | Access to resources
User    | task            | yes          | any         | user rights       | abort execution   | system call, fault
Kernel  | task            | no           | static      | none              | kernel panic      | direct
BPF     | event           | yes          | JIT, CO-RE  | verification, JIT | error message     | limited helpers
The difference between BPF and regular user- or kernel-level code.
AWS said Bottlerocket "employs an operating model that further enhances security by preventing connections to production servers with administrative privileges" and is "suitable for large distributed systems where control over each individual host is limited."
An administrator container is provided for system administrators. But AWS doesn't think an admin will often need to work inside Bottlerocket: "The act of logging into a separate Bottlerocket instance is intended for infrequent operations: advanced debugging and troubleshooting."
Rust language
The OS toolkit on top of the kernel is mostly written in Rust. This language is by nature
The --enable-default-pie and --enable-default-ssp flags are applied by default when building (the compiler is configured with them), so executables are produced as position-independent code that can be loaded at a randomized address, and with stack-smashing protection enabled. For C/C++ packages, the additional flags -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS and -fstack-clash-protection are included.
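Build flags are only worth anything if they actually reached the binary, so a practitioner wants a quick way to confirm them on a built artifact. The checker below is an added example written for this article, not part of Bottlerocket or its build tooling; it reads the ELF64 header to see whether the executable is position-independent (PIE executables have type ET_DYN rather than ET_EXEC) and looks for the symbol names that the stack protector and FORTIFY_SOURCE leave behind (`__stack_chk_fail` and the `__*_chk` variants). The sample ELF bytes are constructed in the block and are not a real program; the string search is a heuristic, and `-fstack-clash-protection` leaves no symbol to look for.

```python
import re
import struct
from typing import Dict

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # fixed-address executable vs. position-independent (PIE / shared)
ELF64_HEADER_LEN = 64
# FORTIFY_SOURCE routes risky libc calls through checked variants such as __memcpy_chk
_FORTIFY_RE = re.compile(rb"__[a-z0-9_]+_chk\x00")


def check_hardening(data: bytes) -> Dict[str, bool]:
    """Inspect raw ELF64 bytes for the marks that PIE, -fstack-protector and
    FORTIFY_SOURCE leave. Heuristic: symbol names are searched as strings, so
    run it on application binaries, not on libc itself (which defines them)."""
    if len(data) < ELF64_HEADER_LEN or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 2:
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)   # e_type sits at offset 16
    fortified = {m.group(0).rstrip(b"\x00") for m in _FORTIFY_RE.finditer(data)}
    return {
        "pie_or_shared": e_type == ET_DYN,          # what --enable-default-pie should give
        "fixed_address_exec": e_type == ET_EXEC,    # no ASLR for the main image
        "stack_protector": b"__stack_chk_fail\x00" in data,   # --enable-default-ssp
        "fortify_source": bool(fortified),          # -D_FORTIFY_SOURCE=2 took effect
    }


def check_file(path: str) -> Dict[str, bool]:
    with open(path, "rb") as f:
        return check_hardening(f.read())


def make_sample_elf(e_type: int, tail: bytes = b"") -> bytes:
    """Constructed ELF64 header (x86-64, little-endian) followed by arbitrary bytes.
    Only enough to exercise check_hardening; it is not a loadable binary."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8     # class=64-bit, data=LE, version=1
    rest = struct.pack("<HHIQQQIHHHHHH",
                       e_type, 0x3E, 1,        # e_type, e_machine (x86-64), e_version
                       0, 0, 0,                # e_entry, e_phoff, e_shoff
                       0, 64, 56, 0, 64, 0, 0) # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + rest + tail


if __name__ == "__main__":
    hardened = make_sample_elf(ET_DYN, b"\x00__stack_chk_fail\x00__memcpy_chk\x00")
    plain = make_sample_elf(ET_EXEC, b"\x00memcpy\x00")
    print("hardened sample:", check_hardening(hardened))
    print("plain sample:   ", check_hardening(plain))
```

On a real system `readelf -h` (Type: DYN) and `readelf --dyn-syms` give the same answers with more confidence; the value of a small script like this is that it can be run in a CI step over every built package.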
Besides Rust and C/C++, some packages are written in Go.
Integration with AWS services
The difference from similar container operating systems is that Amazon has optimized Bottlerocket to run on AWS and integrate with other AWS services.
The most popular container orchestrator is Kubernetes, so AWS has implemented integration with its own Elastic Kubernetes Service (EKS). Orchestration tools come in a separate control container.
It will be interesting to see whether Bottlerocket takes off, given the failure of some similar initiatives in the past. For example, PhotonOS from VMware turned out to be unclaimed, and Red Hat bought CoreOS and
The integration of Bottlerocket with AWS services makes this system unique in its own way. Perhaps this is the main reason why some users may prefer Bottlerocket to other distributions such as CoreOS or Alpine. The system was originally designed to work with EKS and ECS, but, again, this is not required. First, Bottlerocket can
The Bottlerocket source code is published on GitHub under the Apache 2.0 license. The developers have already
Source: habr.com