Bottlerocket, a minimalist Linux distribution for running containers, has been released. The most important things about it


Amazon has announced the final release of Bottlerocket, a specialized distribution for running containers and managing them effectively.

Bottlerocket (the name, by the way, is what small homemade black-powder rockets are called) is not the first OS for containers, but it is likely to become widespread thanks to its default integration with AWS services. Although the system is focused on the Amazon cloud, the open source code allows you to build it anywhere: locally on a server, on a Raspberry Pi, in any competing cloud, and even in an environment without containers.

This is a completely worthy replacement for the CoreOS distribution that Red Hat buried.

In fact, Amazon Web Services already has Amazon Linux, recently released in a new version: a general-purpose distribution that can run in a Docker container or under the Linux KVM, Microsoft Hyper-V and VMware ESXi hypervisors. It has been optimized for the AWS cloud, but with the release of Bottlerocket everyone is encouraged to move to a new system that is more secure, more modern and consumes fewer resources.

AWS announced Bottlerocket in March 2020. The company immediately acknowledged that this was not the first "Linux for containers", citing CoreOS, Rancher OS and Project Atomic as inspirations. The developers wrote that the operating system is "the result of lessons we've learned from running Amazon-scale production services for a long time and the experience we've had over the past six years on how to run containers."

Extreme minimalism

Linux has been stripped of everything not needed to run containers. This design, according to the company, reduces the attack surface.

This means that fewer packages are installed on the base system, which makes the OS easier to maintain and update, reduces the likelihood of dependency problems, and lowers resource usage. Essentially everything here runs inside separate containers, and the underlying system is practically bare.

Amazon has also removed all shells and interpreters, eliminating the risk of them being used or of users accidentally escalating privileges. For the sake of minimalism and security, the base image does not include a command shell, an SSH server, or interpreted languages like Python. Administrator tools are placed in a separate service container, which is disabled by default.

The system is managed in two ways: through the API and through the orchestrator.

Instead of a package manager that updates individual pieces of software, Bottlerocket downloads a complete file system image and reboots into it. If the boot fails, the system is rolled back automatically; a workload failure can trigger a manual rollback (a command issued via the API).

TUF (The Update Framework) downloads image-based updates to an alternate, unmounted partition. Two disk partitions are allocated for the system: one contains the active system, and the update is copied to the second. The root partition is mounted read-only, and /etc is mounted as an in-memory tmpfs file system that returns to its original state after a restart. Direct modification of configuration files in /etc is not supported: to persist settings, you should use the API or move the functionality into separate containers.

API Upgrade Scheme

Security

Containers are isolated with the standard Linux kernel mechanisms (cgroups, namespaces and seccomp), and SELinux in "enforcing" mode is used as a mandatory access control system for additional isolation.

Policies that separate the resources of containers and the host system are enabled by default. The binaries are flagged to prevent users or programs from executing them. And if anyone does get to the file system, Bottlerocket offers a tool to check for and track any changes that have been made.

"Verified boot" is implemented through the device-mapper verity target (dm-verity), which checks the integrity of the root partition at boot time. AWS describes dm-verity as "a feature in the Linux kernel that provides integrity checking to prevent malware from running on the OS, such as overwriting core system software."
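To make the integrity check concrete, here is an added example (not Bottlerocket's or the kernel's code) that models the dm-verity hash tree in Python: each data block is hashed with a salt, the hashes are packed into hash blocks and hashed again up to a single root hash, and any block read is checked against that root. The salt-first hashing follows dm-verity's format version 1; the salt and the image contents are constructed for the example.

```python
import hashlib

BLOCK = 4096                 # data and hash block size used here
DIGEST = 32                  # SHA-256 digest length
PER_BLOCK = BLOCK // DIGEST  # 128 hashes fit in one hash block


def block_hash(salt: bytes, data: bytes) -> bytes:
    # Format version 1 hashes salt || data for data blocks and hash blocks alike.
    return hashlib.sha256(salt + data).digest()


def pad_block(b: bytes) -> bytes:
    # A partially filled hash block is zero-padded to the block size.
    return b + b"\0" * (BLOCK - len(b))


def build_tree(image: bytes, salt: bytes):
    """Return (root_hash, levels): levels[0] has one hash per data block,
    each higher level one hash per packed hash block below it, up to the root."""
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    level = [block_hash(salt, pad_block(b)) for b in blocks]
    levels = [level]
    while len(level) > 1:
        packed = [b"".join(level[i:i + PER_BLOCK]) for i in range(0, len(level), PER_BLOCK)]
        level = [block_hash(salt, pad_block(p)) for p in packed]
        levels.append(level)
    return level[0], levels


def verify_block(image: bytes, index: int, salt: bytes, levels, root_hash: bytes) -> bool:
    """Check one data block as dm-verity does on every read: re-hash it, compare with
    its leaf, and re-derive the hash blocks above it up to the trusted root hash.
    A modified data block or a tampered hash block fails the read."""
    h = block_hash(salt, pad_block(image[index * BLOCK:(index + 1) * BLOCK]))
    idx = index
    for lvl in levels[:-1]:
        if lvl[idx] != h:
            return False
        start = (idx // PER_BLOCK) * PER_BLOCK
        h = block_hash(salt, pad_block(b"".join(lvl[start:start + PER_BLOCK])))
        idx //= PER_BLOCK
    return h == root_hash


# Constructed sample: a 300-block image (about 1.2 MB) and a made-up salt.
SALT = b"example-salt-not-from-a-real-image"
SAMPLE_IMAGE = bytes(range(256)) * (BLOCK // 256) * 300
ROOT, LEVELS = build_tree(SAMPLE_IMAGE, SALT)


def tampered_read(index: int, offset: int) -> bool:
    """Flip one bit inside data block `index` and report whether it still verifies."""
    img = bytearray(SAMPLE_IMAGE)
    img[index * BLOCK + offset] ^= 0x01
    return verify_block(bytes(img), index, SALT, LEVELS, ROOT)
```

With 300 data blocks the tree has three levels (300 leaf hashes, 3 hash blocks, the root), and flipping a single bit in any block makes that block's read fail while neighbouring blocks still verify.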

The system also includes eBPF (extended BPF, developed by Alexey Starovoitov), which allows kernel modules to be replaced with safer BPF programs for low-level system operations.

Attribute           | User               | Kernel       | BPF
Execution model     | task               | task         | event
User defined        | yes                | no           | yes
Compilation         | any                | static       | JIT, CO-RE
Security            | user rights        | none         | verification, JIT
Failure mode        | abort execution    | kernel panic | error message
Access to resources | system call, fault | direct       | limited helpers

The difference between BPF and regular user- or kernel-level code (source)

AWS said Bottlerocket "employs an operating model that further enhances security by preventing connections to production servers with administrative privileges" and is "suitable for large distributed systems where control over each individual host is limited."

An administrator container is provided for system administrators. But AWS does not expect an admin to work inside Bottlerocket often: "The act of logging into a separate Bottlerocket instance is intended for infrequent operations: advanced debugging and troubleshooting," the developers write.

Rust language

The OS toolkit on top of the kernel is mostly written in Rust. By design, this language reduces the likelihood of unsafe memory access and eliminates race conditions between threads.

The flags --enable-default-pie and --enable-default-ssp are applied by default at build time to enable position-independent executables (PIE, so that executable images can be randomized in the address space) and stack overflow protection.

For C/C++ packages, the additional flags -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS and -fstack-clash-protection are enabled.

Besides Rust and C/C++, some packages are written in Go.

Integration with AWS services

The difference from similar container operating systems is that Amazon has optimized Bottlerocket to run on AWS and integrate with other AWS services.

The most popular container orchestrator is Kubernetes, so AWS has implemented integration with its own Enterprise Kubernetes Service (EKS). The orchestration tools ship in a separate control container, bottlerocket-control-container, which is enabled by default and managed through the API and the AWS SSM Agent.

It will be interesting to see whether Bottlerocket takes off, given the failure of some similar initiatives in the past. For example, PhotonOS from VMware went largely unused, and Red Hat bought CoreOS, which was considered a pioneer in the field, and closed the project.

The integration of Bottlerocket with AWS services makes this system unique in its own way. Perhaps this is the main reason why some users may prefer Bottlerocket to other distributions such as CoreOS or Alpine. The system was originally designed to work with EKS and ECS, but we repeat that this is not a requirement. First, you can build Bottlerocket yourself and use it, for example, as a hosted solution. Second, EKS and ECS users will still have a choice of OS.

The Bottlerocket source code is published on GitHub under the Apache 2.0 license. The developers are already responding to bug reports and feature requests.


Source: habr.com
