Amazon company
The distribution provides a Linux kernel and a minimal system environment that includes only the components needed to run containers. Among the packages used in the project are the systemd system manager, the Glibc library, the Buildroot build toolkit, the GRUB bootloader, and a network configurator
The distribution is updated atomically and is delivered as an indivisible system image. Two disk partitions are allocated for the system: one holds the active system, and the update is copied to the second. After the update is applied, the second partition becomes active, while the first keeps the previous version of the system until the next update arrives, so that it can be rolled back to if problems occur. Updates are installed automatically without administrator involvement.
A key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on providing
The root partition is mounted read-only, and the partition with the /etc settings is mounted on tmpfs and restored to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported: to persist settings you must use the API, or move the functionality into separate containers.
Most system components are written in Rust, which provides memory-safe tools that avoid vulnerabilities caused by accessing a memory area after it has been freed, dereferencing null pointers, and buffer overruns. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" compilation modes to enable address-space randomization of executable files (
For packages written in C/C++, the additional flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS", and "-fstack-clash-protection" are enabled.
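As an added example (not from the article or the Bottlerocket project), a small Python check that a packaged C/C++ binary actually carries the PIE, stack-protector and FORTIFY_SOURCE hardening described above. The ELF header is parsed from the bytes; the symbol checks are a byte-substring heuristic rather than a full symbol-table parse, and the sample ELF bytes are constructed inline, so the script runs offline.

```python
"""Verify ELF hardening: PIE (e_type == ET_DYN), stack protector
(__stack_chk_fail referenced) and FORTIFY_SOURCE (*_chk libc variants).
Added example; heuristic in the spirit of simple checksec scripts."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62
# FORTIFY_SOURCE rewrites unsafe libc calls to these checked variants.
FORTIFIED = (b"__memcpy_chk", b"__strcpy_chk", b"__sprintf_chk",
             b"__printf_chk", b"__fprintf_chk", b"__snprintf_chk",
             b"__memset_chk", b"__strcat_chk", b"__read_chk")


def parse_elf_header(data: bytes) -> dict:
    """Return class, byte order, e_type and e_machine from the ELF header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]      # 1/2 = ELF32/ELF64, 1/2 = LE/BE
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"class": 32 if ei_class == 1 else 64, "type": e_type,
            "machine": e_machine}


def check_hardening(data: bytes) -> dict:
    """Caveats: ET_DYN also covers shared libraries, so for a PIE verdict
    the file must be an executable; a binary with no canary-needing
    function or no unprovable fortified call can lack these symbols even
    when built with -fstack-protector / -D_FORTIFY_SOURCE=2."""
    hdr = parse_elf_header(data)
    return {"pie": hdr["type"] == ET_DYN,
            "stack_protector": b"__stack_chk_fail" in data,
            "fortify": any(name in data for name in FORTIFIED)}


def make_sample(e_type: int, refs: bytes) -> bytes:
    """Constructed minimal ELF64 little-endian x86-64 header plus a fake
    string table: enough for the checks above, not a loadable program."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    rest = struct.pack("<HHIQQQIHHHHHH", e_type, EM_X86_64, 1,
                       0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    return ident + rest + refs


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else make_sample(
        ET_DYN, b"\x00__stack_chk_fail\x00__memcpy_chk\x00")
    for key, ok in check_hardening(blob).items():
        print(f"{key:16s} {'yes' if ok else 'NO'}")
```

Run it against a file path to audit a real binary; without an argument it checks the constructed sample.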
Container orchestration tools come in a separate
Source: opennet.ru