Amazon releases Bottlerocket 1.0.0, Linux distribution based on isolated containers

Amazon has presented the first major release of Bottlerocket 1.0.0, a dedicated Linux distribution designed to run isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and are licensed under MIT and Apache 2.0. The project is developed on GitHub and is open to participation by community members. System deployment images are built for the x86_64 and AArch64 architectures. The OS is adapted to run on Amazon ECS and AWS EKS Kubernetes clusters; tools are also provided for building your own images and editions that use other orchestration tools, kernels and container runtimes.

The distribution provides a Linux kernel and a minimal system environment that includes only the components needed to run containers. Among the packages used in the project are the systemd system manager, the Glibc library, the Buildroot build toolkit, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration framework, aws-iam-authenticator, and the Amazon ECS agent.

The distribution is updated atomically and is delivered as an indivisible system image. Two disk partitions are allocated for the system: one holds the active system, and the update is copied to the second. Once the update is deployed, the second partition becomes active, while the first retains the previous version of the system until the next update arrives, so that it can be rolled back to in case of problems. Updates are installed automatically without administrator involvement.

A key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against possible threats, making exploitation of vulnerabilities in OS components harder, and strengthening container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in enforcing mode, and the dm-verity module is used for cryptographic verification of the integrity of the root partition. If an attempt to modify data at the block device level is detected, the system reboots.
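The dm-verity check described above, as an added illustration that is not Bottlerocket's or the kernel's own code: a simplified hash tree over a constructed "partition" image (block size, fanout and sample data chosen for readability, no salt), showing why a modified data block, or a forged tree node, cannot pass verification against the trusted root hash.

```python
import hashlib

# Constructed parameters: a 64-byte block keeps the example readable;
# real dm-verity uses 4096-byte data and hash blocks and mixes in a salt.
BLOCK_SIZE = 64
FANOUT = 4  # child hashes per tree node


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_hash_tree(image: bytes):
    """Build a dm-verity-style hash tree over `image`.
    levels[0] holds one hash per data block; each higher level hashes FANOUT
    concatenated child hashes until one root hash remains. The tree is stored
    next to the data; only the root is trusted (handed to the kernel at boot)."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    level = [_h(b.ljust(BLOCK_SIZE, b"\0")) for b in blocks]
    levels = [level]
    while len(level) > 1:
        level = [_h(b"".join(level[i:i + FANOUT]))
                 for i in range(0, len(level), FANOUT)]
        levels.append(level)
    return levels, level[0]


def verify_block(image: bytes, index: int, levels, root: bytes) -> bool:
    """Check one data block the way the read path does: recompute its leaf
    hash, then walk up the stored tree, recomputing each parent from its
    siblings, and accept only if the chain ends at the trusted root."""
    block = image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    node = _h(block.ljust(BLOCK_SIZE, b"\0"))
    pos = index
    for stored in levels[:-1]:
        if stored[pos] != node:        # data block or tree node was altered
            return False
        start = pos - pos % FANOUT
        node = _h(b"".join(stored[start:start + FANOUT]))
        pos //= FANOUT
    return node == root


if __name__ == "__main__":
    image = bytes(range(256)) * 4          # constructed 1024-byte "root partition"
    levels, root = build_hash_tree(image)
    print(all(verify_block(image, i, levels, root) for i in range(16)))  # True
    bad = bytearray(image)
    bad[300] ^= 0x01                        # flip one bit inside block 4
    print(verify_block(bytes(bad), 4, levels, root))  # False: would trigger a reboot
```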

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Direct modification of files in /etc, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported: settings must be saved persistently through the API, or the functionality moved into separate containers.

Most system components are written in Rust, which provides memory-safe tools to avoid vulnerabilities caused by use of memory after it has been freed, null pointer dereferences, and buffer overruns. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" compiler modes to enable address-space randomization of executables (PIE) and stack overflow protection via stack canaries. For packages written in C/C++, the additional flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS", and "-fstack-clash-protection" are enabled.

Container orchestration tools come in a separate control container, which is enabled by default and is managed via the API and the AWS SSM Agent. The base image has no command shell, SSH server, or interpreted languages (for example, no Python or Perl); admin and debugging tools are moved to a separate service container, which is disabled by default.

Source: opennet.ru