Release of Bottlerocket 1.2, a distribution based on isolated containers

Bottlerocket 1.2.0, a Linux distribution developed with Amazon's participation to run isolated containers efficiently and securely, has been released. The distribution's toolkit and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket runs on Amazon ECS, VMware and AWS EKS Kubernetes clusters, and custom builds and variants can be created with different container orchestration and runtime tools.

The distribution provides an atomically and automatically updated indivisible system image that includes the Linux kernel and a minimal system environment that includes only the components needed to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network configurator, the containerd isolated container runtime, the Kubernetes container orchestration platform, the aws-iam-authenticator, and the Amazon ECS agent.

The container orchestration tools come in a separate management container that is enabled by default and managed through the API and the AWS SSM Agent. The base image lacks a command shell, an SSH server and interpreted languages (for example, no Python or Perl); administrative and debugging tools are moved to a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is its primary focus on maximum security: hardening the system against possible threats, making exploitation of vulnerabilities in OS components harder, and increasing container isolation. Containers are created using the regular Linux kernel mechanisms (cgroups, namespaces and seccomp); for additional isolation, the distribution runs SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc partition is mounted on tmpfs and restored to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported: to persist settings you must use the API or move the functionality into separate containers. The integrity of the root partition is cryptographically verified with the dm-verity module, and if an attempt to modify data at the block-device level is detected, the system reboots.
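The dm-verity check described above works by hashing every block of the root partition into a hash tree whose root is trusted at boot; each block read is recomputed up to that root, so a modified block (or a forged hash tree without the matching root) is rejected. The following Python is an added example written for this article, not Bottlerocket's or the kernel's code: it builds a simplified pairwise tree (real dm-verity packs many hashes into each hash block and stores the block size, algorithm and salt in a superblock), and the block size, salt and sample image are constructed values.

```python
import hashlib

# Constructed parameters: a real dm-verity volume records its own block size,
# hash algorithm and random salt in the verity superblock.
BLOCK_SIZE = 4096
SALT = b"constructed-salt"
ZERO_HASH = bytes(32)  # padding node when a level has an odd number of nodes


def hash_node(data: bytes) -> bytes:
    """Salted SHA-256, used for data blocks and internal tree nodes alike."""
    return hashlib.sha256(SALT + data).digest()


def split_blocks(image: bytes) -> list:
    """Cut the image into fixed-size blocks, zero-padding the last one."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if blocks and len(blocks[-1]) < BLOCK_SIZE:
        blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\x00")
    return blocks


def build_tree(image: bytes) -> list:
    """Hash levels: levels[0] holds per-block hashes, levels[-1] is [root]."""
    levels = [[hash_node(b) for b in split_blocks(image)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        if len(prev) % 2:
            prev = prev + [ZERO_HASH]
        levels.append([hash_node(prev[i] + prev[i + 1])
                       for i in range(0, len(prev), 2)])
    return levels


def root_hash(image: bytes) -> bytes:
    """The value that is handed to the kernel at boot and trusted from then on."""
    return build_tree(image)[-1][0]


def make_proof(levels: list, index: int) -> list:
    """Sibling hashes from block `index` up to the root, each tagged with its side."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else ZERO_HASH
        proof.append((sibling, sib < index))  # True: sibling sits on the left
        index //= 2
    return proof


def verify_block(root: bytes, block: bytes, proof: list) -> bool:
    """Recompute one block's path to the trusted root, as the kernel does per read."""
    h = hash_node(block)
    for sibling, sibling_is_left in proof:
        h = hash_node(sibling + h) if sibling_is_left else hash_node(h + sibling)
    return h == root


def check_image(root: bytes, levels: list, image: bytes) -> list:
    """Indices of blocks that fail verification against the stored tree and trusted root."""
    return [i for i, block in enumerate(split_blocks(image))
            if not verify_block(root, block, make_proof(levels, i))]


# Constructed five-block image (odd count exercises the padding path).
SAMPLE_IMAGE = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))

if __name__ == "__main__":
    tree = build_tree(SAMPLE_IMAGE)
    root = tree[-1][0]
    print("root:", root.hex(), "bad blocks:", check_image(root, tree, SAMPLE_IMAGE))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[2 * BLOCK_SIZE + 7] ^= 0x01  # one flipped bit in block 2
    print("after tampering, bad blocks:", check_image(root, tree, bytes(tampered)))
```

The stored tree is passed to `check_image` separately from the image, mirroring the on-disk layout: an attacker who rewrites a data block and the hash block covering it still cannot produce the trusted root, so the affected blocks fail verification and, on Bottlerocket, the system reboots.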

Most system components are written in Rust, which provides memory-safe facilities that avoid vulnerabilities caused by use-after-free, null-pointer dereferences and buffer overruns. Builds use the "--enable-default-pie" and "--enable-default-ssp" compilation modes by default to produce position-independent executables (PIE, so the address space can be randomized) and to protect against stack overflows with stack canaries. For packages written in C/C++, the "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" flags are additionally enabled.
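Whether those build flags actually took effect can be checked on the resulting binaries: a PIE is an ET_DYN object, the stack protector leaves a reference to __stack_chk_fail, and FORTIFY_SOURCE routes calls to the __*_chk variants. The Python below is an added example written for this article (not a Bottlerocket tool); it applies the same heuristics that checkers such as checksec use, constructs two fake ELF images so it runs offline, and cannot detect -fstack-clash-protection or -Werror=format-security, which leave no reliable symbol fingerprint.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
ET_NAMES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
# FORTIFY_SOURCE replaces memcpy/printf/... with __memcpy_chk/__printf_chk/...
FORTIFY_RE = re.compile(rb"__[A-Za-z0-9_]+_chk\x00")


def inspect_elf(data: bytes) -> dict:
    """Heuristic hardening report for one ELF image held in memory."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {
        "class": 64 if ei_class == 2 else 32,
        "type": ET_NAMES.get(e_type, "unknown(%d)" % e_type),
        # --enable-default-pie yields ET_DYN; shared libraries are ET_DYN too,
        # so for a library this only means "position independent".
        "pie_or_shared": e_type == 3,
        # --enable-default-ssp: a failed canary check calls __stack_chk_fail.
        "stack_protector": b"__stack_chk_fail\x00" in data,
        "fortify": FORTIFY_RE.search(data) is not None,
    }


def missing_protections(report: dict) -> list:
    """Names of the checked protections that the report says are absent."""
    wanted = ["pie_or_shared", "stack_protector", "fortify"]
    return [k for k in wanted if not report[k]]


def inspect_elf_file(path: str) -> dict:
    """Run the same report on a real file, e.g. a binary from a Bottlerocket image."""
    with open(path, "rb") as f:
        return inspect_elf(f.read())


def build_sample_elf(e_type: int, symbols: list) -> bytes:
    """Constructed stand-in: a 64-bit little-endian ELF header plus a fake string table."""
    hdr = bytearray(64)
    hdr[0:4] = ELF_MAGIC
    hdr[4], hdr[5], hdr[6] = 2, 1, 1  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<H", hdr, 16, e_type)
    strtab = b"\x00" + b"".join(s + b"\x00" for s in symbols)
    return bytes(hdr) + strtab


# Constructed samples: one built with PIE, SSP and FORTIFY, one without any of them.
SAMPLE_HARDENED = build_sample_elf(3, [b"__stack_chk_fail", b"__memcpy_chk", b"main"])
SAMPLE_PLAIN = build_sample_elf(2, [b"memcpy", b"main"])

if __name__ == "__main__":
    for name, blob in (("hardened", SAMPLE_HARDENED), ("plain", SAMPLE_PLAIN)):
        report = inspect_elf(blob)
        print(name, report, "missing:", missing_protections(report))
```

For a real image, point `inspect_elf_file` at each binary under the root partition; a non-empty `missing_protections` result is the signal to look at that package's build flags, bearing in mind that a binary with no stack arrays may legitimately lack the __stack_chk_fail reference.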

In the new release:

  • Added support for container image registry mirrors.
  • Added the ability to use self-signed certificates.
  • Added an option to configure the hostname.
  • Updated the version of the default administrative container.
  • Added topologyManagerPolicy and topologyManagerScope settings for kubelet.
  • Added support for kernel compression using the zstd algorithm.
  • Added the ability to download virtual machine images in the VMware OVA (Open Virtualization Format) format.
  • Updated distribution variant aws-k8s-1.21 with support for Kubernetes 1.21. Support for aws-k8s-1.16 has been dropped.
  • Updated package versions and dependencies for the Rust language.

Source: opennet.ru