Amazon Web Services (AWS) has announced that Bottlerocket, its open-source Linux-based operating system designed specifically to run containers, is now generally available. Bottlerocket is meant to improve the security and operation of users' containerized infrastructure. The Seattle-based cloud giant first announced Bottlerocket in March 2020. With the Linux-based OS, AWS wants to address the need for an operating system that can manage thousands of container hosts through automation.
Technology Behind the Scenes
Bottlerocket was created to host containers on Amazon infrastructure. It runs natively in Amazon Elastic Kubernetes Service (EKS), AWS Fargate, and Amazon Elastic Container Service (ECS). Bottlerocket is essentially a Linux 5.4 kernel with just enough user-land utilities added to run containers. It is written primarily in Rust, and it runs both Docker and Open Container Initiative (OCI) images.
Bottlerocket is a self-contained container OS, and users with prior experience of Red Hat Linux distributions will find it familiar. It is paired with container orchestrators such as Amazon EKS to manage and orchestrate updates. Users can also add support for other orchestrators by building variants of the operating system that include the necessary orchestration agents or custom components.
Bottlerocket's approach to security is to minimize the attack surface exposed to outside attackers. It limits the potential impact of a compromise on the system and provides isolation between containers.
To isolate containers, Bottlerocket uses control groups (cgroups) and kernel namespaces to separate the containers running on a system. The use of eBPF (extended Berkeley Packet Filter) can further isolate containers and verify container code that requires low-level system access. Moreover, the secure mode of eBPF prohibits pointer arithmetic, traces I/O, and restricts the kernel functions that the container can access.
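The isolation described above rests on two kernel facts that any Linux host, Bottlerocket included, exposes through procfs: a container's processes sit in their own cgroup path, and they hold their own namespace inodes for pid, mount, network and so on. The following is an added example (not Bottlerocket code and not from the article) showing how a defender can parse `/proc/<pid>/cgroup` and `/proc/<pid>/ns/*` and check whether two processes are actually separated. The cgroup paths, namespace inode numbers and the `podXYZ`/`ctr123` identifiers in the sample data are constructed for illustration; the only live read is the optional `read_live_namespaces` helper, which returns an empty dict on systems without procfs.

```python
"""Defender-side check of cgroup and namespace isolation between two processes.

Added example, not Bottlerocket's own code. It parses the information that
procfs exposes on any Linux host and reports which kernel namespaces two
processes share and whether they live in the same cgroup.
"""
import os
import re

# Namespace kinds a container runtime is expected to separate from the host.
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Constructed sample data (not captured from a real node).
HOST_CGROUP = "0::/system.slice/containerd.service\n"
CONTAINER_CGROUP = (
    "0::/kubepods.slice/kubepods-burstable.slice/"
    "kubepods-burstable-podXYZ.slice/cri-containerd-ctr123.scope\n"
)
# Legacy cgroup v1 layout, used to exercise the parser's other branch.
V1_CGROUP = "12:pids:/docker/ctr123\n11:memory:/docker/ctr123\n1:name=systemd:/docker/ctr123\n0::/docker/ctr123\n"

# Namespace inodes as os.readlink('/proc/<pid>/ns/<kind>') would report them.
HOST_NS = {"cgroup": 4026531835, "ipc": 4026531839, "mnt": 4026531840,
           "net": 4026531992, "pid": 4026531836, "user": 4026531837, "uts": 4026531838}
# The container shares only the user namespace (runtimes often leave it unshared).
CONTAINER_NS = {"cgroup": 4026532501, "ipc": 4026532500, "mnt": 4026532498,
                "net": 4026532503, "pid": 4026532502, "user": 4026531837, "uts": 4026532499}


def parse_cgroup_file(text):
    """Parse /proc/<pid>/cgroup into {controller: path}.

    cgroup v2 lines look like '0::/path' (keyed 'unified' here); cgroup v1
    lines look like 'hierarchy-id:controller,controller:/path'.
    """
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        hier_id, controllers, path = line.split(":", 2)
        if hier_id == "0" and controllers == "":
            result["unified"] = path
        else:
            for ctrl in controllers.split(","):
                result[ctrl.removeprefix("name=")] = path
    return result


def parse_ns_link(target):
    """Turn a namespace symlink target such as 'pid:[4026531836]' into ('pid', 4026531836)."""
    match = re.fullmatch(r"(\w+):\[(\d+)\]", target)
    if match is None:
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return match.group(1), int(match.group(2))


def read_live_namespaces(pid="self"):
    """Read /proc/<pid>/ns/* on a Linux host; returns {} where procfs is unavailable."""
    ns_dir = f"/proc/{pid}/ns"
    if not os.path.isdir(ns_dir):
        return {}
    namespaces = {}
    for kind in NS_KINDS:
        try:
            namespaces[kind] = parse_ns_link(os.readlink(os.path.join(ns_dir, kind)))[1]
        except OSError:
            continue  # kind not supported by this kernel or not readable
    return namespaces


def shared_namespaces(ns_a, ns_b):
    """Return the sorted namespace kinds in which both processes have the same inode."""
    return sorted(kind for kind in ns_a if kind in ns_b and ns_a[kind] == ns_b[kind])


def isolation_report(cgroup_a, ns_a, cgroup_b, ns_b):
    """Summarise how well process A is separated from process B.

    'isolated' is True only when pid, mount and network namespaces all differ
    and the unified cgroup paths differ; a shared user namespace alone does
    not flip it, but it is still listed so an operator can judge it.
    """
    shared = shared_namespaces(ns_a, ns_b)
    same_cgroup = parse_cgroup_file(cgroup_a).get("unified") == parse_cgroup_file(cgroup_b).get("unified")
    critical_shared = [k for k in ("mnt", "net", "pid") if k in shared]
    return {
        "shared_namespaces": shared,
        "same_cgroup": same_cgroup,
        "isolated": not critical_shared and not same_cgroup,
    }


if __name__ == "__main__":
    print(isolation_report(HOST_CGROUP, HOST_NS, CONTAINER_CGROUP, CONTAINER_NS))
    print("live namespaces of this process:", read_live_namespaces())
```

On a real node the two namespace dicts would come from `read_live_namespaces(pid)` for a host daemon and for a process inside a container, and the cgroup text from `open(f"/proc/{pid}/cgroup").read()`; a report with `isolated` set to False for a container workload is the signal worth investigating.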
The attack surface is shrunk by running all services in containers. If a container is compromised, container isolation makes it highly unlikely that the entire system will be breached. The Amazon-supplied edition of Bottlerocket updates automatically through a Kubernetes operator installed alongside the OS.
Built To Scale
Besides improving container security, Bottlerocket can manage large, distributed environments at scale and supports automatic updates. Because Bottlerocket runs as a standalone OS, it also integrates with container orchestrators to automate host patching and improve manageability. The AWS-provided builds are designed specifically for Amazon EKS and Amazon ECS (in preview).
AWS has also released Bottlerocket as an open-source project on GitHub, allowing users to customize its integration with orchestrators and container runtimes and to produce their own builds. GitHub hosts all of the design documents, code, build tools, and tests. Developers can also contribute to Bottlerocket's source code through GitHub workflows.
Additionally, AWS has said that ISV partners can validate their software quickly before users get their hands on the latest version of Bottlerocket.