AWS has made its AWS Bottlerocket operating system, developed for containers, generally available. The special open-source operating system should make container management safer and easier.
AWS Bottlerocket should distinguish itself from the traditional Linux-based business operating systems. The business operating systems are designed to run applications and a lot of other workloads in (multiple) cloud environments. This means that these operating systems have a lot of functionality that often makes the management of these operating systems complex.
Difference with traditional Linux operating systems
The big difference with AWS Bottlerocket is that this Linux operating system focuses exclusively on running software containers. This eliminates a lot of the functionality that traditional Linux operating systems have.
Therefore, in the development of AWS Bottlerocket, a lot of standard Linux components have been omitted and only those components that are necessary for running container-based workloads have been retained. In this way, according to AWS, a Linux-based container operating system was created that is both more secure and easier to manage.
AWS Bottlerocket has several security components at its disposal. It prevents hackers from misusing the narrower code base of the container operating system.
The container operating system also uses Security-Enhanced Linux (SELinux) in enforcing mode to increase the separation or isolation between the containers and the operating system. The enforcing mode is used in addition to the standard Linux kernel technology to provide isolation between the individual container workloads, such as control groups (cgroups), namespaces, and seccomp.
AWS Bottlerocket is written in the programming language Rust which makes it less sensitive to buffer overflows in memory. This prevents hackers from exploiting memory errors.
Protection against persistent malware
The container operating system is protected against so-called persistent threats, which access certain key components of an operating system to disguise its presence.
AWS Bottlerocket reduces the risks of persistent malware using the Device-mapper’s verity target (dm-verity) feature of the Linux kernel. Dm-verity detects parts of the Linux operating system that have been changed without permission. This may indicate persistent malware.
Furthermore, AWS Bottlerocket enforces an operating model that improves the security of the operating system by discouraging administrative connections to production servers. Extensive access to cloud instances, makes this highly susceptible to attacks. In AWS Bottlerocket, this access is limited. Access to individual Bottlerocket instances is only intended for advanced debugging and troubleshooting.
On an operational level, functionality is added in AWS Bottlerocket for managing nodes at scale and automatically updating nodes in clusters. It is important to be able to update, because changes to the operating system can potentially lead to downtime.
In AWS Bottlerocket this is prevented by atomic updates. This allows its administrators to safely reverse the updates in case of errors without consequences. This leads to less overhead and cost savings in management.
Use container orchestration platform
In addition to AWS Bottlerocket, AWS recommends using a container orchestration platform for automated patching of hosts. This improves operational costs, management and uptime. It does not matter which orchestration platform this is.
AWS Bottlerocket is an open-source project and is now available through GitHub.