Amazon teases Bottlerocket, its take on Linux specifically for running containers

Rust and dual-partition sets for security, efficiency, and automated updates


Amazon Web Services has begun previewing Bottlerocket, a new open-source Linux distribution designed for running containers.

There are two main ideas behind Bottlerocket. The first is to make it easier to automate OS updates by applying them in a single step, rather than package by package. According to AWS, this will also improve uptime "by minimizing update failures and enabling easy update rollbacks."

The second part of the rationale is to strip down the OS so it only contains what is needed to run containers.

The new OS is on GitHub along with more information and build tools. The GitHub repositories include an update operator for Kubernetes (K8s), and AWS primarily has K8s in mind for Bottlerocket usage. The Bottlerocket charter spells out the four tenets behind development – secure, open, small and simple.

Bottlerocket has two identical sets of partitions. When you update Bottlerocket, the update is written to the inactive partition set, leaving the running set untouched. The partition table is then changed so that the active and inactive sets swap at the next boot. If the new set fails to boot, the system automatically rolls back to the previous one, as controlled by the Signpost utility. The update is image-based, hence the "single step": a whole OS image replaces the old one rather than individual packages being upgraded in place. There is also provision for update waves, where groups of Bottlerocket hosts are scheduled to update at different times. The project documentation describes the update process in detail. Update metadata and images are signed and verified using The Update Framework (TUF), a CNCF (Cloud Native Computing Foundation) project for securing software update systems.
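To make the swap-and-rollback behaviour concrete, here is an added example in Rust (not code from Bottlerocket or Signpost) that models a dual-partition-set update as a small state machine. It assumes three ChromeOS-style per-set boot attributes, priority, tries_left and successful, that the bootloader consults when choosing a set; the Disk and Flags types, the boot() helper and the update_and_boot() scenario are this example's own inventions, and the real GPT attribute bit layout is not reproduced.

```rust
// Added example: a model of image-based A/B updates with automatic rollback.
// Assumption: each partition set carries ChromeOS-style attributes
// (priority, tries_left, successful); names and layout are illustrative only.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Set { A, B }

impl Set {
    pub fn other(self) -> Set { match self { Set::A => Set::B, Set::B => Set::A } }
    pub fn idx(self) -> usize { match self { Set::A => 0, Set::B => 1 } }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Flags {
    pub priority: u8,     // higher wins; 0 means "never boot this set"
    pub tries_left: u8,   // trial boots allowed before the set is deemed bad
    pub successful: bool, // set by the OS once a boot is known to be healthy
}

impl Flags {
    fn bootable(&self) -> bool {
        self.priority > 0 && (self.successful || self.tries_left > 0)
    }
}

#[derive(Clone, Debug)]
pub struct Disk {
    pub flags: [Flags; 2],
    pub image: [u32; 2], // OS image version written to each set (0 = empty)
}

impl Disk {
    /// Fresh install: only set A carries an image and has booted successfully.
    pub fn new(version: u32) -> Self {
        Disk {
            flags: [
                Flags { priority: 1, tries_left: 0, successful: true },
                Flags { priority: 0, tries_left: 0, successful: false },
            ],
            image: [version, 0],
        }
    }

    /// The bootloader's choice: the highest-priority set that is still bootable.
    pub fn select(&self) -> Option<Set> {
        [Set::A, Set::B]
            .iter()
            .copied()
            .filter(|s| self.flags[s.idx()].bootable())
            .max_by_key(|s| self.flags[s.idx()].priority)
    }

    /// Single-step, image-based update: write the whole image to the set that is
    /// NOT currently selected, then flip the flags so it boots next with exactly
    /// one trial. The running set is left intact as the fallback.
    pub fn stage_update(&mut self, version: u32) -> Result<Set, &'static str> {
        let active = self.select().ok_or("no bootable set")?;
        let target = active.other();
        self.image[target.idx()] = version;
        self.flags[target.idx()] = Flags { priority: 2, tries_left: 1, successful: false };
        self.flags[active.idx()].priority = 1;
        Ok(target)
    }

    /// One boot attempt. `healthy` reports whether the selected image actually
    /// came up; an image that hangs never marks itself successful, so its trial is
    /// spent and the bootloader will skip it next time. That is the rollback.
    pub fn boot(&mut self, healthy: impl Fn(u32) -> bool) -> Result<Set, &'static str> {
        let set = self.select().ok_or("no bootable set")?;
        let version = self.image[set.idx()];
        let f = &mut self.flags[set.idx()];
        if !f.successful {
            f.tries_left = f.tries_left.saturating_sub(1); // consumed before the OS runs
        }
        if healthy(version) {
            f.successful = true;
            Ok(set)
        } else {
            Err("boot failed")
        }
    }
}

/// Walk one update through: stage it, boot once, then boot again (as a watchdog
/// reset would) and report which set and image version end up running.
pub fn update_and_boot(new_version: u32, new_image_healthy: bool) -> (Set, u32) {
    let mut disk = Disk::new(1);
    disk.stage_update(new_version).expect("staging onto the inactive set");
    let healthy = |v: u32| v != new_version || new_image_healthy;
    let _ = disk.boot(&healthy); // Err here means the new image never came up
    let set = disk.boot(&healthy).expect("fallback set must still boot");
    (set, disk.image[set.idx()])
}

fn main() {
    println!("good image -> {:?}", update_and_boot(2, true));  // (B, 2)
    println!("bad image  -> {:?}", update_and_boot(2, false)); // (A, 1)
}
```

The point the model makes explicit is that rollback needs no extra step: the new set is only ever granted a single trial boot, and unless the booted OS itself marks the set successful, the bootloader's ordinary selection rule falls back to the old set on the next start.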

There is no SSH server, normally used to enable secure login, nor is there even a shell in the base Bottlerocket image. This is to improve security. To get a shell, you use a special control container, which is enabled by default, to start an admin container, which is disabled by default. In the admin container you can run a root shell using the command sheltie, though even then the system "will prevent most changes from persisting over a restart".

AWS makes extensive use of Rust for Bottlerocket. "Almost all first-party components are written in Rust. Rust eliminates some classes of memory safety issues, and encourages design patterns that help security," says the description. Third-party components include the Linux kernel, GRUB patched to support the partition swapping, containerd for running containers, K8s, and the AWS IAM authenticator. The system for building Bottlerocket itself uses Rust and Docker.

According to the charter, Bottlerocket is open and "not a Kubernetes distro, nor an Amazon distro". That said, the project is focused on AWS and EKS (Elastic Kubernetes Service), though we are assured that "there is nothing that limits Bottlerocket to EKS or AWS". The suggested path for trying it out is to set up an EKS cluster.

Google also has a container-optimised OS based on the Chromium OS project, used for Chrome OS. There is a reference to "ChromeOS-style GPT priority bits" in the documentation for Signpost, so it looks as if the two share a boot-selection design. On Microsoft's Azure Kubernetes Service "the VM image for the nodes in your cluster is currently based on Ubuntu Linux or Windows Server 2019", according to the docs, though you can also select your own. It is a less impressive pitch than that of Google and now AWS.

Paying close attention to the OS used for K8s node images makes perfect sense for security, reliability and efficiency. ®
