Amazon teases Bottlerocket, its take on Linux specifically for running containers

Rust and dual-partition sets for security, efficiency, and automated updates


Amazon Web Services has begun previewing Bottlerocket, a new open-source Linux distribution designed for running containers.

There are two main ideas behind Bottlerocket. The first is to make it easier to automate OS updates by applying them in a single step, rather than package by package. According to AWS, this will also improve uptime "by minimizing update failures and enabling easy update rollbacks."

The second part of the rationale is to strip down the OS so it only contains what is needed to run containers.

The new OS is on GitHub along with more information and build tools. The GitHub repositories include an update operator for Kubernetes (K8s), and AWS primarily has K8s in mind for Bottlerocket usage. The Bottlerocket charter spells out the four tenets behind development – secure, open, small and simple.

Bottlerocket has two identical sets of partitions. When you update Bottlerocket, it is the inactive partition set that gets the update. Then the partition table is changed to swap the active and inactive partition sets. If the boot fails, the system automatically rolls back to the previous set, as controlled by the Signpost utility. The update is image-based, hence the "single step." There is also provision for update waves, where groups of Bottlerocket hosts are scheduled to update at different times. AWS has published a description of the update process, which uses a CNCF (Cloud Native Computing Foundation) project called The Update Framework (TUF) for signing and verifying update metadata.
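
The following Rust is an added illustration of the ChromeOS-style A/B bookkeeping behind that swap-and-rollback behaviour; it is not Signpost's or Bottlerocket's own code. Each partition set carries a priority, a count of boot tries and a "proven good" flag. Staging an update raises the inactive set above the active one but gives it only a limited number of boot attempts; the bootloader spends one attempt before each unproven boot, and only a healthy userspace marks the set good, so a set that never comes up is abandoned and the old set boots again. The field names, the two-level priority policy and the two scenarios are assumptions made for this example.

```rust
// Added example: a model of ChromeOS-style A/B boot selection over two
// partition sets, in the spirit of (not copied from) Bottlerocket's Signpost.
// Field names, the priority policy and the scenarios are assumptions.

/// One partition set and the GPT attribute fields the bootloader consults.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct PartitionSet {
    /// Boot preference; highest bootable priority wins, 0 means "never boot".
    pub priority: u8,
    /// Attempts an unproven set may still spend before it is abandoned.
    pub tries_left: u8,
    /// Set once a boot of this set reached a healthy userspace.
    pub successful: bool,
}

impl PartitionSet {
    /// Bootable if prioritised and either proven good or still holding tries.
    pub fn bootable(&self) -> bool {
        self.priority > 0 && (self.successful || self.tries_left > 0)
    }
}

/// The partition-table state that the bootloader and the running OS share.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct PartitionTable {
    pub sets: [PartitionSet; 2],
}

impl PartitionTable {
    /// A freshly provisioned host: set 0 is proven good, set 1 is empty.
    pub fn fresh() -> Self {
        PartitionTable {
            sets: [
                PartitionSet { priority: 1, tries_left: 0, successful: true },
                PartitionSet { priority: 0, tries_left: 0, successful: false },
            ],
        }
    }

    /// What the bootloader picks: the bootable set with the highest priority.
    pub fn select(&self) -> Option<usize> {
        (0..self.sets.len())
            .filter(|&i| self.sets[i].bootable())
            .max_by_key(|&i| self.sets[i].priority)
    }

    /// Stage an image-based update: the whole new image lands on the inactive
    /// set, which then outranks the active set, but only for `tries` boots.
    /// The active set keeps a lower, non-zero priority so it stays the fallback.
    /// Returns the index of the set that received the update.
    pub fn stage_update(&mut self, tries: u8) -> usize {
        let active = self.select().expect("no bootable partition set");
        let target = 1 - active;
        self.sets[target] = PartitionSet { priority: 2, tries_left: tries, successful: false };
        self.sets[active].priority = 1;
        target
    }

    /// Bootloader side of one boot: choose a set and, if it is not yet proven,
    /// spend one try *before* handing off to the kernel, so a crash or hang
    /// later in the boot cannot leave the counter untouched.
    pub fn boot(&mut self) -> Option<usize> {
        let idx = self.select()?;
        let set = &mut self.sets[idx];
        if !set.successful {
            set.tries_left -= 1;
        }
        Some(idx)
    }

    /// OS side: once userspace is healthy, mark the set that booted as good.
    /// It is then bootable regardless of tries; the old set keeps its lower
    /// priority only as the target of the next update.
    pub fn mark_successful(&mut self, idx: usize) {
        self.sets[idx].successful = true;
        self.sets[idx].tries_left = 0;
    }
}

/// Scenario 1: the updated image never reaches a healthy userspace.
/// Returns the set index the bootloader picked on each boot.
pub fn failed_update_scenario() -> Vec<usize> {
    let mut table = PartitionTable::fresh();
    table.stage_update(1);
    let mut picks = Vec::new();
    picks.push(table.boot().unwrap()); // new set is tried and crashes
    picks.push(table.boot().unwrap()); // its only try is spent: rollback
    picks
}

/// Scenario 2: the updated image boots, reports success and sticks.
pub fn successful_update_scenario() -> Vec<usize> {
    let mut table = PartitionTable::fresh();
    table.stage_update(1);
    let mut picks = Vec::new();
    let first = table.boot().unwrap();
    picks.push(first);
    table.mark_successful(first); // userspace came up and reported back
    picks.push(table.boot().unwrap());
    picks.push(table.boot().unwrap());
    picks
}

fn main() {
    println!("failed update, boots:     {:?}", failed_update_scenario());
    println!("successful update, boots: {:?}", successful_update_scenario());
}
```

The point worth noticing is the ordering in `boot`: the try is consumed before the kernel runs, not after userspace reports back. That is what makes the rollback automatic rather than something a wedged host has to remember to do. The same table state also explains why a second update naturally lands on the set that was just superseded.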

There is no SSH server, normally used to enable secure login, nor is there even a shell in the base Bottlerocket image. This is to improve security. To get a shell, you use a special control container, which is enabled by default, to start an admin container, which is disabled by default. In the admin container you can run a root shell using the command sheltie, though even then the system "will prevent most changes from persisting over a restart".

AWS makes extensive use of Rust for Bottlerocket. "Almost all first-party components are written in Rust. Rust eliminates some classes of memory safety issues, and encourages design patterns that help security," says the description. Third-party components include the Linux kernel, GRUB patched to support the partition swapping, containerd for running containers, K8s, and the AWS IAM authenticator. The system for building Bottlerocket itself uses Rust and Docker.

According to the charter, Bottlerocket is open and "not a Kubernetes distro, nor an Amazon distro". That said, the project is focused on AWS and EKS (Elastic Kubernetes Service), though we are assured that "there is nothing that limits Bottlerocket to EKS or AWS". The suggested path for trying it out is to set up an EKS cluster.

Google also has a container-optimised OS based on the Chromium OS project, which also underpins Chrome OS. There is a reference to "ChromeOS-style GPT priority bits" in the documentation for Signpost, so it looks as if there are some similarities. On Microsoft's Azure Kubernetes Service "the VM image for the nodes in your cluster is currently based on Ubuntu Linux or Windows Server 2019", according to the docs, though you can also select your own. It is a less impressive pitch than that of Google and now AWS.

Paying close attention to the OS used for K8s node images makes perfect sense for security, reliability and efficiency. ®

Brave's homegrown search claims to protect your privacy but there's a long way to go if it's to challenge the big G

Ad-free now but not forever

The Brave browser will now default to the company's own search engine, which it claims preserves privacy, while a new Web Discovery Project aims to collect search data from users, again with privacy protections promised.

The Brave web browser is based on the Google-sponsored Chromium engine but with features designed to prevent tracking, as well as an unusual reward system using its own cryptocurrency, the Basic Attention Token (BAT). Brave search will now be the default on new installs for desktop, Android, and iOS. Existing Brave users will keep their current default unless they choose to change it.

Brave Search was released in beta in June and uses technology called Tailcat, acquired from the failed German Cliqz project, which also sought to provide a Google-free index.

NHS Digital exposes hundreds of email addresses after BCC blunder copies in entire invite list to 'Let's talk cyber' event

It's like rai-iiiiiin on your wedding day

NHS Digital has scored a classic Mail All own-goal by dispatching not one, not two, not three, but four emails concerning an infosec breakfast briefing, each time copying the entirety of the invite list in on the messages.

The first email sent yesterday morning thanked participants for "registering for NHS Digital's Full Digital Breakfast: Let's talk cyber, scheduled for Thursday 21 October 2021, 8:00-9:00am."

Apparently Neil Bennett, CISO at NHS Digital, and Phil Huggins, National CISO at NHS X, "along with guest speakers, will have a conversation about the ongoing protection and how an increasingly digitised world means we must be super vigilant and cyber secure, where cyber hygiene is essential in protecting patients."

Hitting underground pipes and cables costs the UK £2.4bn a year. We need a data platform for that, says government

Atkins wins £23m deal to build National Underground Asset Register

The UK government has awarded management consultancy Atkins a £23m contract to help it get to grips with accidental damage to underground pipes and cables, which is costing £2.4bn a year.

The Geospatial Commission, an independent expert committee within the Cabinet Office, has awarded the work to help it build "a secure data exchange platform providing a comprehensive, trusted and secure digital map of where buried assets are located."

Documents attached to a competitive tender notice point out that when digging up roads or attempting any other subterranean engineering, workers suffer the considerable difficulty of finding out what other human-made structures might be down there.

Lunar rocks brought to Earth by China's Chang'e 5 show Moon's volcanoes were recently* active

* Just a couple of billion years

The Moon remained volcanically active much later than previously thought, judging from fragments of rocks dating back two billion years that were collected by China's Chang'e 5 spacecraft.

The Middle Kingdom's space agency obtained about 1.72 kilograms (3.8 pounds) of lunar material from its probe, which returned to Earth from the Moon in December. These samples gave scientists their first chance to get their hands on fresh Moon material in the 44 years since the Soviet Union's Luna 24 mission brought 170 grams (six ounces) of regolith to our home world in 1976.

The 47 shards of basalt rocks retrieved by Chang'e 5 were estimated to be around two billion years old using radiometric dating techniques. The relatively young age means that the Moon was still volcanically active up to 900 million years later than previous estimates, according to a team of researchers led by the Chinese Academy of Sciences (CAS).

Centre for Computing History apologises to customers for 'embarrassing' breach

Website patched following phishing scam, no financial data exposed

Updated The Centre for Computing History (CCH) in Cambridge, England, has apologised for an "embarrassing" breach in its online customer datafile, though thankfully no payment card information was exposed.

The museum for computers and video games said it was notified that a unique email address used to book tickets via its website "has subsequently received a phishing email that looked like it came from HSBC."

"Our investigation has revealed that our online customer datafile has been compromised and the email addresses contained within are now in the hands of spammers," says the letter to visitors from Jason Fitzpatrick, CEO and trustee at CCH dated 19 October.

Ancient with a dash of modern: We joined the Royal Navy to find there's little new in naval navigation

Following the Fleet Navigating Officers' course

Boatnotes II The art of not driving your warship into the coast or the seabed is a curious blend of the ancient and the very modern, as The Reg discovered while observing the Royal Navy's Fleet Navigating Officers' (FNO) course.

Held aboard HMS Severn, "sea week" of the FNO course involves taking students fresh from classroom training and putting them on the bridge of a real live ship – and then watching them navigate through progressively harder real-life challenges.

"It's about finding where the students' capacity limit is," FNO instructor Lieutenant Commander Mark Raeburn told The Register. Safety comes first: the Navy isn't interested in having navigators who can't keep up with the pressures and volume of information during pilotage close to shore – or near enemy minefields.

Darmstadt, we have a problem – ESA reveals its INTEGRAL space telescope was three hours from likely death

Gamma ray-spotting 'scope was spinning uncontrollably and unable to make 'leccy until dramatic rescue

The European Space Agency (ESA) revealed on Monday that its 19-year-old International Gamma-Ray Astrophysics Laboratory (INTEGRAL) had a near-death experience last month when failure of a small yet significant part caused it to spin uncontrollably and prevented its solar panels from generating power.

According to ESA's blog, one of the scope's three active 'reaction wheels' – flywheels that help to stabilise attitude – turned off without warning. Absent the reaction wheel's energy, INTEGRAL rotated dangerously.

The ESA activated Emergency Safe Attitude Mode, but that was ineffective because a July 2020 failure had left the geriatric satellite's thrusters inoperable.

When it comes to ransomware, every second hurts

Fortinet seeks to make EDR easy for non-specialists

Sponsored For the longest time it seemed that modern endpoint detection and response (EDR) was getting on top of the worst malware, only for that certainty to evaporate in a single day in June 2017 thanks to a strange malware event remembered as the NotPetya attack.

A lot of virtual ink has flowed on the origins of NotPetya, but the most important aspect of its behaviour for anyone involved in endpoint defence was the stunning speed with which it turned entire networks of computers into boxes uselessly pushing warm air. The word 'fast' gets bandied around a lot in malware incidents, but for once this was no hyperbole: it reportedly downed an entire Ukrainian bank in 45 seconds, and a network running part of the country's transit system in a third of that time.

That means the infection unfolded in roughly 15 seconds to less than a minute. As with the equally swift WannaCry infection, which had encrypted at least 200,000 computers in 150 countries only weeks earlier, this was far faster than the EDR systems of the time, and the teams fielding the alerts they generated, could possibly react. Security Operations Centre (SOC) teams couldn't even ask employees to turn their computers off.

Facebook may soon reveal new name – we're sure Reg readers will be more creative than Zuck's marketroids

We've kicked things off with the most splendidly evil fictional corporations, feel free to share your ideas

POLL Consumer tech outlet The Verge today reports that Facebook may soon reveal a new name.

Apparently Zuck wants to create an umbrella brand – a bit like Google did when it created Alphabet as its parent company. The Social Network™ is also keen to reflect its shift to "the metaverse", as signalled by its plan to hire 10,000 new workers to build some version of shared virtual reality.

Facebook has clammed up about its plans.

Sir Clive Sinclair inspired me and 'whole load of others' at Arm, says CEO Simon Segars

But of course chief exec's first computer was an Acorn

Like so many of us in tech, Arm CEO Simon Segars has his own computing origins story, which he shared during a speech on Tuesday at the Arm DevSummit developer conference.

British-born Segars' interest in computing started at age 14, when he'd go to a shop that had a Sinclair ZX81 computer on display, on which he wrote simple programs, learning about concepts like variables and loops.

"It was expensive at £70, we weren't about to buy one … and [it was] primitive by today's standards. It had a 3MHz, 8-bit microprocessor and a whole 1KB of memory," Segars said.

Crims target telcos' Linux and Solaris boxes, which don't get enough infosec love

CrowdStrike says 'LightBasin' gang avoids Windows, and knows that telco networks run on badly-secured *nix

A mysterious criminal gang is targeting telcos' Linux and Solaris boxes, because it perceives they aren't being watched by infosec teams that have focussed their efforts on securing Windows.

Security vendor CrowdStrike claims it's spotted the group and that it "has been consistently targeting the telecommunications sector at a global scale since at least 2016 … to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata." The gang appears to understand telco operations well enough to surf the carrier-to-carrier links that enable mobile roaming, across borders and between carriers, to spread its payloads.

CrowdStrike principal consultant Jamie Harries and senior security researcher Dan Mayer named the group "LightBasin", but it also goes by the handle "UNC1945".
