Amazon Web Services Inc. today announced the general availability of Bottlerocket, an open-source Linux distribution it has developed specifically for running software containers.
Popular Linux distributions are designed to run not only containers, which enable applications to be run in multiple computing environments, but also a range of other workloads. Because they support a large number of use cases, they have a large number of components that can be difficult to manage.
When developing Bottlerocket, AWS left out many standard Linux components and kept only the ones necessary to run container-based workloads, creating an operating system that it says is both easier to manage and more secure. The extra security stems from the fact that Bottlerocket’s smaller code base leaves fewer potential weak points for hackers to exploit.
Moreover, AWS put in place a number of additional safeguards to help block threats. The cloud giant’s engineers have written large parts of Bottlerocket in the Rust language, which is less prone to buffer overflow exploits than the C language in which the Linux kernel is mainly written.
AWS has also hardened Bottlerocket against so-called persistent threats. Persistent threats, also known as persistent malware, are a type of malicious program that obtains access to key components of an operating system and exploits those components to hide its tracks.
Bottlerocket mitigates the risk from such attacks by making use of a Linux kernel feature called dm-verity. The feature detects parts of the operating system that may have been changed without permission, which is a reliable way of spotting hidden persistent malware.
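To make the dm-verity idea concrete, here is an added illustration (not code from Bottlerocket, AWS or the Linux kernel) of the principle behind it: a read-only image is split into fixed-size blocks, a hash tree is built over those blocks, and every block is checked against the trusted root hash before it is used, so a block that was altered after the tree was built fails verification. This is a simplified model, not the real dm-verity on-disk format: it assumes 64-byte blocks (real dm-verity defaults to 4 KiB), uses unsalted SHA-256, and keeps the trusted tree in memory rather than in a separate hash partition. The sample image and the tampered copy are constructed inline.

```python
import hashlib

# Constructed parameters for the illustration; real dm-verity uses 4 KiB blocks and a salt.
BLOCK_SIZE = 64


def hash_block(data: bytes) -> bytes:
    """Hash one block or one pair of child hashes."""
    return hashlib.sha256(data).digest()


def split_blocks(image: bytes):
    """Split an image into BLOCK_SIZE chunks, zero-padding the final chunk."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if blocks and len(blocks[-1]) < BLOCK_SIZE:
        blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def _pad_even(level):
    # An odd node count duplicates the last hash so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 == 1 else level


def build_tree(blocks):
    """Return the tree as a list of levels: level 0 holds leaf hashes, the last holds [root]."""
    level = [hash_block(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        level = _pad_even(level)
        level = [hash_block(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(image: bytes) -> bytes:
    """The single value that must be anchored outside the writable image (kernel cmdline, signed boot config)."""
    return build_tree(split_blocks(image))[-1][0]


def auth_path(levels, index):
    """Sibling hashes from leaf `index` up to the root, with a flag saying whether our node is the left child."""
    path = []
    for level in levels[:-1]:
        level = _pad_even(level)
        sibling = index ^ 1
        path.append((level[sibling], index % 2 == 0))
        index //= 2
    return path


def verify_block(block: bytes, path, root: bytes) -> bool:
    """Recompute the root from one block and its authentication path; mismatch means the block changed."""
    h = hash_block(block)
    for sibling, block_is_left in path:
        h = hash_block(h + sibling) if block_is_left else hash_block(sibling + h)
    return h == root


def detect_tampering(trusted_image: bytes, image_on_disk: bytes):
    """Return the indices of blocks in `image_on_disk` that fail verification against the trusted tree.

    Assumes both images have the same number of blocks, as a verity-protected volume is fixed-size."""
    levels = build_tree(split_blocks(trusted_image))
    root = levels[-1][0]
    failed = []
    for i, blk in enumerate(split_blocks(image_on_disk)):
        if not verify_block(blk, auth_path(levels, i), root):
            failed.append(i)
    return failed


# Constructed sample: five 64-byte blocks standing in for a root filesystem image.
SAMPLE_IMAGE = b"".join(f"block{i:02d}".encode().ljust(BLOCK_SIZE, b".") for i in range(5))

# The same image with block 3 overwritten, standing in for an implant that patched a system file.
TAMPERED_IMAGE = (
    SAMPLE_IMAGE[: 3 * BLOCK_SIZE]
    + b"modified".ljust(BLOCK_SIZE, b"!")
    + SAMPLE_IMAGE[4 * BLOCK_SIZE:]
)

if __name__ == "__main__":
    print("root hash:", root_hash(SAMPLE_IMAGE).hex())
    print("failed blocks, untouched image:", detect_tampering(SAMPLE_IMAGE, SAMPLE_IMAGE))
    print("failed blocks, tampered image:", detect_tampering(SAMPLE_IMAGE, TAMPERED_IMAGE))
```

The property worth noting is that only the root hash needs to be trusted: the kernel verifies each block as it is read, so a change to any block, or to the hash tree that covers it, surfaces as a read error rather than silently executing. That is why the root hash must live somewhere the writable image cannot reach, such as a signed boot configuration.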
“Bottlerocket also enforces an operating model that further improves security by discouraging administrative connections to production servers,” AWS product manager Samartha Chandrashekar elaborated in a blog post. Administrator accounts often have broad access to cloud instances, which makes them a target for hackers. “The act of logging into an individual Bottlerocket instance is intended to be an infrequent operation for advanced debugging and troubleshooting.”
The other way Bottlerocket aims to make it easier to run containers is by simplifying operating system updates. Deploying operating system changes to a container environment running mission-critical applications is risky because issues with the rollout can cause downtime. With this in mind, AWS has built a feature called atomic updates into Bottlerocket that it says allows administrators to undo an operating system change safely if it causes errors.
“Updates to Bottlerocket can be applied and rolled back in an atomic manner, which makes them easy to automate, reducing management overhead and reducing operational costs,” Chandrashekar detailed.
Bottlerocket is available on GitHub.