Five Things To Know About Bottlerocket, AWS’ New Container-Optimized Linux
AWS introduced Bottlerocket to power containerized workloads running on its own managed container services, and everywhere else.
Security and Updates
Beyond integrations with AWS-native services, Bottlerocket offers some unique benefits, especially around security and ease of updating the software.
Updates aren’t presented package by package, with all the steps that process introduces, Ulander said, but instead come “whole hog.”
“For a container host operating system, you don’t want it to be super flexible and have multiple packages,” he told CRN.
Thompson said Flux7 is pleased to see AWS and its developer community followed a security-first approach when developing the container OS.
“Amazon removed all shells and interpreters, eliminating the risk of them being exploited or by users accidentally escalating privileges,” Thompson told CRN.
By default, policies are enabled to enforce separation between the containers and the kernel. Binaries are secured with hardened flags to keep users or programs from executing them. And if a user can break into the filesystem, Bottlerocket offers a tool to validate and track any changes made, Thompson said.
To improve the process of installing updates, Amazon leveraged TUF (The Update Framework), which downloads image-based upgrades to alternate or “unmounted” partitions, Thompson said.
Another tool toggles the partition priority and can even fall back on failure, he said. “This allows the OS to be upgraded at one step without a reboot or the risk of package by package upgrades having issues and leaving the OS in an unknown state.”
Updates can also be triggered automatically using a Kubernetes operator or manually via the API, Thompson noted.
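The partition-priority and fallback behaviour described above, as an added example that is not Bottlerocket's own tooling or code: a small simulation of an A/B image-slot scheme in which each slot carries a priority, a count of remaining boot tries and a "successful" flag, so a new image that never confirms a good boot is automatically abandoned in favour of the previous one. The slot names, attribute names and helper functions are assumptions; image download and TUF verification are left out.

```python
"""Simulation of A/B image-slot selection with priority and fallback.

Added example only: slot names, attribute names and the helper
functions below are assumptions, not Bottlerocket's own tooling.
"""

from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Slot:
    priority: int      # higher wins; 0 means "never boot this slot"
    tries_left: int    # boot attempts left before an unproven slot is abandoned
    successful: bool   # set once userspace confirms the slot booted fine


def select_boot_slot(slots: Dict[str, Slot]) -> Optional[str]:
    """Pick the slot a bootloader would boot next, mutating `slots`.

    A slot is bootable if its priority is non-zero and it has either
    already proven itself or still has tries left.  The highest
    priority among bootable slots wins.  Booting an unproven slot
    consumes one try, so an image that keeps failing before it can mark
    itself successful drops out and the old slot is chosen again: that
    is the automatic fallback.
    """
    candidates = [
        (name, s) for name, s in slots.items()
        if s.priority > 0 and (s.successful or s.tries_left > 0)
    ]
    if not candidates:
        return None
    name, slot = max(candidates, key=lambda item: item[1].priority)
    if not slot.successful:
        slots[name] = replace(slot, tries_left=slot.tries_left - 1)
    return name


def stage_update(slots: Dict[str, Slot], active: str, inactive: str,
                 tries: int = 1) -> None:
    """Toggle partition priority after an image is written to the inactive slot.

    The new image gets the highest priority but no proven boots; the
    old image stays bootable at a lower priority so it can be fallen
    back to.
    """
    slots[inactive] = Slot(priority=2, tries_left=tries, successful=False)
    slots[active] = replace(slots[active], priority=1)


def mark_boot_successful(slots: Dict[str, Slot], name: str) -> None:
    """Called by a health check once the booted slot is confirmed working."""
    slots[name] = replace(slots[name], successful=True)


def simulate(update_boots_ok: bool) -> List[str]:
    """Run one upgrade cycle and return the slots booted, in order."""
    # Constructed starting state: slot A is the running, proven image;
    # slot B is empty and unbootable.
    slots = {"A": Slot(priority=2, tries_left=0, successful=True),
             "B": Slot(priority=0, tries_left=0, successful=False)}
    booted: List[str] = []
    stage_update(slots, active="A", inactive="B")
    first = select_boot_slot(slots)          # the new image is tried first
    booted.append(first)
    if update_boots_ok:
        mark_boot_successful(slots, first)   # health check passed
    # Next boot: a confirmed B is kept; an unconfirmed B has used its
    # only try, so the bootloader falls back to A.
    booted.append(select_boot_slot(slots))
    return booted


if __name__ == "__main__":
    print("good update:", simulate(True))    # ['B', 'B']
    print("bad update: ", simulate(False))   # ['B', 'A']
```

The point of the simulation is the ordering of state changes: the old slot is never made unbootable, the new slot only becomes the durable default once something in userspace marks it successful, and the bootloader, not the updater, is what enforces the fallback. Whatever the real tool that flips priorities on a host does, a reviewer can ask whether it preserves those three properties.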