UPDATED 16:11 EST / AUGUST 31 2020

CLOUD

AWS launches its Bottlerocket container operating system into general availability

Amazon Web Services Inc. today announced the general availability of Bottlerocket, an open-source Linux distribution it has developed specifically for running software containers.

Popular Linux distributions are designed to run not only containers, which enable applications to be run in multiple computing environments, but also a range of other workloads. Because they support a large number of use cases, they have a large number of components that can be difficult to manage.

When developing Bottlerocket, AWS left out many standard Linux components and kept only the ones necessary to run container-based workloads, creating an operating system that it says is both easier to manage and more secure. The extra security stems from the fact that Bottlerocket’s smaller code base leaves fewer potential weak points for hackers to exploit.

Moreover, AWS put in place a number of additional safeguards to help block threats. The cloud giant’s engineers have written large parts of Bottlerocket in the Rust language, which is less prone to buffer overflow exploits than the C language in which the Linux kernel is mainly written.

AWS has also hardened Bottlerocket against so-called persistent threats. Persistent threats, also known as persistent malware, are a type of malicious program that obtains access to key components of an operating system and exploits those components to hide its tracks. 

Bottlerocket mitigates the risk from such attacks by making use of a Linux kernel feature called dm-verity. The feature detects parts of the operating system that may have been changed without permission, which is a reliable way of spotting hidden persistent malware.

“Bottlerocket also enforces an operating model that further improves security by discouraging administrative connections to production servers,” AWS product manager Samartha Chandrashekar elaborated in a blog post. Administrator accounts often have broad access to cloud instances, which makes them a target for hackers. “The act of logging into an individual Bottlerocket instance is intended to be an infrequent operation for advanced debugging and troubleshooting.”

The other way Bottlerocket aims to make it easier to run containers is by simplifying operating system updates. Deploying operating system changes to a container environment running mission-critical applications is risky because issues with the rollout can cause downtime. With this in mind, AWS has built a feature called atomic updates into Bottlerocket that it says allows administrators to undo an operating system change safely if it causes errors.  

“Updates to Bottlerocket can be applied and rolled back in an atomic manner, which makes them easy to automate, reducing management overhead and reducing operational costs,” Chandrashekar detailed.

Bottlerocket is available on GitHub

Image: AWS

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU