A new release of the Linux distribution Bottlerocket, version 1.15.0, has been published. The distribution is developed in collaboration with Amazon to run isolated containers efficiently and securely. Its tools and control components are written in Rust, and it is distributed under the MIT and Apache 2.0 licenses. Bottlerocket supports running on Amazon ECS, VMware, and AWS EKS Kubernetes, and also allows the use of other orchestration tools and container runtimes.
Bottlerocket is designed to provide an atomic, automatically updated system image consisting of the Linux kernel and the minimal system environment needed to run containers. Key components of the distribution include systemd, the glibc library, Buildroot for building the image, the GRUB bootloader, the Wicked network configurator, the containerd container runtime, the Kubernetes orchestration platform, the AWS authenticator, and the Amazon ECS agent.
Container management and orchestration tools are delivered in a separate control container, which is secured and managed through an API and the AWS SSM Agent. The base system image contains no command shell, no SSH server, and no interpreted languages such as Python or Perl. Administrative and debugging tools ship in a separate service container, which is disabled by default.
Bottlerocket differs from similar distributions, such as Fedora CoreOS and CentOS/Red Hat Atomic Host, in its primary focus on maximum security. It aims to harden the system against potential threats, make exploitation of vulnerabilities in OS components harder, and strengthen container isolation. For container isolation the distribution relies on Linux kernel mechanisms such as cgroups, namespaces, and seccomp; in addition, SELinux is used in "Enforcing" mode for further isolation.