Amazon Web Services Inc. recently announced the official launch of Bottlerocket, an open-source Linux distribution exclusively designed for running software containers. Popular Linux distributions are developed to run not only containers that allow applications to run in multiple computing environments but also a number of other workloads.
When designing Bottlerocket, AWS left out several traditional Linux components and retained only those needed to run container-based workloads, providing an operating system that is supposed to be both easier to handle and more stable. The extra protection comes from the fact that Bottlerocket’s reduced codebase leaves less possible bugs for hackers to manipulate.
In addition, AWS has implemented a range of new protections to further combat attacks. Cloud giant technologists have written huge portions of the Bottlerocket in the Rust language, which is less susceptible to buffer overflow vulnerabilities than the C language in which the Linux kernel is usually written.
Even AWS has protected Bottlerocket from so-called persistent threats. Persistent threats, also known as persistent malware, are a kind of destructive software that achieves access to key operating system components and hacks certain components to cover its traces.
By using a Linux kernel feature termed as dm-verity, Bottlerocket minimizes the risk from these attacks. The function identifies areas of the operating system that may have been altered without authorization, which is a safe way to find persistent malware tucked away.
The other manner in which Bottlerocket tries to make containers easy to run is by simplifying changes to operating systems. Deploying changes to the operating system in a container environment that runs mission-critical applications is dangerous because difficulties with the deployment will cause downtimes. With this in mind, AWS has developed into Bottlerocket a feature called atomic updates which says, it allows supervisors to securely rectify an operating system change if it makes mistakes.
By making it easy to handle nodes and simplify node changes within the cluster, Bottlerocket increases operations and manageability on the scale. In comparison to general-purpose Linux distributions intended to support bundled programs in a range of configurations, Bottlerocket is intended for running containers. Alerts to other general-purpose Linux distributions are implemented package-by-package, and the dynamic dependencies between their packages will lead to errors, making the process difficult to automate.
Comparatively, general-purpose operating systems have the ability to customize each instance differently as required for its workload, making the management of conventional Linux software more complicated. In comparison, Bottlerocket upgrades can be implemented and re-rolled atomically, which makes them easy to process, decreases cost control, and improves operation.
Updates to Bottlerocket can be implemented and rolled back in an atomic way, making it easy to automate, reduce overhead management and reduce operating costs, said Samartha Chandrashekar, AWS product manager.
