AWS recently made AWS Bottlerocket generally available after its announcement a few months ago. While a slimmed-down OS for running containers more efficiently is not a new idea, we expect AWS Bottlerocket to take off (pun intended) given its native integration with popular AWS services and its focus on security. These core benefits let teams concentrate on business outcomes, such as better resource utilization and cost management, more than alternative solutions do.
What is AWS Bottlerocket?
An operating system designed specifically to run containers, AWS Bottlerocket is a lightweight Linux distribution built with only the software and services that containers require. It is also one of the few Amazon Machine Images (AMIs) developed and provided by AWS that is open source, available on GitHub with a public roadmap.
AWS Bottlerocket benefits
Being open source gives clients the flexibility to add customizations or create custom Variants to meet their specific needs. A Variant packages Bottlerocket with a particular combination of software and file systems for a given use case. Even AWS has its own Variants: for example, an ECS Variant and a Kubernetes Variant of Bottlerocket.
Bottlerocket also comes with support from AWS, which can close a support gap for some teams. The AWS-provided builds of Bottlerocket are covered under AWS Support plans, which makes it especially attractive for companies running containers in a production environment that requires official support. The first major release will receive security and bug-fix updates for three years.
In addition, two of the most significant benefits of Bottlerocket are its integration with other AWS services and its focus on security. Let's examine each of these:
Optimized for integration with AWS services, Bottlerocket lets teams troubleshoot issues by providing an admin container in which to install and use debugging tools such as sosreport, traceroute, strace, and tcpdump. Businesses also gain container uptime through integration with EKS orchestration: Bottlerocket performs updates by draining containers off the hosts being updated and placing them on other hosts in the cluster with spare capacity. If an update fails, the orchestrator can safely roll it back. Note that Bottlerocket's ECS integration is currently in preview.
To deploy, operators can launch Bottlerocket just like any other AMI, and it can be managed through AWS Systems Manager using the remote API. For administration, users can SSH into the admin container with the key pair provided when the instance was launched.
While the slimmed-down OS presents a thinner attack surface, Amazon follows a "Security First" approach in several other ways. First, it has removed all shells and interpreters from the host, eliminating the risk of their being exploited or of users escalating privileges by escaping into them. Second, it enables Security-Enhanced Linux (SELinux) policies in enforcing mode by default; these policies keep the containers separated from the kernel. If a user were somehow to tamper with the filesystem, Bottlerocket uses dm-verity to validate the filesystem and detect any changes made. Last, the binaries are built with hardening flags to keep users or programs from executing them.
AWS Bottlerocket advantages
While similar container host operating systems such as CoreOS, RancherOS, or Talos already exist, they are very minimal: they ship with only the software strictly required to run containers and lack package managers, which makes adding or removing packages and performing upgrades difficult.
To address the upgrade problem, Amazon based Bottlerocket's transactional upgrades on The Update Framework (TUF): an image-based upgrade is downloaded to the alternate, unmounted partition set, and a tool called updog then flips the partition priority and can fall back to the previous image on failure. This allows the OS to be upgraded in one step without a reboot, avoiding the risk of a package-by-package upgrade failing midway and leaving the OS in an unknown state. Upgrades can be triggered automatically with a Kubernetes operator or manually via the API.
In addition, all of these container operating systems (Bottlerocket included) come with read-only filesystems, which keep users or programs from making changes that could break the underlying operating system. Beyond this, however, AWS Bottlerocket isolates container runtimes. One runtime is the one known to kubelet, where all pods land when started; the other runs a host container used to control the host. That host container is one of two types, chosen by the user: the control container, used for remote API access, or the admin container, used for deep debugging and exploration.
Avoiding the metadata weeds
Amazon leverages metadata heavily in the configuration of the different settings needed by Bottlerocket. We can get pretty deep in the weeds talking about this subject. Still, the use of metadata addresses several challenges found in a secure, optimized container operating system running in the cloud.
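Tying the metadata-driven configuration back to the host-container and update design described above, the following is an added example (not code from the original post or from the Bottlerocket project) that generates the user-data TOML for an EKS node with the SSH admin container left off, the Systems Manager control container on, and the update version pinned. The setting names and the SSM parameter path are assumed from the Bottlerocket and AWS documentation; the cluster name, API server URL, certificate, and variant are placeholders.

```shell
#!/bin/sh
# Added example: build Bottlerocket user data that favours SSM access over SSH.
# Setting names assumed from the Bottlerocket README; cluster values are placeholders.
set -eu

# $1 cluster name, $2 API server URL, $3 base64 cluster CA, $4 version lock
bottlerocket_user_data() {
  cat <<EOF
[settings.kubernetes]
cluster-name = "$1"
api-server = "$2"
cluster-certificate = "$3"

# Control container: remote management through AWS Systems Manager (no SSH).
[settings.host-containers.control]
enabled = true

# Admin container: SSH plus debugging tools; keep it off until an incident
# needs it (it can be enabled later through the API without relaunching).
[settings.host-containers.admin]
enabled = false

# Pin the image version so the orchestrator, not the host, decides when to move.
[settings.updates]
version-lock = "$4"
ignore-waves = false
EOF
}

# Count the host containers a generated config enables; a production node
# is expected to enable exactly one (the control container).
enabled_host_containers() {
  printf '%s\n' "$1" | grep -c '^enabled = true$'
}

# Resolve the latest AMI for a variant from the public SSM parameter and
# launch it with the generated user data. Needs AWS credentials; not called
# by default. SSM parameter path assumed from AWS documentation.
launch_node() { # $1 variant (e.g. aws-k8s-1.18), $2 region, $3 user-data file
  ami=$(aws ssm get-parameter --region "$2" \
        --name "/aws/service/bottlerocket/$1/x86_64/latest/image_id" \
        --query Parameter.Value --output text)
  aws ec2 run-instances --region "$2" --image-id "$ami" \
      --instance-type m5.large --user-data "file://$3"
}

if [ "${1:-}" = "print" ]; then
  bottlerocket_user_data "example-cluster" "https://EXAMPLE.eks.amazonaws.com" \
    "BASE64_CA_PLACEHOLDER" "latest"
fi
```

Run with `print` to see the TOML, then pass the saved file to `launch_node`; enabling the admin container later is a settings change through the API rather than a relaunch.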
As container popularity continues to grow, Amazon saw a need for a Linux distribution that addresses its customers' security and operations needs. Leaving aside the debate over whether a new distribution was needed, AWS Bottlerocket does bring several unique features to market that can increase the security of container environments, with the added benefit of AWS service integration. And, importantly, Bottlerocket helps companies achieve these advantages at scale.
Can we help your organization develop a container strategy and implement the tools and frameworks necessary to achieve containerization at scale? Talk to our container consulting team today.
Post Date: 10/15/2020