AWS has pulled the covers off Bottlerocket, a new Linux-based operating system for hosting and running containers on virtual machines or bare metal hosts.
According to AWS chief evangelist Jeff Barr, the project “reflects much of what we have learned over the years” and supports Docker images and others conforming to the Open Container Initiative image format.
AWS’s new offering apparently applies updates as a whole image in a single step rather than package by package, which lends itself better to automation via the container orchestrators it also integrates with. Should an update fail, leaving the system unable to reboot into the new image, Bottlerocket is said to roll back automatically, while workload failures can trigger workflows for manual rollbacks.
The project only comes with the essentials for running containers. This is meant to reduce the startup time of the OS as well as its resource needs, and keep the attack surface of the project minimal.
On the topic of security, Bottlerocket’s file system “is primarily read-only, and [..] integrity-checked at boot time via dm-verity”. Bottlerocket images also don’t include an SSH server or shells out of the box, but come with special containers for that.
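To show what the dm-verity integrity check means in practice, here is an added illustrative example (not Bottlerocket’s or the kernel’s own code): a read-only image is cut into 4096-byte blocks, a Merkle hash tree is built over them at image build time, and each block is re-verified on read against a root hash that the boot configuration is assumed to supply from a trusted source. It is simplified to a binary tree; real dm-verity packs as many child digests per hash block as fit (128 for SHA-256 with 4 KiB blocks) and supports a salt. The image contents are constructed here.

```python
import hashlib

BLOCK_SIZE = 4096  # dm-verity's default data and hash block size


def _digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Cut an image into fixed-size blocks, zero-padding the tail like a block device."""
    blocks = []
    for off in range(0, len(image), block_size):
        blocks.append(image[off:off + block_size].ljust(block_size, b"\0"))
    return blocks


def build_hash_tree(blocks: list) -> list:
    """Build the tree bottom-up at image build time.

    levels[0] holds one hash per data block, levels[-1] holds the single root.
    On a real system every level except the root lives on the hash device.
    """
    level = [_digest(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]  # duplicate the last node on odd counts
        level = [_digest(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(image: bytes) -> str:
    """The value that would be pinned in the (signed) boot configuration."""
    return build_hash_tree(split_blocks(image))[-1][0].hex()


def verify_block(block: bytes, index: int, levels: list, trusted_root: str) -> bool:
    """What happens on each read: rehash the block and walk to the root using
    sibling hashes from the stored tree, then compare with the trusted root."""
    node = _digest(block)
    for level in levels[:-1]:
        sibling_index = index ^ 1
        # an odd-length level was padded by duplicating its last node
        sibling = level[sibling_index] if sibling_index < len(level) else level[-1]
        node = _digest(node + sibling) if index % 2 == 0 else _digest(sibling + node)
        index //= 2
    return node.hex() == trusted_root


def find_tampered_blocks(image: bytes, levels: list, trusted_root: str) -> list:
    """Verify every block of a (possibly modified) image; return failing indexes."""
    blocks = split_blocks(image)
    return [i for i, b in enumerate(blocks) if not verify_block(b, i, levels, trusted_root)]


if __name__ == "__main__":
    # constructed 16 KiB image -> 4 data blocks
    original = bytes(range(256)) * 64
    tree = build_hash_tree(split_blocks(original))
    root = tree[-1][0].hex()
    modified = bytearray(original)
    modified[2 * BLOCK_SIZE + 10] ^= 0xFF  # flip one byte in block 2
    print("root:", root)
    print("failing blocks:", find_tampered_blocks(bytes(modified), tree, root))
```

The last assertion-worthy case is the one that matters for boot integrity: an attacker who rewrites the data and regenerates the whole hash tree still fails, because the root they produce does not match the root pinned in the trusted boot configuration. That is why the root hash, not the hash device, is the anchor.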
There’s a control container, for example, running inside a separate containerd instance, which runs the AWS SSM agent for commands and shell sessions. An administrative container with an SSH server is also available, but since it is disabled by default, users will have to activate it before they can log in with their EC2-registered SSH credentials. Control and admin containers can be replaced by custom containers if needed.
Bottlerocket is currently in the public preview phase, with Amazon Machine Images being available for EC2. The project’s source code along with a getting started guide can be found on GitHub.
Needless to say, Bottlerocket isn’t the only OS purpose-built for hosting containers out there. Rancher, for example, has offered RancherOS for almost five years and only last year made k3OS available, a further reduced system that is therefore more comparable to Bottlerocket. k3OS was likewise meant to cut management and update overhead and is based on the company’s lightweight Kubernetes distribution k3s.