Amazon: Linux-based Bottlerocket is our new OS for hosting containers in the cloud

Open-source Bottlerocket from AWS aims to break the bottleneck of installing package updates on containerized apps.
Written by Liam Tung, Contributing Writer

Amazon Web Services (AWS) has released a public preview of a new Linux-based operating system that it has built specifically to run containers on virtual machines or bare-metal hosts in the cloud. 

Bottlerocket, and the growing number of containerized applications it is meant to host, promise to make automating host updates easier through container orchestration services such as Amazon EKS. Initially, AWS wants developers to use Bottlerocket as the host OS for nodes in EKS Kubernetes clusters.

Bottlerocket includes only the software needed to run containers, which AWS says reduces both its footprint and its attack surface.

The new Linux-based OS is in public preview for now and is scheduled for general availability later this year. 


The bottleneck it aims to address is the traditional host-update model: keeping a container host current means applying package updates to the host OS separately from rebuilding the container images that run on it, and package-by-package updates are hard to roll back cleanly when something breaks.

"Instead of a package update system, Bottlerocket uses a simple, image-based model that allows for a rapid and complete rollback if necessary. This removes opportunities for conflicts and breakage, and makes it easier for you to apply fleet-wide updates with confidence using orchestrators such as EKS," explained AWS evangelist Jeff Barr.

Bottlerocket supports Docker images and images based on the Open Container Initiative (OCI) image format, which ensures broad support for Linux containers.

The goal is similar to Red Hat's CoreOS Container Linux, which is being shuttered on May 26 as Red Hat develops Fedora CoreOS for running containerized workloads. Fedora CoreOS currently doesn't support Azure, DigitalOcean, Google Compute Engine and other Container Linux platforms.    

Barr highlights some of the areas where Bottlerocket has been pared back for security: the root file system is "primarily read-only" and is integrity-checked at boot time, so tampering with it is detected before the host starts running workloads. Secure shell (SSH) access isn't enabled by default; it lives in a separate admin container that runs with elevated privileges and can be enabled when needed for troubleshooting. Because that container is privileged, the sensible practice is to enable it only for the duration of a debugging session and turn it back off afterwards.
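As an added illustration, not taken from the article or from AWS's own text: Bottlerocket's documented user-data format is TOML under a `settings` table, and the admin container is toggled by a boolean under `settings.host-containers.admin`. The key names below follow the project's README; the surrounding comments and the two contrasting postures are mine.

```toml
# Added example: Bottlerocket instance user data (TOML), not from the article.
# Key names follow the project's documented settings; comments are mine.

# Hardened posture (the project's default): the privileged admin container
# stays off, so there is no SSH listener on the host. The explicit line is
# shown here so the setting is visible in the fleet's user data.
[settings.host-containers.admin]
enabled = false

# Troubleshooting posture: flip the same key to true only while shell access
# is needed, then set it back to false. Enabling it starts a container that
# runs with elevated privileges on the host, which widens the attack surface.
#
# [settings.host-containers.admin]
# enabled = true
```

Keeping the explicit `enabled = false` line in the fleet's user data makes the intended posture reviewable, so a node that unexpectedly has the admin container running stands out as a deviation from the declared configuration.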


Interestingly, most of Bottlerocket is written in Rust, because the language rules out several classes of memory-safety bugs at compile time. Microsoft is exploring Rust for the same reason in low-level Windows components and in Project Verona, its secure infrastructure programming initiative, and Google has also explored Rust for its new OS, Fuchsia.

"Almost all first-party components are written in Rust. Rust eliminates some classes of memory safety issues, and encourages design patterns that help security," AWS says on its Bottlerocket page on GitHub.  

Bottlerocket currently includes packages for the Linux kernel, glibc, Buildroot, GRUB, systemd, wicked (network management), containerd, Kubernetes, and aws-iam-authenticator.
