Amazon Web Services has recently announced the general availability of the Amazon ECS optimised Bottlerocket Amazon Machine Image (AMI) on all commercial AWS platforms. Bottlerocket is an open-source, Linux-based OS that is purpose-built to run containers and includes only the software needed to do so. It comes with a single-step update mechanism that enables users to improve their security posture and reduce the maintenance required for Amazon ECS clusters. With the new release, users can also automate OS updates for Bottlerocket, improve application availability, and reduce disruptions.
Last year, Amazon announced the general availability of Bottlerocket, purpose-built to run containers.
Bottlerocket’s root filesystem is read-only and is backed by dm-verity. It comes with Security-Enhanced Linux (SELinux) policies for additional isolation. Users can deploy the Bottlerocket ECS Updater, an AWS CloudFormation template, to automatically roll out OS updates to the Amazon EC2 instances running Bottlerocket in their clusters.
Bottlerocket’s main components include:
- An admin container for advanced troubleshooting and debugging
- Integrations with container orchestrators such as Amazon EKS, which manage and orchestrate updates
- A single-step atomic update mechanism to apply and roll back OS updates
- A minimal operating system that includes the Linux kernel, system software, and containerd as the container runtime
The prerequisites for using Bottlerocket are: an AWS CLI with appropriate credentials; a default VPC in the region of choice (the VPC already in the user’s account can be used); and a key pair in the user’s account for remote access.
Following are the advantages of using Bottlerocket:
- Improved security: It enhances safety and reduces maintenance overhead for a user’s Amazon ECS clusters. All root files are marked read-only and cannot be directly modified by userspace processes. The platform checks the integrity of containers by using a cryptographic digest, and it uses dm-verity for its root filesystem image; any detected anomaly or corruption triggers a restart. Configuration changes are instead made through the API.
- Simplified operational tasks and automated operating system updates: Updates are applied and rolled back atomically. AWS claims the process is as simple as updating a phone. This is achieved by two mechanisms in the update process: two partition sets that use an active/passive flip to swap OS images, and a declarative API with modelled settings for runtime configuration.
- Bottlerocket includes only the software required to run containers. This approach helps users significantly reduce the attack surface and the impact of vulnerabilities.
- The software is open-sourced and universally available, so it is developed in the open, enabling customers, partners, and all interested parties to propose changes to its design and codebase.
- The platform is fully supported by Amazon Web Services, which provides the same level of support to its users as for Amazon EC2, Amazon ECR, Amazon EKS, and similar services. It ensures that users have the help they require close at hand.
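As an added illustration of the declarative settings API described above, and not code from the article or from the Bottlerocket project, the following is instance user data in Bottlerocket’s TOML format that joins a node to an ECS cluster, enables the admin container only for a troubleshooting session, and sets the update policy that the ECS Updater acts on. The cluster name is a placeholder.

```toml
# Bottlerocket user data (TOML) for an Amazon ECS instance.
# Constructed example; "my-ecs-cluster" is a placeholder, not a real cluster.
[settings.ecs]
cluster = "my-ecs-cluster"

# The admin container is disabled by default. It is enabled here only because
# this instance is being debugged; keep it disabled on production nodes so the
# SSH/shell path into the host does not exist when it is not needed.
[settings.host-containers.admin]
enabled = true

# Update policy: follow the latest release and honour the phased-rollout waves,
# so a new image is offered to this node only when its wave is reached. The
# updater then applies the image to the inactive partition set and reboots
# into it; a failed boot falls back to the previous set.
[settings.updates]
version-lock = "latest"
ignore-waves = false
```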
While Bottlerocket is not the first operating system touted to most efficiently run containers, experts believe that it is going to see rapid growth.
Bottlerocket’s competitors include Red Hat-owned CoreOS, Talos, and RancherOS. What sets it apart is its tight integration with the native services of AWS, one of the leading public cloud providers, in addition to its update and security features. Bottlerocket hooks directly into the AWS managed container services, EKS and ECS.