Bottlerocket 1.2.0, the AWS container distro, has been released

Bottlerocket 1.2.0 has been released. Bottlerocket is a Linux distribution developed with Amazon's participation to run isolated containers efficiently and securely. This release is mostly a package-update release, although it also brings some new features.

The distribution ships as an indivisible system image, updated automatically and atomically, that includes the Linux kernel and a minimal system environment containing only the components needed to run containers.

About Bottlerocket

The environment uses the systemd service manager, the glibc library, Buildroot, the GRUB bootloader, the wicked network configurator, containerd as the container runtime, Kubernetes, aws-iam-authenticator, and the Amazon ECS agent.

Management tooling ships in a separate control container, which is enabled by default and administered through the AWS SSM agent and the Bottlerocket API. The base image has no command shell, no SSH server, and no interpreted languages (no Python or Perl, for example); administration and debugging tools are moved to a separate admin container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on security: the system is hardened so that vulnerabilities in operating system components are harder to exploit, and container isolation is strengthened.

Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution runs SELinux in enforcing mode.

The root partition is mounted read-only, and the configuration directory /etc is mounted on tmpfs and restored to its original state on every reboot. Directly modifying files under /etc, such as /etc/resolv.conf or /etc/containerd/config.toml, is therefore not supported as a way to persist configuration; instead, configuration is set through the API, or the functionality is moved into separate containers. The integrity of the root partition is verified cryptographically with dm-verity, and if a modification of the data is detected at the block-device level, the system reboots.

Most of the system components are written in Rust, which provides memory-safe abstractions that avoid whole classes of vulnerabilities such as use-after-free, null-pointer dereferences, and out-of-bounds buffer accesses.

Main new features of Bottlerocket 1.2.0

Bottlerocket 1.2.0 introduces many package updates, including updated Rust and dependency versions, host-ctr, an updated default control container, and various third-party packages.

Among the new features in Bottlerocket 1.2.0, the highlights are support for container image registry mirrors, the ability to use self-signed CA certificates, and a setting to configure the hostname.

The topologyManagerPolicy and topologyManagerScope settings for the kubelet were also added, as well as support for kernel compression with the zstd algorithm.
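The settings from the two paragraphs above are applied as TOML user-data (or at runtime with `apiclient set`), not by editing files under /etc, which lives on tmpfs and is regenerated at boot. The fragment below is an added illustration, not a file from the original article or from the Bottlerocket project: the hostname, mirror URL and CA bundle are placeholders, the `settings.kubernetes` keys exist only on the Kubernetes variants, and the setting names follow the project's settings reference as documented for this release (the registry-mirror layout was reorganized in later releases, so check the reference for the version you actually run).

```toml
# Bottlerocket user-data (TOML). Added example with placeholder values; it is
# not the project's own configuration. Everything here is stored in the
# API-backed datastore and survives reboots, unlike edits made under /etc.

[settings.network]
# Hostname setting introduced in this release (placeholder value).
hostname = "node-01.internal.example"

# Registry mirror / pull-through cache, new in this release. Keys are registry
# hostnames, values are ordered lists of mirror endpoints tried in turn.
# Later releases restructured this into a list of tables (registry/endpoint);
# consult the settings reference for your version.
[settings.container-registry.mirrors]
"docker.io" = ["https://mirror.internal.example"]

# Custom CA bundle so containerd and the other host components trust the
# mirror's self-signed certificate. `data` is a base64-encoded PEM bundle and
# `trusted = true` adds it to the system trust store. The bundle name
# ("internal-ca") is arbitrary; the value below is a placeholder.
[settings.pki.internal-ca]
data = "<base64-encoded PEM bundle>"
trusted = true

# Kubelet Topology Manager settings added in this release (Kubernetes variants
# only). The usual cluster bootstrap keys (cluster-name, api-server,
# cluster-certificate) are omitted here for brevity.
[settings.kubernetes]
topology-manager-policy = "single-numa-node"
topology-manager-scope = "pod"
```

Two caveats a practitioner should keep in mind: a mirror that is reachable over plain HTTP or whose certificate is not in `settings.pki` silently widens the supply-chain trust boundary of every node image pull, so pair a mirror with a trusted bundle as shown; and a topology-manager policy other than `none` can make pods unschedulable on nodes whose NUMA layout cannot satisfy it, so test it on the instance types in use before rolling it out.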

It is also now possible to run the system in VMware virtual machines, using an image in OVA format (a packaged OVF, Open Virtualization Format).

Other notable changes in this release:

  • Updated aws-k8s-1.21 variant with support for Kubernetes 1.21.
  • Removed support for the aws-k8s-1.16 variant.
  • Wildcards are no longer used when applying rp_filter to network interfaces.
  • Migrations moved from v1.1.5 to v1.2.0.

Finally, if you want to know more about this release, you can check the details at the following link. You can also consult the setup and usage information here.

