Bottlerocket 1.3.0 has been released: here is what is new

The new version of the Linux distribution «Bottlerocket 1.3.0» has been released. Among the changes and improvements, the highlights are new MCS restrictions in the SELinux policy, fixes for several SELinux policy problems, IPv6 support in kubelet and pluto, and hybrid boot support for x86_64.

For those unfamiliar with Bottlerocket, it is a Linux distribution developed with the participation of Amazon to run isolated containers efficiently and safely. This release is mostly a package-update release, although it also brings some new changes.

The distribution provides an indivisible system image that is updated automatically and atomically. It includes the Linux kernel and a minimal system environment containing only the components needed to run containers.

About Bottlerocket

The environment uses the systemd service manager, the Glibc library, Buildroot, the GRUB bootloader, the wicked network configurator, the containerd runtime for container isolation, the Kubernetes platform, aws-iam-authenticator, and the Amazon ECS agent.

Container orchestration tools ship in a separate management container that is enabled by default and is managed through the AWS SSM agent and API. The base image has no command shell, SSH server, or interpreted languages (no Python or Perl, for example): administrator and debugging tools are moved into a separate service container, which is disabled by default.
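The split described above can be seen in the node's user-data settings. The fragment below is an added example, not taken from the article or from the Bottlerocket project's own documentation; it uses the `settings.host-containers.*` keys and values chosen to mirror the defaults the paragraph describes, so treat the exact values as assumptions.

```toml
# Added example: Bottlerocket user-data (TOML) for the two host containers.
# Keys follow the settings.host-containers.* schema; the values are assumptions
# chosen to mirror the defaults described in the text, not project defaults
# copied verbatim.

# Control container: enabled by default. It carries the SSM agent through which
# the node is managed, so it is the only management surface on a stock node.
[settings.host-containers.control]
enabled = true

# Admin container: disabled by default. It is the only place a shell and
# debugging tools exist, so keep it off and enable it deliberately for a
# maintenance window rather than baking it into every node.
[settings.host-containers.admin]
enabled = false
# When enabled, "superpowered" gives the container elevated privileges on the
# host; it is what makes the admin container useful for debugging, and also
# why it should stay off when not in use.
superpowered = true
```

The same setting can be changed on a running node from the control container with `apiclient set host-containers.admin.enabled=true`; after the change the host container is restarted, which is the behaviour this release adds for modified host containers.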

The key difference from similar distributions such as Fedora CoreOS and CentOS / Red Hat Atomic Host is the primary focus on maximum security: the system is hardened against potential threats, which makes vulnerabilities in operating system components harder to exploit and strengthens container isolation.

Main new features of Bottlerocket 1.3.0

This release includes fixes for vulnerabilities in the Docker toolkit and the container runtime (CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, CVE-2021-41103) related to incorrect permission settings, which allowed unprivileged users to escape the base directory and run external programs.

Among the changes that have been implemented, IPv6 support has been added to kubelet and pluto. In addition, host containers can now be restarted after their configuration changes, and support for Amazon EC2 M6i instances was added to eni-max-pods.

Also notable are the new MCS restrictions in the SELinux policy and the fixes for several SELinux policy problems. For the x86_64 platform, a hybrid boot mode (compatible with both EFI and BIOS) is implemented, and open-vm-tools gains device filters for Cilium.

On the other hand, the aws-k8s-1.17 variant based on Kubernetes 1.17 has been dropped, so the aws-k8s-1.21 variant, compatible with Kubernetes 1.21, is recommended instead. In addition, the k8s variants now use the runtime.slice and system.slice cgroup settings.

Other notable changes in this release:

  • Added a region flag to the aws-iam-authenticator command
  • Restart modified host containers
  • Updated the default control container to v0.5.2
  • Updated eni-max-pods with new instance types
  • Added new Cilium device filters to open-vm-tools
  • Include /var/log/kdump in logdog tarballs
  • Updated third-party packages
  • Added wave definitions for slow rollouts
  • Added 'infrasys' to create TUF infrastructure on AWS
  • Archived old migrations
  • Documentation changes

Finally, if you are interested in learning more, you can check the details at the following link.
