Amazon has announced the general availability of Bottlerocket, an open source Linux distribution built to run containers. Bottlerocket is designed to improve the security and operation of containerized infrastructure. Its built-in security hardening helps simplify security compliance, and its transactional update mechanism lets container orchestrators automate OS updates. In these respects Bottlerocket resembles Container-Optimized OS, which Google released in 2017.
Bottlerocket runs SELinux in enforcing mode to provide baseline mandatory access control. Its root filesystem is read-only and protected by Device-mapper's verity target (dm-verity), a Linux kernel feature that checks every block against a hash tree as it is read, so an attacker who tampers with the image to persist on the host, for example by overwriting core system software, triggers a verification failure instead of getting the modified code executed.
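To make the dm-verity mechanism concrete, here is an added example (written for this page, not code from Bottlerocket or the kernel) that models its hash tree in Python: data blocks are hashed with a salt, the digests are packed into hash blocks, those hash blocks are hashed into the next level, and so on until a single root hash remains. Verifying a block then means walking that chain up to the root, which is exactly what the kernel does on each read. The image and salt are constructed inline; the padding of short blocks and the absence of a superblock are simplifications relative to real `veritysetup` output.

```python
"""Toy model of the dm-verity hash tree (added example, not Bottlerocket code)."""
import hashlib

BLOCK_SIZE = 4096
DIGEST = hashlib.sha256
DIGEST_SIZE = DIGEST().digest_size            # 32 bytes
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE  # 128 digests fit in one hash block


def _split(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


def _pad(data):
    """Simplification: zero-pad the image to a whole number of blocks."""
    rem = len(data) % BLOCK_SIZE
    return data if rem == 0 else data + b"\x00" * (BLOCK_SIZE - rem)


def _hash_block(salt, block):
    # dm-verity hashes salt || block for every data block and hash block
    return DIGEST(salt + block).digest()


def build_tree(data, salt):
    """Return (levels, root_hash).

    levels[0] holds the hash blocks over the data blocks; each higher level
    holds the hash blocks over the level below it, until one block is left.
    The root hash is the hash of that final block and must be trusted from
    outside the image (e.g. a verified boot chain), not read from it.
    """
    if not data:
        raise ValueError("empty image")
    digests = [_hash_block(salt, b) for b in _split(_pad(data), BLOCK_SIZE)]
    levels = []
    while True:
        hash_blocks = _split(b"".join(digests), BLOCK_SIZE)
        hash_blocks[-1] = hash_blocks[-1].ljust(BLOCK_SIZE, b"\x00")
        levels.append(hash_blocks)
        if len(hash_blocks) == 1:
            return levels, _hash_block(salt, hash_blocks[0])
        digests = [_hash_block(salt, hb) for hb in hash_blocks]


def verify_block(data_block, index, levels, root, salt):
    """Check one data block the way the kernel does on read: hash it, then
    confirm each hash block on the path up to the trusted root. A single
    flipped bit in the data or in any hash block on the path returns False."""
    expected = _hash_block(salt, data_block)
    for level in levels:
        hb = level[index // HASHES_PER_BLOCK]
        off = (index % HASHES_PER_BLOCK) * DIGEST_SIZE
        if hb[off:off + DIGEST_SIZE] != expected:
            return False
        expected = _hash_block(salt, hb)
        index //= HASHES_PER_BLOCK
    return expected == root


def verify_image(data, levels, root, salt):
    """Return the indices of data blocks that fail verification ([] = intact)."""
    blocks = _split(_pad(data), BLOCK_SIZE)
    return [i for i, b in enumerate(blocks)
            if not verify_block(b, i, levels, root, salt)]


def sample_image(n_blocks):
    """Constructed sample image: deterministic filler, one digest per 32 bytes."""
    per_block = BLOCK_SIZE // DIGEST_SIZE
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(n_blocks * per_block))


if __name__ == "__main__":
    salt = bytes(range(32))                      # constructed salt
    image = sample_image(300)                    # 300 blocks -> 2 tree levels
    levels, root = build_tree(image, salt)
    print("root hash:", root.hex())
    print("intact image, bad blocks:", verify_image(image, levels, root, salt))
    tampered = bytearray(image)
    tampered[200 * BLOCK_SIZE + 7] ^= 0x80       # flip one bit in block 200
    print("tampered image, bad blocks:",
          verify_image(bytes(tampered), levels, root, salt))
```

Two points the model makes visible: the root hash is the only secret-free trust anchor, so it has to arrive through something the attacker cannot rewrite along with the image, and a corrupted hash block invalidates every data block beneath it, which is why dm-verity failures on a real host usually surface as read errors or a forced reboot rather than a quiet, partially working system.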
Bottlerocket integrates with container orchestrators to automate the patching of hosts, which reduces operational cost and improves manageability and uptime. It is designed to work with any orchestrator; the AWS-provided builds work with Amazon EKS (generally available) and Amazon ECS (in preview).
Bottlerocket includes standard open source components such as the Linux kernel and the containerd container runtime, among others. Bottlerocket-specific additions focus on reliable updates and an API-based mechanism for making configuration changes and triggering updates and rollbacks. Bottlerocket code is licensed under either the Apache 2.0 license or the MIT license, at your option.