WavebreakMediaMicro - Fotolia

AWS Bottlerocket container OS locks down hosts

AWS Bottlerocket puts the cloud giant's spin on the container OS, and container host security, but the company will have to overcome a generally poor reputation in the open source world.

AWS previewed an open source container OS this week called Bottlerocket that could offer security advantages for container hosts, provided AWS can gain traction in the open source community.

Most of Bottlerocket's features are similar to other container OS variants already available, such as Fedora CoreOS (formerly CoreOS and Red Hat Project Atomic), Rancher OS and Google Cloud's Container-optimized OS. All strip out unnecessary Linux operating system components to create a small version of the Linux operating system suitable for use inside containers or to host containers on cluster servers, and to reduce the OS attack surface for security purposes. Most employ immutable file systems to perform updates, an approach that can mitigate drift within container infrastructure, support automatic OS updates and rollback in the event of failed updates.

Bottlerocket, released in preview this week for Amazon EKS, also strips out the SSH server and shell script access by default. Should users need direct access to servers running Bottlerocket, they must use a separate control container, a move that may have container security advantages.

At no point does a user have an unmoderated path to cluster hosts. That potentially makes it more difficult for an attacker to mess with clusters externally.
Tom PetrocelliAnalyst, Amalgam Insights

"At no point does a user have an unmoderated path to cluster hosts," said Tom Petrocelli, analyst at Amalgam Insights. "That potentially makes it more difficult for an attacker to mess with clusters externally, by sending shutdown commands, for example."

The AWS Bottlerocket approach also puts OS configuration behind a separate API, in addition to the immutable filesystem, to shore up the stability of container OS upgrades.

"Many [container OSes] support automated OS updates," said Deepak Singh, VP of compute services at AWS. "We also move all the settings and configuration behind an API ... so once automated updates are enabled, our customers can always trust that the OS will still work."

The lack of direct access to the container OS tends to encourage IT automation practices such as immutable infrastructure that consistently manage an entire fleet of container hosts as one entity, rather than individually modifying servers.

AWS Bottlerocket
AWS EKS users can preview Bottlerocket container OS in its initial release.

AWS faces wary open source community

The first preview version of Bottlerocket is available as an add-on for Amazon EKS, but there's nothing about the project that ties it to Kubernetes or AWS. The source code is available on GitHub for others to modify to support other container orchestrators and container formats such as CRI-O, in addition to the current containerd default.

Tom Petrocelli, Amalgam InsightsTom Petrocelli

While AWS is relatively late to the container OS game, it may have an opportunity to capitalize on uncertainty around the market's most well-established container OS project, Fedora CoreOS, which is in the process of melding components from CoreOS and Red Hat Project Atomic into one codebase. Both projects in their original form have been shelved by Red Hat, and the original CoreOS will reach the end of its life in May 2020.

"All Linux companies are trying to create a form of secure Linux, especially to harden Kubernetes," Petrocelli said. "Right now, Red Hat is still absorbing all the pieces of Tectonic and CoreOS."

However, AWS has a checkered reputation in the open source community, where it has had high-profile battles with open core partners such as MongoDB, Redis and Elastic over its use of open source IP in its cloud services.

"AWS has a lot of damage control to do in open source because of what's happened with Mongo and the others," Petrocelli said. "Their reputation is that they take more than they give."

It's still very early for Bottlerocket, now in version 0.3.0, so it's too soon to say what kind of open source traction it will get, or how its long-term governance will shake out. For now, its governance is similar to AWS Firecracker, with source code publicly available, and open to pull requests and contributions from outside Amazon.

"Neither Bottlerocket or Firecracker is just for AWS," Singh said. "If customers want to use them with something else, they can do it."

Dig Deeper on Containers and virtualization