As our customers increasingly adopt containers to run their workloads, we saw a need for a Linux distribution designed from the ground up to run containers with a focus on security, operations, and manageability at scale. Customers needed an operating system that would give them the ability to manage thousands of hosts running containers with automation.
Meet Bottlerocket, a new open source Linux distribution that is built to run containers. Bottlerocket is designed to improve security and operations of your containerized infrastructure. Its built-in security hardening helps simplify security compliance, and its transactional update mechanism enables the use of container orchestrators to automate operating system (OS) updates and decrease operational costs.
Bottlerocket is developed as an open source project on GitHub with a public roadmap. We’re looking forward to building a community around Bottlerocket on GitHub and welcome your feature requests, bug reports, or contributions.
We began designing and building Bottlerocket based on the things we’ve learned from how customers use Amazon Linux to run containers and from running services such as AWS Fargate. At every step of the design process, we optimized Bottlerocket for security, speed, and ease of maintenance.
Bottlerocket improves security by including only the software needed to run containers, which reduced the security attack surface. It uses Security-Enhanced Linux (SELinux) in enforcing mode to increase the isolation between containers and the host operating system, in addition to standard Linux kernel technologies to implement isolation between containerized workloads—such as control groups (cgroups), namespaces, and seccomp.
Also, Bottlerocket uses Device-mapper’s verity target (dm-verity), a Linux kernel feature that provides integrity checking to help prevent attackers from persisting threats on the OS, such as overwriting core system software. The modern Linux kernel in Bottlerocket includes eBPF, which reduces the need for kernel modules for many low-level system operations. Large parts of Bottlerocket are written in Rust, a modern programming language that helps ensure thread safety and prevent memory-related errors, such as buffer overflows that can lead to security vulnerabilities.
Bottlerocket also enforces an operating model that further improves security by discouraging administrative connections to production servers. It is suited for large distributed environments in which control over any individual host is limited. For debugging, you can run an “admin container” using Bottlerocket’s API (invoked via user data or AWS Systems Manager) and then log in with SSH for advanced debugging and troubleshooting. The admin container is an Amazon Linux 2 container image and contains utilities for troubleshooting and debugging Bottlerocket and runs with elevated privileges. It allows you to install and use standard debugging tools, such as traceroute, strace, tcpdump. The act of logging into an individual Bottlerocket instance is intended to be an infrequent operation for advanced debugging and troubleshooting.
Bottlerocket improves operations and manageability at scale by making it easier to manage nodes and automate updates to nodes in your cluster. Unlike general-purpose Linux distributions designed to support applications packaged in a variety of formats, Bottlerocket is purpose-built to run containers. Updates to other general-purpose Linux distributions are applied on a package-by-package basis and the complex dependencies among their packages can result in errors, making the process challenging to automate.
Furthermore, general-purpose operating systems come with the flexibility to configure each instance as necessary for its workload uniquely, which makes management that is performed with traditional Linux tools more complex. By contrast, updates to Bottlerocket can be applied and rolled back in an atomic manner, which makes them easy to automate, reducing management overhead and reducing operational costs.
Bottlerocket integrates with container orchestrators to enable the automated patching of hosts to improve operational costs, manageability, and uptime. It is designed to work with any orchestrator, and AWS-provided builds work with Amazon EKS (in General Availability), and Amazon ECS (in preview).
Bottlerocket open source project
We have launched Bottlerocket as an open source project to enable our customers to make customizations to the operating system (e.g., integration with custom orchestrators/kernels/container runtimes) used to run their infrastructure, submit them for upstream inclusion, and produce custom builds. All design documents, code, build tools, tests, and documentation will be hosted on GitHub. We will use the GitHub’s bug and feature tracking systems for project management. You can view and contribute to Bottlerocket source code using standard GitHub workflows. The availability of build, release, and test infrastructure makes it easy to produce custom builds that includes their changes. ISV partners can quickly validate their software before their customers update to the latest versions of Bottlerocket.
We want to grow a vibrant community of users and contributors who adopt and support Bottlerocket as an open source project. We believe that an open source approach enables us to drive innovation based on our experience with working with other open source projects in the container space such as containerd, Linux kernel, Kubernetes, and Firecracker.
Bottlerocket includes standard open source components, such as the Linux kernel, containerd container runtime, etc. Bottlerocket-specific additions focus on reliable updates and an API-based mechanism to make configuration changes and trigger updates/roll-backs. Bottlerocket code is licensed under either the Apache 2.0 license or the MIT license at your option. Underlying third-party code, like the Linux kernel, remains subject to its original license. If you modify Bottlerocket, you may use “Bottlerocket Remix” to refer to your builds in accordance with the policy guidelines.
Getting started with Bottlerocket
Although you can run Bottlerocket as a standalone OS without an orchestrator for development and test use cases (using utilities in the admin container to administer and update Bottlerocket), we recommend using it with a container orchestrator to take advantage of all its benefits.
An easy way to get started is by using AWS-provided Bottlerocket AMIs with either Amazon EKS or Amazon ECS (in preview). You can find the IDs for these AMIs by querying SSM with the AWS CLI as follows.
To find the latest AMI ID for the Bottlerocket aws-k8s-1.17 variant, run:
aws ssm get-parameter --region us-west-2
--query Parameter.Value --output text
To find the latest AMI ID for the Bottlerocket aws-ecs-1 variant, run:
aws ssm get-parameter --region us-west-2
--query Parameter.Value --output text
In both of the above example commands, you can change the region if you operate in another region, or change the architecture from x86_64 to arm64 if you use Graviton-powered instances.
Once you have this AMI ID, you can launch an EC2 instance and connect it to your existing EKS or ECS cluster. To connect to an EKS cluster with the Kubernetes variant of Bottlerocket, you’ll need to provide user data, such as the following, when you launch the EC2 instance:
api-server = "Your EKS API server endpoint here"
cluster-certificate = "Your base64-encoded cluster certificate here"
cluster-name = "Your cluster name here"
To connect to an ECS cluster with the ECS variant of Bottlerocket, you can provide user data like this:
cluster = “Your cluster name here”
For further instructions on getting started, see the guide for EKS and the guide for ECS.
Contributing to Bottlerocket
In addition to using AWS-provided Bottlerocket AMIs, you can produce custom builds of Bottlerocket with your own changes. To do so, you can fork the GitHub repository, make your changes, and follow our building guide. As a prerequisite step, you must first set up your build environment. The build system is based on the Rust language. We recommend you install the latest stable Rust using
rustup. To organize build tasks, we use
cargo-deny during the build process. To get these, run:
cargo install cargo-make
cargo install cargo-deny --version 0.6.2
Bottlerocket uses Docker to orchestrate package and image builds. We recommend Docker 19.03 or later. You’ll need to have Docker installed and running with your user account able to access the Docker API. This is commonly enabled by adding your user account to the docker group.
To build an image, run after your source code changes are made:
All packages will be built in turn, and then compiled into an
img file in the
Next, to register the Bottlerocket AMI, for use on Amazon EC2, you need to set up the aws-cli and run:
cargo make ami
We invite you to join us in further enhancing Bottlerocket. See the Bottlerocket issues list and the Bottlerocket roadmap. We welcome contributions. Going over existing issues is a great way to get started contributing. See our contributor’s guide for details.
We hope you use Bottlerocket to run your containers and we look forward to your feedback!