On the surface, Amazon Web Service's new minified operating system to use in containers is just another bare-bones Linux distribution to go alongside others that serve the same purpose, such as Red Hat Enterprise Linux CoreOS, RancherOS, or Flatcar Container Linux.
But a few things do set Bottlerocket apart from the others, starting with the most obvious fact that it's integrated into AWS, which means AWS will be pushing it to become the default OS in containers for customers using Amazon Elastic Container Service or Amazon Elastic Kubernetes Service. In addition, Amazon has chosen to write large parts of the distribution in Rust, even though Linux is written in C, with some assembly language.
The latter may have been something of an inevitability. Last month at the Linux Plumbers Conference there was talk of allowing in-tree Rust language support, and even Linus Torvalds said during June's Open Source Summit that he was "certain" that languages like Rust would soon be used for "drivers and things that are not very central to the kernel."
That time has evidently arrived sooner than anybody thought.
"Bottlerocket is designed to improve security and operations of your containerized infrastructure," Samartha Chandrashekar, an AWS senior product manager, explained in a blog. "Its built-in security hardening helps simplify security compliance, and its transactional update mechanism enables the use of container orchestrators to automate operating system updates and decrease operational costs."
He's not kidding about the added security. Rust, for example, was designed in part to make writing secure software easier. In the case of Bottlerocket, according to Chandrashekar, it "helps ensure thread safety and prevent memory-related errors, such as buffer overflows that can lead to security vulnerabilities."
In addition, Bottlerocket comes with Security-Enhanced Linux in enforcing mode, which provides added isolation between the container and its cluster's underlying operating system.
AWS has also taken the pain out of updating Bottlerocket by offering pretested updates that are applied in a single step.
"These updates can also be rolled back in a single step to a known good state," AWS explained in a FAQ. "As a result, 'botched' updates that can leave the system unusable because of inconsistent states that need manual repair do not occur with Bottlerocket. With single-step atomic updates, there is lower complexity, which reduces update failures."
Bottlerocket Is Open Source
For the time being Bottlerocket will be available to users of ECS and EKS, offered in all AWS availability regions at no cost other than the cost of the compute resources used. However, AWS has released the software as open source, available on GitHub, with AWS's code covered under Apache 2.0 and MIT licenses (user's choice) and third-party code, like the Linux kernel, remaining under its original licensing.
Chandrashekar said that AWS has made the software open source so that users can customize it to integrate with orchestrators, kernels, container runtimes, and the like that they use in their infrastructures.
"We want to grow a vibrant community of users and contributors who adopt and support Bottlerocket as an open source project," he said. "We believe that an open source approach enables us to drive innovation based on our experience with working with other open source projects in the container space such as containerd, Linux kernel, Kubernetes, and Firecracker."
What AWS hasn't pointed out is that making the software available under open source licenses also helps AWS's efforts to be included in the type of cloud-neutral multi-cloud infrastructures that are being advocated by IBM/Red Hat, SUSE/Rancher, VMware, and other vendors.
Vendor uptake would be key here, and both Apache and MIT licenses would allow proprietary vendors such as VMware to release their own versions of the code under proprietary licenses.