Bottlerocket isn’t the first operating system stripped down to run containers as efficiently as possible, but it is one that is likely to see rapid adoption, and to generate a significant partner opportunity, because of its tight integration with native services in the industry’s leading public cloud, as well as its innovative upgrade and security capabilities.
“We are one of largest destinations for customers running containerized workloads,” Peder Ulander, who leads AWS’ open source efforts, told CRN. That includes enterprises self-managing orchestrators like Kubernetes or Docker Swarm, or opting for the managed AWS container services Amazon Elastic Kubernetes Service (EKS) and Amazon Elastic Container Service (ECS).
While the project is led by Amazon and focused on Amazon’s cloud, Bottlerocket is open source, so it can be deployed anywhere: on-premises, on any competing public cloud, at the network edge, and even in non-containerized environments like AWS EC2 instances, Ulander said.
Bottlerocket has been in a beta preview for around three months, and in that time most of AWS’ publicly acknowledged container customers have deployed it to some degree. Internally, the team behind Amazon SageMaker has also been working closely with Bottlerocket developers to optimize the AWS machine learning platform, Ulander said.
The new operating system creates a huge opportunity for Amazon’s technology and channel partners, said Gaurav Rishi, head of product at Kasten, the first data management provider certified to do backup, disaster recovery and application migration for Bottlerocket.
“This is great news for channels since this not only underscores the fact that vendors are doubling-down on container-related innovations, but these innovations help their customers with far more simplified operations for business continuity in the cloud-native world,” Rishi told CRN.
Benefits of slimming down
“Bottlerocket is a slimmed down Linux that’s optimized to run your container hosts,” Ulander said.
AWS and the developer community it’s nurturing on GitHub have eliminated Linux kernel features not needed to support container deployments; the leaner OS presents a smaller attack surface, which improves security, and has a smaller install footprint, which brings down resource utilization and costs.
Bottlerocket’s efficiency, security and cost-optimization will encourage more enterprises to pursue cloud transformations, said Rishi, Kasten’s head of product.
“Cloud-native represents a major opportunity for partners and other collaborators in the channel ecosystem as container and Kubernetes adoption accelerates,” Rishi told CRN.
Bottlerocket “opens up a whole new world where more companies can take advantage of cloud-native capabilities which is driving significant sales opportunities,” he said.
AWS has played a foundational role in enabling the shift to modern architecture, and the cloud leader has been working with partners like Kasten to spur more investment in cutting-edge solutions that ensure smooth operations beyond deployment—Day 2 management and security—for seamless business continuity.
“Bottlerocket is one of these innovative advancements,” Rishi said.
The lightweight Linux landscape
Bottlerocket’s development was motivated by the same logic that went into building Amazon Linux, a distribution that takes advantage of native AWS features around security, orchestration and monitoring.
“This is kind of a redux of that stuff,” Ulander said.
But Bottlerocket isn’t the first Linux built for containers.
The existing container-optimized distributions are all good products, Ulander said.
What makes Bottlerocket stand out from that pack, he said, is its ability to hook into native AWS managed container services—EKS and ECS.
“The difference between similar container operating systems and Bottlerocket is that Amazon has optimized it to perform on AWS and integrate with other AWS services,” said Brady Thompson, a solutions architect at Austin, Tex.-based AWS channel partner Flux7, an NTT DATA company.
And there are other differences, especially around security and upgradability features, Thompson said.
Other lightweight Linux distributions “are all very minimal, meaning they will ship with only the absolute required software to run containers,” Thompson told CRN USA.
Native AWS integrations
“Integration into AWS services is what makes this unique and probably why someone would want this versus a CoreOS or an Alpine,” Ulander told CRN USA.
Bottlerocket was built to power EKS and ECS. But it doesn’t have to—users of those two AWS-native managed container services will still have a choice of operating systems.
Ulander expects some customers will want to continue to use other Linux versions, like CentOS.
But he encourages the majority of AWS customers now running Amazon Linux with those managed container services to migrate to Bottlerocket.
“Who doesn’t want better security, better speed and a lower price,” Ulander said.
The more AWS can lighten the resource load, the better those distributed applications will perform, he said.
“At the end of the day, it’s a container host, it’s not running your apps,” Ulander told CRN. “It’s not going to make or break your apps as a developer, but it will make or break your experience.”
At the same time, while Bottlerocket is an effort led by AWS and integrated with Amazon’s cloud, it can be deployed in most computing environments.
“It’s a Linux distribution. In a different cloud, you still need to select what your container host OS should be,” Ulander said.
Security and updates
Beyond integrations with AWS-native services, Bottlerocket offers some unique benefits, especially around security and ease of updating the software.
Updates aren’t presented package by package, with all the steps that process introduces, Ulander said, but instead come “whole hog.”
“For a container host operating system, you don’t want it to be super flexible and have multiple packages,” he told CRN USA.
Thompson said Flux7 is pleased to see AWS and its developer community followed a security-first approach when developing the container OS.
“Amazon removed all shells and interpreters, eliminating the risk of them being exploited or of users accidentally escalating privileges,” Thompson told CRN USA.
By default, policies are enabled to enforce separation between the containers and the kernel. Binaries are secured with hardened flags to keep users or programs from executing them. And if a user can break into the filesystem, Bottlerocket offers a tool to validate and track any changes made, Thompson said.
To improve the process of installing updates, Amazon leveraged TUF (The Update Framework), which downloads image-based upgrades to alternate or “unmounted” partitions, Thompson said.
Another tool toggles the partition priority and can even fall back on failure, he said. “This allows the OS to be upgraded at one step without a reboot or the risk of package by package upgrades having issues and leaving the OS in an unknown state.”
Updates can also be triggered automatically using a Kubernetes operator or manually via the API, Thompson noted.
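The update mechanism described above (an image written to the inactive partition, a priority flip, and automatic fallback if the new image fails to boot) is easier to reason about as a small state machine. The model below is an added illustration written for this article; it is not Bottlerocket’s own updater or boot-selection code. It assumes two root slots, each carrying a priority, a tries-left counter and a successful flag (the field names are this example’s own), that the downloaded image must match the length and SHA-256 recorded in update metadata before it is written (a stand-in for the checks TUF-signed targets metadata drives; signature verification itself is not modeled), and that a freshly updated slot gets exactly one trial boot before the bootloader falls back to the proven slot.

```python
"""Model of an image-based A/B update with automatic rollback.

Added example, not Bottlerocket's code. Two root partitions ("slots") each
carry a priority, a tries-left counter and a successful flag. An update is
staged only into the inactive slot, only after the image matches the length
and SHA-256 in the update metadata, and the new slot boots on trial: if it
never reports success, the next boot selects the old, proven slot.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Slot:
    name: str
    image: bytes
    priority: int = 0        # bootloader prefers the highest priority
    tries_left: int = 0      # trial boots allowed for an unproven slot
    successful: bool = False  # set once the OS in this slot boots cleanly


def make_metadata(image: bytes) -> dict:
    """Stand-in for the target entry in signed update metadata (assumed shape)."""
    return {"length": len(image), "sha256": hashlib.sha256(image).hexdigest()}


class ABSystem:
    def __init__(self, image_a: bytes):
        # Slot A holds the currently running, known-good image.
        self.slots = {
            "A": Slot("A", image_a, priority=2, successful=True),
            "B": Slot("B", b""),
        }
        self.active = "A"

    def inactive(self) -> str:
        return "B" if self.active == "A" else "A"

    def stage_update(self, image: bytes, metadata: dict) -> str:
        """Verify the image against metadata, then write it to the inactive slot."""
        if len(image) != metadata["length"]:
            raise ValueError("image length does not match metadata")
        if hashlib.sha256(image).hexdigest() != metadata["sha256"]:
            raise ValueError("image hash does not match metadata")
        target = self.slots[self.inactive()]
        target.image = image
        # Prefer the new slot, but only for one trial boot; it is unproven.
        target.priority = max(s.priority for s in self.slots.values()) + 1
        target.tries_left = 1
        target.successful = False
        return target.name

    def select_boot_slot(self) -> str:
        """Bootloader logic: highest-priority slot that is proven or still has tries."""
        candidates = [s for s in self.slots.values()
                      if s.image and (s.successful or s.tries_left > 0)]
        if not candidates:
            raise RuntimeError("no bootable slot")
        chosen = max(candidates, key=lambda s: s.priority)
        if not chosen.successful:
            chosen.tries_left -= 1  # consume the trial; a crash leaves it at 0
        self.active = chosen.name
        return chosen.name

    def mark_boot_successful(self) -> None:
        """Called by the OS after a clean boot; the slot is now a fallback target."""
        self.slots[self.active].successful = True


# Constructed scenarios; the "images" are placeholder byte strings.
OLD_IMAGE = b"bottlerocket-v1"
NEW_IMAGE = b"bottlerocket-v2"


def demo_successful_update() -> list:
    """New slot boots, reports success, and stays selected on the next boot."""
    sys_ = ABSystem(OLD_IMAGE)
    sys_.stage_update(NEW_IMAGE, make_metadata(NEW_IMAGE))
    first = sys_.select_boot_slot()
    sys_.mark_boot_successful()
    return [first, sys_.select_boot_slot()]


def demo_failed_update() -> list:
    """New slot boots but never reports success; the bootloader falls back."""
    sys_ = ABSystem(OLD_IMAGE)
    sys_.stage_update(NEW_IMAGE, make_metadata(NEW_IMAGE))
    first = sys_.select_boot_slot()  # trial boot of the new slot, which "crashes"
    return [first, sys_.select_boot_slot()]


def demo_tampered_image() -> bool:
    """Same length as the signed target but different bytes: must be rejected."""
    sys_ = ABSystem(OLD_IMAGE)
    try:
        sys_.stage_update(b"bottlerocket-vX", make_metadata(NEW_IMAGE))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(demo_successful_update(), demo_failed_update(), demo_tampered_image())
```

The point of the trial-boot counter is that a bad image can never strand the host: a slot that consumed its one try without reporting success drops out of the candidate set, so the proven slot wins the next selection without any operator action. A real implementation also has to make the priority flip itself atomic (a single attribute write), which this in-memory model glosses over.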
Why open source?
Amazon open-sourced Bottlerocket “because we believe this is a bigger thing that a lot of customers can actually make use of in their own environments,” Ulander said.
The open source model delivers consistency, from developers running test workloads on their laptops, to full data center production deployments, to running on the two managed AWS container services, ECS and EKS.
Because Bottlerocket is based on the latest Linux kernel, partners and customers that want to optimize the OS can contribute to the project. That makes Bottlerocket “a very strong partner play where they want to include and distribute these packages within their own solutions,” Ulander said.
In that sense, it’s similar to what AWS did with Firecracker, the virtualization technology AWS developed and open-sourced to run serverless functions in lightweight virtual machines.
Thompson, of Flux7, noted Bottlerocket is “one of the few Amazon Machine Images developed and provided by AWS that is open source,” which gives partners the flexibility to create custom variants to meet their specific needs.
Even AWS offers different variants that take Bottlerocket and package it with combinations of software and filesystems to meet specific use cases, Thompson said.