[HN Gopher] Bottlerocket - Minimal, immutable Linux OS with veri...
___________________________________________________________________
Bottlerocket - Minimal, immutable Linux OS with verified boot
Author : akyuu
Score  : 122 points
Date   : 2023-09-23 19:44 UTC (3 hours ago)

super_linear wrote:
| Is anyone successfully using this outside of AWS?

kulor wrote:
| Very similar to CoreOS'[1] directive
|
| [1] https://fedoraproject.org/coreos/

  avtar wrote:
  | And Flatcar Linux, derived from CoreOS https://www.flatcar.org/

evrimoztamur wrote:
| This looks very interesting but as other commenters pointed out,
| the path to running it yourself seems to be obscured. Even the
| GitHub page is listed only on the main page.
|
| I found the VMware instructions at
| https://github.com/bottlerocket-os/bottlerocket/blob/develop...

stigz wrote:
| This seems to still be very much an AWS/Amazon project with no
| clear path to becoming its own independent thing. For example,
| you want vulnerability scanning on the OS? Well you can use an
| Amazon product for that, otherwise *shrug* [1]. So I guess as
| long as you plan to run Bottlerocket in AWS, you're fine.
|
| I wish the Bottlerocket team would do 1 of 2 things. Either own
| up that this is just an AWS project, or start to solve for things
| like this and actually be a product that "runs in the cloud or in
| your datacenter" as they suggest on their website.
|
| [1] https://bottlerocket.dev/en/faq/#4_2

  insanitybit wrote:
  | It's not like something is stopping one from doing a vuln scan,
  | right? Like, there's something that SSM's in (or uses the admin
  | container) and then runs the scan. Couldn't you just do the
  | same thing?
  |
  | Genuine questions, I don't know if this is the case or not.

    stigz wrote:
    | That's a good point. And it sounds like it would work to me
    | as well. I don't know the answer either.
    |
    | I guess my point is the project should be providing a clear
    | path that doesn't involve AWS instead of just stopping short.

  xyzzy123 wrote:
  | To be fair, I think "VM" on the OS for Flatcar / BottleRocket /
  | CoreOS is not a requirement in the same way as on RHEL etc.
  |
  | Do you want to know if you are patched? Are you running the
  | latest version? If so, you have all the available patches.
  |
  | I appreciate this can cause difficulties in some regulated
  | domains because there's a "vm" box that needs to be ticked on
  | the compliance worksheet.
  |
  | Most of the reason we need VM on a "traditional" OS is to
  | handle the fact that they have a very broad configuration space
  | and their software composition can be - and often is - pretty
  | arbitrary (incorporating stuff from a ton of sources / vendors
  | and those versions can move independently).
  |
  | But that's not how you're supposed to use a container OS.
  |
  | If you do "extra work" to discover vulnerabilities in "latest",
  | you are not really doing the job of a system owner (whose job
  | is to apply patches from upstream in a timely fashion), you are
  | doing the work of a security researcher.

garganzol wrote:
| Website says that the OS does not have a shell. I cannot imagine
| a useful docker container without at least one shell script
| inside. So, if there is no shell, doesn't it mean that
| Bottlerocket is generally unusable except niche scenarios?

  CGamesPlay wrote:
  | The docker containers can have shell scripts inside. The host
  | machine doesn't have a shell. You can bring a docker container
  | with a shell, and run it privileged, to have a shell on the
  | host machine.

  snowstormsun wrote:
  | It's not uncommon to have docker containers without a shell for
  | security reasons. For example distroless.

katella wrote:
| Verified boot?
  akyuu wrote:
  | It means there is a full trusted boot chain from the TPM to
  | loading the immutable root filesystem:
  | https://github.com/bottlerocket-os/bottlerocket/blob/develop...
  |
  | Regular Linux distributions don't have this, even if Secure
  | Boot is enabled:
  | https://0pointer.net/blog/brave-new-trusted-boot-world.html

sneak wrote:
| Neither "Get Started" nor the FAQ tell me how to run this.

  belter wrote:
  | https://bottlerocket.dev/en/os/1.15.x/install/quickstart/aws...

    sneak wrote:
    | The site should probably say somewhere that this was built
    | for AWS and AWS only.
    |
    | Instead it says:
    |
    | > _Bottlerocket is installed as the base operating system on
    | the machine or instance where your containers themselves are
    | running._
    |
    | > _Bottlerocket runs in the cloud or in your datacenter._

      akyuu wrote:
      | On the GitHub repo (https://github.com/bottlerocket-os/bottlerocket),
      | there are instructions for using it on VMware and bare metal:
      |
      | https://github.com/bottlerocket-os/bottlerocket/blob/develop...
      |
      | https://github.com/bottlerocket-os/bottlerocket/blob/develop...

        jonhohle wrote:
        | On one hand it seems like an ncurses tool to install to a
        | disk seems appropriate. On the other hand, the number of
        | times one of these images would be configured for a
        | company is probably pretty small.
        |
        | I'll have to spend a bit more time, but this seems like a
        | nice option for orgs that want to run on-prem (e.g. not
        | in cloud), and have a low maintenance container host.

deanCommie wrote:
| Great project, but it's been around since 2020:
| https://aws.amazon.com/about-aws/whats-new/2020/08/announcin...

nathias wrote:
| how does this compare to nix?

  stigz wrote:
  | I think Nix's intention is more general purpose OS and tooling.
  | Bottlerocket is about being just enough of an OS to run
  | containers, and that's it.

  flowless wrote:
  | You could use Nix to build (and manage/update) an OS similar to
  | this.
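A simplified model of the measured boot chain akyuu describes in the "Verified boot?" thread above (TPM through to the immutable root filesystem), added here as an example; it is not Bottlerocket's own code. Each stage extends a PCR with the hash of the next component, so a modified root filesystem or a reordered chain produces a final PCR that no longer matches the expected value; the component contents are constructed stand-ins.

```python
"""Simplified measured-boot model (added example; not Bottlerocket code).

Each boot stage measures the next component and extends a TPM PCR:
    PCR_new = SHA256(PCR_old || SHA256(component))
A verifier (or a key sealed to the expected PCR value) accepts the host
only when the final PCR equals the value computed over known-good parts.
"""
import hashlib
import hmac


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: the register is never overwritten, only chained."""
    return sha256(pcr + sha256(component))


def measure_boot(components: list[bytes]) -> bytes:
    """Run the chain from a reset (all-zero) PCR and return the final value."""
    pcr = bytes(32)
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


# Constructed stand-ins for bootloader, kernel and the root hash that the
# immutable root filesystem is verified against (not real Bottlerocket data).
GOOD_CHAIN = [
    b"bootloader: constructed sample",
    b"kernel + verified-boot cmdline: constructed sample",
    b"rootfs root hash: <placeholder>",
]
EXPECTED_PCR = measure_boot(GOOD_CHAIN)


def attest(components: list[bytes], expected: bytes = EXPECTED_PCR) -> bool:
    """The policy check a sealed key or remote verifier would perform."""
    return hmac.compare_digest(measure_boot(components), expected)


def tampered_rootfs_detected() -> bool:
    bad = GOOD_CHAIN[:-1] + [b"rootfs root hash: <modified>"]
    return not attest(bad)


def reordered_chain_detected() -> bool:
    # Same components in a different order: the extend chain is order-sensitive.
    return not attest(list(reversed(GOOD_CHAIN)))
```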
  zsims wrote:
  | Nix has no security guarantees, nor sandboxing primitives. So
  | not really comparable.

    reocha wrote:
    | NixOS supports firejail:
    | https://search.nixos.org/options?channel=23.05&from=0&size=5...

jacurtis wrote:
| Bottlerocket does not offer FIPS mode like most other enterprise
| *nix distributions.
|
| Just to save anybody the trouble who needs FIPS approved
| encryption for host OSes that you use at work for various
| compliance programs. This makes Bottlerocket a non-starter for
| us. A very active issue has been open for over 2 years on this
| and the dev teams don't seem to be convinced that this is
| important. We even communicated with the dev team through our
| dedicated AWS reps and they have no interest in adding this.
|
| Here is the open 2+ year thread on this:
| https://github.com/bottlerocket-os/bottlerocket/issues/1667

  hedora wrote:
  | In my experience, FIPS certification usually requires some
  | changes that undermine security.
  |
  | If you need it, then you need it, but having the certification
  | is a mildly bad sign in my opinion.
  |
  | I'm not the only one with this opinion. For instance, the
  | Microsoft Windows team seems to agree:
  |
  | https://techcommunity.microsoft.com/t5/microsoft-security-ba...

    akyuu wrote:
    | In the GitHub issue, there is a mention of replacing rustls
    | and Go's crypto library with OpenSSL. That seems like a
    | serious security downgrade.

    throwing_away wrote:
    | Having been around a bunch of former-government people and
    | bumping into FIPS myself a few times (like yubikeys) and
    | reading about it, that's also been my sense, but it's nice to
    | see a formal writeup with examples.
    |
    | Thanks for the link.

___________________________________________________________________
(page generated 2023-09-23 23:00 UTC)