[HN Gopher] Bottlerocket - Minimal, immutable Linux OS with veri...
___________________________________________________________________
Bottlerocket - Minimal, immutable Linux OS with verified boot
Author : akyuu
Score : 122 points
Date : 2023-09-23 19:44 UTC (3 hours ago)
| super_linear wrote:
| Is anyone successfully using this outside of AWS?
| kulor wrote:
| Very similar to CoreOS'[1] directive
|
| [1] https://fedoraproject.org/coreos/
| avtar wrote:
| And Flatcar Linux, derived from CoreOS https://www.flatcar.org/
| evrimoztamur wrote:
| This looks very interesting but as other commenters pointed out,
| the path to running it yourself seems to be obscured. Even the
| GitHub page is listed only on the main page.
|
| I found the VMware instructions at
| https://github.com/bottlerocket-os/bottlerocket/blob/develop...
| stigz wrote:
| This seems to still be very much an AWS/Amazon project with no
| clear path to becoming its own independent thing. For example,
| you want vulnerability scanning on the OS? Well you can use an
| Amazon product for that, otherwise *shrug* [1]. So I guess as
| long as you plan to run Bottlerocket in AWS, you're fine.
|
| I wish the Bottlerocket team would do 1 of 2 things. Either own
| up that this is just an AWS project, or start to solve for things
| like this and actually be a product that "runs in the cloud or in
| your datacenter" as they suggest on their website.
|
| [1] https://bottlerocket.dev/en/faq/#4_2
| insanitybit wrote:
| It's not like something is stopping one from doing a vuln scan,
| right? Like, there's something that SSM's in (or uses the admin
| container) and then runs the scan. Couldn't you just do the
| same thing?
|
| Genuine questions, I don't know if this is the case or not.
| stigz wrote:
| That's a good point. And it sounds like it would work to me
| as well. I don't know the answer either.
|
| I guess my point is the project should be providing a clear
| path that doesn't involve AWS instead of just stopping short.
| xyzzy123 wrote:
| To be fair, I think "VM" on the OS for Flatcar / BottleRocket /
| CoreOS is not a requirement in the same way as on RHEL etc.
|
| Do you want to know if you are patched? Are you running the
| latest version? If so, you have all the available patches.
|
| I appreciate this can cause difficulties in some regulated
| domains because there's a "vm" box that needs to be ticked on
| the compliance worksheet.
|
| Most of the reason we need VM on a "traditional" OS is to
| handle the fact that they have a very broad configuration space
| and their software composition can be - and often is - pretty
| arbitrary (incorporating stuff from a ton of sources / vendors
| and those versions can move independently).
|
| But that's not how you're supposed to use a container OS.
|
| If you do "extra work" to discover vulnerabilities in "latest",
| you are not really doing the job of a system owner (whose job
| is to apply patches from upstream in a timely fashion), you are
| doing the work of a security researcher.
| garganzol wrote:
| Website says that the OS does not have a shell. I cannot imagine
| a useful docker container without at least one shell script
| inside. So, if there is no shell, doesn't it mean that
| Bottlerocket is generally unusable except in niche scenarios?
| CGamesPlay wrote:
| The docker containers can have shell scripts inside. The host
| machine doesn't have a shell. You can bring a docker container
| with a shell, and run it privileged, to have a shell on the
| host machine.
| snowstormsun wrote:
| It's not uncommon to have docker containers without a shell for
| security reasons. For example distroless.
| katella wrote:
| Verified boot?
| akyuu wrote:
| It means there is a full trusted boot chain from the TPM to
| loading the immutable root filesystem:
| https://github.com/bottlerocket-os/bottlerocket/blob/develop...
|
| Regular Linux distributions don't have this, even if Secure
| Boot is enabled: https://0pointer.net/blog/brave-new-trusted-boot-world.html
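The mechanism akyuu points at is dm-verity over a read-only root filesystem: every block is hashed, the hashes are hashed into a tree, and only the root hash has to be pinned in the verified boot chain (it travels with the signed kernel/command line). Any block read at runtime is re-hashed and checked up to that root, so a single modified byte is caught the moment it is read. The following is an added illustrative example, not Bottlerocket's or dm-verity's own code; it keeps the shape of the scheme (4 KiB blocks, salted SHA-256, 128 hashes per tree node) but not the exact on-disk format written by veritysetup, and the salt and image contents are constructed for the demo.

```python
"""Illustrative dm-verity-style hash tree over an immutable image.

Added example, not Bottlerocket or dm-verity code. Layout mirrors the idea
(4 KiB blocks, salted SHA-256 leaves, 128 digests per interior node); the
real on-disk superblock/hash-device format used by veritysetup differs.
"""
import hashlib

BLOCK_SIZE = 4096
HASH_LEN = 32                               # SHA-256 digest size
HASHES_PER_NODE = BLOCK_SIZE // HASH_LEN    # 128 digests fill one hash block


def hash_block(data: bytes, salt: bytes) -> bytes:
    """Salted hash of one block (dm-verity hashes salt || data)."""
    return hashlib.sha256(salt + data).digest()


def split_blocks(image: bytes) -> list[bytes]:
    """Cut an image into fixed-size blocks, zero-padding the final one."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if blocks and len(blocks[-1]) < BLOCK_SIZE:
        blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def build_tree(image: bytes, salt: bytes):
    """Return (root_hash, levels); levels[0] holds the leaf hashes.

    Only root_hash needs to be trusted (pinned in the boot chain); the rest
    of the tree may live on untrusted storage, as it does with dm-verity.
    """
    level = [hash_block(b, salt) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        nodes = []
        for i in range(0, len(level), HASHES_PER_NODE):
            node = b"".join(level[i:i + HASHES_PER_NODE]).ljust(BLOCK_SIZE, b"\0")
            nodes.append(hash_block(node, salt))
        level = nodes
        levels.append(level)
    return level[0], levels


def verify_block(image: bytes, index: int, salt: bytes, levels, root_hash: bytes) -> bool:
    """Check one block against the pinned root hash, the way a read is checked.

    The leaf is recomputed from the data actually read; sibling hashes come
    from the (untrusted) stored tree, and the path is re-hashed up to the root.
    A tampered data block or tampered hash block both make the root mismatch.
    """
    blocks = split_blocks(image)
    if index >= len(blocks):
        return False
    current = hash_block(blocks[index], salt)
    pos = index
    for lvl in range(len(levels) - 1):
        start = (pos // HASHES_PER_NODE) * HASHES_PER_NODE
        siblings = list(levels[lvl][start:start + HASHES_PER_NODE])
        siblings[pos - start] = current          # substitute the recomputed hash
        node = b"".join(siblings).ljust(BLOCK_SIZE, b"\0")
        current = hash_block(node, salt)
        pos //= HASHES_PER_NODE
    return current == root_hash


def demo() -> dict:
    """Constructed 10-block image: verify it, then flip one byte in block 3."""
    salt = bytes(range(32))                                  # constructed salt
    image = bytes((i * 31 + 7) % 256 for i in range(BLOCK_SIZE * 9 + 100))
    root, levels = build_tree(image, salt)
    all_ok = all(verify_block(image, i, salt, levels, root) for i in range(len(levels[0])))

    tampered = bytearray(image)
    tampered[BLOCK_SIZE * 3 + 17] ^= 0x01                    # one-bit change
    tampered = bytes(tampered)
    return {
        "root_hash": root.hex(),
        "blocks": len(levels[0]),
        "levels": len(levels),
        "all_blocks_verify": all_ok,
        "tampered_block_detected": not verify_block(tampered, 3, salt, levels, root),
        # dm-verity checks blocks as they are read, so untouched blocks still pass
        "untouched_block_still_verifies": verify_block(tampered, 0, salt, levels, root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes is the one in the comment above: Secure Boot alone only verifies the boot loader and kernel, whereas pinning a root hash like this extends the chain to every block of the root filesystem, and because the check happens per block on read, a tampered image is rejected without the system having to hash the whole disk at boot.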
| sneak wrote:
| Neither "Get Started" nor the FAQ tell me how to run this.
| belter wrote:
| https://bottlerocket.dev/en/os/1.15.x/install/quickstart/aws...
| sneak wrote:
| The site should probably say somewhere that this was built
| for AWS and AWS only.
|
| Instead it says:
|
| > _Bottlerocket is installed as the base operating system on
| the machine or instance where your containers themselves are
| running._
|
| > _Bottlerocket runs in the cloud or in your datacenter._
| akyuu wrote:
| On the GitHub repo (https://github.com/bottlerocket-os/bottlerocket),
| there are instructions for using it on VMware and bare metal:
|
| https://github.com/bottlerocket-os/bottlerocket/blob/develop...
|
| https://github.com/bottlerocket-os/bottlerocket/blob/develop...
| jonhohle wrote:
| On one hand, an ncurses tool to install to a disk seems
| appropriate. On the other hand, the number of
| times one of these images would be configured for a
| company is probably pretty small.
|
| I'll have to spend a bit more time, but this seems like a
| nice option for orgs that want to run on-prem (e.g. not
| in cloud), and have a low maintenance container host.
| deanCommie wrote:
| Great project, but it's been around since 2020:
| https://aws.amazon.com/about-aws/whats-new/2020/08/announcin...
| nathias wrote:
| how does this compare to nix?
| stigz wrote:
| I think Nix's intention is more general purpose OS and tooling.
| Bottlerocket is about being just enough of an OS to run
| containers, and that's it.
| flowless wrote:
| You could use Nix to build (and manage/update) an OS similar to
| this.
| zsims wrote:
| Nix has no security guarantees, nor sandboxing primitives. So
| not really comparable.
| reocha wrote:
| NixOS supports firejail:
| https://search.nixos.org/options?channel=23.05&from=0&size=5...
| jacurtis wrote:
| Bottlerocket does not offer FIPS mode like most other enterprise
| *nix distributions.
|
| Just to save anybody the trouble who needs FIPS approved
| encryption for host OSes that you use at work for various
| compliance programs. This makes Bottlerocket a non-starter for
| us. A very active issue has been open for over 2 years on this
| and the dev teams don't seem to be convinced that this is
| important. We even communicated with the dev team through our
| dedicated AWS reps and they have no interest in adding this.
|
| Here is the open 2+ year thread on this:
| https://github.com/bottlerocket-os/bottlerocket/issues/1667
| hedora wrote:
| In my experience, FIPS certification usually requires some
| changes that undermine security.
|
| If you need it, then you need it, but having the certification
| is a mildly bad sign in my opinion.
|
| I'm not the only one with this opinion. For instance, the
| Microsoft Windows team seems to agree:
|
| https://techcommunity.microsoft.com/t5/microsoft-security-ba...
| akyuu wrote:
| In the GitHub issue, there is a mention of replacing rustls
| and Go's crypto library with OpenSSL. That seems like a
| serious security downgrade.
| throwing_away wrote:
| Having been around a bunch of former-government people and
| bumping into FIPS myself a few times (like yubikeys) and
| reading about it, that's also been my sense, but it's nice to
| see a formal writeup with examples.
|
| Thanks for the link.
___________________________________________________________________
(page generated 2023-09-23 23:00 UTC)