AWS customers can find relevant information about the vulnerability and any customer action required for mitigation in the AWS security bulletin.
Disclosure: I am an AWS employee working on containers
Does AWS use runc/lxc/other popular containers for its compute service’s host environment?
The security bulletin contains all the relevant information about this vulnerability and what customer action is required for mitigation.
Oh, sorry, I was just asking out of curiosity as an aside.
Oh, got it! So I think the challenge is that there isn’t a simple answer to your question. Amazon uses a bunch of different technologies, in different combinations, for different purposes. Some of them we’ve talked about in public, but not everything. And I only know my own little corner of it super well; I don’t feel comfortable speaking about the implementation of the things I don’t work on because I don’t want to be inaccurate or imprecise.
I think some of the interesting ones (from a compute perspective) are the Nitro system architecture that’s used for the newer instance types in EC2 and the new Firecracker VMM used in Lambda and Fargate for function- and container-like workloads (full disclosure: I currently work on firecracker-containerd to bridge container-like workloads into microVMs without the full Fargate system).
For the container services, Amazon ECS and Amazon EKS both use Docker (which uses runc) in the default configurations (running in EC2 instances under your control, so Docker runs inside the AWS hypervisor). The bulletin that I linked above contains information about the patched Docker RPM for Amazon Linux and the patched AMIs for ECS and EKS.
Firecracker looks pretty interesting! I confess that over the last five years or so containerization/virtualization has really exploded in a way that I personally find difficult to keep up with.
It’s great to see the innovation but it’s tough to understand what distinguishes all of these new products from various vendors. I frequently find myself asking “how is this better than X? Does it even obsolete X or is it complementary?”
The fact that these new features are often introduced with those stack/layer diagrams does help a lot, though.