In Container-Optimized OS, the Linux kernel and the root filesystem (rootfs) are configured such that the kernel verifies the integrity of the rootfs during boot. It does so by computing the checksum of the rootfs and comparing it against the approved Container-Optimized OS checksum computed at build time. In case of a mismatch, the kernel panics with an error message indicating that rootfs verification failed. This mechanism prevents attackers from "owning" the machine through permanent local changes.
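The following is an added illustration, not Container-Optimized OS code: a toy version of the build-time root hash and boot-time verification just described. It mirrors the shape of a block-level hash tree (leaf hashes over fixed-size blocks, parents over pairs, a single trusted root), using a constructed 16-byte block size and a constructed in-memory "image" rather than a real 4096-byte-block device. The root hash stands in for the approved checksum computed at build time; a tampered image is detected because the recomputed path for the modified block no longer reaches that root.

```python
import hashlib

BLOCK_SIZE = 16  # constructed toy block size; real dm-verity-style trees use 4096-byte blocks


def _leaf_hash(block: bytes, block_size: int) -> bytes:
    """Hash one data block, zero-padding a short trailing block."""
    return hashlib.sha256(block.ljust(block_size, b"\0")).digest()


def build_hash_tree(image: bytes, block_size: int = BLOCK_SIZE):
    """Build-time step: return (root_hash, levels).

    levels[0] holds the leaf hashes, levels[-1] holds the single root.
    Odd-length levels are padded by duplicating the last node so that
    every node has a sibling (a simplification of real padding schemes).
    """
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    level = [_leaf_hash(b, block_size) for b in blocks]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            break
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return levels[-1][0], levels


def verify_block(image: bytes, index: int, levels, root_hash: bytes,
                 block_size: int = BLOCK_SIZE) -> bool:
    """Boot/read-time step: recompute the path from one block to the root.

    Sibling hashes come from the stored tree (untrusted, like on-disk
    metadata); only root_hash is trusted. A modified block, or a modified
    sibling hash, changes the recomputed root and fails the comparison.
    """
    block = image[index * block_size:(index + 1) * block_size]
    node = _leaf_hash(block, block_size)
    idx = index
    for level in levels[:-1]:           # every level below the root
        sibling = level[idx ^ 1]
        left, right = (node, sibling) if idx % 2 == 0 else (sibling, node)
        node = hashlib.sha256(left + right).digest()
        idx //= 2
    return node == root_hash


def verify_image(image: bytes, levels, root_hash: bytes,
                 block_size: int = BLOCK_SIZE):
    """Return the indices of blocks that fail verification ([] means clean).

    The kernel would panic on the first failure; here we report all of them.
    """
    block_count = (len(image) + block_size - 1) // block_size
    return [i for i in range(block_count)
            if not verify_block(image, i, levels, root_hash, block_size)]


# Constructed sample "rootfs image": 256 bytes = 16 blocks of 16 bytes.
ORIGINAL_IMAGE = bytes(range(256))
ROOT_HASH, HASH_TREE = build_hash_tree(ORIGINAL_IMAGE)   # the build-time checksum

# Constructed tampering: flip one bit at offset 40, which lies in block 2.
TAMPERED_IMAGE = bytearray(ORIGINAL_IMAGE)
TAMPERED_IMAGE[40] ^= 0x01
TAMPERED_IMAGE = bytes(TAMPERED_IMAGE)

if __name__ == "__main__":
    print("root hash:", ROOT_HASH.hex())
    print("original image failing blocks:", verify_image(ORIGINAL_IMAGE, HASH_TREE, ROOT_HASH))
    print("tampered image failing blocks:", verify_image(TAMPERED_IMAGE, HASH_TREE, ROOT_HASH))
```

The point to take from the model is the trust split: the tree itself can live on the same untrusted medium as the data, because any change to a block or to a stored sibling hash is caught as long as the root hash is fixed at build time and delivered through a trusted channel such as a signed kernel command line.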
The root filesystem ("/") is mounted as read-only, with some portions of it re-mounted as writable, as follows:

/var/lib/cloud are all mounted using tmpfs and, while they are writable, their contents are not preserved between reboots.

/home are mounted from a stateful disk partition, which means these locations can be used to store data that persists across reboots. For example, Docker's working directory /var/lib/docker is stateful across reboots.

Among the writable locations, only /var/lib/cloud are mounted as "executable" (i.e. without the noexec mount flag).
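An added example (not part of the original page) of how a practitioner can audit the mount layout described above against an expected policy: root read-only, tmpfs locations treated as non-persistent, and executable (no noexec) writable mounts limited to an explicit allowlist. It parses lines in /proc/mounts format; the sample mount table below is constructed for the example, and the paths in it beyond /, /home, /var/lib/cloud and /var/lib/docker, as well as the allowlist contents, are assumptions rather than the page's statements.

```python
import re
from typing import Dict, List, NamedTuple


class Mount(NamedTuple):
    source: str
    target: str
    fstype: str
    options: frozenset


def _unescape(field: str) -> str:
    """/proc/mounts encodes spaces, tabs, newlines and backslashes as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> Dict[str, Mount]:
    """Parse /proc/mounts-style text into {mount point: Mount}.

    Later entries for the same mount point win, matching the kernel's
    behaviour where the most recent mount on a path is the visible one.
    """
    mounts: Dict[str, Mount] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        source, target, fstype, opts = (_unescape(p) for p in parts[:4])
        mounts[target] = Mount(source, target, fstype, frozenset(opts.split(",")))
    return mounts


def is_read_only(m: Mount) -> bool:
    return "ro" in m.options


def is_persistent(m: Mount) -> bool:
    """tmpfs contents vanish on reboot; anything else is assumed disk-backed."""
    return m.fstype != "tmpfs"


def allows_exec(m: Mount) -> bool:
    return "noexec" not in m.options


def audit(mounts: Dict[str, Mount], exec_allowlist) -> List[str]:
    """Return policy findings (empty list means the table matches the policy)."""
    findings = []
    root = mounts.get("/")
    if root is None:
        findings.append("no root mount present")
    elif not is_read_only(root):
        findings.append("/ is writable; expected read-only rootfs")
    for target, m in sorted(mounts.items()):
        if target != "/" and "rw" in m.options and allows_exec(m) \
                and target not in exec_allowlist:
            findings.append(f"{target} is writable and executable but not allowlisted")
    return findings


# Constructed sample table (not captured from a real instance).
SAMPLE_MOUNTS = """\
/dev/root / ext4 ro,relatime 0 0
tmpfs /var/lib/cloud tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /var/lib/docker ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda1 /mnt/disks/data\\040vol ext4 rw,nosuid,nodev,noexec,relatime 0 0
"""

# Assumed policy for the example: only these writable mounts may be executable.
EXEC_ALLOWLIST = {"/var/lib/cloud", "/var/lib/docker"}

# Constructed drift: someone remounted /home without noexec.
DRIFTED_MOUNTS = SAMPLE_MOUNTS.replace(
    "/dev/sda1 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0",
    "/dev/sda1 /home ext4 rw,nosuid,nodev,relatime 0 0")

if __name__ == "__main__":
    for label, table in (("sample", SAMPLE_MOUNTS), ("drifted", DRIFTED_MOUNTS)):
        print(label, audit(parse_mounts(table), EXEC_ALLOWLIST) or ["OK"])
```

On a live system the same functions can be fed `open("/proc/mounts").read()`; the octal unescaping matters there because a mount point containing a space would otherwise be split into two fields and silently dropped.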
By default, Container-Optimized OS is configured to drop all incoming TCP/UDP connections except SSH on port 22.
By default, Container-Optimized OS does not contain accessible user accounts. New accounts can be added via

You can also add SSH public keys, which will be read by the google-accounts-manager daemon running on Container-Optimized OS

sshd is configured to disallow password authentication, i.e., one should authenticate using SSH public keys. No root logins are allowed through SSH. All users added by
Container-Optimized OS is capable of auto updates. This mechanism can be used to update a fleet of Compute Engine instances.