Container-Optimized OS - Strengthening Container Host Security and Operations with Bottlerocket
Learn how to optimize container hosts with AWS Bottlerocket. Covers the minimal OS design, automatic updates, immutable infrastructure, and integration with ECS/EKS.
The Challenge of Container Host Operating Systems
When using EC2 instances as worker nodes for ECS or EKS, the choice of host OS has a significant impact on security and operations. General-purpose operating systems like Amazon Linux 2 or Ubuntu include many packages unnecessary for running containers (package managers, shells, various utilities), all of which expand the attack surface. OS patching also carries the risk of dependency issues when updating individual packages. Bottlerocket is a Linux-based OS purpose-built for containers, developed by AWS, that fundamentally solves these challenges. It includes only the container runtime (containerd), the Kubernetes kubelet (for EKS) or ECS agent, and minimal system components, thoroughly eliminating unnecessary software.
Security Design and Immutable Infrastructure
Bottlerocket's security design is multi-layered. The root filesystem is mounted read-only, and dm-verity verifies block-level integrity. If tampering is detected, the system refuses to boot. SELinux is enabled by default, restricting container process privileges to the minimum. Since there is no package manager, installing software at runtime is impossible, reducing supply chain attack risk. SSH access is disabled by default, and management is performed via API (through the SSM agent). OS updates use image-based atomic updates that replace the entire OS with a new image. Updates use an A/B partition scheme, and if booting from the new image fails, the system automatically rolls back to the previous version.
Integration with ECS/EKS and Operations
Bottlerocket provides AMIs compatible with both ECS and EKS. For EKS, you can use it simply by selecting Bottlerocket as the AMI type for managed node groups. Karpenter (node autoscaler) also supports specifying Bottlerocket AMIs. For ECS, you launch container instances using the ECS-optimized Bottlerocket AMI. Configuration is done via TOML-formatted user data, specifying Kubernetes cluster information or the ECS cluster name. The Bottlerocket Update Operator (for EKS) automates rolling updates that update the nodes in the cluster one after another. It automatically cycles through draining a node (evicting its Pods), updating it, and rejoining it to the cluster, so the OS is updated without service interruption. Bottlerocket is free to use, and only EC2 instance charges apply.
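As an added example (not taken from the page or from the Bottlerocket project's own documentation), the following is the kind of TOML user data an EKS worker node would be launched with; the cluster name, API endpoint and CA value are placeholders you would replace with the output of `aws eks describe-cluster`, and the settings beyond `[settings.kubernetes]` show the host-hardening choices the text describes (no SSH, API management via SSM, kernel lockdown, staged updates).

```toml
# Bottlerocket user data for an EKS worker node (added example; all values are placeholders).

[settings.kubernetes]
cluster-name = "example-cluster"                                 # assumption: your EKS cluster name
api-server = "https://EXAMPLE0123456789.gr7.us-east-1.eks.amazonaws.com"  # assumption: cluster endpoint
cluster-certificate = "BASE64_ENCODED_CLUSTER_CA_PLACEHOLDER"    # placeholder: certificateAuthority.data

[settings.kubernetes.node-labels]
# Opt the node in to the Bottlerocket Update Operator (assumption: label value matches your operator release).
"bottlerocket.aws/updater-interface-version" = "2.0.0"

[settings.host-containers.admin]
# The admin container is the only way to get a shell (SSH/SSM session) on the host.
# Leaving it disabled is the default; enable it only temporarily for break-glass debugging.
enabled = false

[settings.host-containers.control]
# The control container runs the SSM agent, so the node is managed through the Bottlerocket API
# (apiclient) rather than an interactive login.
enabled = true

[settings.kernel]
# Prevent runtime modification of the kernel, e.g. loading unsigned modules.
lockdown = "integrity"

[settings.updates]
# Keep the staggered update waves instead of applying a new image the moment it is published.
ignore-waves = false
```

For an ECS container instance the `[settings.kubernetes]` table is replaced by `[settings.ecs]` with `cluster = "example-cluster"`; the host-container, kernel and update settings apply to both variants.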
Bottlerocket Pricing
Bottlerocket is free to use. Selecting the Bottlerocket AMI as the OS for your EC2 instances incurs only the same EC2 instance charges as Amazon Linux 2. There are no OS license fees. While Bottlerocket does not provide direct cost savings, the indirect cost benefits include reduced operational effort through automatic security patching and lower incident response costs through a reduced attack surface.
Summary - Guidelines for Using Bottlerocket
Bottlerocket is a minimal Linux OS optimized for container workloads. Its key strengths are the high level of security provided by the immutable filesystem, SELinux, dm-verity, and atomic updates, together with native integration with ECS/EKS. If you are running EC2-based worker nodes on ECS or EKS, migrating from Amazon Linux 2 to Bottlerocket can strengthen security and simplify OS management. If you are using Fargate, host OS management is unnecessary, so Bottlerocket is not needed.