Bottlerocket

A Linux-based OS purpose-built for running containers, delivering security and operational efficiency with a minimal footprint

Overview

Bottlerocket is an open-source, Linux-based operating system developed by AWS and purpose-built for running containers. It leaves out what general-purpose distributions carry but containers do not need, including a package manager, an interactive shell and an SSH server on the host, and most general-purpose libraries, which shrinks the attack surface. With an immutable root filesystem, API-driven configuration management, and an automatic update mechanism, it substantially reduces the operational burden of managing large container clusters.

Immutable Filesystem and Security Model

Bottlerocket's root filesystem is mounted read-only and backed by dm-verity, which checks every block read against a hash tree rooted in the image; blocks that fail verification are not served. This structurally prevents the OS binaries and libraries on disk from being tampered with at runtime, so a container escape cannot leave a persistent modification in the host image. The caveat is that immutability covers the OS image only: a root-level escape can still act on the running kernel and on the writable data partitions (/var and /local), which is why the remaining layers matter. SELinux runs in enforcing mode and cannot be switched off; its mandatory access control confines container processes so that even a process running as root inside a container is denied write access to host OS files. There is no SSH daemon on the host itself. Remote access goes through optional host containers: the control container, enabled by default on the AWS variants, gives you a session through SSM Session Manager, while the admin container, disabled by default, provides SSH and a root shell via sheltie. When debugging is needed, enable the admin container from a control-container session with enable-admin-container and disable it again afterwards. Kernel lockdown in integrity mode refuses unsigned kernel modules and closes other paths by which root in userspace could modify the running kernel. Together these layers satisfy many CIS Benchmark and DISA STIG requirements at the OS level out of the box, and the CIS Benchmark for Bottlerocket can be checked on a node with apiclient report cis. Compared to general-purpose Linux, the far smaller set of installed packages means fewer CVEs apply to the host, reducing both the frequency and the urgency of patching.

API-Driven Configuration Management and Updates

Configuration changes in Bottlerocket are made through an API server rather than by editing configuration files as on traditional Linux. Network settings, DNS, NTP, container runtime parameters, host containers and the rest are expressed as structured data under a settings tree. At launch, user data carries them as TOML; on a running node, apiclient set settings.key=value or apiclient apply file.toml talks to the API over a local Unix socket (raw HTTP against that socket works as well). Every setting is typed and validated against the API's model before it is committed, so a typo fails the call instead of producing a half-configured node, and the files under /etc are rendered from the committed settings, which is why hand edits there do not survive a reboot. OS updates use an A/B partition scheme: apiclient update check reports whether a newer version is available, apiclient update apply writes the new image to the inactive partition set, and apiclient reboot switches to it. If the new set fails to boot, the bootloader falls back to the previous one, so the risk of an update bricking a node is very low. Note that this rollback protects against boot failure, not against a version that boots but misbehaves; controlled, wave-based rollouts and settings.updates.version-lock are the tools for that case. In EKS, the Bottlerocket Update Operator updates nodes one at a time, automating Pod draining and node reboots; on ECS, the Bottlerocket ECS Updater plays the same role. Updates replace the whole image rather than individual packages.

Running on ECS and EKS with Variant Selection

Bottlerocket is provided as variants optimized for each orchestrator. EKS variants such as aws-k8s-1.29 and aws-k8s-1.30 ship kubelet and containerd built in and can be launched as EKS managed node groups or self-managed node groups. The ECS variant aws-ecs-2 ships the ECS agent built in and operates as a container instance in an ECS cluster. The variant is fixed by the AMI chosen at launch and cannot be changed afterwards: in-place updates only move within the same variant, so moving to a newer Kubernetes version means launching nodes from the newer variant's AMI and draining the old ones. When using EKS managed node groups, specify the Bottlerocket AMI in the launch template and put the configuration in user data in TOML format; this differs from Amazon Linux 2's bash bootstrap script. If the launch template carries an explicit AMI ID, you must supply the cluster bootstrap settings (cluster name, API server endpoint, cluster CA) in that TOML yourself, whereas with the EKS-provided Bottlerocket AMI type EKS merges them in for you. NVIDIA driver-embedded variants (aws-k8s-1.30-nvidia, aws-ecs-2-nvidia) are available for GPU workloads. AWS publishes refreshed AMIs regularly, and the latest AMI ID for a given variant and architecture is published in SSM Parameter Store (for example /aws/service/bottlerocket/aws-k8s-1.30/x86_64/latest/image_id), which Terraform or CloudFormation can resolve at deploy time instead of hard-coding an ID.
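Below is an added example of such a user data file, written for this page and not taken from the Bottlerocket project or the original article. It ties together the settings discussed in the previous sections: the Kubernetes bootstrap values, the host-container switches that implement the access model, kernel lockdown, and the update pinning that a controlled rollout with the Update Operator relies on. The cluster name, endpoint, certificate, label and taint values, and the version string are placeholders, not real values.

```toml
# Added example (not from the original article or the Bottlerocket project):
# user data for a node launched from a Bottlerocket aws-k8s-1.30 AMI.
# All quoted values below are placeholders to replace with your own.

[settings.kubernetes]
cluster-name = "example-cluster"                                  # placeholder
api-server = "https://EXAMPLE.gr7.us-east-1.eks.amazonaws.com"    # placeholder
cluster-certificate = "LS0tLS1CRUdJTi4uLg=="                      # placeholder: base64 cluster CA

# Labels and taints are applied when the node registers.
[settings.kubernetes.node-labels]
"workload" = "batch"

[settings.kubernetes.node-taints]
"dedicated" = "batch:NoSchedule"

# Host containers: keep the control container (SSM Session Manager) on,
# keep the admin container (SSH + root shell via sheltie) off until an
# incident actually needs it.
[settings.host-containers.control]
enabled = true

[settings.host-containers.admin]
enabled = false

# Kernel lockdown in integrity mode: unsigned modules are refused and
# userspace root cannot patch the running kernel. Stated explicitly here
# so that the hardening is visible in the launch template.
[settings.kernel]
lockdown = "integrity"

# Updates: pin the OS version so nodes only move when the Update Operator
# (or an operator) advances the lock; "latest" would instead follow AWS's
# rollout waves. The version string is a placeholder.
[settings.updates]
version-lock = "v1.20.0"
ignore-waves = false

# Amazon Time Sync Service, reachable from any EC2 instance.
[settings.ntp]
time-servers = ["169.254.169.123"]
```

Each key is a path under settings. that apiclient get can read and apiclient set can change on a running node, so the same file can be fed to apiclient apply to reconfigure an existing instance without a relaunch. Keep the admin container disabled in user data and turn it on per incident from a control-container session with enable-admin-container, then turn it off again; that keeps SSH off the host by default without losing the ability to debug.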
