Scripts · April 16, 2026 · 1 min read

Bottlerocket — Container-Optimized Linux OS by AWS

A minimal, security-focused Linux distribution built by AWS specifically for running containers. Bottlerocket reduces attack surface with an immutable root filesystem, automatic updates, and API-driven configuration.

Introduction

Bottlerocket is a free, open-source Linux distribution from AWS designed solely for hosting containers. It strips away unnecessary packages, uses an immutable root filesystem, and applies updates atomically — reducing operational burden and improving security for Kubernetes and ECS workloads.

What Bottlerocket Does

  • Provides a minimal OS image purpose-built for container orchestrators (EKS, ECS, VMware)
  • Enforces an immutable root filesystem with dm-verity integrity checking
  • Delivers atomic A/B partition updates that can roll back automatically on failure
  • Exposes all host configuration through a secure API instead of SSH
  • Integrates with AWS Systems Manager for remote management without opening ports

Architecture Overview

Bottlerocket uses a dual-partition (A/B) update scheme where the inactive partition receives updates and becomes active on reboot. The root filesystem is read-only and verified at boot via dm-verity. A separate data partition persists container images and settings. All configuration flows through an API server running on a Unix socket, and an admin container provides optional shell access for debugging.

Self-Hosting & Configuration

  • Build custom variants from source using the Rust-based build system and the tuftool utility for TUF-signed update repositories
  • Configure via user data (TOML format) passed at instance launch for cluster endpoint, certificates, and settings
  • Use the Bottlerocket update operator to orchestrate rolling updates across Kubernetes nodes
  • Enable the admin or control containers for SSH-like debugging when needed
  • Deploy on bare metal or VMware vSphere using the metal or vmware variants
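As an added illustration of the user-data configuration described above (this example is not from the page or from the Bottlerocket project; the API server endpoint, cluster certificate and cluster name are placeholders you replace with your own cluster's values):

```toml
# Added example: Bottlerocket user data (TOML) for a Kubernetes (EKS) node.
# All values below are placeholders, not taken from the original page.

[settings.kubernetes]
# Cluster join parameters; replace with your cluster's endpoint, CA and name.
api-server = "https://EXAMPLE-CLUSTER-ENDPOINT.eks.amazonaws.com"
cluster-certificate = "BASE64-ENCODED-CLUSTER-CA-PLACEHOLDER"
cluster-name = "example-cluster"

[settings.kernel]
# Integrity lockdown blocks unsigned kernel modules and other runtime
# modification of the kernel, even by root; it complements the dm-verity root.
lockdown = "integrity"

[settings.updates]
# Updates come from the TUF-signed repositories; "latest" follows the
# current release, or pin an explicit version to stage rollouts yourself.
version-lock = "latest"

[settings.host-containers.admin]
# The admin container stays off; turn it on only for an interactive
# debugging session. To enable it with an SSH public key, set enabled = true
# and user-data to the base64 encoding of
#   {"ssh":{"authorized-keys":["ssh-ed25519 AAAA... user@host"]}}
enabled = false

[settings.host-containers.control]
# The control container runs the SSM agent, so remote management works
# without opening inbound ports on the node.
enabled = true
```

The same settings can be changed on a running node through the API (for example with the `apiclient set` command inside a host container), but putting them in user data keeps the configuration declarative and reproducible across a node group.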

Key Features

  • Attack surface reduced by 60-80% compared to general-purpose Linux distributions
  • SELinux enforced by default in strict mode for all containers
  • Automated security updates via TUF-signed update repositories
  • Boot time under 10 seconds on modern hardware
  • Supports GPU workloads and custom kernel modules via host containers

Comparison with Similar Tools

  • Amazon Linux 2 — general-purpose with full package manager; Bottlerocket is minimal and immutable
  • Flatcar Container Linux — similar philosophy but Bottlerocket has tighter AWS integration and API-driven config
  • Talos Linux — Kubernetes-only OS with API management; Bottlerocket also supports ECS
  • Ubuntu Core — snap-based immutable OS; Bottlerocket is lighter and container-focused
  • RancherOS — deprecated; Bottlerocket is actively maintained with AWS backing

FAQ

Q: Can I SSH into Bottlerocket? A: Not by default. You can enable the admin container for shell access, or use AWS SSM for remote management.

Q: Does Bottlerocket work outside AWS? A: Yes. There are variants for VMware vSphere, bare metal, and other cloud providers.

Q: How are updates applied? A: Updates download to the inactive partition and activate on reboot. If the new version fails health checks, it rolls back automatically.

Q: Can I install custom packages? A: No. The OS is immutable. Custom software runs either as regular containers or as host containers, which have privileged access to the host.
