Skills · Apr 16, 2026 · 3 min read

Bottlerocket — Container-Optimized Linux OS by AWS

A minimal, security-focused Linux distribution built by AWS specifically for running containers. Bottlerocket reduces attack surface with an immutable root filesystem, automatic updates, and API-driven configuration.

Agent-ready

Agent-ready installation

This asset can be installed after choosing the runtime, reviewing the plan and running the corresponding command.

Native · 98/100 · Policy: allow
Agent surface: Any MCP/CLI agent
Type: Skill
Installation: Single
Trust: Established
Entry: Bottlerocket Overview
Direct install command:
npx -y tokrepo@latest install 4c93666f-39d2-11f1-9bc6-00163e2b0d79 --target codex

Run after confirming the plan with a dry run.

TL;DR
Bottlerocket is AWS's minimal Linux OS for containers with an immutable root filesystem, automatic updates, and API-driven configuration.
§01

What it is

Bottlerocket is a minimal Linux distribution built by AWS specifically for running containers. It reduces the attack surface with an immutable root filesystem, removes unnecessary packages (no shell by default, no package manager), and provides automatic updates with rollback support.

Bottlerocket targets teams running containers on EKS, ECS, or bare metal who want a hardened, low-maintenance host OS. Configuration is done through an API rather than SSH, aligning with infrastructure-as-code practices.

§02

How it saves time or tokens

Traditional container hosts run full Linux distributions (Ubuntu, Amazon Linux) with thousands of packages that need patching. Bottlerocket includes only what containers need, reducing the number of CVEs to track and patch. Automatic updates happen atomically with rollback, eliminating manual OS maintenance.

The API-driven configuration means no SSH sessions, no Ansible playbooks for OS-level settings -- just API calls or user-data at boot.

§03

How to use

  1. Launch Bottlerocket on AWS EKS:

     aws ec2 run-instances \
       --image-id resolve:ssm:/aws/service/bottlerocket/aws-k8s-1.29/x86_64/latest/image_id \
       --instance-type m5.large \
       --key-name my-key \
       --user-data file://config.toml

  2. Configure via TOML user-data:

     [settings.kubernetes]
     cluster-name = "my-cluster"
     api-server = "https://my-eks-endpoint.amazonaws.com"
     cluster-certificate = "base64-cert..."

  3. Nodes join the EKS cluster automatically. No SSH needed for normal operations.
§04

Example

# Open a shell in the admin container
# (debug access, disabled by default; the commands below run from there)
enter-admin-container

apiclient get settings.kubernetes
# Returns cluster configuration

apiclient set settings.ntp.time-servers='["169.254.169.123"]'
# Changes NTP settings via API

# Trigger an update
apiclient update check
apiclient update apply

EKS managed node group with Bottlerocket:

eksctl create nodegroup \
  --cluster my-cluster \
  --node-ami-family Bottlerocket \
  --nodes 3
§06

Common pitfalls

  • Bottlerocket has no shell or package manager by default. If you need to debug, enable the admin container explicitly. This is by design for security.
  • Not all EKS add-ons or DaemonSets work out of the box on Bottlerocket. Test your observability and networking agents before rolling out.
  • Bottlerocket updates are atomic. If an update fails, the system rolls back to the previous version. Monitor update status via the API.
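The three-step procedure in §03 and the admin-container pitfall above, as an added example that is not part of the original page or of Bottlerocket's own tooling: a small Python script that renders the user-data TOML from cluster parameters and audits a user-data file before launch, flagging missing join settings, a non-HTTPS API server and an enabled admin host container. The `settings.kubernetes.*` and `settings.ntp.time-servers` keys are the ones shown on the page; `settings.host-containers.admin.enabled` is the Bottlerocket setting that turns the admin container on. The parser covers only the TOML subset these settings use (table headers, basic strings, booleans, arrays), and the certificate value in the sample is constructed.

```python
"""Build and audit Bottlerocket user-data TOML.

Added example, not Bottlerocket's own tooling. Handles only the TOML subset
used by the settings below: [table] headers, "basic" strings, booleans, arrays.
"""
import json
import re

# Keys a node needs to join the cluster (from the page's How-to section).
JOIN_KEYS = (
    "settings.kubernetes.cluster-name",
    "settings.kubernetes.api-server",
    "settings.kubernetes.cluster-certificate",
)
# Bottlerocket setting that enables the admin (debug shell) host container.
ADMIN_KEY = "settings.host-containers.admin.enabled"

_TABLE = re.compile(r"^\[([A-Za-z0-9_.-]+)\]$")
_KEY_VALUE = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*(.+)$")


def build_user_data(cluster_name, api_server, cluster_certificate,
                    time_servers=None, admin_enabled=False):
    """Render user-data TOML for an EKS node. String values are emitted with
    json.dumps, whose escaping is valid for TOML basic strings."""
    lines = [
        "[settings.kubernetes]",
        f"cluster-name = {json.dumps(cluster_name)}",
        f"api-server = {json.dumps(api_server)}",
        f"cluster-certificate = {json.dumps(cluster_certificate)}",
    ]
    if time_servers:
        lines += ["", "[settings.ntp]",
                  f"time-servers = {json.dumps(list(time_servers))}"]
    if admin_enabled:  # break-glass only: this gives a shell on the node
        lines += ["", "[settings.host-containers.admin]", "enabled = true"]
    return "\n".join(lines) + "\n"


def parse_settings(toml_text):
    """Flatten the TOML subset into {"settings.a.b": value}. Values go through
    json.loads, which accepts "..." strings, true/false, numbers and arrays;
    literal '...' strings and inline tables are rejected with ValueError."""
    settings, table = {}, ""
    for raw in toml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _TABLE.match(line):
            table = m.group(1)
            continue
        m = _KEY_VALUE.match(line)
        if not m:
            raise ValueError(f"unsupported TOML line: {raw!r}")
        key, value = m.groups()
        try:
            settings[f"{table}.{key}" if table else key] = json.loads(value)
        except json.JSONDecodeError as exc:
            raise ValueError(f"unsupported TOML value: {raw!r}") from exc
    return settings


def audit_user_data(toml_text):
    """Return a list of findings; an empty list means the file passed."""
    settings = parse_settings(toml_text)
    findings = []
    for key in JOIN_KEYS:
        if key not in settings:
            findings.append(f"missing {key}: the node cannot join the cluster")
    api_server = settings.get("settings.kubernetes.api-server")
    if isinstance(api_server, str) and not api_server.startswith("https://"):
        findings.append("settings.kubernetes.api-server is not an https:// URL")
    if settings.get(ADMIN_KEY) is True:
        findings.append(f"{ADMIN_KEY} = true: the admin container gives a shell "
                        "on the node; keep it disabled outside break-glass debugging")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the certificate is not a real CA bundle.
    user_data = build_user_data(
        "my-cluster", "https://my-eks-endpoint.amazonaws.com", "QkFTRTY0LWNlcnQ=",
        time_servers=["169.254.169.123"], admin_enabled=True)
    print(user_data)
    for finding in audit_user_data(user_data):
        print("FINDING:", finding)
```

Run the audit against the `config.toml` you pass to `--user-data` in a pre-launch CI step: a non-empty findings list is the signal to stop the rollout, and the admin-container finding is the one to watch for, since an image launched with that setting carries a shell that the "no shell by default" posture assumes is absent.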

FAQ

Is Bottlerocket only for AWS?

Bottlerocket is built by AWS but supports VMware and bare metal deployments in addition to AWS. The EKS variant is most popular, but other variants exist for different environments.

Can I SSH into Bottlerocket?

Not by default. Bottlerocket is designed to be managed via API. An admin container can be enabled for emergency debugging, which provides a shell, but this should not be used for normal operations.

How does Bottlerocket update?

Bottlerocket uses image-based updates. The entire OS partition is replaced atomically, with the previous version kept for rollback. Updates can be triggered via the API or automated through the update operator in Kubernetes.

Is Bottlerocket free?

Yes. Bottlerocket is open-source under Apache 2.0 and MIT licenses. You pay only for the AWS infrastructure (EC2 instances) running it.

How does Bottlerocket compare to Amazon Linux?

Amazon Linux is a general-purpose OS with full package management. Bottlerocket is container-only with a minimal footprint, immutable filesystem, and API-driven configuration. Bottlerocket has fewer CVEs and lower maintenance overhead.
