Bottlerocket — Container-Optimized Linux OS by AWS
A minimal, security-focused Linux distribution built by AWS specifically for running containers. Bottlerocket reduces attack surface with an immutable root filesystem, automatic updates, and API-driven configuration.
What it is
Bottlerocket is a minimal Linux distribution built by AWS specifically for running containers. It reduces the attack surface with an immutable root filesystem, removes unnecessary packages (no shell by default, no package manager), and provides automatic updates with rollback support.
Bottlerocket targets teams running containers on EKS, ECS, or bare metal who want a hardened, low-maintenance host OS. Configuration is done through an API rather than SSH, aligning with infrastructure-as-code practices.
How it saves time or tokens
Traditional container hosts run full Linux distributions (Ubuntu, Amazon Linux) with thousands of packages that need patching. Bottlerocket includes only what containers need, reducing the number of CVEs to track and patch. Automatic updates happen atomically with rollback, eliminating manual OS maintenance.
The API-driven configuration means no SSH sessions, no Ansible playbooks for OS-level settings -- just API calls or user-data at boot.
How to use
- Launch Bottlerocket on AWS EKS:
aws ec2 run-instances \
--image-id resolve:ssm:/aws/service/bottlerocket/aws-k8s-1.29/x86_64/latest/image_id \
--instance-type m5.large \
--key-name my-key \
--user-data file://config.toml
- Configure via TOML user-data:
[settings.kubernetes]
cluster-name = "my-cluster"
api-server = "https://my-eks-endpoint.amazonaws.com"
cluster-certificate = "base64-cert..."
- Nodes join the EKS cluster automatically. No SSH needed for normal operations.
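A fuller user-data file for the launch above, as an added example that is not from this page or the Bottlerocket project: it keeps the admin container (shell access) disabled, leaves the control container enabled so apiclient can still be reached through SSM without SSH, and pins kernel lockdown and update settings. Cluster values are placeholders; the setting names are assumed from Bottlerocket's settings schema.

```toml
# Added example: hardened Bottlerocket user-data (config.toml).
# Cluster values below are placeholders, not real endpoints or certificates.
[settings.kubernetes]
cluster-name = "my-cluster"
api-server = "https://PLACEHOLDER-eks-endpoint.amazonaws.com"
cluster-certificate = "PLACEHOLDER-base64-ca-cert"

# Admin container stays off; enable it explicitly only for a debugging window,
# then set it back to false once the investigation is done.
[settings.host-containers.admin]
enabled = false

# Control container keeps SSM-based access to apiclient without opening SSH.
[settings.host-containers.control]
enabled = true

# Kernel lockdown blocks runtime kernel modification even from root.
[settings.kernel]
lockdown = "integrity"

# Same NTP source as the apiclient example further down the page.
[settings.ntp]
time-servers = ["169.254.169.123"]

# Track the latest release in the update repository and respect the
# staged rollout waves so a bad release does not hit every node at once.
[settings.updates]
version-lock = "latest"
ignore-waves = false
```

The same keys can be changed later on a running host with `apiclient set`, but anything set in user-data is applied at first boot before the node joins the cluster.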
Example
# Inspect and change host settings with apiclient from the admin container
# (debug access, disabled by default; enable it explicitly when needed)
enter-admin-container
apiclient get settings.kubernetes
# Returns the node's Kubernetes cluster configuration
apiclient set settings.ntp.time-servers='["169.254.169.123"]'
# Changes NTP settings through the API; no config file editing on the host
# Trigger an update
apiclient update check
apiclient update apply
EKS managed node group with Bottlerocket:
eksctl create nodegroup \
--cluster my-cluster \
--node-ami-family Bottlerocket \
--nodes 3
Common pitfalls
- Bottlerocket has no shell or package manager by default. If you need to debug, enable the admin container explicitly. This is by design for security.
- Not all EKS add-ons or DaemonSets work out of the box on Bottlerocket. Test your observability and networking agents before rolling out.
- Bottlerocket updates are atomic. If an update fails, the system rolls back to the previous version. Monitor update status via the API.
Frequently asked questions
Bottlerocket is built by AWS but supports VMware and bare metal deployments in addition to AWS. The EKS variant is most popular, but other variants exist for different environments.
Not by default. Bottlerocket is designed to be managed via API. An admin container can be enabled for emergency debugging, which provides a shell, but this should not be used for normal operations.
Bottlerocket uses image-based updates. The entire OS partition is replaced atomically, with the previous version kept for rollback. Updates can be triggered via the API or automated through the update operator in Kubernetes.
Yes. Bottlerocket is open-source under Apache 2.0 and MIT licenses. You pay only for the AWS infrastructure (EC2 instances) running it.
Amazon Linux is a general-purpose OS with full package management. Bottlerocket is container-only with a minimal footprint, immutable filesystem, and API-driven configuration. Bottlerocket has fewer CVEs and lower maintenance overhead.
Sources cited (3)
- Bottlerocket GitHub Repository -- Bottlerocket is a container-optimized Linux by AWS
- AWS Bottlerocket Documentation -- Immutable root filesystem and API-driven configuration
- Bottlerocket Design -- Automatic atomic updates with rollback support