# Bottlerocket — Container-Optimized Linux OS by AWS

> A minimal, security-focused Linux distribution built by AWS specifically for running containers. Bottlerocket reduces attack surface with an immutable root filesystem, automatic updates, and API-driven configuration.

## Quick Use

```bash
# Launch via AWS CLI (EKS-optimized AMI)
aws ec2 run-instances --image-id resolve:ssm:/aws/service/bottlerocket/aws-k8s-1.29/x86_64/latest/image_id --instance-type m5.large

# Or use eksctl with Bottlerocket node groups
eksctl create nodegroup --cluster my-cluster --node-ami-family Bottlerocket
```

## Introduction

Bottlerocket is a free, open-source Linux distribution from AWS designed solely for hosting containers. It strips away unnecessary packages, uses an immutable root filesystem, and applies updates atomically, reducing operational burden and improving security for Kubernetes and ECS workloads.

## What Bottlerocket Does

- Provides a minimal OS image purpose-built for container orchestrators (EKS, ECS, VMware)
- Enforces an immutable root filesystem with dm-verity integrity checking
- Delivers atomic A/B partition updates that can roll back automatically on failure
- Exposes all host configuration through a secure API instead of SSH
- Integrates with AWS Systems Manager for remote management without opening ports

## Architecture Overview

Bottlerocket uses a dual-partition (A/B) update scheme where the inactive partition receives updates and becomes active on reboot. The root filesystem is read-only and verified at boot via dm-verity. A separate data partition persists container images and settings. All configuration flows through an API server running on a Unix socket, and an admin container provides optional shell access for debugging.
## Self-Hosting & Configuration

- Build custom variants from source using the Rust-based build system and `tuftool` for TUF-signed repos
- Configure via user data (TOML format) passed at instance launch for the cluster endpoint, certificates, and settings
- Use the Bottlerocket update operator to orchestrate rolling updates across Kubernetes nodes
- Enable the admin or control containers for SSH-like debugging when needed
- Deploy on bare metal or VMware vSphere using the metal or vmware variants

## Key Features

- Attack surface reduced by 60-80% compared to general-purpose Linux distributions
- SELinux enforced by default in strict mode for all containers
- Automated security updates via TUF-signed update repositories
- Boot time under 10 seconds on modern hardware
- Supports GPU workloads and custom kernel modules via host containers

## Comparison with Similar Tools

- **Amazon Linux 2** — general-purpose with full package manager; Bottlerocket is minimal and immutable
- **Flatcar Container Linux** — similar philosophy, but Bottlerocket has tighter AWS integration and API-driven config
- **Talos Linux** — Kubernetes-only OS with API management; Bottlerocket also supports ECS
- **Ubuntu Core** — snap-based immutable OS; Bottlerocket is lighter and container-focused
- **RancherOS** — deprecated; Bottlerocket is actively maintained with AWS backing

## FAQ

**Q: Can I SSH into Bottlerocket?**

A: Not by default. You enable an admin container for shell access or use AWS SSM for remote management.

**Q: Does Bottlerocket work outside AWS?**

A: Yes. There are variants for VMware vSphere, bare metal, and other cloud providers.

**Q: How are updates applied?**

A: Updates download to the inactive partition and activate on reboot. If the new version fails health checks, it rolls back automatically.

**Q: Can I install custom packages?**

A: No. The OS is immutable. Custom software runs as regular containers, or as host containers, which run with privileged access.
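The TOML user data mentioned under Self-Hosting & Configuration, and the "no SSH by default" answer in the FAQ, come together in the launch step. The script below is an added example, not code from the Bottlerocket project or from this page's author: it renders user data for an EKS node, lints it for the settings that matter before anything is launched (admin container left enabled, plaintext API endpoint, a CA that is not a base64 PEM certificate), and wraps the same `aws ec2 run-instances` call shown in Quick Use. The setting names (`settings.kubernetes.*`, `settings.host-containers.*`, `settings.kernel.lockdown`) are real Bottlerocket settings; the cluster name, endpoint and CA in the demo are constructed placeholders, and `launch_node` is only run when you call it yourself because it needs AWS credentials.

```bash
#!/usr/bin/env bash
# Added example, not code from the Bottlerocket project: render the TOML
# user data an EKS Bottlerocket node reads at launch, lint it for the
# mistakes that matter most, and (optionally) launch with it.
set -euo pipefail

# render_user_data CLUSTER_NAME API_ENDPOINT CA_BASE64
# The setting names are real Bottlerocket settings; the values passed in are
# the caller's. The CA is the base64 blob that
# `aws eks describe-cluster --query cluster.certificateAuthority.data` returns.
render_user_data() {
  local cluster="$1" endpoint="$2" ca_b64="$3"
  cat <<EOF
[settings.kubernetes]
cluster-name = "${cluster}"
api-server = "${endpoint}"
cluster-certificate = "${ca_b64}"

# No shell by default: keep the admin container off and reach the node
# through the control container (SSM) when a session is really needed.
[settings.host-containers.admin]
enabled = false

[settings.host-containers.control]
enabled = true

# Kernel lockdown in "integrity" mode refuses changes to the running kernel
# (unsigned modules, raw memory writes), even from root.
[settings.kernel]
lockdown = "integrity"
EOF
}

# lint_user_data FILE
# Prints one line per problem and returns non-zero if any were found.
lint_user_data() {
  local file="$1" problems=0 ca decoded

  # Every EKS join setting must be present and non-empty.
  for key in cluster-name api-server cluster-certificate; do
    grep -Eq "^${key} = \"[^\"]+\"" "$file" \
      || { echo "missing settings.kubernetes.${key}"; problems=1; }
  done

  # The API server must be reached over TLS.
  grep -Eq '^api-server = "https://' "$file" \
    || { echo "api-server is not an https:// URL"; problems=1; }

  # The admin host container must not be enabled inside its own table.
  if awk '/^\[settings\.host-containers\.admin\]/ {in_admin=1; next}
          /^\[/                                   {in_admin=0}
          in_admin && /^enabled *= *true/         {found=1}
          END {exit !found}' "$file"; then
    echo "settings.host-containers.admin.enabled is true"; problems=1
  fi

  # The cluster certificate must be base64 that decodes to a PEM certificate.
  ca=$(sed -n 's/^cluster-certificate = "\(.*\)"$/\1/p' "$file")
  decoded=$(printf '%s' "$ca" | base64 --decode 2>/dev/null || true)
  case "$decoded" in
    *"BEGIN CERTIFICATE"*) ;;
    *) echo "cluster-certificate does not decode to a PEM certificate"; problems=1 ;;
  esac

  return "$problems"
}

# launch_node USER_DATA_FILE
# The Quick Use launch command plus the user data. Needs AWS credentials,
# so it only runs when called explicitly.
launch_node() {
  aws ec2 run-instances \
    --image-id resolve:ssm:/aws/service/bottlerocket/aws-k8s-1.29/x86_64/latest/image_id \
    --instance-type m5.large \
    --user-data "file://$1"
}

# demo: render with constructed placeholder values and lint the result.
demo() {
  local tmp fake_ca
  tmp=$(mktemp)
  # Constructed stand-in for the cluster CA (not a real certificate).
  fake_ca=$(printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n' | base64 | tr -d '\n')
  render_user_data "demo-cluster" "https://EXAMPLE.gr7.us-west-2.eks.amazonaws.com" "$fake_ca" > "$tmp"
  lint_user_data "$tmp"
  rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then
  demo && echo "user data passed lint"
fi
```

Run `bash bottlerocket-userdata.sh demo` to see the lint pass on the constructed values; in a real pipeline, call `render_user_data` with the values from `aws eks describe-cluster`, `lint_user_data` on the result, and only then `launch_node`. The lint is deliberately text-based so it can run in CI without a TOML parser; the admin-container check walks the file by `[table]` header so that `enabled = true` in the control container's table is not mistaken for the admin one.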
## Sources

- https://github.com/bottlerocket-os/bottlerocket
- https://bottlerocket.dev

---

Source: https://tokrepo.com/en/workflows/4c93666f-39d2-11f1-9bc6-00163e2b0d79
Author: Script Depot