All you need to know about the Bottlerocket Operating System

Introduction
Bottlerocket OS has been promoted by AWS for some time now, and it is the recommended default OS for EKS worker nodes. AWS uses the same OS for ECS as well.
Bottlerocket's design looks extremely promising, but we have yet to see an official benchmark comparison report from AWS or any third party. While the performance benefits are unproven, the design does provide some clear security and maintainability benefits.
Bottlerocket includes only the essential software required to run containers, which keeps the OS lightweight. In this blog we are going to deep dive into the design aspects of Bottlerocket and understand the benefits it provides over traditional operating systems.
No SSH Access
Bottlerocket eliminates SSH access entirely, opting for an API-based administration model instead of traditional SSH-based or command-line management. This significantly reduces the attack surface by removing an entry point that is often exploited in traditional operating systems.
- You interact with Bottlerocket via its API.
- This approach aligns with Infrastructure-as-Code (IaC) practices, ensuring repeatable deployments.
Traditional OS with SSH:
cat /etc/environment
echo "new-value" > /etc/some-config
sudo apt update && sudo apt upgrade
Bottlerocket Equivalent:
apiclient get settings
apiclient set some.config.key=new-value
apiclient update apply
apiclient reboot
Immutability
Bottlerocket uses a read-only root filesystem, so the filesystem cannot be modified directly. This minimizes the risk of accidental changes or malicious tampering. Only specific areas of the filesystem (e.g. /etc) are writable for user configuration, and even these are managed via controlled mechanisms such as the API.
How Updates Work: Updates are delivered as a complete, signed image and applied atomically.
- Bottlerocket uses a dual-partition scheme:
  - Active Partition: the currently running version of Bottlerocket.
  - Inactive Partition: a backup or staging area for the new update.
- During an update:
  - The update is downloaded and written to the inactive partition.
  - On the next reboot, the inactive partition becomes active.
  - If the update fails, Bottlerocket automatically rolls back to the previous version, ensuring stability.
- The entire OS image is replaced during an update.
This design ensures that updates are consistent and minimizes downtime and the risk of a corrupted state.
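To make the update flow concrete, here is an added simulation (not Bottlerocket's own code) of a dual-partition host that only accepts a correctly signed image, writes the whole image into the inactive slot, and keeps running the previous slot if the new one fails to boot. The signing key, image bytes and the boots_ok health flag are constructed for the demo.

```python
# Hypothetical model of an A/B (dual-partition) atomic update with a signature
# check and automatic rollback. Constructed for illustration; not Bottlerocket's updater.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

SIGNING_KEY = b"constructed-demo-signing-key"  # constructed stand-in for real image signing


@dataclass
class Partition:
    version: str
    image: bytes
    boots_ok: bool = True  # simulates whether the image boots and passes health checks


def sign_image(image: bytes) -> str:
    """Publisher side: signature over the whole image (HMAC stands in for real signing)."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).hexdigest()


class DualPartitionHost:
    def __init__(self, version: str, image: bytes) -> None:
        self.slots: Dict[str, Optional[Partition]] = {"A": Partition(version, image), "B": None}
        self.active = "A"
        self.next_to_boot: Optional[str] = None  # slot flagged to boot on the next reboot

    @property
    def inactive(self) -> str:
        return "B" if self.active == "A" else "A"

    def running_version(self) -> str:
        return self.slots[self.active].version

    def stage_update(self, version: str, image: bytes, signature: str, boots_ok: bool = True) -> None:
        """Verify the signed image, then replace the inactive slot only; the running slot is untouched."""
        if not hmac.compare_digest(sign_image(image), signature):
            raise ValueError("update rejected: image signature does not verify")
        self.slots[self.inactive] = Partition(version, image, boots_ok)
        self.next_to_boot = self.inactive

    def reboot(self) -> str:
        """Boot the flagged slot; if it fails, the previous active slot keeps running (rollback)."""
        if self.next_to_boot is not None:
            candidate = self.slots[self.next_to_boot]
            self.next_to_boot = None
            if candidate is not None and candidate.boots_ok:
                self.active = self.inactive  # atomic switch: inactive slot becomes active
        return self.running_version()
```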

Customized Kernel Patches
The Linux kernel in Bottlerocket is specially tuned for container workloads, focusing on performance and resource efficiency.
Specific Optimizations:
- CGroup v2: Provides better resource isolation and hierarchical resource management.
- OverlayFS Enhancements: Improves filesystem performance for container image operations, enabling faster container startups.
- Debugging Interfaces Disabled: Limits kernel-level information exposure to minimize risks.
Why are kernel debugging interfaces disabled?
- To reduce attack vectors.
- Key changes:
  - Removal of /proc/kcore.
  - Kernel messages available to non-root users are limited.
- Benefit: prevents attackers from using debugging tools to gather sensitive kernel-level information.
Conclusion
Bottlerocket is designed to make running containers easier, safer, and more efficient. By ditching SSH, using a read-only system, and tweaking the Linux kernel for containers, it stands out from traditional operating systems. While we don’t have official performance reports yet, the benefits in security and simplicity are clear. If you’re using EKS or ECS, Bottlerocket is definitely worth considering for a smoother container experience.
KubeNine helps you set up your Kubernetes clusters and ensures smooth operations. Reach out to us to discuss more!