FAQ

  1. Access
    1. How do I regain access to a Bottlerocket node after disabling the control and admin containers?
    2. How do I SSH into Bottlerocket?
  2. Kubernetes
    1. How do I perform fault injection with Bottlerocket?
  3. Management
    1. How do I clean up old container images from Bottlerocket?
  4. On-Prem
    1. How do I manage an on-prem Bottlerocket node similar to how I manage a cloud Bottlerocket node?
  5. Security
    1. How do I disable Secure Boot?
    2. How do I scan my cluster for software vulnerabilities?
    3. I heard Bottlerocket is immutable. What does that really mean?
  6. Settings
    1. What language does Bottlerocket use for settings?
  7. Troubleshooting
    1. How do I access logs for bootstrap containers?
  8. Updates
    1. How long do variants receive updates?

Access

How do I regain access to a Bottlerocket node after disabling the control and admin containers?

There is a way to regain access to a Bottlerocket node in such a state. See the Regaining Access documentation for further details.

How do I SSH into Bottlerocket?

Bottlerocket’s control container includes the SSM agent, which lets you open a shell on the host through AWS Systems Manager (SSM). SSM is the preferred way to access a Bottlerocket node.

If SSM does not fit your use case, you can still reach the host over SSH through the admin container.


Kubernetes

How do I perform fault injection with Bottlerocket?

Fault injection testing on a Bottlerocket cluster is no different from testing on a cluster running another operating system. You can use fault injection tools such as those in Istio or Chaos Mesh.

Alternatively, if you are using EKS, you can use AWS Fault Injection Simulator (FIS). In order to use AWS FIS, you need SSM access to the node, which is available through the control container.


Management

How do I clean up old container images from Bottlerocket?

You should not need to clean up container images from Bottlerocket manually; the orchestrator agent handles this automatically.

On Kubernetes variants, kubelet manages container image cleanup. The settings settings.kubernetes.image-gc-high-threshold-percent and settings.kubernetes.image-gc-low-threshold-percent control it: kubelet starts deleting unused images once the image filesystem is fuller than the high threshold and stops once usage falls below the low threshold.

On ECS variants, the ECS Agent manages container image cleanup. The settings settings.ecs.image-cleanup-enabled, settings.ecs.image-cleanup-age, settings.ecs.image-cleanup-delete-per-cycle, and settings.ecs.image-cleanup-wait control whether cleanup runs, how long an image must be unused before it is eligible, how many images are removed per cycle, and how long the agent waits between cycles.

If you do want to clean up images manually, log into the admin container and use ctr’s image commands, with ctr’s socket address pointed at /run/dockershim.sock. For example, on Kubernetes variants, to list all images:

sudo chroot /.bottlerocket/rootfs ctr -n k8s.io image ls

From here you can decide which images to remove manually (ctr’s image rm subcommand deletes an image by reference). Keep in mind that the orchestrator will re-pull any image it still needs.


On-Prem

How do I manage an on-prem Bottlerocket node similar to how I manage a cloud Bottlerocket node?

If you are using the control container, you can manage on-prem Bottlerocket nodes through SSM by passing in your own SSM hybrid activation information (activation ID and activation code) to the control container.

Otherwise, you control which host containers are running and reachable. Host containers have the apiclient binary available, so a custom host container can read and change settings on a Bottlerocket node in much the same way the control container does.


Security

How do I disable Secure Boot?

If you have a specific reason to disable Secure Boot in Bottlerocket, you will need to make infrastructure-level changes which vary by platform.

  • aws-* variants: Re-register the AMI without UEFI metadata.
  • vmware-* variants: configure the virtual machine to disable Secure Boot.

How do I scan my cluster for software vulnerabilities?

Enable the control container and use Amazon Inspector. Inspector scans hosts through the SSM agent, which is included in the control container, so no additional scanning agent needs to be installed on the node.

I heard Bottlerocket is immutable. What does that really mean?

There are both immutable and mutable areas on a Bottlerocket host.

Bottlerocket’s root filesystem is protected by dm-verity: it is mounted read-only, and each block is checked against a hash tree when it is read, so tampering with the root filesystem is detected rather than silently accepted. More details about the immutable filesystem are available in the "Immutable Filesystem" section of the Restricted Filesystem documentation.

On the other hand, the non-root filesystems are writable, and SELinux protects their files at a granular level. The SELinux policy determines which processes may modify which areas of the non-root filesystems. With sufficient privilege, a user can change the SELinux labels of a file or resource, so this protection is a policy boundary rather than a cryptographic one. More details about the mutability of the non-root filesystem are available in the "Mutable Filesystem" section of the Restricted Filesystem documentation.


Settings

What language does Bottlerocket use for settings?

When defining settings in user data, Bottlerocket uses TOML. Some settings have examples available for reference, such as the container image registry settings.
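As an added example (not taken from the Bottlerocket documentation), here is the user-data TOML that sets the image cleanup settings described under "How do I clean up old container images from Bottlerocket?" above, showing the TOML shape that settings take. The threshold, age and interval values are illustrative choices, not Bottlerocket defaults, and only the table matching your variant belongs in a given node's user data.

```toml
# Added example: Bottlerocket user data (TOML) tuning container image cleanup.
# Values below are illustrative assumptions, not Bottlerocket defaults.
# Include only the table for your variant; cluster bootstrap settings
# (cluster name, API server, and so on) are omitted here.

# Kubernetes variants (aws-k8s-*, vmware-k8s-*, metal-k8s-*):
# kubelet begins deleting unused images when the image filesystem is more
# than 80% full and stops once usage is below 70%.
[settings.kubernetes]
image-gc-high-threshold-percent = 80
image-gc-low-threshold-percent = 70

# ECS variants (aws-ecs-*):
# the ECS Agent removes up to 5 images per cycle that have been unused for
# at least 1 hour, and waits 30 minutes between cycles.
[settings.ecs]
image-cleanup-enabled = true
image-cleanup-age = "1h"
image-cleanup-delete-per-cycle = 5
image-cleanup-wait = "30m"
```

The same keys can be changed on a running node with apiclient from a host container (for example, apiclient set settings.kubernetes.image-gc-high-threshold-percent=80); user data only sets them at first boot.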


Troubleshooting

How do I access logs for bootstrap containers?

Bootstrap container output is written to the system journal. You can read the system journal from the admin container as follows:

sudo chroot /.bottlerocket/rootfs journalctl

Updates

How long do variants receive updates?

Each variant has specific dependency constraints (for example, the upstream support window of its Kubernetes release) which dictate how long the variant can reasonably be patched. See the Security Features document in the Bottlerocket GitHub repo for more information.