How do I regain access to a Bottlerocket node after disabling the control and admin containers?
There is a way to regain access to a Bottlerocket node in such a state. See the Regaining Access documentation for further details.
How do I SSH into Bottlerocket?
Bottlerocket’s control container includes the capability for accessing the host through SSM. SSM is the preferred way to access a Bottlerocket node.
If SSM does not work in your use case, there is a way to access the host through SSH by using the admin container.
How do I perform fault injection with Bottlerocket?
How do I clean up old container images from Bottlerocket?
You should not need to manually clean up container images from Bottlerocket; this is handled automatically by the orchestrator agent.
On Kubernetes variants, kubelet manages the container image clean up, and the setting settings.kubernetes.image-gc-low-threshold-percent allows you to control how this clean up occurs.
On ECS variants, the ECS Agent manages the container image clean up, and the setting settings.ecs.image-cleanup-wait allows you to control how this clean up occurs.
If you want to manually clean up images, log into the admin container and use ctr image commands with the address pointed at /run/dockershim.sock. For example, on Kubernetes variants, to list all images:
sudo chroot /.bottlerocket/rootfs ctr -n k8s.io image ls
From here you can decide which images you want to manually remove.
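As an added example (not part of the Bottlerocket documentation), the script below is meant to be run from the admin container on a Kubernetes variant: it reads the kubelet image-GC thresholds through apiclient, sanity-checks them, and then lists the images kubelet has pulled. It assumes the host rootfs is mounted at /.bottlerocket/rootfs and that apiclient is on the PATH, and it reads the companion setting settings.kubernetes.image-gc-high-threshold-percent, which exists in Bottlerocket but is not mentioned above.

```shell
#!/bin/sh
# Added example; assumes the admin container layout (host rootfs under /.bottlerocket/rootfs)
# and the apiclient binary that host containers have available.
ROOTFS=/.bottlerocket/rootfs

# Pull one numeric value out of apiclient's JSON output by key name, using only POSIX
# tools (no jq on the host). Handles both "80" and 80 as the value form.
json_number() {  # $1 = JSON text, $2 = key
    printf '%s' "$1" | tr -d ' \n\t' \
        | sed -n "s/.*\"$2\":\"\{0,1\}\([0-9][0-9]*\)\"\{0,1\}.*/\1/p"
}

# Return 0 when low < high <= 100; otherwise explain on stderr and return 1.
# A low threshold at or above the high one means kubelet cannot reach its GC target.
check_gc_thresholds() {  # $1 = low percent, $2 = high percent
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "image-gc thresholds not present in settings.kubernetes" >&2
        return 1
    fi
    if [ "$1" -ge "$2" ] || [ "$2" -gt 100 ]; then
        echo "unexpected image-gc thresholds: low=$1 high=$2" >&2
        return 1
    fi
    return 0
}

main() {
    settings=$(apiclient get settings.kubernetes)
    low=$(json_number "$settings" image-gc-low-threshold-percent)
    high=$(json_number "$settings" image-gc-high-threshold-percent)
    check_gc_thresholds "$low" "$high" && echo "kubelet image GC: low=${low}% high=${high}%"
    # Same listing as the FAQ command: images in kubelet's containerd namespace.
    sudo chroot "$ROOTFS" ctr -n k8s.io image ls
}

# Only touch the host when asked explicitly, so the functions can be sourced on their own.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh gc-check.sh --run`; a non-zero exit from check_gc_thresholds tells you the thresholds need attention before any manual image removal.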
How do I manage an on-prem Bottlerocket node similar to how I manage a cloud Bottlerocket node?
If you are using the control container, you can use SSM to manage on-prem Bottlerocket nodes by passing in your own activation information for SSM.
Otherwise, you are in control of what host containers you have running and accessible.
Host containers have the apiclient binary available.
This allows you to use custom host containers to manage a Bottlerocket node in a similar fashion to the control container.
How do I disable Secure Boot?
If you have a specific reason to disable Secure Boot in Bottlerocket, you will need to make infrastructure-level changes which vary by platform.
aws-* variants: re-register the AMI without UEFI metadata.
vmware-* variants: configure the virtual machine to disable Secure Boot.
How do I scan my cluster for software vulnerabilities?
You can scan Bottlerocket hosts for vulnerabilities with Amazon Inspector by enabling the control container. Amazon Inspector works via the SSM agent, which is included in the control container.
I heard Bottlerocket is immutable. What does that really mean?
There are both immutable and mutable areas on a Bottlerocket host.
dm-verity is used for Bottlerocket’s root filesystem, meaning it is read-only.
More details about the immutable filesystem are available in the "Immutable Filesystem" section of the Restricted Filesystem documentation.
On the other hand, the non-root filesystem uses SELinux to protect files at a granular level. There are rules and policies which determine the mutability of different areas of the non-root filesystem. With sufficient privilege, a user can modify the SELinux labels of a file or resource. More details about the mutability of the non-root filesystem are available in the "Mutable Filesystem" section of the Restricted Filesystem documentation.
What language does Bottlerocket use for settings?
How do I access logs for bootstrap containers?
Bootstrap container output should be present in the system journal. You can access the system journal from the admin container as follows:
sudo chroot /.bottlerocket/rootfs journalctl
How long do variants receive updates?
Each variant has specific dependency constraints which dictate how long a variant can be reasonably patched. See the Security Features document in the Bottlerocket GitHub repo for more information.