This is the control container for the Bottlerocket operating system. This container runs the AWS SSM Agent that lets you run commands, or start interactive sessions, on Bottlerocket instances in EC2 and hybrid environments.
For more information about the control container, including how to use it and how to replace it or remove it from Bottlerocket, please see the Bottlerocket documentation.
You'll need Docker 20.10 or later for multi-stage build, BuildKit, and chmod on COPY/ADD support.
Then run make!
Starting from v0.5.0, users have the option to pass in their own activation information for SSM. This is for users that want to set up on-premises virtual machines (VMs) in their hybrid environment as managed instances.
Users can add their own activations by populating the control container's user data with a base64-encoded JSON block.
To use hybrid activations for managed instances, generate a JSON structure like this:
{
  "ssm": {
    "activation-id": "foo",
    "activation-code": "bar",
    "region": "us-west-2"
  }
}

Once you've created your JSON, you'll need to base64-encode it and put it in the control host container's user-data setting in your instance user data.
For example:
[settings.host-containers.control]
# ex: echo '{"ssm":{"activation-id":"foo","activation-code":"bar","region":"us-west-2"}}' | base64
user-data = "eyJzc20iOnsiYWN0aXZhdGlvbi1pZCI6ImZvbyIsImFjdGl2YXRpb24tY29kZSI6ImJhciIsInJlZ2lvbiI6InVzLXdlc3QtMiJ9fQo="

This container includes corgid, a binary that collects the Bottlerocket package inventory, converts it to a CycloneDX SBOM, and sends it to the Amazon Inspector API for vulnerability scanning. It runs automatically in the background when the container starts.
To disable Inspector SBOM upload, set upload-sbom to false in the control container's user data:
{
  "inspector": {
    "upload-sbom": false
  }
}

Base64-encode the JSON and set it in your instance user data:
[settings.host-containers.control]
# echo '{"inspector": {"upload-sbom": false}}' | base64
user-data = "eyJpbnNwZWN0b3IiOiB7InVwbG9hZC1zYm9tIjogZmFsc2V9fQ=="

This can be combined with SSM hybrid activation settings in the same JSON object:
{
  "ssm": {
    "activation-id": "foo",
    "activation-code": "bar",
    "region": "us-west-2"
  },
  "inspector": {
    "upload-sbom": false
  }
}
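
The following is an added example, not code from the Bottlerocket project: it builds the base64 user-data value for the SSM activation and Inspector settings described above and checks an existing value before it goes into instance user data. The function names and the validation rules are assumptions drawn from the JSON shown on this page, not the container's own parsing logic.

```python
import base64
import json

def build_user_data(activation=None, upload_sbom=None):
    """Build the base64 user-data value from the two blocks this page shows.

    activation: (activation_id, activation_code, region) tuple, or None.
    upload_sbom: True/False to set inspector.upload-sbom, or None to omit it.
    """
    doc = {}
    if activation is not None:
        act_id, act_code, region = activation
        doc["ssm"] = {"activation-id": act_id,
                      "activation-code": act_code,
                      "region": region}
    if upload_sbom is not None:
        doc["inspector"] = {"upload-sbom": bool(upload_sbom)}
    return base64.b64encode(json.dumps(doc).encode()).decode("ascii")

def check_user_data(value):
    """Return a list of problems found in a base64 user-data value.

    The rules are this example's assumptions, drawn from the JSON shown on
    the page; they are not the container's own validation logic.
    """
    try:
        doc = json.loads(base64.b64decode(value, validate=True))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return [f"not base64-encoded JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    ssm = doc.get("ssm")
    if ssm is not None:
        for key in ("activation-id", "activation-code", "region"):
            if not isinstance(ssm, dict) or not isinstance(ssm.get(key), str) or not ssm[key]:
                problems.append(f"ssm.{key} must be a non-empty string")
    inspector = doc.get("inspector")
    if inspector is not None:
        flag = inspector.get("upload-sbom") if isinstance(inspector, dict) else None
        if not isinstance(flag, bool):
            problems.append("inspector.upload-sbom must be true or false")
    return problems

if __name__ == "__main__":
    value = build_user_data(("foo", "bar", "us-west-2"), upload_sbom=False)
    print("[settings.host-containers.control]")
    print(f'user-data = "{value}"')
    print(check_user_data(value) or "ok")
```

Base64 is an encoding, not encryption, so the activation code stays readable to anyone who can read the instance user data.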