
Container Service for Kubernetes:ContainerOS

Last Updated:Feb 05, 2026

ContainerOS is an official Alibaba Cloud operating system optimized for containerized environments and fully compatible with the Kubernetes ecosystem. Based on Alibaba Cloud Linux 3, ContainerOS provides enhanced security, faster boot speeds, and a minimal set of system services and packages. It includes pre-integrated cloud-native components for immediate use.

Applicability

  • For Node Pools in ACK managed clusters with a cluster version of 1.24 or later that use containerd as the container runtime. For more information, see Create an ACK managed cluster. To upgrade a cluster, see Manually upgrade a cluster.

  • Not supported on GPU nodes or nodes with the Arm architecture.
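As an added example (not code from the original page or from ACK itself), the following Go program encodes these prerequisites as a pre-flight check you can run over Node data before switching a node pool to ContainerOS. It uses the fields a practitioner would pull from each Node object with kubectl get node -o json: status.nodeInfo.kubeletVersion (assumed here to track the cluster version, including the vendor suffix ACK appends), status.nodeInfo.containerRuntimeVersion, status.nodeInfo.architecture, and the nvidia.com/gpu entry in status.capacity, which is assumed to mark a GPU node. The node records in SampleNodes are constructed sample data, not output from a real cluster.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// NodeFacts holds the fields of a Node object that decide whether its node
// pool meets the ContainerOS prerequisites. All are read from the Node's
// status.nodeInfo except GPUs, which is taken from status.capacity.
type NodeFacts struct {
	Name           string
	KubeletVersion string // status.nodeInfo.kubeletVersion, e.g. "v1.28.3-aliyun.1" (assumed to track the cluster version)
	Runtime        string // status.nodeInfo.containerRuntimeVersion, e.g. "containerd://1.6.20"
	Architecture   string // status.nodeInfo.architecture, e.g. "amd64" or "arm64"
	GPUs           int    // status.capacity["nvidia.com/gpu"], 0 when the key is absent (assumed GPU marker)
}

// ParseKubeVersion returns (major, minor) from a kubelet version string,
// tolerating the leading "v" and a vendor suffix such as "-aliyun.1".
func ParseKubeVersion(v string) (int, int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("unparseable Kubernetes version %q", v)
	}
	major, errMajor := strconv.Atoi(parts[0])
	minor, errMinor := strconv.Atoi(parts[1])
	if errMajor != nil || errMinor != nil {
		return 0, 0, fmt.Errorf("unparseable Kubernetes version %q", v)
	}
	return major, minor, nil
}

// CheckNode returns the reasons a node does not satisfy the documented
// prerequisites (1.24 or later, containerd, no GPU, not Arm); an empty
// result means the node is eligible.
func CheckNode(n NodeFacts) []string {
	var reasons []string
	major, minor, err := ParseKubeVersion(n.KubeletVersion)
	switch {
	case err != nil:
		reasons = append(reasons, err.Error())
	case major < 1 || (major == 1 && minor < 24):
		reasons = append(reasons, "cluster version "+n.KubeletVersion+" is older than 1.24; upgrade the cluster first")
	}
	if !strings.HasPrefix(n.Runtime, "containerd://") {
		reasons = append(reasons, "container runtime is "+n.Runtime+", not containerd")
	}
	if strings.HasPrefix(n.Architecture, "arm") {
		reasons = append(reasons, "Arm nodes ("+n.Architecture+") are not supported")
	}
	if n.GPUs > 0 {
		reasons = append(reasons, fmt.Sprintf("GPU node (%d x nvidia.com/gpu) is not supported", n.GPUs))
	}
	return reasons
}

// SampleNodes is constructed test data, not output from a real cluster.
var SampleNodes = []NodeFacts{
	{"cn-hangzhou.i-worker-1", "v1.28.3-aliyun.1", "containerd://1.6.20", "amd64", 0},
	{"cn-hangzhou.i-worker-2", "v1.22.15-aliyun.1", "docker://19.3.15", "amd64", 0},
	{"cn-hangzhou.i-gpu-1", "v1.28.3-aliyun.1", "containerd://1.6.20", "amd64", 2},
	{"cn-hangzhou.i-arm-1", "v1.28.3-aliyun.1", "containerd://1.6.20", "arm64", 0},
}

func main() {
	for _, n := range SampleNodes {
		if reasons := CheckNode(n); len(reasons) == 0 {
			fmt.Printf("%s: eligible for ContainerOS\n", n.Name)
		} else {
			fmt.Printf("%s: NOT eligible: %s\n", n.Name, strings.Join(reasons, "; "))
		}
	}
}
```

The version parser strips the vendor suffix before comparing, so a kubelet reporting v1.24.0-aliyun.1 passes the 1.24 gate while v1.22.x fails it; the runtime check keys on the containerd:// scheme rather than on a version number.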

Introduction to ContainerOS

In containerized deployments, cloud-native components like container runtimes and Kubernetes let you focus on application development without managing low-level infrastructure details. Traditional operating systems are designed for a wide range of use cases and include numerous user-space tools, packages, and services. This results in a bloated system, slow boot times, and significant operational challenges due to the variety and versions of software packages.

ACK designed ContainerOS to address these issues and improve user experience in cloud-native scenarios. ContainerOS is a lightweight, modular operating system that starts and runs containers faster. It also offers enhanced security and requires fewer resources, making it ideal for cloud computing and large-scale deployments.

Features


Streamlined image

Includes only the essential packages and system services required to run Kubernetes pods, and system-wide optimizations significantly reduce boot time. ContainerOS ships with about 210 pre-installed packages, compared with about 600 in traditional operating systems such as Alibaba Cloud Linux 3, Alibaba Cloud Linux 2, and CentOS.

  • Reduced system footprint: ContainerOS reduces the package count by more than 60%, significantly lowering system storage requirements.

  • Fewer vulnerabilities: Fewer packages mean fewer Common Vulnerabilities and Exposures (CVEs), which greatly reduces the system's attack surface.

Additionally, ContainerOS does not include Python and does not allow direct SSH login to the node. Removing these shrinks the attack surface further and lets you focus on developing and running your applications rather than maintaining the underlying operating system.

Quick Launch

Full-stack optimizations significantly improve OS boot speed and reduce node scale-out time within the ACK infrastructure. By simplifying the OS boot process and pre-installing the container images for cluster management components, ContainerOS reduces delays caused by image pulling during node startup. Combined with ACK control plane optimizations, this further accelerates node scale-out.

For example, the following figure shows that for a 1,000-node scale-out, the P90 node readiness time on ContainerOS is only 53 seconds. This provides a significant advantage over CentOS and the optimized Alibaba Cloud Linux 2 custom image.

[Figure: P90 node readiness time for a 1,000-node scale-out, ContainerOS compared with CentOS and the Alibaba Cloud Linux 2 custom image]
Important

The data provided in this example is for reference only. Actual data may vary based on product optimizations. Actual performance depends on your operational environment.

Security hardening

The root file system is read-only. Only the /etc and /var directories are writable, to allow basic system configuration and runtime state. This design follows the immutable infrastructure principle of cloud-native environments: a container that escapes to the host cannot modify the system binaries and libraries under / and /usr, and any tampering is confined to the writable /etc and /var paths, where it is easier to detect and to discard at the next image-level upgrade. Direct user login is prohibited to prevent untraceable operations; for non-routine O&M needs, ContainerOS provides a dedicated administrative container.

Atomic upgrades

Following the cloud-native immutable infrastructure principle, ContainerOS does not include package managers like yum. It supports updates and rollbacks at the OS image level (disk replacement) and limited layered hot upgrades. This ensures that the software versions and system configurations are consistent across all nodes in the cluster.

Advantages


Optimized for container environments

ContainerOS is purpose-built and optimized for container environments, featuring quick launch, security hardening, and an immutable root file system. These features improve performance. They also simplify cluster-wide operations and management, ensuring high consistency across all nodes.

Rapid node scale-out

By integrating ACK control plane optimizations with internal OS enhancements, ContainerOS significantly accelerates node scale-out. Currently, node scale-out accounts for over 90% of the total time for ACK auto scaling. Using ContainerOS dramatically improves the auto scaling experience of Node Pools.

OS maintainability

In coordination with the ACK control plane, ContainerOS supports continuous updates for Kubernetes and other system software, CVE patching, and on-demand image releases, enhancing OS manageability. Compared to the Alibaba Cloud Linux 2 custom image solution, which also uses pre-installed images to speed up node startup, ContainerOS includes official maintenance and CVE patching. This reduces the effort required for custom OS image maintenance, upgrades, and critical issue fixes.

Through joint optimization with ACK, ContainerOS significantly reduces node unavailability caused by operational tasks, ensuring business continuity.

Alibaba Cloud Linux 3 compatibility

The kernel version and most packages in ContainerOS are identical to those in Alibaba Cloud Linux 3. It uses the 5.10 LTS kernel, giving cloud applications recent features from the Linux community.

Security

ContainerOS applies the following design principles to enhance its security.

Operating system security


Minimal execution environment

ContainerOS includes only the packages and system services necessary for containerized environments, totaling about 210 packages. Fewer packages mean fewer CVEs and a reduced attack surface for the OS. Vulnerability-prone packages such as binutils, Python, openssh, and tcpdump have been removed. ContainerOS minimizes script language execution environments and does not support Python, Perl, or Ruby scripts.

O&M for ContainerOS nodes

ContainerOS uses a minimal execution environment and an immutable root file system to enhance security. As a result, the O&M methods for ContainerOS nodes differ from those of standard Linux operating systems. For more information, see O&M for ContainerOS nodes.

Immutable root file system

Package managers like yum are not supported. Only traceable OS changes and rollbacks using rpm-ostree are supported. The root file system / and the core directory /usr (which stores binaries and dynamic libraries) are read-only. The /etc (dynamic configuration) and /var (log records and container images) directories remain writable.

[Figure: ContainerOS file system layout]

Paths, properties, and recommended usage in the file system

Paths: / and /usr
Properties: read-only, executable
Purpose: The root file system / and the /usr directory are mounted as read-only to ensure system integrity and prevent tampering.

Path: /etc
Properties: writable, stateful
Purpose: System configuration files, such as custom systemd service files and personalized software configurations. These files are retained after a system upgrade.

Path: /var
Properties: writable, stateful
Purpose: Directories created by components at runtime, such as /var/run/NetworkManager, and component working directories, such as /var/lib/containerd. The contents of this directory are retained after a system upgrade.

Paths: /home, /mnt, /opt, /root, /usr/local
Properties: writable, stateful
Purpose: These directories are symbolic links into /var. This makes them available during system operation, for example to create new users in /home or to mount additional data disks under /mnt.

Paths: /run, /tmp
Properties: writable, stateless
Purpose: These directories are mounted as tmpfs and store temporary files required by the system. Data in them is cleared on every restart.

Read-only system disk

The system disk is read-only, which protects it from tampering and from attackers persisting on it. Because no writable state can live on the system disk, an additional data disk must be attached for the node to boot and run properly.

User data is stored on the data disk, isolating it from the system disk. The data disk is mounted at /var by default.

This feature is supported only in ContainerOS 3.5.0 and later.
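As an added example that is not part of the original page or of ContainerOS itself, the following Go program audits a mount table against the layout described in this section and in the file system table above: / and /usr read-only, /etc and /var writable, /run and /tmp on tmpfs, and /var served by a block device other than the system disk. It resolves each path to the mount that actually serves it by longest-prefix match, so bind mounts and nested mounts are handled correctly. The mount table it ships with (SampleMounts) is constructed to match the documented layout, not captured from a real node; on a real node you would feed it the host's /proc/mounts, read through the administrative container or a privileged pod. A non-empty result is a useful drift or tamper signal, for example a root file system that has been remounted read-write.

```go
package main

import (
	"fmt"
	"strings"
)

// Mount is one entry of /proc/mounts: device, mount point, fs type, option set.
type Mount struct {
	Device, Point, FSType string
	Options               map[string]bool
}

// ParseMounts parses /proc/mounts-style text ("dev point fstype opts dump pass").
func ParseMounts(table string) []Mount {
	var mounts []Mount
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // blank or malformed line
		}
		opts := map[string]bool{}
		for _, o := range strings.Split(f[3], ",") {
			opts[o] = true
		}
		mounts = append(mounts, Mount{Device: f[0], Point: f[1], FSType: f[2], Options: opts})
	}
	return mounts
}

// mountFor returns the mount whose mount point is the longest prefix of path,
// i.e. the filesystem that actually serves that path (bind mounts included).
func mountFor(mounts []Mount, path string) *Mount {
	var best *Mount
	for i := range mounts {
		m := &mounts[i]
		prefix := strings.TrimSuffix(m.Point, "/") + "/"
		if (path == m.Point || strings.HasPrefix(path, prefix)) &&
			(best == nil || len(m.Point) > len(best.Point)) {
			best = m
		}
	}
	return best
}

// layout is the documented table: each path and what its serving mount must
// be ("ro", "rw", or the filesystem type "tmpfs").
var layout = []struct{ Path, Want string }{
	{"/", "ro"}, {"/usr", "ro"}, {"/etc", "rw"}, {"/var", "rw"},
	{"/run", "tmpfs"}, {"/tmp", "tmpfs"},
}

// AuditLayout compares a mount table with the ContainerOS layout and returns
// one finding per violated expectation; empty means the node still matches.
func AuditLayout(mounts []Mount) []string {
	var findings []string
	for _, e := range layout {
		m := mountFor(mounts, e.Path)
		switch {
		case m == nil:
			findings = append(findings, e.Path+": not served by any mount")
		case e.Want == "tmpfs" && m.FSType != "tmpfs":
			findings = append(findings, fmt.Sprintf("%s: expected tmpfs, got %s", e.Path, m.FSType))
		case e.Want != "tmpfs" && !m.Options[e.Want]:
			findings = append(findings, fmt.Sprintf("%s: expected %s, mounted from %s without it", e.Path, e.Want, m.Device))
		}
	}
	// ContainerOS 3.5.0+ puts /var on a separate data disk, so /var and /
	// must not be served by the same block device.
	root, v := mountFor(mounts, "/"), mountFor(mounts, "/var")
	if root != nil && v != nil && root.Device == v.Device {
		findings = append(findings, "/var: on the system disk "+root.Device+", expected a separate data disk")
	}
	return findings
}

// SampleMounts is a constructed mount table modelled on the layout table
// above; it is not captured from a real ContainerOS node.
const SampleMounts = `/dev/vda3 / ext4 ro,relatime 0 0
/dev/vda3 /usr ext4 ro,relatime 0 0
/dev/vda3 /etc ext4 rw,relatime 0 0
/dev/vdb1 /var ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
`

// On a real node, feed the host's /proc/mounts (read from the administrative
// container or a privileged pod) to ParseMounts instead of SampleMounts.
func main() {
	findings := AuditLayout(ParseMounts(SampleMounts))
	if len(findings) == 0 {
		fmt.Println("mount table matches the documented ContainerOS layout")
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
}
```

Because Go compiles to a static binary, the check can run from a container on the node without any of the interpreters that ContainerOS removes; scheduling it as a periodic job and alerting on findings turns the immutable-layout guarantee into something you verify rather than assume.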

Shell interpreter removal

Shell script interpreters (such as /bin/bash and /bin/sh) are removed from the system, blocking the execution channel for shell scripts and thereby reducing the risk of malicious script attacks.

Bootstrap container

ContainerOS provides a bootstrap container to execute custom user data scripts before the main containers start. The bootstrap container automatically exits after completing its initialization tasks, preventing security risks to the main system or primary application containers.

[Figure: bootstrap container]

Infrastructure security

ContainerOS is built on the distribution framework of Alibaba Cloud Linux, the most widely used OS on Alibaba Cloud and one that is extensively optimized for cloud-native scenarios. Reusing this established pipeline for package building and image delivery gives ContainerOS consistent reliability. Every image also goes through baseline OS testing and ACK integration testing before release.

Billing

ContainerOS is a free image. You can use the ContainerOS image in ACK node pools and receive long-term support from Alibaba Cloud for the operating system at no cost.

However, when you use a ContainerOS image, you are charged for other resources that you use, such as vCPUs, memory, storage, public bandwidth, and snapshots. For more information about the billing of other resources, see Billing overview.

References