Container Service for Kubernetes:ContainerOS overview

Last Updated:Feb 28, 2026

ContainerOS is Alibaba Cloud's official operating system, optimized for container scenarios and fully compatible with the Kubernetes ecosystem. Built on Alibaba Cloud Linux 3, ContainerOS delivers enhanced security, faster boot times, and a streamlined set of system services and packages. It includes cloud-native components by default and works out-of-the-box.

Applicability

  • Use it in node pools of ACK managed clusters running Kubernetes version 1.24 or later with containerd as the container runtime. For more information, see Create an ACK managed cluster. To upgrade your cluster, see Manually upgrade a cluster.

  • Do not use it on Arm architecture nodes.

Introduction to ContainerOS

In containerized deployment scenarios, using cloud-native components such as container runtimes and Kubernetes lets you focus on application development without worrying about underlying infrastructure details. Traditional operating systems include many user-mode tools, packages, and system services to support diverse use cases. This results in bloated systems, slow boot times, and fragmented package versions—posing significant operational challenges.

To address these limitations in cloud-native environments and improve user experience, ACK designed ContainerOS specifically for container workloads. Compared to traditional operating systems, ContainerOS is lighter, more modular, and starts containers faster. It also offers stronger security and lower resource demands, making it ideal for cloud computing and large-scale deployments.

Features

Feature

Description

Minimal image

Includes only the packages and system services required to run Kubernetes pods. Full-system integration optimizations significantly reduce boot time. ContainerOS contains approximately 210 system packages, compared to around 600 in traditional operating systems such as Alibaba Cloud Linux 3, Alibaba Cloud Linux 2, and CentOS.

  • Reduces disk usage: With over 60% fewer packages, ContainerOS uses far less storage space.

  • Reduces CVE vulnerabilities: Fewer packages mean fewer CVEs and a smaller attack surface.

Additionally, ContainerOS ships without Python and does not provide SSH login by default. Routine node maintenance is handled through ACK rather than by logging in to the host, so you can focus on developing and running applications rather than on operating system concerns.

Ultra-fast boot

End-to-end optimizations significantly improve OS boot speed and reduce node scale-out time in ACK. By simplifying the OS boot process and preloading container images required by cluster control components, ContainerOS minimizes delays caused by image pulls during node startup. Combined with ACK control plane optimizations, this further accelerates node provisioning.

As shown in the following chart, the P90 node-ready time for scaling out 1,000 nodes with ContainerOS is only 53 seconds. This represents a clear advantage over CentOS and the Alibaba Cloud Linux 2 custom image optimization approach.

[Chart: P90 node-ready time for a 1,000-node scale-out, ContainerOS compared with CentOS and the Alibaba Cloud Linux 2 custom image approach]

Important

The data in this example are theoretical values. Actual results may vary slightly as the product is optimized. Measure in your own environment for accurate figures.

Security hardening

The root file system is mounted read-only; only the /etc and /var directories are writable, to hold basic system configuration and runtime state. This design follows the immutable infrastructure principle of cloud-native environments and prevents a process that escapes a container from tampering with the host's system binaries and libraries. Because /etc and /var remain writable, they are the paths to watch for persistence after a suspected escape. ContainerOS also blocks direct user logins, which could otherwise lead to untraceable operations; instead, it provides a dedicated administrative container for non-routine maintenance tasks.

Atomic upgrades

Following the cloud-native immutable infrastructure principle, ContainerOS does not include the yum package manager. It supports updates and rollbacks (disk replacement upgrades) at the OS image level, along with limited layered hot upgrades. This ensures consistent software versions and system configurations across all cluster nodes.

Each image undergoes rigorous internal testing before release. Compared to the uncertainty of upgrading individual RPM packages in traditional operating systems, image-level testing and publishing better guarantee post-upgrade system stability.

Benefits

Benefit

Description

Vertical optimization for container workloads

Optimized specifically for container scenarios, ContainerOS features fast boot, security hardening, and an immutable root file system. It improves performance and simplifies cluster-wide operations and management while ensuring high consistency across nodes.

Ultra-fast node scale-out

By combining ACK control plane optimizations with internal OS improvements, ContainerOS significantly accelerates node scale-out. Currently, node provisioning accounts for over 90% of the total time in ACK node autoscaling. Using ContainerOS greatly enhances the autoscaling experience for node pools.

Operational capabilities

Integrated with ACK control, ContainerOS supports continuous updates for Kubernetes and other system software, CVE fixes, and on-demand image releases. Compared to the Alibaba Cloud Linux 2 custom image approach—which also uses preloaded images to speed up node startup—ContainerOS offers official maintenance and CVE coverage. This reduces the burden of maintaining, upgrading, and fixing critical issues in custom OS images.

Additionally, joint optimizations with ACK significantly shorten node downtime caused by maintenance operations, ensuring smooth business continuity.

Alibaba Cloud Linux 3 compatibility

ContainerOS uses the same kernel and most of the same packages as Alibaba Cloud Linux 3, including its 5.10 LTS kernel, so cloud applications get the same recent Linux community features that Alibaba Cloud Linux 3 provides.

Security notes

ContainerOS applies the following design principles to enhance security.

Operating system security

Feature

Description

Minimal execution environment

ContainerOS includes only the packages and system services needed for container workloads, about 210 packages in total. Fewer packages mean fewer applicable CVEs and a smaller attack surface. High-risk packages that are commonly abused after a compromise, such as binutils, Python, openssh, and tcpdump, are not installed. Scripting language support is minimized: no Python, Perl, or Ruby interpreter is present, so scripts in those languages cannot be executed on the host.

ContainerOS node maintenance

ContainerOS uses a minimal execution environment and an immutable root file system to improve security. Maintaining ContainerOS nodes differs from standard Linux systems. For more information, see Maintain ContainerOS nodes.

Immutable root file system

Package managers like yum are not supported. Use rpm-ostree for traceable OS changes and rollbacks. The root file system / and core directory /usr (which stores binaries and dynamic libraries) are read-only. The /etc (dynamic configuration) and /var (log records and container images) directories remain writable.

File system paths, their properties, and recommended usage:

  • / and /usr (read-only, executable): The root file system / and the /usr directory (binaries and shared libraries) are mounted read-only to preserve system integrity and prevent tampering.

  • /etc (writable, stateful): System configuration files, such as custom systemd unit files and per-node software configuration. Retained across system upgrades.

  • /var (writable, stateful): Directories that components create at runtime, such as /var/run/NetworkManager, and component working directories, such as /var/lib/containerd. Retained across system upgrades.

  • /home, /mnt, /opt, /root, /usr/local (writable, stateful): Symbolic links into /var, which keeps them usable at runtime, for example to create users under /home or to mount additional data disks under /mnt.

  • /run, /tmp (writable, stateless): Mounted as tmpfs for the temporary files the system needs; their contents are cleared on every restart.

Read-only system disk

The system disk is mounted read-only so that nothing is written to it, which protects the system image from tampering and denies attackers a place to persist. Because the system still needs writable storage to boot and run, a separate data disk must be attached. User data is stored on the data disk, isolated from the system disk; the data disk is mounted at /var by default.

Supported only in ContainerOS 3.5.0 and later.

Shell interpreter removed

ContainerOS ships without shell interpreters such as /bin/bash and /bin/sh, so shell scripts cannot execute on the host. This removes a common vehicle for malicious scripts that an attacker would otherwise drop and run after gaining a foothold.

Bootstrap container added

A bootstrap container runs the custom user data scripts before the main application containers start and exits automatically once initialization completes. The scripting environment exists only inside that short-lived container, so it poses no ongoing risk to the host system or to application containers.

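The file system layout and the read-only system disk described above are invariants a practitioner will want to verify on a running node rather than take on trust. The following Go program is an added example, not code from this page or from ContainerOS itself: it parses /proc/self/mountinfo, checks each documented path against its expected properties (/ and /usr read-only, /etc and /var writable, /run and /tmp writable tmpfs), and confirms that /var is backed by a different block device than / so user data really sits on the data disk. Go is chosen because a statically linked binary runs on a host that has no shell, Python, or other interpreter, for example from a DaemonSet pod that mounts the host's /proc or from the administrative container. The expectation list encodes only what the table states; everything else (the mountinfo parsing rules from proc(5), the longest-prefix resolution) is general Linux behaviour.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Mount is the subset of a /proc/self/mountinfo record that the checks below use.
type Mount struct {
	Point    string // mount point, with the kernel's octal escapes reversed
	Device   string // major:minor of the backing block device
	FSType   string // "" in an expectation means "any type"
	ReadOnly bool   // per-mount "ro" flag (mountinfo field 6), which is what governs bind mounts
}

// ParseMountInfo parses text in /proc/self/mountinfo format (proc(5)):
// id parent major:minor root mountpoint mountopts [optional fields...] - fstype source superopts
func ParseMountInfo(text string) []Mount {
	unescape := strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`)
	var mounts []Mount
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		sep := -1
		for i := 6; i < len(f); i++ { // the "-" separator can only follow the six fixed fields
			if f[i] == "-" {
				sep = i
				break
			}
		}
		if sep < 0 || sep+1 >= len(f) {
			continue // blank or malformed line
		}
		ro := strings.Contains(","+f[5]+",", ",ro,") // "ro" as a whole option, not as a substring
		mounts = append(mounts, Mount{Point: unescape.Replace(f[4]), Device: f[2], FSType: f[sep+1], ReadOnly: ro})
	}
	return mounts
}

// covering returns the mount a path resolves to: the longest mount point that is a prefix of
// the path; among mounts stacked on the same point, the one listed last (the visible one).
func covering(mounts []Mount, path string) (best Mount, ok bool) {
	for _, m := range mounts {
		if m.Point == "/" || path == m.Point || strings.HasPrefix(path, m.Point+"/") {
			if !ok || len(m.Point) >= len(best.Point) {
				best, ok = m, true
			}
		}
	}
	return best, ok
}

// ContainerOSLayout encodes only what the layout table states: / and /usr read-only, /etc and
// /var writable, /run and /tmp writable tmpfs. Device is irrelevant in an expectation.
var ContainerOSLayout = []Mount{
	{Point: "/", ReadOnly: true}, {Point: "/usr", ReadOnly: true},
	{Point: "/etc"}, {Point: "/var"},
	{Point: "/run", FSType: "tmpfs"}, {Point: "/tmp", FSType: "tmpfs"},
}

// CheckLayout returns one finding per path whose covering mount violates its expectation.
func CheckLayout(mounts, want []Mount) []string {
	var findings []string
	for _, w := range want {
		m, ok := covering(mounts, w.Point)
		switch {
		case !ok:
			findings = append(findings, w.Point+": no covering mount")
		case m.ReadOnly != w.ReadOnly:
			findings = append(findings, fmt.Sprintf("%s: want read-only=%t, mount %s has read-only=%t", w.Point, w.ReadOnly, m.Point, m.ReadOnly))
		case w.FSType != "" && m.FSType != w.FSType:
			findings = append(findings, fmt.Sprintf("%s: want %s, found %s", w.Point, w.FSType, m.FSType))
		}
	}
	return findings
}

// VarOnSeparateDisk reports whether /var is backed by a different block device than / (data disk, not system disk).
func VarOnSeparateDisk(mounts []Mount) bool {
	root, okRoot := covering(mounts, "/")
	v, okVar := covering(mounts, "/var")
	return okRoot && okVar && root.Device != v.Device
}

func main() {
	data, err := os.ReadFile("/proc/self/mountinfo") // live table of the mount namespace we run in
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	mounts := ParseMountInfo(string(data))
	findings := CheckLayout(mounts, ContainerOSLayout)
	if !VarOnSeparateDisk(mounts) {
		findings = append(findings, "/var: not on a separate block device from /")
	}
	if len(findings) > 0 {
		fmt.Println("DRIFT:\n  " + strings.Join(findings, "\n  "))
		os.Exit(1)
	}
	fmt.Println("mount layout matches the documented ContainerOS layout")
}
```

The program reads the mount table of the namespace it runs in, so it must execute in the host mount namespace (or be pointed at the host's /proc/1/mountinfo through a hostPath mount; the parsing and checks are unchanged). A non-zero exit is the signal to feed into monitoring: a writable / or /usr, a non-tmpfs /tmp, or /var sharing the system disk each means the node has drifted from the hardening this page describes.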

Infrastructure security

Alibaba Cloud Linux is Alibaba Cloud's own Linux server distribution and the most widely used operating system on Alibaba Cloud. ContainerOS is built on the Alibaba Cloud Linux package ecosystem, adds extensive cloud-specific optimizations, and draws on Alibaba Cloud Linux's years of experience in package and image delivery. Before release, each image undergoes OS baseline tests and ACK integration testing to verify availability and security.

Billing notes

ContainerOS is a free image. You can use the ContainerOS image in ACK node pools at no cost and receive long-term support from Alibaba Cloud for this operating system.

However, other resources used with ContainerOS—such as vCPUs, memory, storage, public bandwidth, and snapshots—are billed separately. For details on resource billing, see Billing overview.
