ContainerOS is Alibaba Cloud's official operating system, optimized for container scenarios and fully compatible with the Kubernetes ecosystem. Built on Alibaba Cloud Linux 3, ContainerOS delivers enhanced security, faster boot times, and a streamlined set of system services and packages. It includes cloud-native components by default and works out-of-the-box.
Applicability
Use it in node pools of ACK managed clusters running Kubernetes version 1.24 or later with containerd as the container runtime. For more information, see Create an ACK managed cluster. To upgrade your cluster, see Manually upgrade a cluster.
Do not use it on Arm architecture nodes.
Introduction to ContainerOS
In containerized deployment scenarios, using cloud-native components such as container runtimes and Kubernetes lets you focus on application development without worrying about underlying infrastructure details. Traditional operating systems include many user-mode tools, packages, and system services to support diverse use cases. This results in bloated systems, slow boot times, and fragmented package versions—posing significant operational challenges.
To address these limitations in cloud-native environments and improve user experience, ACK designed ContainerOS specifically for container workloads. Compared to traditional operating systems, ContainerOS is lighter, more modular, and starts containers faster. It also offers stronger security and lower resource demands, making it ideal for cloud computing and large-scale deployments.
Features
| Feature | Description |
| --- | --- |
| Minimal image | Includes only the packages and system services required to run Kubernetes pods. Full-system integration optimizations significantly reduce boot time. ContainerOS contains approximately 210 system packages, compared to around 600 in traditional operating systems such as Alibaba Cloud Linux 3, Alibaba Cloud Linux 2, and CentOS. Additionally, ContainerOS does not support Python and does not provide SSH login by default. This lets you focus on developing and running applications without managing operating system concerns. |
| Ultra-fast boot | End-to-end optimizations significantly improve OS boot speed and reduce node scale-out time in ACK. By simplifying the OS boot process and preloading container images required by cluster control components, ContainerOS minimizes delays caused by image pulls during node startup. Combined with ACK control plane optimizations, this further accelerates node provisioning. As shown in the following chart, the P90 node-ready time for scaling out 1,000 nodes with ContainerOS is only 53 seconds. This represents a clear advantage over CentOS and the Alibaba Cloud Linux 2 custom image optimization approach. Important: The data in this example are theoretical values. Actual results may vary slightly due to product optimizations. Refer to your operational environment for accurate measurements. |
| Security hardening | The root file system has read-only permission. Only the /etc and /var directories are writable to support basic system configuration needs. This design aligns with the immutable infrastructure principle in cloud-native environments and prevents container escape attacks from tampering with the host file system. ContainerOS also blocks direct user logins that could lead to untraceable operations. Instead, it provides a dedicated administrative container for non-routine maintenance tasks. |
| Atomic upgrades | Following the cloud-native immutable infrastructure principle, ContainerOS does not include the Each image undergoes rigorous internal testing before release. Compared to the uncertainty of upgrading individual RPM packages in traditional operating systems, image-level testing and publishing better guarantee post-upgrade system stability. |
Benefits
| Benefit | Description |
| --- | --- |
| Vertical optimization for container workloads | Optimized specifically for container scenarios, ContainerOS features fast boot, security hardening, and an immutable root file system. It improves performance and simplifies cluster-wide operations and management while ensuring high consistency across nodes. |
| Ultra-fast node scale-out | By combining ACK control plane optimizations with internal OS improvements, ContainerOS significantly accelerates node scale-out. Currently, node provisioning accounts for over 90% of the total time in ACK node autoscaling. Using ContainerOS greatly enhances the autoscaling experience for node pools. |
| Operational capabilities | Integrated with ACK control, ContainerOS supports continuous updates for Kubernetes and other system software, CVE fixes, and on-demand image releases. Compared to the Alibaba Cloud Linux 2 custom image approach—which also uses preloaded images to speed up node startup—ContainerOS offers official maintenance and CVE coverage. This reduces the burden of maintaining, upgrading, and fixing critical issues in custom OS images. Additionally, joint optimizations with ACK significantly shorten node downtime caused by maintenance operations, ensuring smooth business continuity. |
| Alibaba Cloud Linux 3 compatibility | ContainerOS uses the same kernel version and most packages as Alibaba Cloud Linux 3, including the latest kernel 5.10 LTS. This provides cloud applications with the newest features from the Linux community. |
Security notes
ContainerOS applies the following design principles to enhance security.
Operating system security
| Feature | Description | |
| --- | --- | --- |
| Minimal execution environment | ContainerOS includes only the packages and system services needed for container workloads—about 210 packages total. Fewer packages mean fewer CVEs and a reduced attack surface. High-risk packages such as binutils, Python, openssh, and tcpdump are removed. ContainerOS minimizes scripting language support and does not allow execution of Python, Perl, or Ruby scripts. | |
| ContainerOS node maintenance | ContainerOS uses a minimal execution environment and an immutable root file system to improve security. Maintaining ContainerOS nodes differs from standard Linux systems. For more information, see Maintain ContainerOS nodes. | |
| Immutable root file system | Package managers like yum are not supported. Use rpm-ostree for traceable OS changes and rollbacks. The root file system | |
| Read-only system disk | The system disk is set to read-only mode to prevent data writes, protecting the system from tampering and persistent attacks. To ensure normal system startup and operation, mount a separate data disk. User data is stored on the data disk, isolating it from the system disk. The data disk is mounted to | Supported only in ContainerOS 3.5.0 and later. |
| Shell interpreter removed | The system removes shell script interpreters (such as /bin/bash and /bin/sh), blocking shell script execution and reducing the risk of malicious script attacks. | |
| Bootstrap container added | A Bootstrap container runs custom user data scripts before the main application containers start. It exits automatically after completing initialization tasks, avoiding security risks to the main system or application containers. | |
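The hardening properties in the table above (read-only root with writable /etc and /var, no shell or scripting interpreters) can be verified as a posture check. The following is an added example, not Alibaba Cloud's or ContainerOS's own tooling. Because ContainerOS ships neither Python nor a shell, a check like this would run from the administrative or a debug container with the host mount table visible (the path /proc/1/mounts is an assumption), not on the node itself. The mount table and interpreter paths below are constructed sample data.

```python
"""Audit a node's mount layout and interpreter set against the ContainerOS
hardening model: root mounted read-only, /etc and /var writable, and no
shell or scripting interpreters present. Added example; constructed data."""
import os
from dataclasses import dataclass

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/vda3 / ext4 ro,relatime 0 0
/dev/vda3 /etc ext4 rw,relatime 0 0
/dev/vda3 /var ext4 rw,relatime 0 0
/dev/vdb1 /var/lib/containerd ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

# Interpreters the page says are removed from the image. Paths are assumed
# conventional locations; any that exists on the host is a finding.
REMOVED_INTERPRETERS = (
    "/bin/sh", "/bin/bash", "/usr/bin/python3", "/usr/bin/perl", "/usr/bin/ruby",
)

# Directories the page says remain writable on top of the read-only root.
EXPECTED_WRITABLE = ("/etc", "/var")


@dataclass
class Finding:
    severity: str
    message: str


def parse_mounts(text):
    """Map mountpoint -> set of mount options from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line; skip rather than crash
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def audit_mounts(text):
    """Return findings for a mount table that deviates from the hardening model."""
    mounts = parse_mounts(text)
    findings = []
    root = mounts.get("/")
    if root is None:
        findings.append(Finding("high", "no root mount entry found"))
    elif "ro" not in root:
        # /proc/mounts always lists either ro or rw as the first option
        findings.append(Finding("high", "root file system is mounted read-write"))
    for path in EXPECTED_WRITABLE:
        opts = mounts.get(path)
        if opts is None or "rw" not in opts:
            findings.append(Finding("medium", f"{path} is not a separate writable mount"))
    return findings


def audit_interpreters(existing_paths):
    """existing_paths: paths that exist on the host (e.g. collected with os.path.exists)."""
    present = set(existing_paths)
    return [Finding("high", f"interpreter present: {p}")
            for p in REMOVED_INTERPRETERS if p in present]


def run_host_check(mounts_path="/proc/1/mounts"):
    """Run both audits against the live host; falls back to the sample when
    the mount table is not readable (e.g. when run outside a node)."""
    try:
        with open(mounts_path) as fh:
            mounts_text = fh.read()
    except OSError:
        mounts_text = SAMPLE_MOUNTS
    found = [p for p in REMOVED_INTERPRETERS if os.path.exists(p)]
    return audit_mounts(mounts_text) + audit_interpreters(found)


if __name__ == "__main__":
    for f in run_host_check():
        print(f"[{f.severity}] {f.message}")
```

A clean result is an empty list of findings; a root mounted `rw` or any interpreter path present is reported as high severity, which is the signal a defender would alert on if a node drifts from the image's intended state.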
Infrastructure security
ContainerOS is built on the Alibaba Cloud Linux package ecosystem. Alibaba Cloud Linux is Alibaba Cloud's own Linux server distribution and the most widely used OS on Alibaba Cloud. ContainerOS builds on it with extensive cloud-specific optimizations and leverages years of Alibaba Cloud Linux experience in package and image delivery. Before release, each image undergoes OS baseline tests and ACK integration testing to ensure availability and security.
Billing notes
ContainerOS is a free image. You can use the ContainerOS image in ACK node pools at no cost and receive long-term support from Alibaba Cloud for this operating system.
However, other resources used with ContainerOS—such as vCPUs, memory, storage, public bandwidth, and snapshots—are billed separately. For details on resource billing, see Billing overview.
References
To use ContainerOS as the node pool operating system, see Use ContainerOS.
For ContainerOS image release notes, see ContainerOS image release notes.