MCPcopy Index your code
hub / github.com/bottlerocket-os/bottlerocket-control-container

github.com/bottlerocket-os/bottlerocket-control-container @v0.21.2

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.21.2 ↗ · + Follow
76 symbols 96 edges 8 files 16 documented · 21%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Bottlerocket Control Container

This is the control container for the Bottlerocket operating system. This container runs the AWS SSM Agent that lets you run commands, or start interactive sessions, on Bottlerocket instances in EC2 and hybrid environments.

For more information about the control container, including how to use it and how to replace it or remove it from Bottlerocket, please see the Bottlerocket documentation.

Building the Container Image

You'll need Docker 20.10 or later for multi-stage build, BuildKit, and chmod on COPY/ADD support. Then run make!

Connecting to AWS Systems Manager (SSM)

Starting from v0.5.0, users have the option to pass in their own activation information for SSM. This is for users that want to set up on-premises virtual machines (VMs) in their hybrid environment as managed instances.

Users can add their own activations by populating the control container's user data with a base64-encoded JSON block.

To use hybrid activations for managed instances you will want to generate a JSON-structure like this:

{
  "ssm": {
    "activation-id": "foo",
    "activation-code": "bar",
    "region":"us-west-2"
  }
}

Once you've created your JSON, you'll need to base64-encode it and put it in the control host container's user-data setting in your instance user data.

For example:

[settings.host-containers.control]
# ex: echo '{"ssm":{"activation-id":"foo","activation-code":"bar","region":"us-west-2"}}' | base64
user-data = "eyJzc20iOnsiYWN0aXZhdGlvbi1pZCI6ImZvbyIsImFjdGl2YXRpb24tY29kZSI6ImJhciIsInJlZ2lvbiI6InVzLXdlc3QtMiJ9fQo="

Inspector SBOM Upload (corgid)

This container includes corgid, a binary that collects the Bottlerocket package inventory, converts it to a CycloneDX SBOM, and sends it to the Amazon Inspector API for vulnerability scanning. It runs automatically in the background when the container starts.

Disabling corgid

To disable Inspector SBOM upload, set upload-sbom to false in the control container's user data:

{
  "inspector": {
    "upload-sbom": false
  }
}

Base64-encode the JSON and set it in your instance user data:

[settings.host-containers.control]
# echo '{"inspector": {"upload-sbom": false}}' | base64
user-data = "eyJpbnNwZWN0b3IiOiB7InVwbG9hZC1zYm9tIjogZmFsc2V9fQ=="

This can be combined with SSM hybrid activation settings in the same JSON object:

{
  "ssm": {
    "activation-id": "foo",
    "activation-code": "bar",
    "region": "us-west-2"
  },
  "inspector": {
    "upload-sbom": false
  }
}

Core symbols most depended-on inside this repo

get
called by 7
sources/corgid/src/imds.rs
post
called by 4
sources/corgid/src/sigv4.rs
to_json
called by 2
sources/corgid/src/sbom.rs
inspector_enabled
called by 1
sources/corgid/src/main.rs
build_signed_request
called by 1
sources/corgid/src/sigv4.rs
build_endpoint
called by 1
sources/corgid/src/sigv4.rs
parse
called by 1
sources/corgid/src/sbom.rs
digest
called by 1
sources/corgid/src/sbom.rs

Shape

Class 36
Method 24
Function 12
Enum 4

Languages

Rust100%

Modules by API surface

sources/corgid/src/inspector.rs25 symbols
sources/corgid/src/sbom.rs21 symbols
sources/corgid/src/sigv4.rs6 symbols
sources/corgid/src/metadata.rs6 symbols
sources/corgid/src/main.rs6 symbols
sources/corgid/src/inventory.rs6 symbols
sources/corgid/src/imds.rs5 symbols
sources/corgid/src/error.rs1 symbols

For agents

$ claude mcp add bottlerocket-control-container \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page