What is ContainerOS


A minimal, secure OS built on Alibaba Cloud Linux 3 for fast container boot and node scaling in ACK.

Supported scenarios

Background

Traditional operating systems include far more packages and services than containers need, causing bloated images, slow boot times, and complex maintenance.

ACK designed ContainerOS to address these issues. It is lighter, boots faster, and uses fewer resources than traditional operating systems—ideal for large-scale container deployments.

Features


Image Streamlining

Includes only packages and services needed to run Kubernetes pods, cutting boot time. ContainerOS ships about 210 packages, compared to about 600 in traditional operating systems such as Alibaba Cloud Linux 3 (Alinux 3), Alinux 2, and CentOS.

  • Reduces disk usage: over 60% fewer packages shrink the storage footprint.

  • Reduces CVE exposure: Fewer packages mean fewer known vulnerabilities and a smaller attack surface.

ContainerOS excludes Python and direct SSH login, so you can focus on applications rather than OS management.

Fast boot

End-to-end OS optimizations speed up boot and shorten scale-out time. Simplified boot flow and preloaded management images eliminate pull delays during startup. Combined with ACK control-plane optimizations, node scaling is even faster.

For example, ContainerOS scales 1,000 nodes to readiness in 53 seconds (P90), outperforming CentOS and the Alinux 2 custom image approach.

Important

These values are theoretical and may vary. Test in your environment for accurate results.


Security hardening

The root file system is read-only—only /etc and /var are writable. This immutable design prevents escaped containers from modifying the host. Direct login is blocked; use the administrative container for non-routine O&M.

Atomic upgrades

ContainerOS omits yum and uses image-level updates, rollbacks (disk replacement), and limited hot upgrades. This ensures consistent versions and configurations across all nodes.

Each image undergoes strict testing before release. Unlike individual RPM upgrades, image-level publishing guarantees post-upgrade stability.

Benefits


Vertical optimization for containers

Optimized for container workloads with fast boot, security hardening, and an immutable root file system—boosting performance, simplifying cluster O&M, and ensuring node consistency.

Fast node scaling

ACK control-plane and OS-level optimizations together speed up node scaling. Node scaling accounts for over 90% of total autoscaling time, so ContainerOS significantly improves autoscaling performance.

OS maintainability

With ACK, ContainerOS provides continuous Kubernetes updates, timely CVE fixes, and on-demand image releases. Unlike the Alinux 2 custom image approach, ContainerOS offers official maintenance and CVE coverage, reducing custom OS upkeep.

Joint optimizations with ACK also cut node downtime from O&M tasks.

Alinux 3 compatibility

ContainerOS shares the same kernel and most packages with Alinux 3, shipping kernel 5.10 LTS with the latest Linux community features.

Security notes

ContainerOS hardens security at both the OS and infrastructure levels.

Operating system security


Minimal execution environment

ContainerOS ships only about 210 packages needed for containers, reducing CVEs and attack surface. High-risk packages such as binutils, Python, OpenSSH, and tcpdump are removed, and scripting languages (Perl, Ruby) are unsupported.

ContainerOS node O&M method

Uses a minimal execution environment and immutable root file system for stronger security. O&M methods differ from standard Linux—see O&M ContainerOS nodes.

Immutable root file system

Does not support package managers such as yum. Uses rpm-ostree for traceable OS changes and rollbacks. / and /usr are read-only; /etc (configuration) and /var (logs, container images) are writable.

Paths, properties, and recommended usage in the file system:

  • / and /usr (read-only, executable): the root file system / and the /usr directory are mounted read-only to ensure system integrity and prevent tampering.

  • /etc (writable, stateful): contains system configuration files, such as custom systemd service files and personalized software configurations. These files are retained after a system upgrade.

  • /var (writable, stateful): stores directories created by components at runtime, such as /var/run/NetworkManager, and component working directories, such as /var/lib/containerd. The contents of this directory are retained after a system upgrade.

  • /home, /mnt, /opt, /root, /usr/local (writable, stateful): symbolic links into the /var directory, which keeps them available during system operation, for example for creating new users in /home or mounting other data disks in /mnt.

  • /run, /tmp (writable, stateless): mounted as tmpfs and hold temporary files required by the system. Data in these directories is cleared on restart.


Read-only system disk

The system disk is read-only to protect the OS from tampering and persistent attacks. Attach a separate data disk for normal operation.

User data is stored on the data disk, isolating it from the system disk. By default, the data disk mounts to /var.

Available only in ContainerOS 3.5.0 and later.

Removed shell interpreters

Shell interpreters such as /bin/bash and /bin/sh are removed, which blocks shell script execution and reduces the risk of malicious script attacks.

New Bootstrap container

The Bootstrap container runs User Data scripts before the main container starts and exits automatically after initialization—avoiding security risks to the host or application containers.


Infrastructure security

Built on Alinux—Alibaba Cloud’s most widely used OS—ContainerOS inherits years of packaging and image delivery experience with cloud-native optimizations. Each release undergoes OS baseline and ACK integration testing.

Billing

ContainerOS is a free image, available in ACK node pools at no cost with long-term support from Alibaba Cloud.

However, other resources used with ContainerOS—such as vCPUs, memory, storage, public bandwidth, and snapshots—are billed separately. See Billing overview.
