{"id":18497134,"url":"https://github.com/bottlerocket-os/bottlerocket-admin-container","last_synced_at":"2026-01-18T01:10:53.557Z","repository":{"id":38424691,"uuid":"240619493","full_name":"bottlerocket-os/bottlerocket-admin-container","owner":"bottlerocket-os","description":"A container for admin access to Bottlerocket","archived":false,"fork":false,"pushed_at":"2026-01-15T00:21:47.000Z","size":144,"stargazers_count":63,"open_issues_count":9,"forks_count":45,"subscribers_count":25,"default_branch":"develop","last_synced_at":"2026-01-15T07:37:11.850Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bottlerocket-os.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE-APACHE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":"COPYRIGHT","agents":null,"dco":null,"cla":null}},"created_at":"2020-02-15T00:02:02.000Z","updated_at":"2026-01-13T21:57:24.000Z","dependencies_parsed_at":"2023-02-14T02:01:43.819Z","dependency_job_id":"e7c75c3c-b528-4972-bf1f-0ae92dd20b1a","html_url":"https://github.com/bottlerocket-os/bottlerocket-admin-container","commit_stats":null,"previous_names":[],"tags_count":46,"template":false,"template_full_name":"amazon-archives/__template_Custom","purl":"pkg:github/bottlerocket-os/bottlerocket-admin-container","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bottlerocket-os%2Fbottlerocket-admin-container","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/bottlerocket-os%2Fbottlerocket-admin-container/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bottlerocket-os%2Fbottlerocket-admin-container/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bottlerocket-os%2Fbottlerocket-admin-container/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bottlerocket-os","download_url":"https://codeload.github.com/bottlerocket-os/bottlerocket-admin-container/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bottlerocket-os%2Fbottlerocket-admin-container/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28525686,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T00:39:45.795Z","status":"ssl_error","status_checked_at":"2026-01-18T00:39:39.467Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T13:33:35.142Z","updated_at":"2026-01-18T01:10:53.548Z","avatar_url":"https://github.com/bottlerocket-os.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Bottlerocket Admin Container\n\nThis is the admin container for troubleshooting the [Bottlerocket](https://github.com/bottlerocket-os/bottlerocket) operating system.\nIt runs 
outside of Bottlerocket's container orchestrator in a separate instance of `containerd`.\nThe container hosts an SSH server to allow public key SSH access, as well as `agetty` services for serial console devices to allow console access.\nYou can also connect to the admin container via the control container by running `enter-admin-container`.\nUnless otherwise specified through user-data, the default user is **ec2-user**.\n\nThe admin container is disabled by default in Bottlerocket.\nFor more information about how the admin container fits into the Bottlerocket operating system, please see the [Bottlerocket documentation](https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#admin-container).\n\n## Building the Container Image\n\nYou'll need Docker 20.10 or later for multi-stage build, BuildKit, and chmod on COPY/ADD support.\nThen run `make`!\n\n## Authenticating with the Admin Container\n\nStarting from v0.6.0, users have the option to pass in their own SSH keys rather than the admin container relying on the AWS instance metadata service (IMDS).\n\nUsers can add their own keys by populating the admin container's user-data with a base64-encoded JSON block.\nIf user-data is populated then Bottlerocket will not fetch from IMDS at all, but if user-data is not set then Bottlerocket will continue to use the keys from IMDS.\n\nTo use custom public keys for `.ssh/authorized_keys` and/or custom CA keys for `/etc/ssh/trusted_user_ca_keys.pub` you will want to generate a JSON structure like this:\n\n```json\n{\n  \"ssh\": {\n    \"authorized-keys\": [\n      \"ssh-rsa EXAMPLEAUTHORIZEDPUBLICKEYHERE my-key-pair\"\n    ],\n    \"trusted-user-ca-keys\": [\n      \"ssh-rsa EXAMPLETRUSTEDCAPUBLICKEYHERE authority@ssh-ca.example.com\"\n    ]\n  }\n}\n```\n\nIf you want to access the admin container using [EC2 Instance Connect](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html), set `authorized-keys-command` and 
`authorized-keys-command-user` as follows:\n\n```json\n{\n  \"ssh\": {\n    \"authorized-keys-command\": \"/opt/aws/bin/eic_run_authorized_keys %u %f\",\n    \"authorized-keys-command-user\": \"ec2-instance-connect\"\n  }\n}\n```\n\nTo change allowed SSH ciphers to a specific set, you can add a ciphers section:\n\n```json\n{\n  \"ssh\": {\n    \"authorized-keys...\",\n    \"ciphers\": [\n        \"chacha20-poly1305@openssh.com\",\n        \"aes128-ctr\",\n        \"aes192-ctr\",\n        \"aes256-ctr\",\n        \"aes128-gcm@openssh.com\",\n        \"aes256-gcm@openssh.com\"\n    ]\n  }\n}\n```\n\nTo change allowed key exchange algorithms to a specific set, you can add a\n`key-exchange-algorithms` section:\n\n```json\n{\n  \"ssh\": {\n    \"authorized-keys...\",\n    \"key-exchange-algorithms\": [\n        \"curve25519-sha256\",\n        \"curve25519-sha256@libssh.org\",\n        \"ecdh-sha2-nistp256\",\n        \"ecdh-sha2-nistp384\",\n        \"ecdh-sha2-nistp521\",\n        \"diffie-hellman-group-exchange-sha256\"\n    ]\n  }\n}\n```\n\nTo change allowed MACs to a specific set, you can add a `macs` section:\n\n```json\n{\n  \"ssh\": {\n    \"authorized-keys...\",\n    \"macs\": [\n      \"hmac-sha2-256\",\n      \"hmac-sha2-512\",\n      \"umac-64@openssh.com\",\n      \"umac-128@openssh.com\",\n      \"hmac-sha2-256-etm@openssh.com\",\n      \"hmac-sha2-512-etm@openssh.com\",\n      \"hmac-md5-etm@openssh.com\",\n      \"hmac-md5-96-etm@openssh.com\",\n      \"umac-64-etm@openssh.com\",\n      \"umac-128-etm@openssh.com\"\n    ]\n  }\n}\n```\n\nTo change the port that the admin container SSH daemon is running on (default is 22), you can add a `port` section:\n\n```json\n{\n  \"ssh\": {\n    \"authorized-keys...\",\n    \"port\": 1234\n  }\n}\n```\n\nYou can also tweak ciphers, key exchange algorithms and MACs in the following way (see https://man.openbsd.org/sshd_config for details):\n- If the specified list begins with a ‘+’ character, then the specified entries will 
be appended to the default set instead of replacing them. If the specified list begins with a ‘-’ character, then the specified entries (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ‘^’ character, then the specified entries will be placed at the head of the default set.\n\nBy default, the admin container's local user will be `ec2-user`. If you would like to change this, you can set the user value like so:\n\n```json\n{\n  \"user\": \"bottlerocket\",\n  \"ssh\": {\n    \"authorized-keys...\",\n  }\n}\n```\n\nFor logging in via serial console, you can specify a password for the primary user like so:\n\n```json\n{\n  \"user\": \"bottlerocket\",\n  \"password-hash\": \"$y$jFT$NER...\",\n  \"ssh\": {\n    \"authorized-keys...\",\n  }\n}\n```\n\nWhere the password-hash can be generated from:\n\n```bash\nmkpasswd -m yescrypt -R 11 \u003cdesired password\u003e\n```\n\nOnce you've created your JSON, you'll need to base64-encode it and set it as the value of the admin host container's user-data setting in your [instance user data toml](https://github.com/bottlerocket-os/bottlerocket#using-user-data).\n\n```toml\n[settings.host-containers.admin]\n# ex: echo '{\"ssh\":{\"authorized-keys\":[]}}' | base64\nuser-data = \"eyJzc2giOnsiYXV0aG9yaXplZC1rZXlzIjpbXX19Cg==\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbottlerocket-os%2Fbottlerocket-admin-container","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbottlerocket-os%2Fbottlerocket-admin-container","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbottlerocket-os%2Fbottlerocket-admin-container/lists"}