Amazon
Bottlerocket (incidentally, that is also the name of a small homemade gunpowder rocket) is not the first OS for containers, but it may well become widespread thanks to its default integration with AWS services. Although the system is aimed at Amazon's cloud, the open source code lets you build it anywhere: on-premises on your own server, on a Raspberry Pi, in any competing cloud, and even in an environment without containers.
It is a fully worthy replacement for the CoreOS distribution that Red Hat buried.
Strictly speaking, Amazon Web Services already had Amazon Linux, which recently came out in its second version: a general-purpose distribution that can be run in a Docker container or under the Linux KVM, Microsoft Hyper-V and VMware ESXi hypervisors. It is optimized to run in the AWS cloud, but with the release of Bottlerocket everyone is encouraged to move to the new system, which is more secure, more modern and uses fewer resources.
AWS announces Bottlerocket
Extreme minimalism
Linux has been stripped of everything that is not needed to run containers. According to the company, this design reduces the attack surface.
That means fewer packages are installed on the base system, which makes maintaining and updating the OS easier, reduces the chance of dependency problems and lowers resource usage. Essentially, everything here runs in separate containers, and the underlying system is almost empty.
Amazon has also removed all shells and interpreters, eliminating the risk of their being used for accidental or deliberate privilege escalation. For safety, the base image includes no command shell, no SSH server and no interpreted languages such as Python. Administration tools are placed in a separate container, which is disabled by default.
The system is managed in two ways: through the API and through the orchestrator.
Instead of a package manager that updates individual pieces of software, Bottlerocket downloads a complete filesystem image and reboots into it. If the boot fails, it rolls back automatically, and an application failure can trigger a manual rollback (a command issued through the API).
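The image-based update and rollback described above, as an added example that is not Bottlerocket's own code: Bottlerocket keeps two partition sets (A and B), and at boot the loader picks one from three GPT partition attributes (priority, tries left, successful) that the update tooling writes. The model below reproduces that selection rule so you can see why a new image that never comes up healthy is skipped on the next reboot, and why a manual rollback is refused when the other set holds no known-good image. The struct layout, function names and the exact priority values are this example's own assumptions.

```rust
// Added example, not Bottlerocket's own code: a model of A/B image selection
// from three partition attributes (priority, tries_left, successful). The
// struct layout, function names and numbers used here are assumptions.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct BootSet {
    pub name: &'static str,
    pub priority: u8,     // higher wins; 0 means "never boot this set"
    pub tries_left: u8,   // trial boots allowed before the set is considered bad
    pub successful: bool, // set once the OS has come up healthy on this image
}

impl BootSet {
    /// A set can be booted if it is known-good or still has trial boots left.
    pub fn bootable(&self) -> bool {
        self.priority > 0 && (self.successful || self.tries_left > 0)
    }
}

#[derive(Debug)]
pub struct Disk {
    pub sets: [BootSet; 2],
}

impl Disk {
    /// Boot-loader rule: among bootable sets, take the highest priority.
    pub fn choose(&self) -> Option<usize> {
        (0..2)
            .filter(|&i| self.sets[i].bootable())
            .max_by_key(|&i| self.sets[i].priority)
    }

    /// One boot attempt. A set not yet proven good spends one try, so an image
    /// that never reaches "successful" is skipped on the following reboot:
    /// that is the automatic rollback.
    pub fn boot(&mut self) -> Option<usize> {
        let i = self.choose()?;
        let s = &mut self.sets[i];
        if !s.successful && s.tries_left > 0 {
            s.tries_left -= 1;
        }
        Some(i)
    }

    /// Staging an update through the API: the freshly written inactive set
    /// becomes preferred, gets a single trial boot and is not yet successful.
    pub fn stage_update(&mut self, active: usize) {
        let inactive = 1 - active;
        self.sets[active].priority = 1;
        self.sets[inactive].priority = 2;
        self.sets[inactive].tries_left = 1;
        self.sets[inactive].successful = false;
    }

    /// Called once the system has come up healthy on set `i`.
    pub fn mark_successful(&mut self, i: usize) {
        self.sets[i].successful = true;
    }

    /// Manual rollback requested through the API: prefer the other set again,
    /// but only if it still holds a bootable, known-good image.
    pub fn rollback(&mut self, active: usize) -> Result<usize, &'static str> {
        let inactive = 1 - active;
        if !self.sets[inactive].bootable() {
            return Err("inactive set holds no bootable image");
        }
        self.sets[inactive].priority = 2;
        self.sets[active].priority = 1;
        Ok(inactive)
    }
}

fn record(d: &mut Disk, log: &mut Vec<&'static str>) {
    let i = d.boot().expect("nothing bootable");
    log.push(d.sets[i].name);
}

/// A failed update (automatic rollback) followed by a good one and a manual
/// rollback. Returns the names of the sets actually booted, in order.
pub fn walkthrough() -> Vec<&'static str> {
    let mut disk = Disk {
        sets: [
            BootSet { name: "A", priority: 2, tries_left: 0, successful: true },
            BootSet { name: "B", priority: 0, tries_left: 0, successful: false },
        ],
    };
    let mut booted = Vec::new();
    record(&mut disk, &mut booted); // running on A
    disk.stage_update(0);           // new image written to B
    record(&mut disk, &mut booted); // trial boot of B ...
    record(&mut disk, &mut booted); // ... B never marked successful: back on A
    disk.stage_update(0);           // try again with a fixed image
    record(&mut disk, &mut booted); // trial boot of B
    disk.mark_successful(1);        // B came up healthy
    record(&mut disk, &mut booted); // stays on B
    disk.rollback(1).unwrap();      // operator asks for the previous image
    record(&mut disk, &mut booted); // back on A
    booted
}

fn main() {
    println!("boot sequence: {:?}", walkthrough());
}
```

The point a practitioner should take from the model: a new image only survives past its single trial boot if something on the host marks it successful after coming up, so a kernel that panics or a root filesystem that fails verification costs exactly one reboot before the previous image is back.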
The /etc directory is mounted as a filesystem in RAM; persisting changes to /etc is not supported. To keep settings, use the API or move the functionality into separate containers.
API update scheme
Security
Containers are created with the standard Linux kernel mechanisms (cgroups, namespaces and seccomp), and SELinux is used as the mandatory access control system, i.e. for additional isolation.
By default, policies restricting resource sharing between containers and the kernel are enabled. Binaries are protected with flags that prevent users or programs from altering them. And if someone does get to the filesystem, Bottlerocket provides tools to inspect and track any changes made.
The "verified boot" mode is implemented with the device-mapper-verity (dm-verity) feature.
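What dm-verity actually checks, as an added example that is not code from Bottlerocket or the kernel: a hash tree is built once over the read-only root filesystem, the root hash is fixed at build time (Bottlerocket hands it to the kernel at boot), and every block read is rehashed along with its path to the root, so a single flipped bit in the image is rejected at read time. Real dm-verity hashes 4 KiB blocks with SHA-256 and a salt; this model uses 16-byte blocks and FNV-1a, a non-cryptographic hash chosen only so it runs without external crates, and the block and fan-out sizes are assumptions for the model.

```rust
// Added example, not code from Bottlerocket or dm-verity itself: a model of the
// per-block hash tree dm-verity keeps beside a read-only root filesystem.
// Block size, fan-out and the FNV-1a stand-in for SHA-256 are assumptions.

const BLOCK: usize = 16; // bytes per data block (dm-verity default: 4096)
const FANOUT: usize = 2; // children per tree node

/// FNV-1a 64-bit, standing in for SHA-256. Not collision resistant: an
/// attacker could forge it, which is why real dm-verity uses a cryptographic hash.
pub fn fnv1a(data: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in data {
        h ^= b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

fn hash_children(children: &[u64]) -> u64 {
    let mut buf = Vec::with_capacity(children.len() * 8);
    for h in children {
        buf.extend_from_slice(&h.to_le_bytes());
    }
    fnv1a(&buf)
}

pub struct VerityTree {
    /// levels[0] holds one hash per data block; the last level holds the root.
    levels: Vec<Vec<u64>>,
}

impl VerityTree {
    /// Built once, at image build time, over the trusted image.
    pub fn build(image: &[u8]) -> Self {
        let mut level: Vec<u64> = image.chunks(BLOCK).map(fnv1a).collect();
        let mut levels = vec![level.clone()];
        while level.len() > 1 {
            level = level.chunks(FANOUT).map(hash_children).collect();
            levels.push(level.clone());
        }
        VerityTree { levels }
    }

    pub fn root(&self) -> u64 {
        self.levels.last().and_then(|l| l.first()).copied().unwrap_or(0)
    }

    /// Check block `idx` of `image` against `trusted_root`, rehashing only the
    /// block itself and its path to the root; sibling hashes come from the
    /// stored tree, as dm-verity reads them from the hash device.
    pub fn verify_block(&self, image: &[u8], idx: usize, trusted_root: u64) -> bool {
        let block = match image.chunks(BLOCK).nth(idx) {
            Some(b) => b,
            None => return false,
        };
        let mut h = fnv1a(block);
        let mut i = idx;
        for level in &self.levels[..self.levels.len() - 1] {
            let start = i - i % FANOUT;
            let end = (start + FANOUT).min(level.len());
            let group: Vec<u64> = (start..end)
                .map(|j| if j == i { h } else { level[j] })
                .collect();
            h = hash_children(&group);
            i /= FANOUT;
        }
        h == trusted_root
    }
}

/// Constructed sample image: 5 blocks of counter bytes.
pub fn sample_image() -> Vec<u8> {
    (0..(5 * BLOCK)).map(|i| i as u8).collect()
}

fn main() {
    let image = sample_image();
    let tree = VerityTree::build(&image);
    let root = tree.root();
    let mut tampered = image.clone();
    tampered[2 * BLOCK + 5] ^= 0x01; // flip one bit inside block 2
    println!("block 2, clean image:    {}", tree.verify_block(&image, 2, root));
    println!("block 2, tampered image: {}", tree.verify_block(&tampered, 2, root));
    println!("block 0, tampered image: {}", tree.verify_block(&tampered, 0, root));
}
```

Two properties worth noticing: verification is per block, so untouched blocks of a tampered image still read fine while the modified one fails, and the only secret-free trust anchor is the root hash, which is why it must arrive through a path the attacker cannot rewrite (the signed boot configuration) rather than from the same disk.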
There is also BPF-based filtering in the system; the table below shows how BPF programs differ from ordinary user-space and kernel code.
| Attribute       | User             | Kernel       | BPF                |
|-----------------|------------------|--------------|--------------------|
| Execution model | task             | task         | event              |
| User-defined    | yes              | no           | yes                |
| Compilation     | any              | static       | JIT, CO-RE         |
| Security        | user rights      | none         | verified, JIT      |
| Failure mode    | abort            | kernel panic | error message      |
| Resource access | syscalls, faults | direct       | restricted helpers |

How BPF differs from regular user-level or kernel code
AWS says Bottlerocket "uses an operating model that further improves security by discouraging administrative connections to production servers" and "is well-suited for large distributed systems where control over any individual host is limited."
An admin container is provided for system administrators. But AWS does not expect an admin to need to work inside Bottlerocket often: "Logging in to an individual Bottlerocket instance is intended for rare operations: advanced debugging and troubleshooting."
The Rust language
The OS components above the kernel are mostly written in Rust. By its very nature, this language
The flags --enable-default-pie and --enable-default-ssp are used by default at build time, to turn on address-space randomization for executables (PIE/ASLR) and stack-smashing protection. For C/C++ packages, the additional flags -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS and -fstack-clash-protection are included.
Besides Rust and C/C++, some packages are written in Go.
Integration with AWS services
What sets Bottlerocket apart from similar container-oriented systems is that Amazon has optimized it to run on AWS and to integrate with other AWS services.
The most popular container orchestrator is Kubernetes, so AWS has provided integration with Elastic Kubernetes Service (EKS). The orchestrator's tools ship in a separate container
It will be interesting to see whether Bottlerocket takes off, given the failure of some similar systems in the past. For example, VMware's PhotonOS went unclaimed, and Red Hat bought CoreOS and
Bottlerocket's integration into AWS services makes this system unique in its own way. That is perhaps the main reason some users may prefer Bottlerocket over other distros such as CoreOS or Alpine. The system was originally designed to work with EKS and ECS, but, to repeat, that is not required. First, Bottlerocket can
Bottlerocket's source code is published on GitHub under the Apache 2.0 license. The developers already
source: www.habr.com