A minimal Linux distribution, Bottlerocket, has been released for running containers. The most important things about it


Amazon has announced the final release of Bottlerocket, a special-purpose distribution for running containers and managing them effectively.

Bottlerocket (incidentally, the name given to small homemade powder rockets) is not the first OS for containers, but it is likely to become widespread thanks to its default integration with AWS services. Although the system is focused on Amazon's cloud, the open source code allows it to be built anywhere: locally on a server, on a Raspberry Pi, in any competing cloud, even in an environment with no containers at all.

It is a fully qualified replacement for the CoreOS distribution that Red Hat has buried.

In fact, the Amazon Web Services division already has Amazon Linux, which recently came out in its second version: a general-purpose distribution that can be run in a Docker container or under the Linux KVM, Microsoft Hyper-V and VMware ESXi hypervisors. It is optimized to run on the AWS cloud, but with the release of Bottlerocket everyone is encouraged to upgrade to the new system, which is more secure, more modern and uses fewer resources.

AWS announced Bottlerocket in March 2020. It admitted right away that this is not the first "Linux for containers", citing CoreOS, Rancher OS and Project Atomic as sources of inspiration. The developers wrote that the operating system is "the result of lessons we learned from running production services at Amazon scale for a long time, and the experience we have gained over the past six years about how to run containers."

Extreme minimalism

Linux has been stripped of everything not needed to run containers. According to the company, this design reduces the attack surface.

This means fewer packages are installed on the base system, which simplifies maintaining and updating the OS, reduces the likelihood of dependency problems and lowers resource consumption. Essentially, everything here runs in separate containers, and the underlying system is almost empty.

Amazon has also removed all shells and interpreters, eliminating the risk of their being used, or of users escalating privileges by accident. For its own protection and for security, the base image contains no command shell, no SSH server and no interpreted languages such as Python. Administration tools are placed in a separate service container, which is disabled by default.

The system is managed in two ways: via the API and via the orchestrator.

Instead of a package manager that updates individual pieces of software, Bottlerocket downloads a complete filesystem image and reboots into it. If the boot fails, it rolls back automatically, and a workload failure can trigger a manual rollback (commanded via the API).

The TUF (The Update Framework) system downloads the base-image update to a separate, "unmounted" partition. Two disk partitions are allocated for the system; one contains the running operating system, and the update is copied to the second. The root partition is mounted read-only, while /etc is mounted with a tmpfs filesystem in RAM and returns to its original state after a reboot. Editing files directly in /etc is not supported: to persist settings you should use the API or move the functionality into separate containers.

[Figure: API update scheme]
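The two-partition update flow described above, as an added example that is not Bottlerocket's own code: a whole image is verified against a signed manifest (HMAC stands in for the asymmetric signatures TUF would use, so the example runs offline), written only to the inactive slot, and the host rolls back to the previous slot if the new image fails its boot check. The Manifest, Slot and Host names, the signing key and the image bytes are constructed for this illustration.

```python
"""Model of an A/B (two-partition) image update with automatic rollback.

Added example, not Bottlerocket's code. It mimics the scheme the article
describes: download a complete image, verify it, stage it in the inactive
partition, reboot into it, and roll back when the new image fails to boot.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed signing key. A real TUF deployment uses offline asymmetric
# keys; an HMAC secret is used here only so the example is self-contained.
PUBLISHER_KEY = b"constructed-publisher-key"


@dataclass
class Manifest:
    version: int
    sha256: str
    length: int
    signature: str  # HMAC over "version:sha256:length"


def sign_manifest(version, image):
    """Publisher side: bind version, digest and length under the key."""
    digest = hashlib.sha256(image).hexdigest()
    payload = f"{version}:{digest}:{len(image)}".encode()
    sig = hmac.new(PUBLISHER_KEY, payload, hashlib.sha256).hexdigest()
    return Manifest(version, digest, len(image), sig)


def verify_manifest(m, image):
    """Host side: check the signature, then the length, then the digest."""
    payload = f"{m.version}:{m.sha256}:{m.length}".encode()
    expected = hmac.new(PUBLISHER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, m.signature):
        return False
    if len(image) != m.length:  # truncated or padded download
        return False
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), m.sha256)


@dataclass
class Slot:
    image: bytes
    version: int


@dataclass
class Host:
    slots: list
    active: int = 0
    log: list = field(default_factory=list)

    @property
    def inactive(self):
        return 1 - self.active

    def install(self, manifest, image):
        """Stage a verified image in the inactive slot; the running one is never touched."""
        if manifest.version <= self.slots[self.active].version:
            self.log.append("rejected: not newer than the running image")
            return False
        if not verify_manifest(manifest, image):
            self.log.append("rejected: signature or digest mismatch")
            return False
        self.slots[self.inactive] = Slot(image, manifest.version)
        self.log.append(f"staged v{manifest.version} in slot {self.inactive}")
        return True

    def reboot(self, boots_ok):
        """Flip to the staged slot; fall back to the previous slot if it fails to boot."""
        previous = self.active
        self.active = self.inactive
        if not boots_ok(self.slots[self.active]):
            self.active = previous
            self.log.append(f"boot failed, rolled back to slot {previous}")
            return False
        self.log.append(f"running v{self.slots[self.active].version} from slot {self.active}")
        return True


def running_version(host):
    return host.slots[host.active].version


def demo():
    """Three scenarios: a good update, a tampered download, and a bad boot."""
    host = Host([Slot(b"image-v1", 1), Slot(b"", 0)])
    results = {}

    good = b"image-v2"
    results["good_update"] = host.install(sign_manifest(2, good), good) and host.reboot(lambda s: True)
    results["after_good"] = running_version(host)

    real = b"image-v3"
    tampered = b"image-v3-trojan"  # constructed: bytes differ from what the manifest signs
    results["tampered_rejected"] = not host.install(sign_manifest(3, real), tampered)

    results["bad_boot_staged"] = host.install(sign_manifest(3, real), real)
    results["bad_boot_rolled_back"] = not host.reboot(lambda s: s.version != 3)
    results["after_rollback"] = running_version(host)
    return results
```

Because the manifest is checked before anything is written and the running slot is never modified, a bad download costs nothing, and a staged image that cannot boot leaves the host on the version it was running before.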

Security

Containers are created by the standard Linux kernel mechanisms - cgroups, namespaces and seccomp - and SELinux in "enforcing" mode is used as the mandatory access control system, that is, for additional isolation.

By default, policies are enabled that separate resources between containers and the kernel. Binaries are protected with flags that prevent users or programs from modifying them. And if someone does get to the filesystem, Bottlerocket provides tools to check for and track any changes that were made.

"Verified boot" mode is implemented via the device-mapper-verity (dm-verity) feature, which checks the integrity of the root partition at boot. AWS describes dm-verity as "a Linux kernel feature that provides integrity checking to prevent malware from running on the OS, for example by overwriting core software."

There is also an eBPF filter in the system (extended BPF, developed by Alexei Starovoitov), which lets kernel modules be replaced by safer BPF programs for low-level system tasks.
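How the dm-verity check described above actually catches a modified root partition, as an added example that is not the kernel's code: a Merkle hash tree is built over fixed-size blocks, a single root hash is pinned, and every block is verified against that root when it is read. The 8-byte block size, the salt and the five-block "root partition" are constructed for this illustration; real dm-verity uses 4 KiB blocks and a tree produced by veritysetup.

```python
"""A dm-verity-style hash tree over a block image.

Added example, not the Linux dm-verity implementation. It demonstrates the
principle: the tree is trusted only through its root hash, so changing any
block on disk makes that block fail verification when it is read.
"""
import hashlib
import hmac

BLOCK_SIZE = 8                 # constructed; dm-verity typically uses 4096
SALT = b"constructed-salt"     # dm-verity mixes a salt into every hash


def _h(data):
    return hashlib.sha256(SALT + data).digest()


def split_blocks(image):
    return [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]


def build_tree(image):
    """Return the tree as a list of levels, leaves first, root level last."""
    level = [_h(b) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]  # duplicate the last node on odd levels
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(image):
    """The value a verified-boot chain would pin (e.g. on the kernel command line)."""
    return build_tree(image)[-1][0]


def auth_path(levels, index):
    """Sibling hashes from leaf `index` up to the root, as (sibling_is_right, hash)."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]  # same padding rule as build_tree
        sibling = index ^ 1
        path.append((sibling & 1, level[sibling]))
        index //= 2
    return path


def verify_block(block, index, path, expected_root):
    """Recompute the root from one block and its path; compare in constant time."""
    node = _h(block)
    for is_right, sibling in path:
        node = _h(node + sibling) if is_right else _h(sibling + node)
    return hmac.compare_digest(node, expected_root)


def demo():
    # Constructed "root partition": five 8-byte blocks (odd count exercises padding)
    image = b"kernel01" b"initrd02" b"libc.so3" b"apicli04" b"config05"
    levels = build_tree(image)
    root = levels[-1][0]
    clean = all(verify_block(b, i, auth_path(levels, i), root)
                for i, b in enumerate(split_blocks(image)))

    # Flip one bit in block 2 "on disk" while the pinned root stays the same
    tampered = bytearray(image)
    tampered[2 * BLOCK_SIZE] ^= 0x01
    blocks = split_blocks(bytes(tampered))
    per_block = [verify_block(b, i, auth_path(levels, i), root)
                 for i, b in enumerate(blocks)]
    return {"clean": clean, "per_block": per_block}
```

Only the modified block fails; the others still verify because their authentication paths are unchanged. That is exactly why dm-verity can check lazily on each read rather than hashing the whole partition up front, while the root hash itself must come from something the attacker cannot rewrite, such as a signed kernel command line.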

                   Execution model   User-defined   Compilation   Security        Failure mode    Resource access
User space         task              yes            any           user rights     abort           syscalls, faults
Kernel             task              no             static        none            kernel panic    direct
BPF                event             yes            JIT, CO-RE    verified, JIT   error message   restricted helpers

How BPF differs from ordinary user-space or kernel-level code

AWS says Bottlerocket "uses an operating model that further improves security by prohibiting connections to production servers with administrative privileges" and "is suited to large distributed systems where control over each individual host is limited."

An admin container is provided for system administrators. But AWS does not expect an administrator to need to work inside Bottlerocket very often: "Logging into an individual Bottlerocket instance is intended for rare operations: advanced debugging and troubleshooting," the developers write.

The Rust language

The OS tools above the kernel are mostly written in Rust. By its nature, this language reduces the likelihood of unsafe memory access and eliminates race conditions between threads.

The flags --enable-default-pie and --enable-default-ssp are used by default at build time, to enable address-space randomization of executables (position-independent executables, PIE) and stack-overflow protection.

For C/C++ packages, the additional flags -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS and -fstack-clash-protection are included.

Besides Rust and C/C++, some packages are written in Go.
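A way to confirm that the PIE setting described above actually took effect in a produced binary, as an added example that is not Bottlerocket's tooling: a minimal ELF64 program-header walk in the spirit of checksec. It also reports whether the PT_GNU_STACK header marks the stack non-executable, a property of the toolchain defaults rather than of the flags the article lists. The make_elf() helper fabricates header-only ELF images so the example runs offline; inspect_elf() can be pointed at the bytes of a real binary instead.

```python
"""Inspect a little-endian ELF64 image for PIE and a non-executable stack.

Added example, not Bottlerocket code. ET_DYN plus a PT_INTERP entry is a PIE
executable; ET_DYN without PT_INTERP is a shared library; ET_EXEC is a
fixed-address executable that ASLR cannot relocate.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_STACK = 3, 0x6474E551
PF_X = 0x1


def parse_phdrs(data):
    """Yield (p_type, p_flags) for every program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        yield struct.unpack_from("<II", data, off)  # p_type, p_flags


def inspect_elf(data):
    e_type, = struct.unpack_from("<H", data, 16)
    phdrs = list(parse_phdrs(data))
    has_interp = any(t == PT_INTERP for t, _ in phdrs)
    stack = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        "pie": e_type == ET_DYN and has_interp,
        # No PT_GNU_STACK at all is treated as unprotected, since some loaders
        # then fall back to an executable stack.
        "nx_stack": bool(stack) and not (stack[0] & PF_X),
    }


def make_elf(e_type, interp=True, stack_flags=0x6):
    """Fabricate a header-only ELF64 image (constructed test input, no code)."""
    phdrs = []
    if interp:
        phdrs.append((PT_INTERP, 0x4))
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    # e_type, e_machine(x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


def demo():
    return {
        "pie_nx": inspect_elf(make_elf(ET_DYN)),
        "no_pie": inspect_elf(make_elf(ET_EXEC)),
        "shared_lib": inspect_elf(make_elf(ET_DYN, interp=False)),
        "exec_stack": inspect_elf(make_elf(ET_DYN, stack_flags=0x7)),
        "no_stack_hdr": inspect_elf(make_elf(ET_DYN, stack_flags=None)),
    }
```

Run inspect_elf(open(path, "rb").read()) on a package binary after a build: a result of pie False means the --enable-default-pie default did not reach that package and its code stays at a fixed address under ASLR.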

Integration with AWS services

The difference from similar container-oriented systems is that Amazon has optimized Bottlerocket to run on AWS and to integrate with other AWS services.

The most popular container orchestrator is Kubernetes, so AWS has introduced integration with Elastic Kubernetes Service (EKS). The orchestration tools ship in a separate container, bottlerocket-control-container, which is enabled by default and is managed via the API and the AWS SSM Agent.

It will be interesting to see whether Bottlerocket takes off, given the failure of some similar projects in the past. For example, PhotonOS from VMware turned out to be unwanted, and Red Hat bought CoreOS and shut the project down, though it was considered a pioneer in the field.

Bottlerocket's integration into AWS services makes this system unique in its own way. This is perhaps the main reason some users might prefer Bottlerocket over other distros such as CoreOS or Alpine. The system was originally designed to work with EKS and ECS, but, we repeat, this is not mandatory. First, Bottlerocket can be built yourself and used, for example, as a ready-made solution. Second, EKS and ECS users will still be able to choose their OS.

Bottlerocket's source code is published on GitHub under the Apache 2.0 license. The developers are already responding to bug reports and feature requests.

Advertisement

VDSina offers VDS with daily billing. Any operating system can be installed, including from your own image. Every server is connected to a 500 Mbit/s Internet channel and is protected from DDoS attacks free of charge!


source: www.habr.com
