Amazon publishes Bottlerocket 1.0.0, a Linux distribution built around isolated containers

Amazon has presented the first major release of Bottlerocket 1.0.0, a specialized Linux distribution designed to run isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. The project is developed on GitHub and is open to participation by community members. A system deployment image is provided for the x86_64 and Aarch64 architectures. The OS is adapted to run in Amazon ECS and AWS EKS Kubernetes clusters. Tooling is provided for producing your own builds and editions, which may use other orchestration tools, kernels and container runtimes.

The distribution provides a Linux kernel and a minimal system environment that includes only the components needed to run containers. Among the packages used in the project are the systemd system manager, the Glibc library, the Buildroot build tooling, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The distribution is updated atomically and is delivered as an indivisible system image. Two disk partitions are allocated for the system: one holds the active system, and the update is copied to the second. After the update is installed, the second partition becomes active, while the first keeps the previous version of the system until the next update arrives, so it can be rolled back to if problems arise. Updates are installed automatically without administrator involvement.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against potential threats, making it harder to exploit vulnerabilities in OS components, and increasing container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode, and the dm-verity module is used for cryptographic verification of the integrity of the root partition. If an attempt to modify data at the block-device level is detected, the system reboots.

The root partition is mounted read-only, and the /etc settings partition is mounted in tmpfs and restored to its original state after a restart. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings you must use the API or move the functionality into separate containers.

Most system components are written in Rust, which provides memory-safety features that avoid vulnerabilities caused by use-after-free, null-pointer dereferences and buffer overflows. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" flags to enable address-space randomization of executables (PIE) and stack-overflow protection via canary insertion. For packages written in C/C++, the additional flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are enabled.
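These flags only matter if they survive into the shipped binaries, so a practitioner will want to verify the build output. The following is an added example, not Bottlerocket's own tooling: a small Python checker that reads an ELF file and reports whether it shows PIE, stack canaries and FORTIFY_SOURCE, using the same symbol-name heuristics checksec applies to readelf output (-fstack-clash-protection and _GLIBCXX_ASSERTIONS leave no symbol trace, so they are not covered). The fake_elf helper builds constructed, non-loadable sample bytes so the checker can be exercised offline.

```python
import re
import struct
import sys

ET_EXEC, ET_DYN = 2, 3      # e_type: fixed-address executable vs PIE / shared object
ELF_HEADER_LEN = 0x40       # size of the ELF64 header


def elf_hardening(data: bytes) -> dict:
    """Report PIE, stack-canary and FORTIFY_SOURCE status for raw ELF bytes.

    Symbol checks are a byte-string scan of the file: a binary that never calls
    a fortifiable function, or whose dynamic symbols were stripped, shows False
    even if built with the flag, so read False as "not verified", not "off".
    """
    if len(data) < ELF_HEADER_LEN or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    (e_type,) = struct.unpack_from(endian + "H", data, 0x10)
    return {
        # --enable-default-pie links executables as ET_DYN so the loader can
        # place them at a random base (shared libraries are ET_DYN too, so
        # apply this check to executables only).
        "pie": e_type == ET_DYN,
        # --enable-default-ssp emits a canary check that calls __stack_chk_fail
        # on mismatch, so that name must be present in the symbol strings.
        "stack_protector": b"__stack_chk_fail" in data,
        # -D_FORTIFY_SOURCE=2 rewrites risky libc calls into bounds-checked
        # *_chk variants (__memcpy_chk, __printf_chk, ...).
        "fortify": re.search(rb"__[a-z0-9_]+_chk\x00", data) is not None,
    }


def missing_protections(data: bytes) -> list:
    """Names of the checked protections the binary does not show."""
    return [name for name, present in elf_hardening(data).items() if not present]


def fake_elf(e_type: int, symbols: tuple) -> bytes:
    """Constructed, non-loadable sample: a 64-bit little-endian ELF header with
    the given e_type, followed by a NUL-separated symbol string table."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # class, data, version, ABI
    header = ident + struct.pack("<H", e_type)
    header += b"\x00" * (ELF_HEADER_LEN - len(header))
    return header + b"\x00" + b"\x00".join(symbols) + b"\x00"


if __name__ == "__main__":
    # Usage: python3 elf_hardening.py /path/to/binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            gaps = missing_protections(f.read())
        print(f"{path}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```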

The container orchestration tools are shipped in a separate control container, which is enabled by default and managed via the API and the AWS SSM Agent. The base image has no command shell, SSH server or interpreted languages (for example, no Python or Perl); administration and debugging tools are placed in a separate service container, which is disabled by default.

source: budenet.ru
