Bottlerocket 1.8 is available, a distribution based on isolated containers

Bottlerocket 1.8.0, a Linux distribution developed with the participation of Amazon for the efficient and secure launch of isolated containers, has been released. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can run on Amazon ECS, VMware and AWS EKS Kubernetes clusters, and custom builds and editions can be created that allow different orchestration tools and container runtimes to be used.

The distribution provides an atomically and automatically updated, indivisible system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers. The environment includes a system manager, the Glibc library, build tools, the GRUB boot loader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS agent.

Container orchestration tools ship in a separate control container that is enabled by default and managed through an API and the AWS SSM Agent. The base image has no command shell, SSH server or interpreted languages (there is no Python or Perl, for example); administration and debugging tools are placed in a separate admin container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against possible threats, making vulnerabilities in OS components harder to exploit, and strengthening container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution runs SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Directly editing files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings, you must use the API or move the functionality into separate containers. The dm-verity module is used to verify the integrity of the root partition, and if an attempt to modify data at the block-device level is detected, the system reboots.
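The dm-verity check described above, as an added toy model that is not Bottlerocket's or dm-verity's own code: a SHA-256 hash tree over 4 KiB blocks whose root hash is the only trusted value, plus a block verifier that rejects any block modified on the block device. It assumes unsalted SHA-256 and one hash per tree node; real dm-verity uses a salt, packs many hashes per hash block and keeps the tree on a separate hash device.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed data-block size; 4 KiB is the common verity default


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(image: bytes) -> list:
    """Split an image into fixed-size data blocks, zero-padding the last one."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if blocks:
        blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def build_tree(blocks: list) -> list:
    """Hash tree as a list of levels, level 0 = leaf hashes, last = [root].
    An odd-sized level gets its last hash duplicated so every node has a sibling."""
    if not blocks:
        raise ValueError("image has no blocks")
    level = [_h(b) for b in blocks]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level.append(level[-1])
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def root_hash(levels: list) -> bytes:
    """The only value that must be trusted (Bottlerocket passes it on the
    kernel command line); everything else is recomputed on every read."""
    return levels[-1][0]


def proof(levels: list, index: int) -> list:
    """Sibling hashes, leaf to root, needed to verify data block `index`."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))  # (hash, sibling is left?)
        index //= 2
    return path


def verify_block(data: bytes, index: int, path: list, root: bytes) -> bool:
    """Recompute the root from one block and its proof. False means the block
    was modified at the block-device level, the case where dm-verity fails the read."""
    node = _h(data.ljust(BLOCK_SIZE, b"\0"))
    for sibling, sibling_is_left in path:
        node = _h(sibling + node) if sibling_is_left else _h(node + sibling)
    return node == root
```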

Most system components are written in Rust, which provides memory-safety features that avoid vulnerabilities caused by use-after-free memory access, null pointer dereferences and buffer overruns. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" compilation modes to enable address space randomization for executables (PIE) and stack protection via canaries. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are also enabled.

In the new release:

  • Components in the admin and control containers have been updated.
  • The container isolation runtime has been updated to the containerd 1.6.x branch.
  • Background processes responsible for container orchestration are now restarted after changes to the certificate store.
  • Kernel boot parameters can now be configured through the Boot Configuration settings section.
  • Empty sections are now ignored when the integrity of the root partition is checked with dm-verity.
  • Host names can now be bound in /etc/hosts.
  • Network settings can now be generated with the netdog utility (a generate-net-config command has been added).
  • New distribution variants with support for Kubernetes 1.23 have been introduced. Pod startup time in Kubernetes has been reduced by disabling the ConfigMapAndSecretChangeDetectionStrategy setting. New kubelet settings have been added: provider-id and podPidsLimit.
  • A new distribution variant, "aws-ecs-1-nvidia", for Amazon Elastic Container Service (Amazon ECS), shipped with NVIDIA drivers, has been introduced.
  • Support for Microchip Smart Storage and MegaRAID SAS storage devices has been added. Support for Ethernet cards based on Broadcom chips has been expanded.
  • Package and dependency versions for the Go and Rust languages have been updated, as have the versions of packages with third-party software. The Bottlerocket SDK has been updated to version 0.26.0.

source: budenet.ru