Bottlerocket 1.1 released, a distribution built around isolated containers

Bottlerocket 1.1.0, a Linux distribution developed with Amazon's participation for running isolated containers efficiently and securely, has been released. The distribution's tooling and control components are written in Rust and are distributed under the MIT and Apache 2.0 licenses. Running Bottlerocket in Amazon ECS and AWS EKS Kubernetes clusters is supported, as is building custom variants and editions that use other orchestration tools and container runtimes.

The distribution ships as an indivisible system image that is updated atomically and automatically; it contains the Linux kernel and a minimal system environment with only the components needed to run containers. That environment includes the systemd service manager, the Glibc library, the build tooling, the GRUB boot loader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS agent.

The container orchestration tools ship in a separate control container that is enabled by default and managed through the API and the AWS SSM Agent. The base image contains no command shell, no SSH server and no interpreted languages (there is no Python or Perl, for example); administration and debugging tools are moved into a separate service (admin) container, which is disabled by default and has to be enabled explicitly through the API before anyone can log in to the host.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against potential threats, making vulnerabilities in OS components harder to exploit, and strengthening container isolation. Containers are created with the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation the distribution runs SELinux in enforcing mode.

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Editing files directly in /etc, such as /etc/resolv.conf or /etc/containerd/config.toml, is not supported; to persist settings, use the API or move the functionality into a separate container. The integrity of the root partition is verified with dm-verity, and if an attempt to modify data is detected at the block-device level, the system reboots. Note that dm-verity checks blocks as they are read, not as they are written, so a tampered block is caught (and the reboot triggered) the first time something reads it, and only because the root hash it is checked against comes from the trusted boot configuration rather than from the disk.
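To make the dm-verity behaviour concrete, here is an added example (not code from the page or from the Bottlerocket project) that builds a verity-style hash tree over a constructed "root partition" image and verifies every block against a trusted root hash on read. The block size, digest algorithm and salt are assumptions chosen to mirror a typical dm-verity layout; the real kernel target keeps the tree on a block device with a superblock and is told the root hash out of band, which is exactly why an attacker who rewrites a data block, its leaf digest, or even the whole tree is still caught:

```python
import hashlib

# Parameters mirroring a typical dm-verity layout: 4 KiB data and hash blocks and SHA-256
# digests, so one hash block holds 128 child digests. These values are assumptions.
BLOCK_SIZE = 4096
HASH_ALG = "sha256"
DIGEST_SIZE = hashlib.new(HASH_ALG).digest_size
ARITY = BLOCK_SIZE // DIGEST_SIZE


class VerityError(Exception):
    """Raised when a block (or any hash block above it) does not match the tree."""


def _digest(block: bytes, salt: bytes) -> bytes:
    # dm-verity hashes salt || block; the salt is part of the trusted parameters.
    return hashlib.new(HASH_ALG, salt + block).digest()


def _hash_block(digests: list) -> bytes:
    # A hash block is the concatenation of up to ARITY child digests, zero-padded to BLOCK_SIZE.
    return b"".join(digests).ljust(BLOCK_SIZE, b"\0")


def build_tree(image: bytes, salt: bytes):
    """Build the hash tree for `image`. Returns (root_hash, levels); levels[0] holds the
    per-data-block digests and levels[-1] the single top digest (the root hash)."""
    if len(image) % BLOCK_SIZE:
        raise ValueError("image must be a whole number of blocks")
    levels = [[_digest(image[i:i + BLOCK_SIZE], salt) for i in range(0, len(image), BLOCK_SIZE)]]
    # Keep hashing hash blocks upward until a single digest remains. There is always at
    # least one hash level above the data blocks, as in dm-verity.
    while len(levels[-1]) > 1 or len(levels) == 1:
        prev = levels[-1]
        levels.append([_digest(_hash_block(prev[i:i + ARITY]), salt)
                       for i in range(0, len(prev), ARITY)])
    return levels[-1][0], levels


def read_block(image: bytes, index: int, root_hash: bytes, levels: list, salt: bytes) -> bytes:
    """Return data block `index`, verifying it all the way up to the trusted root hash first."""
    data = image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    if _digest(data, salt) != levels[0][index]:
        raise VerityError(f"data block {index} does not match its stored digest")
    # Each hash block on the path to the root must itself match the digest stored one level
    # up; otherwise rewriting a data block together with its leaf digest would go unnoticed.
    pos = index
    for lvl in range(len(levels) - 1):
        start = (pos // ARITY) * ARITY
        block = _hash_block(levels[lvl][start:start + ARITY])
        pos //= ARITY
        if _digest(block, salt) != levels[lvl + 1][pos]:
            raise VerityError(f"hash block at level {lvl} does not match its parent")
    # The top of the tree must equal the root hash supplied from the trusted boot configuration.
    if levels[-1][0] != root_hash:
        raise VerityError("root hash mismatch: the hash tree has been replaced")
    return data


def block_is_valid(image: bytes, index: int, root_hash: bytes, levels: list, salt: bytes) -> bool:
    """True if the block verifies, False where dm-verity would report corruption."""
    try:
        read_block(image, index, root_hash, levels, salt)
        return True
    except VerityError:
        return False


if __name__ == "__main__":
    salt = bytes.fromhex("deadbeef")          # constructed salt
    image = bytes(range(256)) * 80            # constructed 5-block "root partition"
    root, tree = build_tree(image, salt)
    print("root hash:", root.hex())
    tampered = bytearray(image)
    tampered[3 * BLOCK_SIZE + 10] ^= 0x80     # flip one bit in block 3 on "disk"
    print("block 2 still valid:", block_is_valid(bytes(tampered), 2, root, tree, salt))
    print("block 3 valid after tamper:", block_is_valid(bytes(tampered), 3, root, tree, salt))
```

Untouched blocks keep verifying after the tamper, which matches the lazy, per-read nature of dm-verity: the system only reboots once the corrupted block is actually read.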

Most system components are written in Rust, whose memory-safety guarantees rule out vulnerabilities caused by use-after-free, null-pointer dereferences and buffer overruns. The compiler is built with the "--enable-default-pie" and "--enable-default-ssp" configure options, so by default every binary gets address-space randomization of the executable (PIE) and stack-overflow protection via stack canaries unless a package explicitly opts out. For C/C++ packages the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are also enabled.
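The cheapest way to confirm that a shipped binary actually received the PIE hardening described above is to look at its ELF headers, which is what the following added example does (it is not code from the page or from Bottlerocket). It reads the ELF64 header and program headers with the standard library only and reports PIE, and, going slightly beyond the page's list, a non-executable stack and RELRO, since those live in the same headers; the stack protector and FORTIFY_SOURCE settings are not visible there and would need symbol-table inspection. The sample ELF images it builds are constructed test inputs, not loadable programs:

```python
import struct
import sys

# ELF constants needed to read the hardening-relevant header fields (no external library).
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, little-endian


def check_hardening(elf: bytes) -> dict:
    """Report PIE, non-executable stack and RELRO for a little-endian ELF64 image."""
    if len(elf) < EHDR.size or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    (ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(elf, 0)
    if ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    nx_stack = False   # no PT_GNU_STACK header at all is treated conservatively as not NX
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(elf, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        # A PIE is linked as a shared object (ET_DYN) so the kernel can map it at a random base.
        "pie": e_type == ET_DYN,
        "nx_stack": nx_stack,
        "relro": relro,
    }


def build_sample_elf(e_type: int, stack_flags: int, with_relro: bool) -> bytes:
    """Construct a minimal ELF64 header plus program headers (test input, not a runnable binary)."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7)   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 64, 0, 0)   # 62 = EM_X86_64
    body = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/binary (defaults to the running interpreter)
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    with open(target, "rb") as f:
        try:
            print(target, check_hardening(f.read()))
        except ValueError as err:
            print(target, "skipped:", err)
```

Run against a binary from a Bottlerocket image, "pie": True is what the --enable-default-pie build should produce; a False result on a C/C++ package is worth a look at that package's build flags.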

In the new release:

  • Two new variants, aws-k8s-1.20 and vmware-k8s-1.20, with Kubernetes 1.20 support have been introduced. These variants, as well as the updated aws-ecs-1 variant, use the new Linux 5.10 kernel. Kernel Lockdown is enabled in "integrity" mode by default (features that would allow modifying the running kernel from user space are blocked). Support for the aws-k8s-1.15 variant, based on Kubernetes 1.15, has been discontinued.
  • Amazon ECS now supports the awsvpc network mode, which assigns a separate network interface and internal IP address to each task.
  • Settings were added to control various Kubernetes parameters, including QPS, pool limits, and the ability to connect to cloud providers other than AWS.
  • Bootstrap containers restrict access to user data using SELinux.
  • The resize2fs utility was added.

source: budenet.ru
