Bottlerocket 1.2 released, a distribution based on isolated containers

The Bottlerocket 1.2.0 Linux distribution has been released. It is developed with the participation of Amazon for the efficient and secure launching of isolated containers. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Running Bottlerocket in Amazon ECS, VMware and AWS EKS Kubernetes clusters is supported, as is building custom builds and editions that allow different orchestration tools and container runtimes to be used.

The distribution provides an atomically and automatically updated, immutable system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers. The environment includes a system manager, the Glibc library, build tooling, the GRUB boot loader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS Agent.

The container orchestration tools ship in a separate control container that is enabled by default and managed through an API and the AWS SSM Agent. The base image has no command shell, SSH server or interpreted languages (for example, there is no Python or Perl); administration and debugging tools are placed in a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against possible threats, making vulnerabilities in OS components harder to exploit, and strengthening container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings you must use the API or move the functionality into separate containers. The dm-verity module is used to verify the integrity of the root partition, and if an attempt to modify data at the block-device level is detected, the system reboots.
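To make the dm-verity behaviour described above concrete, here is an added example (not Bottlerocket or dm-verity code) that models its hash tree: each 4 KiB data block is hashed with a salt, the hashes are packed into 4 KiB hash blocks, and that repeats up to a single root hash. A read is verified by walking from the block's hash up to the trusted root, so any modified block fails verification. The image content and the salt are constructed here; a real deployment keeps the root hash outside the partition (for instance on the kernel command line) so it cannot be altered along with the data.

```python
"""Toy model of dm-verity's hash tree. Example code added here, not
dm-verity or Bottlerocket code; the image and salt are constructed."""
import hashlib

BLOCK = 4096
DIGEST = hashlib.sha256().digest_size      # 32 bytes
PER_BLOCK = BLOCK // DIGEST                # 128 child hashes fit in one hash block
SALT = bytes.fromhex("0011223344556677")   # constructed salt, not a real one


def hash_block(data, salt):
    return hashlib.sha256(salt + data).digest()


def _chunk(hashes, start):
    """Pack up to PER_BLOCK child hashes into one zero-padded hash block."""
    return b"".join(hashes[start:start + PER_BLOCK]).ljust(BLOCK, b"\0")


def build_tree(image, salt):
    """Return levels[0] (leaf hashes) ... levels[-1] (the single root hash)."""
    n = (len(image) + BLOCK - 1) // BLOCK
    leaves = [hash_block(image[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0"), salt)
              for i in range(n)]
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([hash_block(_chunk(cur, s), salt)
                       for s in range(0, len(cur), PER_BLOCK)])
    return levels


def verify_block(image, index, levels, root, salt):
    """Verify one data block against the stored tree, up to the trusted root hash."""
    data = image[index * BLOCK:(index + 1) * BLOCK].ljust(BLOCK, b"\0")
    expected = hash_block(data, salt)
    idx = index
    for level in levels[:-1]:
        if level[idx] != expected:       # data (or a child hash block) was modified
            return False
        start = (idx // PER_BLOCK) * PER_BLOCK
        expected = hash_block(_chunk(level, start), salt)
        idx //= PER_BLOCK
    return expected == root


def find_corrupt_blocks(image, levels, root, salt):
    """Indices of every data block that fails verification (a full scan)."""
    n = (len(image) + BLOCK - 1) // BLOCK
    return [i for i in range(n) if not verify_block(image, i, levels, root, salt)]


def make_sample_image(n_blocks):
    """Deterministic constructed 'root filesystem' content, n_blocks * 4 KiB."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(n_blocks * PER_BLOCK))


if __name__ == "__main__":
    image = make_sample_image(300)
    tree = build_tree(image, SALT)
    root_hash = tree[-1][0]
    tampered = bytearray(image)
    tampered[200 * BLOCK + 17] ^= 0x01       # flip one bit in block 200
    print("clean image:", find_corrupt_blocks(image, tree, root_hash, SALT))
    print("tampered image:", find_corrupt_blocks(bytes(tampered), tree, root_hash, SALT))
```

The model verifies lazily per block, as dm-verity does on read; the full scan in `find_corrupt_blocks` is only there to show which blocks would trigger the reboot the article mentions.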

Most system components are written in Rust, which provides memory-safety features that avoid vulnerabilities caused by use-after-free access, null pointer dereferences and buffer overruns. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" compilation options to enable address-space randomization of executables (PIE) and protection against stack overwrites through canary substitution. For packages written in C/C++, the "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" flags are also enabled.
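A practitioner auditing an image built this way usually wants to confirm that the binaries actually carry the hardening the flags request. The following added example (my code, not Bottlerocket's build tooling) reads an ELF64 file and reports three indicators: PIE (object type ET_DYN), stack protector (an imported `__stack_chk_fail`) and FORTIFY_SOURCE (libc calls replaced by `__*_chk` variants). It parses only the file header, section headers and `.dynstr`; the sample ELF it builds for demonstration is constructed here and contains nothing but those tables, and the PIE test is simplified (ET_DYN is also used by shared libraries).

```python
"""Audit an ELF64 binary for PIE, stack protector and FORTIFY_SOURCE.
Example code added here, not Bottlerocket's; the sample ELF is constructed."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header, 64 bytes


def _cstrings(table):
    """Split a NUL-terminated string table into a set of names."""
    return {s for s in table.split(b"\0") if s}


def _section_name(shstrtab, offset):
    end = shstrtab.find(b"\0", offset)
    return shstrtab[offset:end if end != -1 else None]


def audit_elf(blob):
    """Return {'pie', 'stack_protector', 'fortify'} booleans for one ELF64 image."""
    if len(blob) < EHDR.size or blob[:4] != b"\x7fELF" or blob[4] != 2:
        raise ValueError("not an ELF64 image")
    (_ident, e_type, _machine, _ver, _entry, _phoff, e_shoff, _flags, _ehsize,
     _phentsize, _phnum, e_shentsize, e_shnum, e_shstrndx) = EHDR.unpack_from(blob, 0)
    shdrs = [SHDR.unpack_from(blob, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab_hdr = shdrs[e_shstrndx]
    shstrtab = blob[strtab_hdr[4]:strtab_hdr[4] + strtab_hdr[5]]   # [4]=offset, [5]=size
    dynsyms = set()
    for sh in shdrs:
        if _section_name(shstrtab, sh[0]) == b".dynstr":
            dynsyms |= _cstrings(blob[sh[4]:sh[4] + sh[5]])
    return {
        # Simplified: ET_DYN also covers shared libraries; a full check would
        # additionally look for PT_INTERP or the DT_FLAGS_1 PIE flag.
        "pie": e_type == ET_DYN,
        "stack_protector": b"__stack_chk_fail" in dynsyms,
        "fortify": any(s.startswith(b"__") and s.endswith(b"_chk")
                       and s != b"__stack_chk_fail" for s in dynsyms),
    }


def make_elf(e_type, dyn_names):
    """Build a minimal constructed ELF64 holding only .shstrtab and .dynstr sections."""
    shstrtab = b"\0.shstrtab\0.dynstr\0"
    dynstr = b"\0" + b"\0".join(dyn_names) + b"\0"
    shstr_off = EHDR.size
    dynstr_off = shstr_off + len(shstrtab)
    shoff = dynstr_off + len(dynstr)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # 64-bit, little-endian, v1
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, 0, shoff, 0,
                     EHDR.size, 0, 0, SHDR.size, 3, 1)
    null = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shstr = SHDR.pack(1, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)   # SHT_STRTAB
    dyn = SHDR.pack(11, 3, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    return ehdr + shstrtab + dynstr + null + shstr + dyn


def audit_file(path):
    with open(path, "rb") as f:
        return audit_elf(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_file(sys.argv[1]))          # audit a real binary
    else:                                       # otherwise the constructed sample
        print(audit_elf(make_elf(ET_DYN, [b"__stack_chk_fail", b"__memcpy_chk", b"puts"])))
```

Run it with a path argument to audit a real binary; without one it audits the constructed sample, which reports all three indicators as present.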

In the new release:

  • Added support for container image registry mirrors.
  • Added the ability to use signed certificates.
  • Added an option to set the hostname.
  • Updated the version of the default admin container.
  • Added the topologyManagerPolicy and topologyManagerScope settings for kubelet.
  • Added support for kernel compression using the zstd algorithm.
  • Added the ability to load virtual machines into VMware in OVA (Open Virtualization Format) format.
  • Updated the aws-k8s-1.21 edition with support for Kubernetes 1.21. Support for aws-k8s-1.16 has been discontinued.
  • Updated packages and dependencies for the Rust language.

source: budenet.ru
