Bottlerocket 1.3 released, a distribution based on isolated containers

Bottlerocket 1.3.0, a Linux distribution developed with the participation of Amazon for running isolated containers efficiently and securely, has been released. The distribution's tooling and control components are written in Rust and are distributed under the MIT and Apache 2.0 licences. Bottlerocket can run on Amazon ECS, VMware and AWS EKS Kubernetes clusters, and custom builds and editions can be created that allow different orchestration tools and container runtimes to be used.

The distribution provides an atomically and automatically updated, indivisible system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers. The environment includes the system manager, the Glibc library, the build tooling, the GRUB boot loader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS agent.

Container orchestration tools ship in a separate control container that is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, SSH server or interpreted languages (for example, no Python or Perl); administration and debugging tools are placed in a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on providing maximum security: hardening the system against possible threats, making vulnerabilities in OS components harder to exploit, and increasing container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in enforcing mode.

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings you must use the API or move the functionality into separate containers. The dm-verity module is used to verify the integrity of the root partition, and if an attempt to modify data at the block-device level is detected, the system reboots.
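As an added illustration, not taken from the article or the project's own documentation, here is a constructed Bottlerocket user-data fragment that persists settings through the settings API rather than by editing /etc; the cluster values are placeholders, and the keys are ones that exist in the settings model as far as I know.

```toml
# Constructed example: Bottlerocket user data (TOML) passed at instance launch.
# Every key here is applied through the settings API, which is why it survives
# a reboot, unlike a hand-edited /etc/resolv.conf on the tmpfs-backed /etc.

# The admin container (shell, SSH, debugging tools) is off by default;
# keep it off on production nodes and enable it only while debugging.
[settings.host-containers.admin]
enabled = false

# The control container is on by default; it is what the API/AWS SSM path manages.
[settings.host-containers.control]
enabled = true

# Cluster values are placeholders, not real endpoints or certificates.
[settings.kubernetes]
cluster-name = "example-cluster"
api-server = "https://EXAMPLE.gr7.us-west-2.eks.amazonaws.com"
cluster-certificate = "BASE64-CA-CERT-PLACEHOLDER"
```

On a running host the same keys can be changed from the control container with, for example, `apiclient set settings.host-containers.admin.enabled=true`, which stores the value through the same API instead of touching /etc.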

Most system components are written in Rust, which provides memory-safety features that avoid vulnerabilities caused by use-after-free memory access, null pointer dereferences and buffer overruns. Default builds use the "--enable-default-pie" and "--enable-default-ssp" compiler modes to enable address-space randomisation for executables (PIE) and stack-overflow protection through canary values. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are also enabled.

In the new release:

  • Fixed vulnerabilities in docker and the container runtime tooling (CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, CVE-2021-41103) related to incorrect setting of access permissions, which allowed unprivileged users to perform directory traversal and run external programs.
  • Added IPv6 support to kubelet and pluto.
  • A container can now be restarted after its settings are changed.
  • Added support for Amazon EC2 M6i instances to the eni-max-pods package.
  • open-vm-tools gained support for device filters related to the Cilium tooling.
  • For the x86_64 platform, a hybrid boot mode (with EFI and BIOS support) has been implemented.
  • Updated packages and dependencies for the Rust language.
  • Support for the aws-k8s-1.17 distribution variant based on Kubernetes 1.17 has been discontinued. Using the aws-k8s-1.21 variant with Kubernetes 1.21 support is recommended. The k8s variants use the runtime.slice cgroup and a system.slice isolation configuration.

source: opennet.ru
