Amazon releases Bottlerocket 1.0.0, a Linux distribution for isolated containers

Amazon has presented the first major release of the Linux distribution Bottlerocket 1.0.0, designed to run isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. The project is developed on GitHub and open to community participation. System images are built for the x86_64 and Aarch64 architectures. The OS is adapted to run in Amazon ECS and AWS EKS Kubernetes clusters. Tools are provided for building your own assemblies and variants, which can use other orchestration tools, kernels and container runtimes.

The distribution provides a Linux kernel and a minimal environment containing only the components needed to run containers. Among the packages used in the project are the systemd system manager, the Glibc library, the Buildroot build tooling, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS agent.

The distribution is updated atomically and shipped as an indivisible image. Two disk partitions are allocated for the system: one holds the active system, and the update is copied to the second. Once the update is installed, the second partition becomes active, and the first keeps the previous version of the system until the next update arrives, so that it can be rolled back to if problems occur. Updates are installed without administrator intervention.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary emphasis on maximum security: hardening the system against possible threats, making vulnerabilities in OS components harder to exploit, and increasing container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation the distribution applies SELinux in "enforcing" mode, and the dm-verity module is used for cryptographic verification of the root partition's integrity. If an attempt to modify data at the block-device level is detected, the system reboots.
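As an added illustration (not code from Bottlerocket or the article), the following Python models the hash-tree integrity check that dm-verity performs: a trusted root hash covers every block of the root partition, each block read is rehashed up to the root, and any block-level modification shows up as a mismatch. The block size, fan-out and sample image are constructed for the demo and are not dm-verity's on-disk format.

```python
import hashlib

BLOCK_SIZE = 64   # constructed for the demo; dm-verity itself typically uses 4096-byte blocks
FANOUT = 2        # children per tree node; a real tree packs as many hashes as fit in a block

def block_hashes(image: bytes) -> list[bytes]:
    """Leaf level: one SHA-256 per fixed-size block of the zero-padded image."""
    padded = image + b"\0" * (-len(image) % BLOCK_SIZE)
    return [hashlib.sha256(padded[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(padded), BLOCK_SIZE)]

def build_tree(leaves: list[bytes]) -> list[list[bytes]]:
    """Build levels bottom-up; each parent is the hash of its children concatenated.
    levels[0] are the leaves, levels[-1] holds the single root hash."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([hashlib.sha256(b"".join(cur[i:i + FANOUT])).digest()
                       for i in range(0, len(cur), FANOUT)])
    return levels

def root_hash(image: bytes) -> bytes:
    """The value that must be trusted out of band (in Bottlerocket, via the boot chain)."""
    return build_tree(block_hashes(image))[-1][0]

def verify_block(block: bytes, index: int, levels: list[list[bytes]], trusted_root: bytes) -> bool:
    """Check one block the way a verity target does on read: rehash it, recompute the
    path up to the root using the stored sibling hashes, and compare with the trusted root."""
    h = hashlib.sha256(block).digest()
    for level in levels[:-1]:              # climb from the leaf level to just below the root
        start = index - index % FANOUT
        group = list(level[start:start + FANOUT])
        group[index - start] = h           # substitute the freshly computed hash for ours
        h = hashlib.sha256(b"".join(group)).digest()
        index //= FANOUT
    return h == trusted_root

def demo() -> tuple[bool, bool]:
    """Constructed 512-byte 'root partition': the intact block verifies, a one-bit flip does not."""
    image = bytes(range(256)) * 2
    levels = build_tree(block_hashes(image))
    root = levels[-1][0]
    intact = verify_block(image[64:128], 1, levels, root)
    tampered = bytes([image[64] ^ 0x01]) + image[65:128]
    return intact, verify_block(tampered, 1, levels, root)
```

In the real system the mismatch surfaces as an I/O error on the read, which is what triggers the reboot described above.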

The root partition is mounted read-only, and the /etc configuration partition is mounted on tmpfs and restored to its original state after a restart. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported: to persist settings, use the API or move the functionality into separate containers.

Most system components are written in Rust, which provides memory-safety facilities that avoid vulnerabilities caused by use-after-free, null pointer dereferences and buffer overruns. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" compilation modes to enable address-space randomization of executables (PIE) and stack-overflow protection via canary insertion. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.

An orchestration agent, enabled by default and controlled through the API and AWS SSM Agent, is used to manage containers in the cluster. The base image contains no command shell, SSH server or interpreted languages (for example, no Python or Perl); administration and debugging tools are moved into a separate service container, which is disabled by default.

Source: opennet.ru
