Amazon has published the first significant release of a specialized Linux distribution designed to run isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and are licensed under the MIT and Apache 2.0 licenses. The project is developed on GitHub and is open to community contributions. Release images of the system are built for the x86_64 and Aarch64 architectures. The OS is adapted for running on Amazon ECS and AWS EKS Kubernetes clusters. Tools are also provided for creating custom builds and editions that can use other container orchestration tools, kernels and runtimes.
The distribution provides a Linux kernel and a minimal system environment that includes only the components needed to run containers. Packages used by the project include the systemd service manager, the Glibc library, the Buildroot build tools, the GRUB bootloader, a network configurator, a runtime for isolated containers, the Kubernetes container orchestration platform, the aws-iam-authenticator authenticator and the Amazon ECS agent.
The distribution is updated atomically and shipped as a single indivisible system image. Two disk partitions are allocated for the system: one holds the running system, the other is used to receive the update. Once the update has been written, the second partition becomes the active one, while the first keeps the previous version of the system until the next update arrives, allowing users to roll back to it if problems occur. Updates are installed automatically, without administrator intervention.
The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against threats, making it harder to exploit vulnerabilities in OS components, and strengthening container isolation. Containers are created using standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode, and a module is used for cryptographic verification of the integrity of the root partition. If an attempt to modify data at the block-device level is detected, the system reboots.
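A minimal model of the block-level integrity check described above, added here as an example and not the distribution's own code: a hash tree is built once over a trusted root-partition image, only the root hash has to be trusted, and any later bit flip in a block is caught when that block is verified. The block size, the odd-node padding rule and the sample image are constructed for the example; the real kernel target uses a salted, fixed-arity tree stored on disk.

```python
import hashlib
BLOCK_SIZE = 16  # constructed: tiny blocks keep the sample image readable

def block_hash(data) -> bytes:
    return hashlib.sha256(data).digest()

def pad_even(level):
    # Simplified model: an odd node count duplicates the last node (a real target uses fixed arity and a salt).
    return level + [level[-1]] if len(level) % 2 else level

def build_tree(image):
    """levels[0] holds one hash per BLOCK_SIZE block, levels[-1] holds the single root hash."""
    level = [block_hash(image[i:i + BLOCK_SIZE]) for i in range(0, len(image), BLOCK_SIZE)]
    levels = [level]
    while len(level) > 1:
        level = pad_even(level)
        level = [block_hash(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def auth_path(levels, index):
    """Sibling hashes (with a right-child flag) needed to recompute the root from leaf `index`."""
    path = []
    for level in levels[:-1]:
        level = pad_even(level)
        path.append((level[index ^ 1], index & 1))
        index //= 2
    return path

def verify_block(data, path, root):
    """Recompute the root from this one block; False means the block or the stored tree changed."""
    h = block_hash(data)
    for sibling, is_right in path:
        h = block_hash(sibling + h) if is_right else block_hash(h + sibling)
    return h == root

def verify_image(image, levels, root):
    """Indices of blocks that fail against the trusted root (the system above reboots instead)."""
    return [i for i in range(len(levels[0]))
            if not verify_block(image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE], auth_path(levels, i), root)]

def demo(nblocks=5):
    # Constructed stand-in for a root partition: nblocks zero-padded blocks.
    image = bytearray(b"".join((b"block%02d" % i).ljust(BLOCK_SIZE, b"\0") for i in range(nblocks)))
    levels = build_tree(image)   # computed once from the trusted image, stored beside it
    root = levels[-1][0]         # the one value that must be trusted out of band
    clean = verify_image(image, levels, root)
    image[2 * BLOCK_SIZE] ^= 0x01  # flip a single bit inside block 2
    return clean, verify_image(image, levels, root)
```

Because each block is checked against a tree computed from the trusted image, a modified block is identified individually while untouched blocks keep verifying, which is what lets a read-time check refuse exactly the tampered data.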
The root partition is mounted read-only, and the /etc configuration partition is mounted on tmpfs and reverts to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported. To persist settings, use the API or move these functions into separate containers.
Most system components are written in Rust, which provides memory-safety features that protect against vulnerabilities caused by use-after-free, null pointer dereferences and buffer overflows. The default build uses the compiler modes "--enable-default-pie" and "--enable-default-ssp" to enable address space randomization for executables and stack overflow protection via canary substitution.
For packages written in C/C++, the additional flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are enabled.
The container orchestration tools are placed in a separate container that is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, SSH server or interpreters (for example, no Python or Perl); the administration and debugging tools live in a separate container that is disabled by default.
Source: opennet.ru
