Bottlerocket 1.8, a distribution built on isolated containers, released

The release of Bottlerocket 1.8.0, a Linux distribution developed with Amazon's involvement for running isolated containers efficiently and securely, has been published. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can run on Amazon ECS, VMware and AWS EKS Kubernetes clusters, and custom builds and variants can be produced that allow different container orchestration and runtime tools to be used.

The distribution provides an atomically and automatically updated, indivisible system image that contains the Linux kernel and a minimal system environment with only the components needed to run containers. The environment includes the systemd service manager, the Glibc library, the Buildroot build tooling, the GRUB boot loader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The container orchestration tools ship in a separate control container, which is enabled by default and managed through the API and the AWS SSM Agent. The base image contains no command shell, no SSH server and no interpreted languages (for example, no Python or Perl): administration and debugging tools are moved into a separate admin container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against potential threats, making vulnerabilities in OS components harder to exploit, and strengthening container isolation. Containers are created with the standard Linux kernel mechanisms, cgroups, namespaces and seccomp. For additional isolation, the distribution runs SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc configuration partition is mounted on tmpfs and returns to its original state after a reboot. Directly editing files under /etc, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported: to persist a setting you must use the API, or move the functionality into a separate container. The dm-verity module is used to cryptographically verify the integrity of the root partition, and if an attempt to modify data at the block-device level is detected, the system reboots.

Most system components are written in Rust, whose memory-safety guarantees rule out the vulnerabilities caused by use-after-free, null pointer dereferences and out-of-bounds buffer access. By default the build uses the "--enable-default-pie" and "--enable-default-ssp" options to enable address space randomization for executables (PIE) and to protect against stack buffer overflows by inserting stack canaries. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.
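A check a practitioner will want after reading that flag list is whether the binaries in an image actually carry the protections the options are meant to produce. The following is an added example written for this page, not Bottlerocket tooling: it parses the ELF64 header and program headers itself (no readelf or pyelftools needed) and looks for the glibc symbol names that the canary and FORTIFY options pull in. The build_sample_elf helper is a constructed stand-in for a compiled binary, just enough to exercise the checks; pass a real path to check_file to inspect an actual executable. The canary and FORTIFY checks are heuristics (symbol names present in the file), and ET_DYN also matches shared libraries, so read the result accordingly.

```python
"""Minimal checksec for ELF64 files: PIE, non-executable stack, RELRO,
stack canary and FORTIFY_SOURCE. Illustrative code for this article, not
Bottlerocket tooling."""
import re
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")    # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")            # Elf64_Phdr


def check_hardening(data: bytes) -> dict:
    """Report which protections an ELF64 image carries."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 file")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(data, 0)
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    types = [p[0] for p in phdrs]
    stack_flags = next((p[1] for p in phdrs if p[0] == PT_GNU_STACK), None)
    return {
        # --enable-default-pie links executables as ET_DYN so the loader can
        # place them anywhere (shared objects are ET_DYN as well)
        "pie": e_type == ET_DYN,
        # a missing PT_GNU_STACK makes the loader fall back to an executable stack
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        # PT_GNU_RELRO: GOT and similar tables are made read-only after relocation
        "relro": PT_GNU_RELRO in types,
        # -fstack-protector / --enable-default-ssp report a smashed canary via this symbol
        "canary": b"__stack_chk_fail\x00" in data,
        # -D_FORTIFY_SOURCE=2 turns checked libc calls into __*_chk variants
        "fortify": re.search(rb"__\w+_chk\x00", data) is not None,
    }


def check_file(path: str) -> dict:
    """Run the checks on an executable from disk."""
    with open(path, "rb") as f:
        return check_hardening(f.read())


def build_sample_elf(pie=True, nx=True, relro=True, canary=True, fortify=True) -> bytes:
    """Constructed stand-in for a compiled binary: a valid header and program
    headers plus a fake dynamic string table. Not loadable; it only exercises
    the checks above."""
    phdrs = [PHDR.pack(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X),
                       0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    strtab = b"\x00puts\x00" + (b"__stack_chk_fail\x00" if canary else b"") \
        + (b"__printf_chk\x00" if fortify else b"")
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + bytes(9)   # 64-bit, LE, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0x1000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs) + strtab


if __name__ == "__main__":
    result = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_hardening(build_sample_elf())
    for name, ok in result.items():
        print(f"{name:8s} {'yes' if ok else 'NO'}")
```

Run it against a binary extracted from the image (for example a host-container tool) to confirm PIE, a non-executable stack and RELRO; a missing `__stack_chk_fail` in a non-trivial C program is the quickest sign that the SSP default did not take effect for that package.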

In the new release:

  • The components for container orchestration and management have been updated.
  • The containerd runtime for isolated containers has been updated to the 1.6.x branch.
  • Background processes running in containers are now restarted after the certificate store is updated.
  • Kernel boot parameters can now be set through the kernel's Boot Configuration mechanism.
  • Empty blocks are now ignored when the integrity of the root partition is verified with dm-verity.
  • Host name entries can now be added to /etc/hosts.
  • Network configuration can now be generated with the netdog utility (a generate-net-config command has been added).
  • New distribution variants with Kubernetes 1.23 support are offered. Pod startup time in Kubernetes has been reduced by turning off the configMapAndSecretChangeDetectionStrategy mode. New kubelet settings have been added: provider-id and podPidsLimit.
  • A new distribution variant, "aws-ecs-1-nvidia", for Amazon Elastic Container Service (Amazon ECS), shipped with NVIDIA drivers, is offered.
  • Support for Microchip Smart Storage and MegaRAID SAS storage devices has been added. Support for Ethernet cards based on Broadcom chips has been expanded.
  • Package versions and dependencies for Go and Rust have been updated, as have the versions of packages providing third-party services. The Bottlerocket SDK has been updated to version 0.26.0.
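The root partition integrity check described earlier on this page, together with the new ignore-empty-blocks behaviour in the list above, as an added example (illustrative code written for this article, not Bottlerocket's or the kernel's; real trees are built by veritysetup and checked by the kernel on every read): a Python model of the dm-verity hash tree in its version-1 layout (sha256, salt prepended, hash entries packed into 4096-byte hash blocks). The image, salt and tampering are constructed inline. It shows why a modified data block or a modified hash block cannot be read, and why, with ignore_zero_blocks, stray data in a block the tree records as all-zero is served as zeros instead of triggering the failure that makes Bottlerocket reboot.

```python
"""Model of the dm-verity hash tree (version 1: H(salt || block), sha256).
Illustrative code for this article, not Bottlerocket's or the kernel's."""
import hashlib

BLOCK_SIZE = 4096
HASH_SIZE = 32                               # sha256 digest length
HASHES_PER_BLOCK = BLOCK_SIZE // HASH_SIZE   # 128 entries per hash block
ZERO_BLOCK = bytes(BLOCK_SIZE)


def _h(salt: bytes, data: bytes) -> bytes:
    """Version-1 node hash: the salt is prepended to the hashed block."""
    return hashlib.sha256(salt + data).digest()


def build_tree(image: bytes, salt: bytes):
    """Return (root_hash, levels): levels[0] holds the data-block hashes,
    levels[-1] is the single top hash block; every level is zero-padded to
    whole hash blocks, the layout veritysetup writes to the hash device."""
    if len(image) % BLOCK_SIZE:
        raise ValueError("image must be a whole number of blocks")
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    entries = b"".join(_h(salt, b) for b in blocks)
    levels = []
    while True:
        entries += bytes((-len(entries)) % BLOCK_SIZE)
        levels.append(entries)
        if len(entries) == BLOCK_SIZE:
            break
        hash_blocks = [entries[i:i + BLOCK_SIZE] for i in range(0, len(entries), BLOCK_SIZE)]
        entries = b"".join(_h(salt, hb) for hb in hash_blocks)
    return _h(salt, levels[-1]), levels


def trusted_leaf_hash(index: int, root: bytes, levels, salt: bytes):
    """Check every hash block on the path for data block `index` against its
    parent entry (the top block against the root hash). Returns the leaf hash
    the tree claims for the block, or None if the tree itself was altered."""
    leaf = levels[0][index * HASH_SIZE:(index + 1) * HASH_SIZE]
    idx = index
    for k, level in enumerate(levels):
        hb = idx // HASHES_PER_BLOCK
        digest = _h(salt, level[hb * BLOCK_SIZE:(hb + 1) * BLOCK_SIZE])
        if k + 1 < len(levels):
            expected = levels[k + 1][hb * HASH_SIZE:(hb + 1) * HASH_SIZE]
        else:
            expected = root                  # the root hash is the trust anchor
        if digest != expected:
            return None
        idx = hb
    return leaf


def verify_block(block: bytes, index: int, root: bytes, levels, salt: bytes,
                 ignore_zero_blocks: bool = False) -> bool:
    """True if dm-verity would hand this block to the reader. With
    ignore_zero_blocks, a block the tree records as all-zero is returned as
    zeros without being read, so stray data in unused space is not an error."""
    leaf = trusted_leaf_hash(index, root, levels, salt)
    if leaf is None:
        return False
    if ignore_zero_blocks and leaf == _h(salt, ZERO_BLOCK):
        return True
    return _h(salt, block) == leaf


def failing_blocks(image: bytes, root: bytes, levels, salt: bytes,
                   ignore_zero_blocks: bool = False):
    """Indices of blocks that would fail verification; on Bottlerocket the
    first such read reboots the host instead of returning the data."""
    n = len(image) // BLOCK_SIZE
    return [i for i in range(n)
            if not verify_block(image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE],
                                i, root, levels, salt, ignore_zero_blocks)]


def make_image(data_blocks: int = 200, empty_blocks: int = 100) -> bytes:
    """Constructed sample root partition: patterned non-zero data blocks,
    then an unused all-zero tail."""
    return b"".join(bytes([1 + i % 250]) * BLOCK_SIZE for i in range(data_blocks)) \
        + bytes(BLOCK_SIZE * empty_blocks)


def corrupt(data: bytes, block_index: int, offset: int = 100) -> bytes:
    """Copy of data with one byte of the given block flipped (block-level tampering)."""
    pos = block_index * BLOCK_SIZE + offset
    return data[:pos] + bytes([data[pos] ^ 0xFF]) + data[pos + 1:]


if __name__ == "__main__":
    salt = bytes(range(32))                  # constructed; veritysetup draws a random salt
    image = make_image()
    root, levels = build_tree(image, salt)
    print("root hash:", root.hex())
    print("clean image fails:", failing_blocks(image, root, levels, salt))
    print("byte flipped in block 5:", failing_blocks(corrupt(image, 5), root, levels, salt))
    tail = corrupt(image, 250)               # garbage in the unused, all-zero tail
    print("garbage in zero block 250:", failing_blocks(tail, root, levels, salt))
    print("same with ignore_zero_blocks:", failing_blocks(tail, root, levels, salt, True))
    bad_tree = [corrupt(levels[0], 0)] + levels[1:]
    print("hash block 0 altered, first failing blocks:",
          failing_blocks(image, root, bad_tree, salt)[:3], "...")
```

The trust comes from the root hash alone: it is passed to the kernel on the command line rather than stored on the verified device, so an attacker who can rewrite the partition still cannot produce a hash tree that the root hash accepts. The altered-hash-block case shows the other half of the design, namely that the tree is verified top-down on every path, so tampering with the hash device is caught as surely as tampering with the data.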

Source: opennet.ru
