Release of Bottlerocket 1.1, a distribution based on isolated containers

The release of the Linux distribution Bottlerocket 1.1.0 is available, developed with participation from Amazon for running isolated containers efficiently and securely. The distribution's tooling and management components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Running Bottlerocket in Amazon ECS and AWS EKS Kubernetes clusters is supported, as is producing custom builds and editions that allow different orchestration and runtime tools to be used for containers.

The distribution provides an atomically and automatically updated, indivisible system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tooling, the GRUB boot loader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The container orchestration tools ship in a separate management container, which is enabled by default and is controlled through the API and the AWS SSM Agent. The base image has no command shell, no SSH server and no interpreted languages (for example, there is no Python or Perl); the administration and debugging tools are moved into a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on providing maximum security: hardening the system against possible threats, making it harder to exploit vulnerabilities in OS components, and strengthening container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc configuration partition is mounted on tmpfs and returns to its original state after a reboot. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings you must use the API or move the functionality into separate containers. The dm-verity module is used to cryptographically verify the integrity of the root partition, and if an attempt to modify data at the block-device level is detected, the system reboots.

Most system components are written in Rust, which provides memory-safety features that avoid vulnerabilities caused by use-after-free, null-pointer dereferences and buffer overruns. The default build applies the "--enable-default-pie" and "--enable-default-ssp" flags to enable address-space randomization of executables (PIE) and protection against stack overflows through canary insertion. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.
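A way to verify that a C/C++ build actually carries the properties these flags are meant to produce, added here as an example (not code from the Bottlerocket project or opennet.ru): it reads the ELF64 header to detect PIE and scans the image bytes for the stack-protector and FORTIFY symbol names; the ELF headers it runs on are constructed in the block, not taken from a real binary.

```python
import re
import struct

# Added example: a cheap hardening check for an ELF64 image. It parses only the
# ELF header and looks for libc symbol names in the raw bytes, which is a
# heuristic rather than a full dynamic-symbol-table parse.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
ET_DYN = 3  # a PIE executable is emitted with the shared-object type

# FORTIFY_SOURCE rewrites calls into *_chk wrappers such as __memcpy_chk.
FORTIFY_SYMBOL = re.compile(rb"__[a-z0-9_]+_chk\x00")


def check_hardening(image: bytes) -> dict:
    """Map each hardening marker to True/False for the given ELF64 image.

    pie             -> e_type == ET_DYN            (--enable-default-pie)
    stack_protector -> references __stack_chk_fail (--enable-default-ssp)
    fortify         -> references a *_chk wrapper  (-D_FORTIFY_SOURCE=2)
    """
    if len(image) < 64 or image[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if image[4] != ELFCLASS64:
        raise ValueError("only ELF64 images are handled here")
    endian = "<" if image[5] == ELFDATA2LSB else ">"
    e_type = struct.unpack(endian + "H", image[16:18])[0]
    return {
        "pie": e_type == ET_DYN,
        "stack_protector": b"__stack_chk_fail\x00" in image,
        "fortify": FORTIFY_SYMBOL.search(image) is not None,
    }


def fake_elf64(e_type: int, strings: bytes) -> bytes:
    """Constructed test input: a little-endian x86-64 ELF64 header followed by
    the given string-table bytes. It is not a loadable binary."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 0, 0, 0,
                                 64, 0, 0, 0, 0, 0)
    return header + strings


if __name__ == "__main__":
    hardened = fake_elf64(ET_DYN, b"\x00__stack_chk_fail\x00__memcpy_chk\x00")
    plain = fake_elf64(ET_EXEC, b"\x00memcpy\x00")
    print(check_hardening(hardened))
    print(check_hardening(plain))
```

On a real binary, pass `open(path, "rb").read()` to `check_hardening`; the header field and symbol names it looks for are the same ones `readelf -h` and `readelf --dyn-syms` would show.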

In the new release:

  • Two new distribution variants, aws-k8s-1.20 and vmware-k8s-1.20, with support for Kubernetes 1.20 are offered. These variants, along with the updated aws-ecs-1 variant, use the new Linux 5.10 kernel branch. The kernel lockdown mode is set to "integrity" by default (the ability to modify the running kernel from user space is blocked). Support for the aws-k8s-1.15 variant based on Kubernetes 1.15 has been discontinued.
  • Amazon ECS supports the awsvpc network mode, which allows separate network interfaces and internal IP addresses to be allocated to each task.
  • Settings were added to control various Kubernetes parameters, including QPS, pool limits, and the ability to connect to cloud providers other than AWS.
  • The bootstrap container restricts access to user data using SELinux.
  • Added the resize2fs utility.

Source: opennet.ru
