Release of Bottlerocket 1.7, a distribution for running isolated containers

The release of Bottlerocket 1.7.0, a Linux distribution developed with Amazon's participation for running isolated containers efficiently and securely, has been announced. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can run on Amazon ECS, VMware and AWS EKS Kubernetes clusters, and custom builds and variants can be created that use different container orchestration and runtime tools.

The distribution ships as an indivisible system image that is updated atomically and automatically. The image contains the Linux kernel and a minimal environment with only the components needed to run containers: the systemd init manager, the Glibc library, the Buildroot build toolkit, the GRUB boot loader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

Container orchestration tools are delivered in a separate control container that is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, no SSH server and no interpreters (for example, no Python or Perl); administration and debugging tools are moved into a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against possible threats, making vulnerabilities in OS components harder to exploit, and strengthening container isolation. Containers are built on the standard Linux kernel mechanisms cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and reverts to its original state after a reboot. Directly modifying files under /etc, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported: to persist a setting you must go through the API or move the functionality into a separate container. The dm-verity module cryptographically verifies the integrity of the root partition, and if an attempt to modify data at the block-device level is detected, the system reboots.
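To make the dm-verity point concrete, here is a small model of the hash tree that sits behind a verity-protected root partition. This is an added example, not Bottlerocket or kernel code; the block size, salt and fan-out are constructed for illustration (real dm-verity uses 4 KiB blocks, a per-volume salt, and a root hash handed to the kernel from a trusted source). Only the root hash is trusted; every read of a data block is checked along the path from that block up to the root, so an attacker with block-device access cannot hide a change by also rewriting the stored hash blocks.

```python
"""Toy model of the dm-verity hash tree protecting a read-only root partition.

Added example, not Bottlerocket code. BLOCK_SIZE, SALT and the sample image are
constructed for illustration.
"""
import hashlib

BLOCK_SIZE = 64                                 # toy size; dm-verity uses 4096
DIGEST_SIZE = hashlib.sha256().digest_size      # 32 bytes
FANOUT = BLOCK_SIZE // DIGEST_SIZE              # digests per hash block (2 here)
SALT = b"constructed-example-salt"               # dm-verity salts every hash


def block_hash(block: bytes) -> bytes:
    """Salted SHA-256 of one block (data block or hash block)."""
    return hashlib.sha256(SALT + block).digest()


def hash_block_at(level: list, idx: int) -> bytes:
    """Reassemble the hash block that holds the digest for `idx` at this level."""
    start = (idx // FANOUT) * FANOUT
    return b"".join(level[start:start + FANOUT]).ljust(BLOCK_SIZE, b"\0")


def build_tree(image: bytes):
    """Build the hash tree bottom-up; returns (levels, root_hash).

    levels[0] holds one digest per data block, levels[-1] holds the root.
    """
    if len(image) % BLOCK_SIZE:
        raise ValueError("image must be a whole number of blocks")
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    levels = [[block_hash(b) for b in blocks]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([block_hash(hash_block_at(prev, i))
                       for i in range(0, len(prev), FANOUT)])
    return levels, levels[-1][0]


def verify_block(image: bytes, index: int, levels: list, root: bytes) -> bool:
    """Check one data block the way dm-verity does on every read.

    Only `root` is trusted; the image and the stored hash levels may have been
    modified by an attacker with block-device access. Returns False on any
    mismatch on the path from the block to the root (the article says
    Bottlerocket reacts to such a mismatch by rebooting).
    """
    block = image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    if levels[0][index] != block_hash(block):
        return False
    idx = index
    for lvl in range(len(levels) - 1):
        parent = idx // FANOUT
        if levels[lvl + 1][parent] != block_hash(hash_block_at(levels[lvl], idx)):
            return False
        idx = parent
    return levels[-1][0] == root


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, simulating a block-level modification."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed five-block image (320 bytes): block i is filled with byte value i.
IMAGE = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))

if __name__ == "__main__":
    levels, root = build_tree(IMAGE)
    print("root hash:", root.hex())
    print("clean block 1 verifies:", verify_block(IMAGE, 1, levels, root))
    bad = tamper(IMAGE, BLOCK_SIZE + 7)  # inside block 1
    print("tampered block 1 verifies:", verify_block(bad, 1, levels, root))
    print("untouched block 0 still verifies:", verify_block(bad, 0, levels, root))
```

Note that verification is per block and lazy, which is why an untouched block still reads fine after another block has been altered; the failure surfaces on the first read that touches the modified block. Rebuilding the whole tree over the modified image does not help the attacker either, because the recomputed root no longer matches the trusted one.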

Most system components are written in Rust, whose memory-safety guarantees rule out vulnerabilities caused by use-after-free accesses, null pointer dereferences and buffer overflows. By default the build uses the compiler options "--enable-default-pie" and "--enable-default-ssp" to enable address-space randomization for executables (PIE) and stack-overflow protection through canaries. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.
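A practitioner who rebuilds packages for a custom variant will want to confirm that the hardening flags above actually reached the binaries. The checker below is an added example, not Bottlerocket tooling: it inspects what an ELF64 file exposes directly (ET_DYN type for PIE, a non-executable PT_GNU_STACK segment, a PT_GNU_RELRO segment) and scans the file bytes for the symbol names that "-fstack-protector" (__stack_chk_fail) and "_FORTIFY_SOURCE" (the __*_chk family) cause a binary to import. The two sample images it carries are constructed, non-loadable ELF headers used only to exercise the checks; "-fstack-clash-protection" and "-D_GLIBCXX_ASSERTIONS" leave no ELF-visible marker and are therefore not covered.

```python
"""Check whether an ELF64 binary shows the hardening that PIE, SSP, RELRO and
_FORTIFY_SOURCE produce. Added example, not Bottlerocket tooling; the sample
images HARDENED and WEAK are constructed test data, not real binaries.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr


def check_hardening(data: bytes) -> dict:
    """Return boolean findings for one little-endian ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    stack_exec = None          # None: no PT_GNU_STACK at all; the kernel then allows an executable stack
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,               # PIE binaries are ET_DYN, not ET_EXEC
        "nx_stack": stack_exec is False,       # PT_GNU_STACK present and without PF_X
        "relro": relro,
        # heuristic: the canary failure handler is imported from libc when SSP is on
        "stack_protector": b"__stack_chk_fail" in data,
        # heuristic: _FORTIFY_SOURCE swaps e.g. memcpy for __memcpy_chk
        "fortify": b"_chk\0" in data,
    }


def make_sample(e_type: int, stack_flags: int, with_relro: bool, symbols: bytes) -> bytes:
    """Build a minimal, non-loadable ELF64 image for testing (constructed data)."""
    phdrs = [PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if with_relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs) + symbols


# Constructed samples: one with every marker, one built like an unhardened binary.
HARDENED = make_sample(ET_DYN, 0x6, True, b"__stack_chk_fail\0__memcpy_chk\0")
WEAK = make_sample(ET_EXEC, 0x7, False, b"memcpy\0")

if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/binary  (defaults to the HARDENED sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HARDENED
    for name, ok in check_hardening(data).items():
        print(f"{name:16s} {'ok' if ok else 'MISSING'}")
```

Run it against a binary extracted from a built image to get a quick yes/no per property; a full audit would additionally parse .dynsym rather than scan raw bytes, since the string heuristics can be fooled by a binary that merely embeds those names.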

In the new release:

  • When installing RPM packages, it is now possible to generate a list of installed programs in JSON format and mount it into the host container as the file /var/lib/bottlerocket/inventory/application.json, so that package information can be queried there.
  • The "admin" and "control" containers have been updated.
  • Package versions and dependencies for the Go and Rust languages have been updated.
  • Versions of packages carrying third-party software have been updated.
  • Fixed the tmpfilesd configuration for kmod-5.10-nvidia.
  • Version pinning is now applied when building tuftool.

Source: opennet.ru
