Release of Bottlerocket 1.2, a distribution based on isolated containers

The release of the Linux distribution Bottlerocket 1.2.0 is available. It is developed with the participation of Amazon for running isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Running Bottlerocket in Amazon ECS, VMware and AWS EKS Kubernetes clusters is supported, as is building custom builds and editions that allow different orchestration tools and container runtimes to be used.

The distribution provides an indivisible, automatically updated system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tooling, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS agent.

The container orchestration tools ship in a separate control container that is enabled by default and managed through the API and the AWS SSM Agent. The base image contains no command shell, SSH server or interpreted languages (for example, there is no Python or Perl); administration and debugging tools are placed in a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against potential threats, making exploitation of vulnerabilities in OS components harder, and increasing container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and restored to its original state on reboot. Directly changing files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings, use the API or move the functionality into separate containers. The dm-verity module is used to cryptographically verify the integrity of the root partition, and if an attempt to modify data at the block-device level is detected, the system reboots.
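The dm-verity check described above, as an added illustration that is not Bottlerocket's or the kernel's code: a simplified hash tree in Python with the shape dm-verity uses (salted SHA-256 over 4 KiB blocks, 128 digests per hash block, untrusted stored hash blocks checked upward against a trusted root). The image, salt and tampered byte are constructed; the on-disk superblock format and the kernel's read-path handling are omitted.

```python
import hashlib

BLOCK_SIZE = 4096                  # data and hash block size (dm-verity's usual default)
ARITY = BLOCK_SIZE // hashlib.sha256().digest_size  # 128 child digests per hash block

def hash_block(salt, data):
    # Each leaf and each hash block is digested as salt || block, zero-padded to a full block.
    return hashlib.sha256(salt + data.ljust(BLOCK_SIZE, b"\0")).digest()

def build_tree(image, salt):
    """Levels of the tree: level 0 has one digest per data block, the last level is the
    single root. The levels live on the (untrusted) hash device; only the root is trusted."""
    level = [hash_block(salt, image[i:i + BLOCK_SIZE]) for i in range(0, len(image), BLOCK_SIZE)]
    levels = [level]
    while len(level) > 1:
        level = [hash_block(salt, b"".join(level[i:i + ARITY])) for i in range(0, len(level), ARITY)]
        levels.append(level)
    return levels

def verify_block(image, index, levels, salt, trusted_root):
    """Check one data block as the kernel does on each read: hash it, compare with the stored
    leaf digest, then hash each stored hash block on the path upward, ending at the trusted root."""
    digest = hash_block(salt, image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE])
    pos = index
    for level in levels[:-1]:          # all stored levels below the root
        if level[pos] != digest:
            return False
        group = pos // ARITY
        digest = hash_block(salt, b"".join(level[group * ARITY:(group + 1) * ARITY]))
        pos = group
    return digest == trusted_root

# Constructed sample: a 300-block (1.2 MiB) "root partition" and a fixed salt.
SALT = b"constructed-example-salt"
IMAGE = b"".join(bytes([i % 256]) * BLOCK_SIZE for i in range(300))
LEVELS = build_tree(IMAGE, SALT)   # 300 leaves -> 3 hash blocks -> root: three levels
ROOT = LEVELS[-1][0]

# One flipped byte in block 200, as a modification at the block-device level would produce.
TAMPERED = bytearray(IMAGE)
TAMPERED[200 * BLOCK_SIZE + 17] ^= 0x01
TAMPERED = bytes(TAMPERED)

def demo():
    return {
        "intact block verifies": verify_block(IMAGE, 200, LEVELS, SALT, ROOT),
        "tampered block fails": not verify_block(TAMPERED, 200, LEVELS, SALT, ROOT),
        "untouched blocks still verify": verify_block(TAMPERED, 0, LEVELS, SALT, ROOT),
        "regenerated tree fails": not verify_block(TAMPERED, 200, build_tree(TAMPERED, SALT), SALT, ROOT),
    }
```

Calling demo() returns four outcomes that all come out True; the last case shows why the root hash has to come from the verified boot chain rather than from the hash device, since rewriting the stored tree to match tampered data changes the root.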

Most system components are written in Rust, which provides memory-safety features that avoid vulnerabilities arising from use-after-free access, null pointer dereferences and buffer overflows. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" compilation modes to enable address-space randomization of executables (PIE) and stack-overflow protection via canaries. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.

In the new release:

  • Added support for verifying container image signatures.
  • Implemented the ability to use self-signed certificates.
  • Added an option to configure the hostname.
  • Updated the default version of the admin container.
  • Added the topologyManagerPolicy and topologyManagerScope settings for kubelet.
  • Added support for kernel compression using the zstd algorithm.
  • Implemented the ability to load builds for VMware in the OVA (Open Virtualization Format) format.
  • Updated the aws-k8s-1.21 distribution variant with support for Kubernetes 1.21. Support for aws-k8s-1.16 has been discontinued.
  • Updated package versions and dependencies for the Rust language.

Source: opennet.ru