Release of Bottlerocket 1.3, a distribution based on isolated containers

The release of the Linux distribution Bottlerocket 1.3.0 has been published. It is developed with Amazon's participation for the efficient and secure operation of isolated containers. The distribution's build tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket runs on Amazon ECS, VMware and AWS EKS Kubernetes clusters, and also supports building custom builds and editions that allow other orchestration tools and runtimes to be used.

The distribution provides an indivisible, atomically updated system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, the aws-iam-authenticator authenticator, and the Amazon ECS agent.

The container orchestration tools ship in a separate management container, which is enabled by default and is managed through the API and the AWS SSM Agent. The base image contains no command shell, SSH server or interpreted languages (for example, there is no Python or Perl); administration and debugging tools are moved to a separate service container that is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on providing maximum security by hardening the system against possible threats, making the exploitation of vulnerabilities in OS components harder, and increasing container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to save settings permanently, you must use the API or move the functionality into separate containers. The dm-verity module is used for cryptographic verification of the integrity of the root partition, and if an attempt to modify data at the block device level is detected, the system reboots.

Most of the system components are written in Rust, whose memory-safety features avoid vulnerabilities caused by use-after-free memory access, null pointer dereferences and buffer overruns. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" compilation modes to enable address space randomization for executables (PIE) and protection against stack overflow through canary checks. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.
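As an added check (example code, not from the Bottlerocket project), the following script reads an ELF64 binary and reports whether the hardening listed above is actually present in the built artifact: PIE (an ET_DYN executable), a stack canary (a reference to `__stack_chk_fail`), FORTIFY_SOURCE `__*_chk` wrappers, and a non-executable stack from the PT_GNU_STACK program header. It assumes little-endian ELF64 input and uses only the standard library.

```python
# Added example, not Bottlerocket project code: inspect an ELF64 binary for the hardening
# named above (PIE, stack canary, FORTIFY_SOURCE, NX stack). Assumes little-endian ELF64.
import struct

SHT_SYMTAB, SHT_DYNSYM = 2, 11
PT_GNU_STACK, PF_X = 0x6474E551, 0x1

def _symbol_names(data, shdrs):
    """Collect symbol names from .symtab/.dynsym via their linked string tables."""
    names = set()
    for sh_type, sh_off, sh_size, sh_link, sh_entsize in shdrs:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_entsize == 0 or sh_link >= len(shdrs):
            continue
        _, str_off, str_size, _, _ = shdrs[sh_link]
        strtab = data[str_off:str_off + str_size]
        for off in range(sh_off, sh_off + sh_size, sh_entsize):
            st_name, = struct.unpack_from("<I", data, off)  # Elf64_Sym.st_name
            names.add(strtab[st_name:strtab.find(b"\0", st_name)].decode("ascii", "replace"))
    return names

def elf_hardening_bytes(data):
    """Return hardening findings for an ELF64 image, or None if it is not one."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 32)
    e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from("<HHHH", data, 54)
    nx_stack = None  # PT_GNU_STACK flags record whether the stack is mapped executable
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    shdrs = []
    for i in range(e_shnum):
        f = struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)  # Elf64_Shdr
        shdrs.append((f[1], f[4], f[5], f[6], f[9]))  # type, offset, size, link, entsize
    names = _symbol_names(data, shdrs)
    return {
        "pie": e_type == 3,  # ET_DYN for an executable means PIE (--enable-default-pie)
        "stack_canary": "__stack_chk_fail" in names,  # emitted by -fstack-protector* / ssp
        "fortify": any(n.startswith("__") and n.endswith("_chk") for n in names),
        "nx_stack": nx_stack,
    }

def elf_hardening(path):
    """Inspect a binary on disk, e.g. elf_hardening('/bin/ls')."""
    with open(path, "rb") as fh:
        return elf_hardening_bytes(fh.read())
```

A shared library is also ET_DYN, so the "pie" result is meaningful only for executables; a stripped binary still keeps .dynsym, which is enough for the canary and FORTIFY checks.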

In the new release:

  • Fixed vulnerabilities in docker and containerd (CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, CVE-2021-41103) related to incorrectly set access permissions, which allowed unprivileged users to bypass access restrictions on directories and run external programs.
  • Added IPv6 support to kubelet and pluto.
  • Added the ability to restart a container after its settings are changed.
  • Added support for Amazon EC2 M6i instances to the eni-max-pods package.
  • open-vm-tools gained support for device filtering based on the Cilium toolkit.
  • For the x86_64 platform, a hybrid boot mode is implemented (with support for both EFI and BIOS).
  • Updated package versions and Rust dependencies.
  • Support for the aws-k8s-1.17 distribution variant based on Kubernetes 1.17 has been discontinued. The aws-k8s-1.21 variant with support for Kubernetes 1.21 is recommended instead. The k8s variants use the runtime.slice and system.slice cgroup settings.

Source: opennet.ru
