The Bottlerocket 1.8.0 Linux distribution has been released. It is developed with the participation of Amazon for running isolated containers efficiently and securely. The distribution's toolkit and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can run on Amazon ECS, VMware and AWS EKS Kubernetes clusters, and custom builds and editions can be created that use different orchestration and runtime tools for containers.
The distribution provides an indivisible system image that is updated atomically and automatically; it includes the Linux kernel and a minimal system environment containing only the components needed to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS agent.
Container orchestration tools are shipped in a separate management container that is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, no SSH server and no interpreted languages (for example, no Python or Perl); administrative and debugging tools are moved to a separate service container, which is disabled by default.
The key difference from similar distributions such as Fedora CoreOS and CentOS / Red Hat Atomic Host is the primary focus on maximum security: hardening the system against potential threats, making vulnerabilities in OS components harder to exploit, and increasing container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution runs SELinux in "enforcing" mode.
The root partition is mounted read-only, and the partition with the /etc settings is mounted in tmpfs and restored to its original state after a reboot. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to store settings permanently you must use the API or move the functionality into a separate container. The dm-verity module is used for cryptographic verification of the root partition's integrity, and if an attempt to modify data at the block-device level is detected, the system reboots.
Most system components are written in Rust, which provides memory-safe tools that avoid vulnerabilities caused by use-after-free, null pointer dereferences and buffer overruns. When building, the "--enable-default-pie" and "--enable-default-ssp" compilation modes are used by default to enable address-space randomization of executables (PIE) and protection against stack overflows through canary values. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.
In the new release:
- The contents of the administrative and control containers have been updated.
- The runtime for isolated containers has been updated to the containerd 1.6.x branch.
- Background processes that coordinate container operation are now restarted after changes to the certificate store.
- Kernel boot parameters can now be set through the Boot Configuration section.
- Zero blocks are now ignored when checking root partition integrity with dm-verity.
- Host names can now be statically bound in /etc/hosts.
- The network configuration can now be generated with the netdog utility (a generate-net-config command has been added).
- New distribution variants with Kubernetes 1.23 support are offered. Pod startup time in Kubernetes has been reduced by disabling the configMapAndSecretChangeDetectionStrategy mode. New kubelet settings have been added: provider-id and podPidsLimit.
- A new distribution variant, "aws-ecs-1-nvidia", is offered for Amazon Elastic Container Service (Amazon ECS), shipped with NVIDIA drivers.
- Support for Microchip Smart Storage and MegaRAID SAS storage devices has been added. Support for Ethernet cards based on Broadcom chips has been extended.
- Package versions and dependencies for Go and Rust have been updated, as well as the versions of third-party packages. The Bottlerocket SDK has been updated to version 0.26.0.
Source: opennet.ru