Amazon releases Bottlerocket 1.0.0, a Linux distribution built around isolated containers

Amazon has presented the first significant release of Bottlerocket 1.0.0, a dedicated Linux distribution designed to run isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. The project is developed on GitHub and is open to community participation. The system deployment image is built for the x86_64 and Aarch64 architectures. The OS is adapted to run on Amazon ECS and AWS EKS Kubernetes clusters. Tools are provided for building your own images and editions, which can use other orchestration systems, agents and container runtimes.

The distribution provides the Linux kernel and a minimal environment that includes only the components needed to run containers. Among the packages involved in the project are the systemd manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS agent.

The distribution is updated atomically and is delivered as an indivisible system image. Two disk partitions are allocated to the system: one holds the active system, and updates are copied to the second. Once an update has been applied, the second partition becomes active, while the first keeps the previous state until the next update arrives, so it can be rolled back if problems arise. Updates are installed automatically without administrator intervention.

The main difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on delivering maximum security: hardening the system against possible threats, making it harder to exploit vulnerabilities in OS components, and strengthening container isolation. Containers are built using standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution runs SELinux in "enforcing" mode, and the dm-verity module is used to cryptographically verify the integrity of the root partition. If an attempt to modify data at the block device level is detected, the system reboots.
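The dm-verity check described above, as an added example in Python (not Bottlerocket's or the kernel's code): it builds the Merkle hash tree the way dm-verity format version 1 does (SHA-256 over salt || data, 4096-byte blocks, digests packed into zero-padded hash blocks up to a single root hash) and verifies one data block against it, so a single flipped byte in a "root partition" image is rejected. The salt and image contents are constructed sample data.

```python
import hashlib

BLOCK_SIZE = 4096
DIGEST_SIZE = hashlib.sha256().digest_size   # 32 bytes for SHA-256
PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE        # 128 digests fit in one hash block

def _digest(salt: bytes, data: bytes) -> bytes:
    # dm-verity format version 1 hashes salt || data for every node.
    return hashlib.sha256(salt + data).digest()

def build_hash_tree(image: bytes, salt: bytes):
    """Return (levels, root_hash): levels[0] has one digest per data block, each
    level above hashes zero-padded 4096-byte groups of the level below, and the
    root hash is the digest of the single top hash block."""
    assert len(image) % BLOCK_SIZE == 0, "image must be a whole number of blocks"
    level = [_digest(salt, image[i:i + BLOCK_SIZE])
             for i in range(0, len(image), BLOCK_SIZE)]
    levels = [level]
    while True:
        packed = [_digest(salt, b"".join(level[i:i + PER_BLOCK]).ljust(BLOCK_SIZE, b"\0"))
                  for i in range(0, len(level), PER_BLOCK)]
        if len(packed) == 1:
            return levels, packed[0]
        level = packed
        levels.append(level)

def verify_block(block: bytes, index: int, levels, salt: bytes, root_hash: bytes) -> bool:
    """Check one data block the way the kernel does on each read: its leaf
    digest, then every ancestor hash block, up to the trusted root hash."""
    if _digest(salt, block) != levels[0][index]:
        return False
    for depth, level in enumerate(levels):
        start = (index // PER_BLOCK) * PER_BLOCK
        group = b"".join(level[start:start + PER_BLOCK]).ljust(BLOCK_SIZE, b"\0")
        index //= PER_BLOCK
        expected = root_hash if depth == len(levels) - 1 else levels[depth + 1][index]
        if _digest(salt, group) != expected:
            return False
    return True

def demo():
    # Constructed sample: a 3-block image and a fixed salt (veritysetup would pick a random one).
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    image = bytes(range(256)) * (3 * BLOCK_SIZE // 256)
    levels, root = build_hash_tree(image, salt)
    block1 = image[BLOCK_SIZE:2 * BLOCK_SIZE]
    tampered = block1[:100] + bytes([block1[100] ^ 0x01]) + block1[101:]
    return (verify_block(block1, 1, levels, salt, root),
            verify_block(tampered, 1, levels, salt, root))
```

`demo()` returns `(True, False)`: the untouched block passes and the block with one flipped byte fails, which is the point at which the kernel fails the read and Bottlerocket reboots.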

The root partition is mounted read-only, and the /etc partition is mounted on tmpfs and restored to its original state on reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported: to persist settings, you must use the API or move the functionality into separate containers.

Most of the system components are written in Rust, whose memory-safety features avoid vulnerabilities caused by use-after-free, null pointer dereferences and buffer overflows. By default the build uses the "--enable-default-pie" and "--enable-default-ssp" compilation modes to enable address space randomization for executables (PIE) and stack overflow protection via canaries. For packages written in C/C++, the additional flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are enabled.

The orchestration tools are shipped in a separate control container, which is enabled by default and managed via the API and the AWS SSM Agent. The base image has no command shell, no SSH server and no interpreted languages (for example, no Python or Perl); the administration and debugging tools are placed in a separate admin container, which is disabled by default.

Source: opennet.ru
