Kutulutsidwa kwa kugawa kwa Linux Bottlerocket 1.8.0 kwasindikizidwa, kopangidwa ndi Amazon kutenga nawo gawo pakukhazikitsa koyenera komanso kotetezeka kwa zida zakutali. Zida zogawa ndi zida zowongolera zimalembedwa mu Rust ndikugawidwa pansi pa MIT ndi Apache 2.0. Imathandizira kuthamanga kwa Bottlerocket pamagulu a Amazon ECS, VMware ndi AWS EKS Kubernetes, komanso kupanga zomangira ndi zosintha zomwe zimalola kugwiritsa ntchito zida zosiyanasiyana zoyimba ndi nthawi yothamangitsira zotengera.
Kugawaku kumapereka chithunzithunzi cha atomiki komanso chosinthika chokha chomwe chimaphatikizapo kernel ya Linux komanso malo ocheperako, kuphatikiza zida zokhazo zofunika kuyendetsa zotengera. Chilengedwe chimaphatikizapo woyang'anira systemd system, laibulale ya Glibc, chida chomangira cha Buildroot, GRUB boot loader, woyimba network configurator, nthawi yosungiramo zida zakutali, nsanja ya Kubernetes yoimba nyimbo, aws-iam-authenticator, ndi Amazon. Wothandizira ECS.
Zida zoyimba ma Container zimabwera mu chidebe choyang'anira chosiyana chomwe chimayatsidwa mwachisawawa ndikuyendetsedwa kudzera pa API ndi AWS SSM Agent. Chithunzi choyambira chilibe chipolopolo cholamula, seva ya SSH ndi zilankhulo zotanthauziridwa (mwachitsanzo, palibe Python kapena Perl) - zida zoyang'anira ndi zida zowonongeka zimayikidwa mumtsuko wosiyana, womwe umayimitsidwa mwachisawawa.
Kusiyanitsa kwakukulu kuchokera ku magawo ofanana monga Fedora CoreOS, CentOS / Red Hat Atomic Host ndiye cholinga chachikulu chopereka chitetezo chokwanira pakulimbikitsa chitetezo cha machitidwe ku zoopsa zomwe zingatheke, zomwe zimapangitsa kuti zikhale zovuta kugwiritsa ntchito chiwopsezo mu zigawo za OS ndikuwonjezera kudzipatula kwa chidebe. . Zotengera zimapangidwa pogwiritsa ntchito makina a Linux kernel - magulu, malo a mayina ndi seccomp. Kudzipatula kwina, kugawa kumagwiritsa ntchito SELinux mu "kukakamiza" mode.
Gawo la mizu limayikidwa powerenga-pokha, ndipo gawo la / etc limayikidwa mu tmpfs ndikubwezeretsedwa ku chikhalidwe chake choyambirira mutayambiranso. Kusintha kwachindunji kwa mafayilo mu / etc directory, monga /etc/resolv.conf ndi /etc/containerd/config.toml, sikuthandizidwa - kuti musunge zoikamo kwamuyaya, muyenera kugwiritsa ntchito API kapena kusuntha ntchitoyo muzitsulo zosiyana. Gawo la dm-verity limagwiritsidwa ntchito kutsimikizira mwachinsinsi kukhulupirika kwa magawo a mizu, ndipo ngati kuyesa kusintha data pamlingo wa block chipangizo kuzindikirika, dongosolo limayambiranso.
Zida zambiri zamakina zimalembedwa mu Rust, zomwe zimapereka zinthu zoteteza kukumbukira kuti zipewe zovuta zomwe zimadza chifukwa cha kukumbukira kwaulere, kuchotsedwa kwa null pointer, ndi kupitilira kwa buffer. Mukamanga mwachisawawa, mitundu yophatikizira "-enable-default-pie" ndi "-enable-default-ssp" amagwiritsidwa ntchito kuti athetse kusanja kwa malo adilesi yafayilo (PIE) ndikutetezedwa ku kusefukira kwa stack kudzera m'malo mwa canary. Pamapaketi olembedwa mu C/C++, mbendera “-Wall”, “-Werror=format-security”, “-Wp,-D_FORTIFY_SOURCE=2”, “-Wp,-D_GLIBCXX_ASSERTIONS” ndi “-fstack-clash” ndi zinanso. kuthandizira -chitetezo".
M'kutulutsa kwatsopano:
- Zomwe zili m'mipando yoyang'anira ndi zowongolera zasinthidwa.
- Nthawi yogwiritsira ntchito zotengera zapayokha zasinthidwa kukhala nthambi ya 1.6.x.
- Imawonetsetsa kuti njira zakumbuyo zomwe zimagwirizanitsa magwiridwe antchito a zotengera zimayambiranso pambuyo pakusintha kwa sitolo ya satifiketi.
- Ndizotheka kukhazikitsa magawo a kernel boot kudzera pagawo la Boot Configuration.
- Yayatsa kunyalanyaza midadada yopanda kanthu poyang'anira kukhulupirika kwa magawo a mizu pogwiritsa ntchito dm-verity.
- Kutha kumangirira ma hostnames mu /etc/hosts kwaperekedwa.
- Kutha kupanga masinthidwe a netiweki pogwiritsa ntchito zida za netdog kwaperekedwa (lamulo la kupanga-net-config lawonjezeredwa).
- Zosankha zatsopano zogawa ndi chithandizo cha Kubernetes 1.23 zaperekedwa. Nthawi yoyambira ma pods ku Kubernetes yachepetsedwa ndikuletsa configMapAndSecretChangeDetectionStrategy mode. Onjezani zoikamo zatsopano za kubelet: provider-id ndi podPidsLimit.
- Mtundu watsopano wa zida zogawa "aws-ecs-1-nvidia" za Amazon Elastic Container Service (Amazon ECS), zoperekedwa ndi madalaivala a NVIDIA, zaperekedwa.
- Thandizo lowonjezera la Microchip Smart Storage ndi zida zosungira za MegaRAID SAS. Kuthandizira kwamakhadi a Ethernet pa tchipisi ta Broadcom kwakulitsidwa.
- Zosinthidwa za phukusi ndi zodalira pa zilankhulo za Go ndi Rust, komanso mitundu yamaphukusi okhala ndi mapulogalamu ena. Bottlerocket SDK yasinthidwa kuti ikhale 0.26.0.
Source: opennet.ru