ΠΠΎΡΡΡΠΏΠ΅Π½ Π²ΡΠΏΡΡΠΊ Linux-Π΄ΠΈΡΡΡΠΈΠ±ΡΡΠΈΠ²Π° Bottlerocket 1.1.0, ΡΠ°Π·Π²ΠΈΠ²Π°Π΅ΠΌΠΎΠ³ΠΎ ΠΏΡΠΈ ΡΡΠ°ΡΡΠΈΠΈ ΠΊΠΎΠΌΠΏΠ°Π½ΠΈΠΈ Amazon Π΄Π»Ρ ΡΡΡΠ΅ΠΊΡΠΈΠ²Π½ΠΎΠ³ΠΎ ΠΈ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΠ³ΠΎ Π·Π°ΠΏΡΡΠΊΠ° ΠΈΠ·ΠΎΠ»ΠΈΡΠΎΠ²Π°Π½Π½ΡΡ ΠΊΠΎΠ½ΡΠ΅ΠΉΠ½Π΅ΡΠΎΠ². ΠΠ½ΡΡΡΡΠΌΠ΅Π½ΡΠ°ΡΠΈΠΉ ΠΈ ΡΠΏΡΠ°Π²Π»ΡΡΡΠΈΠ΅ ΠΊΠΎΠΌΠΏΠΎΠ½Π΅Π½ΡΡ Π΄ΠΈΡΡΡΠΈΠ±ΡΡΠΈΠ²Π° Π½Π°ΠΏΠΈΡΠ°Π½Ρ Π½Π° ΡΠ·ΡΠΊΠ΅ Rust ΠΈ ΡΠ°ΡΠΏΡΠΎΡΡΡΠ°Π½ΡΡΡΡΡ ΠΏΠΎΠ΄ Π»ΠΈΡΠ΅Π½Π·ΠΈΡΠΌΠΈ MIT ΠΈ Apache 2.0. ΠΠΎΠ΄Π΄Π΅ΡΠΆΠΈΠ²Π°Π΅ΡΡΡ Π·Π°ΠΏΡΡΠΊ Bottlerocket Π² ΠΊΠ»Π°ΡΡΠ΅ΡΠ°Ρ Amazon ECS ΠΈ AWS EKS Kubernetes, Π° ΡΠ°ΠΊΠΆΠ΅ ΡΠΎΠ·Π΄Π°Π½ΠΈΠ΅ ΠΏΡΠΎΠΈΠ·Π²ΠΎΠ»ΡΠ½ΡΡ ΡΠ±ΠΎΡΠΎΠΊ ΠΈ ΡΠ΅Π΄Π°ΠΊΡΠΈΠΉ, Π΄ΠΎΠΏΡΡΠΊΠ°ΡΡΠΈΡ ΠΏΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΠ΅ ΡΠ°Π·Π»ΠΈΡΠ½ΡΡ ΠΈΠ½ΡΡΡΡΠΌΠ΅Π½ΡΠΎΠ² ΠΎΡΠΊΠ΅ΡΡΡΠΎΠ²ΠΊΠΈ ΠΈ runtime Π΄Π»Ρ ΠΊΠΎΠ½ΡΠ΅ΠΉΠ½Π΅ΡΠΎΠ².
Kugawaku kumapereka chithunzithunzi cha atomiki komanso chosinthika chokha chomwe chimaphatikizapo kernel ya Linux komanso malo ocheperako, kuphatikiza zida zokhazo zofunika kuyendetsa zotengera. Chilengedwe chimaphatikizapo woyang'anira systemd system, laibulale ya Glibc, chida chomangira cha Buildroot, GRUB boot loader, woyimba network configurator, nthawi yosungiramo zida zakutali, nsanja ya Kubernetes yoimba nyimbo, aws-iam-authenticator, ndi Amazon. Wothandizira ECS.
Zida zoyimba ma Container zimabwera mu chidebe choyang'anira chosiyana chomwe chimayatsidwa mwachisawawa ndikuyendetsedwa kudzera pa API ndi AWS SSM Agent. Chithunzi choyambira chilibe chipolopolo cholamula, seva ya SSH ndi zilankhulo zotanthauziridwa (mwachitsanzo, palibe Python kapena Perl) - zida zoyang'anira ndi zida zowonongeka zimayikidwa mumtsuko wosiyana, womwe umayimitsidwa mwachisawawa.
Kusiyanitsa kwakukulu kuchokera ku magawo ofanana monga Fedora CoreOS, CentOS / Red Hat Atomic Host ndiye cholinga chachikulu chopereka chitetezo chokwanira pakulimbikitsa chitetezo cha machitidwe ku zoopsa zomwe zingatheke, zomwe zimapangitsa kuti zikhale zovuta kugwiritsa ntchito chiwopsezo mu zigawo za OS ndikuwonjezera kudzipatula kwa chidebe. . Zotengera zimapangidwa pogwiritsa ntchito makina a Linux kernel - magulu, malo a mayina ndi seccomp. Kudzipatula kwina, kugawa kumagwiritsa ntchito SELinux mu "kukakamiza" mode.
Gawo la mizu limayikidwa powerenga-pokha, ndipo gawo la / etc limayikidwa mu tmpfs ndikubwezeretsedwa ku chikhalidwe chake choyambirira mutayambiranso. Kusintha kwachindunji kwa mafayilo mu / etc directory, monga /etc/resolv.conf ndi /etc/containerd/config.toml, sikuthandizidwa - kuti musunge zoikamo kwamuyaya, muyenera kugwiritsa ntchito API kapena kusuntha ntchitoyo muzitsulo zosiyana. Gawo la dm-verity limagwiritsidwa ntchito kutsimikizira mwachinsinsi kukhulupirika kwa magawo a mizu, ndipo ngati kuyesa kusintha data pamlingo wa block chipangizo kuzindikirika, dongosolo limayambiranso.
Zida zambiri zamakina zimalembedwa mu Rust, zomwe zimapereka zinthu zoteteza kukumbukira kuti zipewe zovuta zomwe zimadza chifukwa cha kukumbukira kwaulere, kuchotsedwa kwa null pointer, ndi kupitilira kwa buffer. Mukamanga mwachisawawa, mitundu yophatikizira "-enable-default-pie" ndi "-enable-default-ssp" amagwiritsidwa ntchito kuti athetse kusanja kwa malo adilesi yafayilo (PIE) ndikutetezedwa ku kusefukira kwa stack kudzera m'malo mwa canary. Pamapaketi olembedwa mu C/C++, mbendera β-Wallβ, β-Werror=format-securityβ, β-Wp,-D_FORTIFY_SOURCE=2β, β-Wp,-D_GLIBCXX_ASSERTIONSβ ndi β-fstack-clashβ ndi zinanso. kuthandizira -chitetezo".
M'kutulutsa kwatsopano:
- ΠΡΠ΅Π΄Π»ΠΎΠΆΠ΅Π½ΠΎ Π΄Π²Π° Π½ΠΎΠ²ΡΡ Π²Π°ΡΠΈΠ°Π½ΡΠ° Π΄ΠΈΡΡΡΠΈΠ±ΡΡΠΈΠ²Π° aws-k8s-1.20 ΠΈ vmware-k8s-1.20 c ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΊΠΎΠΉ Kubernetes 1.20. Π Π΄Π°Π½Π½ΡΡ Π²Π°ΡΠΈΠ°Π½ΡΠ°Ρ , Π° ΡΠ°ΠΊΠΆΠ΅ Π² ΠΎΠ±Π½ΠΎΠ²Π»ΡΠ½Π½ΠΎΠΌ Π²Π°ΡΠΈΠ°Π½ΡΠ΅ aws-ecs-1, Π·Π°Π΄Π΅ΠΉΡΡΠ²ΠΎΠ²Π°Π½ Π½ΠΎΠ²ΡΠΉ Π²ΡΠΏΡΡΠΊ ΡΠ΄ΡΠ° Linux 5.10. Π Π΅ΠΆΠΈΠΌ lockdown ΠΏΠΎ ΡΠΌΠΎΠ»ΡΠ°Π½ΠΈΡ ΠΏΠ΅ΡΠ΅Π²Π΅Π΄ΡΠ½ Π² Π·Π½Π°ΡΠ΅Π½ΠΈΠ΅ Β«integrityΒ» (Π±Π»ΠΎΠΊΠΈΡΡΡΡΡΡ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΠΈ, ΠΏΠΎΠ·Π²ΠΎΠ»ΡΡΡΠΈΠ΅ Π²Π½ΠΎΡΠΈΡΡ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΡ Π² ΡΠ°Π±ΠΎΡΠ°ΡΡΠ΅Π΅ ΡΠ΄ΡΠΎ ΠΈΠ· ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π° ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ). ΠΡΠ΅ΠΊΡΠ°ΡΠ΅Π½Π° ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΊΠ° Π²Π°ΡΠΈΠ°Π½ΡΠ° aws-k8s-1.15 Π½Π° Π±Π°Π·Π΅ Kubernetes 1.15.
- ΠΠ»Ρ Amazon ECS ΡΠ΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½Π° ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΊΠ° ΡΠ΅ΡΠ΅Π²ΠΎΠ³ΠΎ ΡΠ΅ΠΆΠΈΠΌΠ° awsvpc, ΠΏΠΎΠ·Π²ΠΎΠ»ΡΡΡΠ΅Π³ΠΎ Π²ΡΠ΄Π΅Π»ΡΡΡ ΠΎΡΠ΄Π΅Π»ΡΠ½ΡΠ΅ ΡΠ΅ΡΠ΅Π²ΡΡ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΡ ΠΈ Π²Π½ΡΡΡΠ΅Π½Π½ΠΈΠ΅ IP-Π°Π΄ΡΠ΅ΡΠ° Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠΉ Π·Π°Π΄Π°ΡΠΈ.
- ΠΠΎΠ±Π°Π²Π»Π΅Π½Ρ Π½Π°ΡΡΡΠΎΠΉΠΊΠΈ Π΄Π»Ρ ΡΠΏΡΠ°Π²Π»Π΅Π½ΠΈΡ ΡΠ°Π·Π»ΠΈΡΠ½ΡΠΌΠΈ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΠ°ΠΌΠΈ Kubernetes, Π²ΠΊΠ»ΡΡΠ°Ρ QPS, Π»ΠΈΠΌΠΈΡΡ Π½Π° ΠΏΡΠ»Ρ ΠΈ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΡ ΠΊ ΠΎΠ±Π»Π°ΡΠ½ΡΠΌ ΠΏΡΠΎΠ²Π°ΠΉΠ΄Π΅ΡΠ°ΠΌ, ΠΎΡΠ»ΠΈΡΠ½ΡΠΌ ΠΎΡ AWS.
- Π bootstrap-ΠΊΠΎΠ½ΡΠ΅ΠΉΠ½Π΅ΡΠ΅ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΎ ΠΎΠ³ΡΠ°Π½ΠΈΡΠ΅Π½ΠΈΠ΅ Π΄ΠΎΡΡΡΠΏΠ° ΠΊ Π΄Π°Π½Π½ΡΠΌ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ ΠΏΡΠΈ ΠΏΠΎΠΌΠΎΡΠΈ SELinux.
- ΠΠΎΠ±Π°Π²Π»Π΅Π½Π° ΡΡΠΈΠ»ΠΈΡΠ° resize2fs.
Source: opennet.ru