Kambani yeAmazon pamusoro pekusunungurwa kwekupedzisira - kugovera kwakasarudzika kwekumhanyisa midziyo uye nekuibata nemazvo.
Bottlerocket (nenzira, zita rakapihwa kune diki dema dema roketi) haisi yekutanga OS yemidziyo, asi ingangoita kuti ichave yakapararira nekutenda nekusarudzika kubatanidzwa neAWS masevhisi. Kunyangwe iyo sisitimu yakatarisana neAmazon gore, iyo yakavhurika sosi kodhi inobvumira kuti ivakwe chero kupi: munharaunda pane server, paRaspberry Pi, mune chero gore rinokwikwidza, uye kunyangwe munzvimbo isina mudziyo.
Uku ndiko kutsiva kwakakodzera zvachose kwekugovera kweCoreOS kwakavigwa Red Hat.
Muchokwadi, iyo Amazon Web Services division yatove neAmazon Linux, iyo ichangobva kubuda mune yayo yechipiri vhezheni: ndeyekugovera-chinangwa kugovera iyo inogona kumhanyisa mumudziyo weDocker kana neLinux KVM, Microsoft Hyper-V, uye VMware. ESXi hypervisors. Yakagadziridzwa kuti imhanye paAWS gore, asi nekuburitswa kweBottlerocket, munhu wese anokurudzirwa kukwidziridza kuhurongwa hutsva hwakachengeteka, hwazvino, uye hunoshandisa zviwanikwa zvishoma.
AWS yakazivisa Bottlerocket . Akabva abvuma kuti iyi haisi yekutanga "Linux yemidziyo," achitaura CoreOS, Rancher OS uye Project Atomic semanyuko ekukurudzira. Vagadziri vakanyora kuti sisitimu yekushandisa ndeye "mhedzisiro yezvidzidzo zvatakadzidza kubva mukumhanyisa masevhisi ekugadzira pachiyero cheAmazon kwenguva yakareba, uye ruzivo rwatakawana mumakore matanhatu apfuura nezve maitirwo emidziyo."
Yakanyanya minimalism
Linux inobviswa zvese zvisingadiwe kumhanya midziyo. Iyi dhizaini, maererano nekambani, inoderedza nzvimbo yekurwisa.
Izvi zvinoreva kuti mashoma mapakeji akaiswa pane base system, izvo zvinoita kuti zvive nyore kuchengetedza nekuvandudza OS, uye zvakare inoderedza mukana wezvinetso nekuda kwekutsamira, kuderedza kushandiswa kwezviwanikwa. Chaizvoizvo, zvese pano zvinoshanda mukati memidziyo yakaparadzana, uye iyo yepasi sisitimu yakashama.
Amazon yakabvisawo mabhomba uye vaturikiri, ichibvisa njodzi yekuti vashandise kana vashandisi netsaona vachiwedzera maropafadzo. Nekuda kweminimalism uye chengetedzo, mufananidzo wepasi hausanganisire goko rekuraira, sevha yeSSH, kana mitauro yakadudzirwa sePython. Maturusi emutongi anoiswa mune yakaparadzana sevhisi mudziyo, iyo inovharwa nekusarudzika.
Iyo sisitimu inotungamirwa nenzira mbiri: kuburikidza neAPI uye orchestration.
Panzvimbo pemaneja wepakeji inogadziridza zvidimbu zvesoftware, Bottlerocket inodhawunirodha yakazara filesystem mufananidzo uye inotangazve mairi. Kana mutoro ukatadza, unongodzokera kumashure, uye kutadza kwebasa kunogona kukonzeresa kudzoreredza nemaoko (command via API).
Framework (Iyo Yekuvandudza Framework) inodhawunirodha mifananidzo-yakavakirwa zvigadziriso kune imwe kana "isina kukwira" zvikamu. Maviri disk partitions akagoverwa kune sisitimu, imwe yacho ine inoshanda sisitimu, uye iyo yekuvandudza inoteedzerwa kune yechipiri. Muchiitiko ichi, chikamu chemidzi chakaiswa mukuverenga-chete mode, uye chikamu /etc yakaiswa neiyo faira system mu RAM uye inodzoreredza mamiriro ekutanga mushure mekutangazve. Kugadziriswa kwakananga kwemafaira ekugadzirisa mukati /etc haitsigirwe: kuchengetedza marongero unofanirwa kushandisa iyo API kana kufambisa iyo mashandiro mumidziyo yakasiyana.
API yekuvandudza chirongwa
Chengetedzo
Midziyo inogadzirwa neyakajairwa masisitimu eLinux kernel - mapoka, namespaces uye seccomp, uye anoshandiswa seyakamanikidzwa yekupinda yekudzora system, ndiko kuti, yekuwedzera kuzviparadzanisa. mu "enforcing" mode.
Nekutadza, marongero anogoneswa kugovera zviwanikwa pakati pemidziyo nekernel. Mabhinari anodzivirirwa nemireza kudzivirira vashandisi kana mapurogiramu kuti asaaite. Uye kana munhu akasvika kune iyo faira system, Bottlerocket inopa chishandiso chekutarisa uye kuona chero shanduko dzakaitwa.
Iyo "verified boot" modhi inoshandiswa kuburikidza nemudziyo-mapper-verity basa (), iyo inotarisa kutendeseka kwemudziyo wekuparadzanisa panguva yebhoti. AWS inotsanangura dm-verity se "chimwe chinhu cheLinux kernel chinopa kutendeseka cheki kudzivirira malware kuti isashande paOS, senge kunyora core system software."
Panewo sefa muhurongwa (yakawedzerwa BPF, )
Kuuraya muenzaniso
Mushandisi anotsanangurwa
Kuumbwa
Chengetedzo
Kukundikana mode
Kuwana zviwanikwa
Mushandisi
basa racho
hongu
chero
kodzero dzevashandisi
kukangaidza kuuraya
system call, kukanganisa
Nucleus
basa racho
kwete
static
kwete
kernel panic
kururamiswa
GMP
chiitiko
hongu
JIT, CO-RE
kuongorora, JIT
mhosho meseji
vashoma vabatsiri
BPF inosiyana sei neyakajairwa mushandisi kana kernel level kodhi
AWS yakati Bottlerocket "inoshandisa modhi yekushanda iyo inowedzera kuchengetedzwa nekudzivirira kubatanidza kune maseva ekugadzira ane kodzero dzekutonga" uye "yakakodzera masisitimu makuru akaparadzirwa uko kutonga pamusoro peumwe neumwe mugadziri akaganhurirwa."
Chigadziko chemutungamiri chinopihwa kune vatariri vehurongwa. Asi AWS haifunge kuti maneja anowanzo kuda kushanda mukati meBottlerocket: "Chiito chekupinda mune yakaparadzana Bottlerocket muenzaniso inoitirwa zvisingaite: kugadzirisa kwepamberi uye kugadzirisa," vagadziri.
Mutauro we ngura
Iyo OS chiridzwa pamusoro pe kernel inonyanya kunyorwa muRust. Mutauro uyu nehunhu hwawo , pamwe chete .
Mireza inoshandiswa nekusingaperi pakuvaka --enable-default-pie ΠΈ --enable-default-ssp kugonesa randomisation yekero nzvimbo yemafaira anogona kuitwa (, PIE) uye stack yekudzivirira mafashama.
Kune C/C++ mapakeji, mamwe mareza anosanganisirwa -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS ΠΈ -fstack-clash-protection.
Kunze kweRust uye C/C ++, mamwe mapakeji akanyorwa muGo.
Kubatanidzwa neAWS masevhisi
Musiyano kubva kune akafanana midziyo yekushandisa masisitimu ndewekuti Amazon yakagadzirisa Bottlerocket kuti imhanye paAWS uye kubatanidza nemamwe masevhisi eAWS.
Iyo inonyanya kufarirwa mudziyo orchestrator ndeye Kubernetes, saka AWS yakaunza kubatanidzwa neyayo Enterprise Kubernetes Service (EKS). Maturusi eOrchestration anouya mune yakaparadzana control container , iyo inogoneswa nekusarudzika uye inotungamirwa kuburikidza neAPI uye AWS SSM Agent.
Zvichave zvinonakidza kuona kana Bottlerocket ikasimuka, zvichipihwa kutadza kwemamwe matanho akafanana munguva yakapfuura. Semuenzaniso, PhotonOS kubva kuVmware yakave isina kutaurwa, uye RedHat yakatenga CoreOS uye , aionekwa sapiyona mumunda.
Kubatanidzwa kweBottlerocket mumasevhisi eAWS kunoita kuti sisitimu iyi ive yakasarudzika nenzira yayo. Ichi pamwe ndicho chikonzero chikuru nei vamwe vashandisi vangade Bottlerocket pane mamwe distros akadai seCoreOS kana Alpine. Iyo sisitimu yakatanga kugadzirirwa kushanda neEKS neECS, asi tinodzokorora kuti izvi hazvidiwi. Chekutanga, Bottlerocket inogona uye shandisa iyo, semuenzaniso, seyakagadziriswa mhinduro. Kechipiri, vashandisi veEKS neECS vachange vachine kugona kusarudza OS yavo.
Iyo Bottlerocket source code inoburitswa paGitHub pasi peApache 2.0 rezinesi. Vagadziri vatove .
Pamusoro pekodzero dzekutsvaga
VDSina anopa . Zvinokwanisika kuisa chero system yekushandisa, kusanganisira kubva pamufananidzo wako. Sevha yega yega yakabatana neInternet chiteshi che500 Megabits uye inodzivirirwa kubva kuDDoS kurwiswa mahara!
Source: www.habr.com