Amazon releases Bottlerocket 1.0.0, a Linux distribution based on isolated containers

Amazon has published the first significant release of the specialized Linux distribution Bottlerocket 1.0.0, designed to run isolated containers efficiently and securely. The distribution's tooling and management components are written in Rust and distributed under the MIT and Apache 2.0 licenses. The project is developed on GitHub and is open to contributions from community members. The system deployment image is built for the x86_64 and Aarch64 architectures. The OS is adapted to run on Amazon ECS and AWS EKS Kubernetes clusters. Tools are provided for creating your own builds and editions, which can use other orchestration tools, kernels and container runtimes.

The distribution provides the Linux kernel and a minimal system environment containing only the components required to run containers. The packages used in the project include the systemd system manager, the Glibc library, the Buildroot build tools, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The distribution is updated atomically and is delivered as an indivisible system image. Two disk partitions are allocated to the system: one holds the active system, and the update is copied to the second. After the update is installed, the second partition becomes active, while the first keeps the previous version of the system until the next update arrives, so it can be rolled back to if problems appear. Updates are installed automatically without administrator intervention.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on providing maximum security by hardening the system against potential threats, which makes exploitation of vulnerabilities in OS components harder and increases container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode, and the dm-verity module is used for cryptographic verification of the integrity of the root partition. If an attempt to modify data at the block-device level is detected, the system reboots.
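The dm-verity check described above works by hashing the root partition's blocks into a hash tree whose root hash is the trusted value at boot. The following is an added example in Python, not Bottlerocket or dm-verity code, showing the scheme in miniature: it builds the hash tree over a constructed image, verifies individual blocks against the root hash, and shows a one-bit modification of one block being detected while the other blocks still pass (block size and sample data are constructed for the demo).

```python
import hashlib

BLOCK_SIZE = 64  # constructed for the demo; real dm-verity uses 4096-byte blocks

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def split_blocks(image: bytes) -> list:
    """Cut the image into fixed-size blocks, zero-padding the last one."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks

def build_hash_tree(image: bytes) -> tuple:
    """Return (root_hash, levels): levels[0] is one hash per data block and each
    higher level hashes pairs from the level below, up to a single root hash.
    The levels are what a verity hash partition stores; the root hash is the
    trusted value handed to the kernel at boot."""
    level = [_h(block) for block in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]  # pair the odd tail node with itself
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return level[0], levels

def verify_block(image: bytes, index: int, root_hash: bytes, levels: list) -> bool:
    """Authenticate one block of a (possibly modified) image against the trusted
    root hash, recomputing only the leaf-to-root path, as dm-verity does on read."""
    node = _h(split_blocks(image)[index])
    for level in levels[:-1]:
        sibling_index = index ^ 1
        sibling = level[sibling_index] if sibling_index < len(level) else level[index]
        node = _h(node + sibling) if index % 2 == 0 else _h(sibling + node)
        index //= 2
    return node == root_hash

def tampered_blocks(image: bytes, root_hash: bytes, levels: list) -> list:
    """Indices of blocks that no longer verify against the root hash."""
    return [i for i in range(len(split_blocks(image)))
            if not verify_block(image, i, root_hash, levels)]

# Constructed sample "root partition": 260 bytes, i.e. five blocks (last one padded).
IMAGE = bytes(range(256)) + b"boot"
ROOT_HASH, LEVELS = build_hash_tree(IMAGE)

# Flip one bit inside block 1; the untouched blocks still verify, block 1 does not.
TAMPERED = bytes(b ^ 1 if i == 70 else b for i, b in enumerate(IMAGE))
```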

The root partition is mounted read-only, and the /etc configuration partition is mounted in tmpfs and restored to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings you must use the API or move the functionality into separate containers.

Most system components are written in Rust, which provides memory-safety features that prevent vulnerabilities caused by use-after-free memory accesses, null pointer dereferences and buffer overruns. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" compiler options to enable address space randomization for executables (PIE) and stack-overflow protection through canary insertion. For packages written in C/C++, the additional flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are enabled.

The container orchestration tools are shipped in a separate control container, which is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, SSH server or interpreted languages (for example, there is no Python or Perl); administration and debugging tools are placed in a separate service container, which is disabled by default.

Source: opennet.ru
