Amazon releases Bottlerocket 1.0.0, a Linux distribution built around isolated containers

Amazon has presented the first major release of the Linux distribution Bottlerocket 1.0.0, designed to run isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. The project is developed on GitHub and is open to contributions from community members. The system deployment image is built for the x86_64 and Aarch64 architectures. The OS is adapted to run on Amazon ECS and AWS EKS Kubernetes clusters. Tools are provided for building your own assemblies and editions, which can use other orchestration tools, kernels, and container runtimes.

The distribution provides the Linux kernel and a minimal system environment that includes only the components needed to run containers. Among the packages included in the project are the systemd system manager, the Glibc library, the Buildroot build tooling, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The distribution is updated atomically and delivered as an indivisible system image. Two disk partitions are allocated to the system: one holds the running system, and the update is copied to the second. Once the update is applied, the second partition becomes active, and the previous version of the system is kept in the first until the next update arrives, so that you can roll back if problems arise. Updates are installed automatically without administrator intervention.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is its primary focus on maximum security: hardening the system against potential threats, making it harder to exploit vulnerabilities in OS components, and increasing container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode, and the dm-verity module is used for cryptographic verification of the integrity of the root partition. If an attempt to modify data at the block-device level is detected, the system reboots.
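The two mechanisms described in the preceding paragraphs, the two-partition update with rollback and a dm-verity-style hash tree over the active root, are modelled together in the following Python block. It is an added illustration, not code from the Bottlerocket project: the block size of 4 bytes, the `Node`/`Partition` classes, and the image bytes are constructed for the example, and the hash tree is a simplified SHA-256 Merkle tree rather than the real dm-verity on-disk format.

```python
"""Toy model of an A/B (two-partition) atomic update with rollback and a
dm-verity-style hash tree over the active root image.
Constructed example, not Bottlerocket's own code; block size, class names
and image contents are assumptions made for the demo."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

BLOCK = 4  # assumption: tiny block size so the demo stays readable (real systems use 4 KiB)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def block_hashes(image: bytes) -> List[bytes]:
    """Leaf layer of the hash tree: one SHA-256 per block."""
    return [_h(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]


def tree_root(leaves: List[bytes]) -> str:
    """Fold the leaves pairwise up to a single root (odd levels duplicate the last node)."""
    level = list(leaves) or [_h(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0].hex()


class IntegrityError(RuntimeError):
    """Raised when a block (or the tree metadata) no longer matches the trusted root."""


@dataclass
class Partition:
    image: bytes = b""
    leaves: List[bytes] = field(default_factory=list)  # verity metadata written beside the image
    root_hash: str = ""                                # expected root, e.g. from a signed manifest

    def read_block(self, index: int) -> bytes:
        """Serve a block only after its hash checks out against the trusted tree."""
        if tree_root(self.leaves) != self.root_hash:
            raise IntegrityError("hash tree metadata does not match root hash")
        blk = self.image[index * BLOCK:(index + 1) * BLOCK]
        if index >= len(self.leaves) or _h(blk) != self.leaves[index]:
            raise IntegrityError(f"block {index} failed verification")
        return blk


@dataclass
class Node:
    slots: List[Partition]
    active: int = 0
    staged: Optional[int] = None
    events: List[str] = field(default_factory=list)

    @classmethod
    def fresh(cls, image: bytes) -> "Node":
        """A node installed from one image: slot 0 active, slot 1 empty."""
        leaves = block_hashes(image)
        return cls(slots=[Partition(image, leaves, tree_root(leaves)), Partition()])

    def stage_update(self, image: bytes, expected_root: str) -> int:
        """Write the new image to the inactive slot; refuse it if it does not match the expected root."""
        leaves = block_hashes(image)
        if tree_root(leaves) != expected_root:
            raise ValueError("update image does not match expected root hash")
        target = 1 - self.active
        self.slots[target] = Partition(image, leaves, expected_root)
        self.staged = target
        self.events.append(f"staged slot {target}")
        return target

    def reboot(self, boots_ok: bool = True) -> int:
        """Switch to the staged slot; if the new system fails to come up, fall back to the previous one."""
        previous = self.active
        if self.staged is not None:
            self.active, self.staged = self.staged, None
        if not boots_ok and self.active != previous:
            self.active = previous  # previous version is still on disk, so rollback is a pointer flip
            self.events.append(f"boot failed, rolled back to slot {previous}")
        self.events.append(f"booted slot {self.active}")
        return self.active

    def read_block(self, index: int) -> bytes:
        """Read from the active root; a verity failure is treated as tampering and forces a reboot."""
        try:
            return self.slots[self.active].read_block(index)
        except IntegrityError:
            self.events.append("integrity failure on active root, rebooting")
            self.reboot()
            raise


if __name__ == "__main__":
    node = Node.fresh(b"rootfs-v1:" + bytes(range(30)))   # constructed image
    v2 = b"rootfs-v2:" + bytes(range(30))
    node.stage_update(v2, tree_root(block_hashes(v2)))
    node.reboot(boots_ok=False)   # simulated bad boot: stays on slot 0
    node.stage_update(v2, tree_root(block_hashes(v2)))
    node.reboot()                 # good boot: slot 1 is now active
    print("\n".join(node.events))
```

Two design points carry over from the real mechanism: the update is written only to the inactive slot, so the running system is never modified in place, and the verity check is per block, so a single corrupted block fails only the reads that touch it while still triggering the reboot policy.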

The root partition is mounted read-only, and the /etc configuration partition is mounted on tmpfs and restored to its initial state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to keep settings permanently, you must use the API or move the functionality into separate containers.

Most system components are written in Rust, which provides memory-safety features that prevent vulnerabilities caused by use-after-free memory access, null pointer dereferences, and buffer overruns. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" compilation modes to enable address space randomization for executable files (PIE) and stack overflow protection through stack canary insertion. For packages written in C/C++, the additional flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are also enabled.

The container orchestration tools are provided in a separate control container, which is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, SSH server, or interpreted languages (for example, there is no Python or Perl); administration and debugging tools are placed in a separate service container, which is disabled by default.

Source: opennet.ru
