Bottlerocket 1.8 released, a distribution built around isolated containers

Bottlerocket 1.8.0, a Linux distribution developed with Amazon's participation for running isolated containers efficiently and securely, has been released. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can run on Amazon ECS, VMware, and AWS EKS Kubernetes clusters, and custom builds and editions can be created that allow different orchestration and container runtime tools.

The distribution provides an atomically and automatically updated, indivisible system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network configurator, the containerd container runtime, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

Container management tools ship in a separate management container that is enabled by default and is controlled through an API and the AWS SSM Agent. The base image has no command shell, no SSH server, and no interpreted languages (for example, no Python or Perl); administration and debugging tools are moved to a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against possible threats, making exploitation of vulnerabilities in OS components harder, and increasing container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the separate /etc settings partition is mounted in tmpfs and restored to its original state after a reboot. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings, you must use the API or move the functionality into separate containers. For cryptographic verification of the root partition's integrity, the dm-verity module is used, and if an attempt to modify data at the block-device level is detected, the system reboots.

Most system components are written in Rust, which provides memory-safe tooling that avoids vulnerabilities caused by accessing a memory region after it has been freed, null pointer dereferences, and buffer overruns. At build time, the "--enable-default-pie" and "--enable-default-ssp" compiler modes are used by default to enable address space randomisation for executables (PIE) and protection against stack overflows through canary checks. For packages written in C/C++, the "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" flags are additionally applied.
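As an added example (not code from Bottlerocket or from the original article), a small checker that reads the evidence those build flags leave in a compiled ELF binary: PIE from the header's e_type, and stack-protector and FORTIFY_SOURCE from the glibc symbols they cause the linker to reference. The symbol heuristic is an assumption borrowed from checksec-style tools, and the ELF inputs used below are constructed samples, not real Bottlerocket binaries.

```python
import re
import struct
from dataclasses import dataclass

ET_EXEC = 2  # ELF e_type: fixed-address executable (not PIE)
ET_DYN = 3   # ELF e_type: position-independent (shared object or PIE)


@dataclass
class Hardening:
    pie: bool
    stack_protector: bool
    fortify: bool


def check_elf_hardening(data: bytes) -> Hardening:
    """Report PIE, stack-protector and FORTIFY_SOURCE evidence in raw ELF bytes.

    PIE is read from the e_type header field; SSP and FORTIFY are inferred from
    the glibc symbols the flags make the linker reference (__stack_chk_fail and
    the *_chk wrappers). -fstack-clash-protection leaves no symbol, so it cannot
    be confirmed this way (assumed heuristic, as in checksec-style tools).
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]  # class: 1=ELF32 2=ELF64; data: 1=LE 2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)  # right after e_ident
    return Hardening(
        pie=(e_type == ET_DYN),
        stack_protector=b"__stack_chk_fail\x00" in data,
        fortify=re.search(rb"__[a-z0-9_]+_chk\x00", data) is not None,
    )


def missing_protections(h: Hardening) -> list:
    """Names of the protections described above that the binary lacks."""
    checks = (("PIE", h.pie), ("stack-protector", h.stack_protector),
              ("FORTIFY_SOURCE", h.fortify))
    return [name for name, present in checks if not present]


def make_fake_elf(e_type: int, symbols) -> bytes:
    """Constructed sample input: a minimal ELF64 little-endian header (64 bytes)
    followed by a fake string table, so the checker runs without a compiler."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    header = e_ident + struct.pack("<HHI", e_type, 0x3E, 1) + b"\x00" * 40
    return header + b"\x00" + b"".join(s + b"\x00" for s in symbols)


if __name__ == "__main__":
    hardened = make_fake_elf(ET_DYN, [b"__stack_chk_fail", b"__memcpy_chk", b"puts"])
    weak = make_fake_elf(ET_EXEC, [b"puts", b"memcpy"])
    print("hardened lacks:", missing_protections(check_elf_hardening(hardened)))
    print("weak lacks:", missing_protections(check_elf_hardening(weak)))
```

On a real system the same function can be fed `open(path, "rb").read()` for any binary from the image to confirm the flags actually took effect.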

In the new release:

  • The contents of the control and admin containers have been updated.
  • The containerd container runtime has been updated to the 1.6.x branch.
  • Background processes that manage container operation are now restarted after changes to the certificate store.
  • Kernel boot parameters can now be set through the Boot Configuration mechanism.
  • Skipping empty blocks is now enabled when verifying root partition integrity with dm-verity.
  • Host names can now be bound statically in /etc/hosts.
  • Network configuration can now be generated with the netdog utility (a generate-net-config command has been added).
  • New distribution variants with Kubernetes 1.23 support have been introduced. Pod startup time in Kubernetes has been reduced by disabling the configMapAndSecretChangeDetectionStrategy mode. New kubelet settings have been added: provider-id and podPidsLimit.
  • Another new distribution variant, "aws-ecs-1-nvidia" for Amazon Elastic Container Service (Amazon ECS), shipped with NVIDIA drivers, has been introduced.
  • Support for Microchip Smart Storage and MegaRAID SAS storage devices has been added. Support for Ethernet cards based on Broadcom chips has been added.
  • Package versions and Go and Rust language dependencies have been updated, as have the versions of packages containing third-party components. The Bottlerocket SDK has been updated to version 0.26.0.

Source: opennet.ru
