Bottlerocket 1.1 released, a distribution built around isolated containers

The release of the Linux distribution Bottlerocket 1.1.0 is available. It is developed with Amazon's participation for running isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can run in Amazon ECS and AWS EKS Kubernetes clusters, and custom builds and editions can be produced that allow different orchestration and container runtime tools to be used.

The distribution provides an atomically and automatically updated, indivisible system image that contains the Linux kernel and a minimal system environment holding only the components needed to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network configurator, the containerd container runtime, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

Container management tools are shipped in a separate control container, which is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, no SSH server and no interpreted languages (for example, no Python or Perl); administration and debugging tools are moved into a separate service container that is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against possible threats, making exploitation of vulnerabilities in OS components harder, and increasing container isolation. Containers are created with the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution runs SELinux in "enforcing" mode.

The root partition is mounted read-only, and the separate /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to save settings permanently you must use the API or move the functionality into separate containers. The dm-verity module is used for cryptographic verification of the integrity of the root partition, and if an attempt to modify data at the block device level is detected, the system reboots.
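As an added illustration of the API-driven configuration described above (this is not code from the article or from the Bottlerocket project), the settings a traditional distribution would keep in /etc are expressed in Bottlerocket as user data in TOML, which the API applies at first boot and persists across reboots. The setting names are those recalled from Bottlerocket's settings reference for the 1.x line; the cluster name, API server endpoint and certificate are placeholders, and the names of the kubelet QPS, burst and cloud-provider keys should be checked against the documentation for your exact version before use.

```toml
# Bottlerocket user data (TOML). Constructed example; cluster values are placeholders.
# Everything here goes through the settings API, so it survives reboots and image updates,
# unlike a hand-edited file in /etc, which lives on tmpfs and is gone at the next boot.

[settings.kubernetes]
cluster-name = "example-cluster"                                    # placeholder
api-server = "https://EXAMPLE.gr7.eu-west-1.eks.amazonaws.com"     # placeholder
cluster-certificate = "BASE64-ENCODED-CLUSTER-CA-PLACEHOLDER"       # placeholder
# kubelet rate limits and cloud provider (settings described in the 1.1 release notes;
# key names as recalled, verify for your version)
event-qps = 5
event-burst = 10
kube-api-qps = 5
kube-api-burst = 10
cloud-provider = "aws"

[settings.kernel]
# "integrity" is the 1.1 default: user space may not modify the running kernel.
# "confidentiality" is stricter (also blocks reading kernel memory); "none" disables lockdown.
lockdown = "integrity"

[settings.host-containers.admin]
# The admin container is the only way to get a shell/SSH on the host; keep it off
# unless you are actively debugging, and turn it off again afterwards.
enabled = false

[settings.host-containers.control]
# SSM-managed control container, enabled by default; leave it on so the node stays manageable.
enabled = true

[settings.updates]
# Pin the version the updater may move to, so a node only changes image on your schedule.
version-lock = "v1.1.0"

[settings.ntp]
# Amazon Time Sync. Correct time matters for TLS to the API server and for signed update metadata.
time-servers = ["169.254.169.123"]
```

At runtime the same keys can be changed from the control or admin container through the API, for example `apiclient -u /settings -m PATCH -d '{"kernel": {"lockdown": "integrity"}}'` followed by `apiclient -u /tx/commit_and_apply -m POST`; the API renders the configuration files under /etc from the settings store, which is why editing those files directly is not a supported way to make a change stick.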

Most of the system components are written in Rust, which provides memory-safe facilities that avoid vulnerabilities caused by using memory after it has been freed, null pointer dereferences and buffer overruns. At build time, the toolchain options "--enable-default-pie" and "--enable-default-ssp" are used by default to enable address space randomisation for executables (PIE) and protection against stack overflows through stack canaries. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.

In the new release:

  • Two new distribution variants, aws-k8s-1.20 and vmware-k8s-1.20, with support for Kubernetes 1.20 have been introduced. These variants, together with the updated aws-ecs-1 variant, use the new Linux 5.10 kernel. The kernel lockdown mode is set to "integrity" by default (a mode that forbids modifications to the running kernel from user space). Support for the aws-k8s-1.15 variant, based on Kubernetes 1.15, has been discontinued.
  • Amazon ECS now supports the awsvpc network mode, which allows a separate network interface and private IP address to be allocated to each task.
  • Settings have been added to control various Kubernetes parameters, including QPS and burst limits, and the ability to connect to cloud providers other than AWS.
  • Access to the user data of bootstrap containers is now restricted using SELinux.
  • The resize2fs utility has been added.

Source: opennet.ru
