Bottlerocket 1.2 released, a distribution for running isolated containers

The Bottlerocket 1.2.0 Linux distribution is available, developed with the participation of Amazon for the efficient and secure launch of isolated containers. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can run in Amazon ECS, VMware and AWS EKS Kubernetes clusters, and custom builds and editions can be created that allow different container orchestration and runtime tools to be used.

The distribution provides an atomically and automatically updated, indivisible system image that includes the Linux kernel and a minimal system environment containing only the components required to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network configurator, the containerd isolated-container runtime, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The container management tools ship in a separate management container that is enabled by default and is driven through an API and the AWS SSM Agent. The base image has no command shell, no SSH server and no interpreted languages (for example, no Python or Perl); the administration and debugging tools are moved into a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on providing maximum security: hardening the system against possible threats, making it harder to exploit vulnerabilities in OS components, and strengthening container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution runs SELinux in "enforcing" mode.

The root partition is mounted read-only, and the separate /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to make settings persistent you must use the API or move the functionality into separate containers. The dm-verity module is used for cryptographic verification of the integrity of the root partition, and if an attempt to modify data at the block-device level is detected, the system reboots.
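To make the dm-verity behaviour above concrete, here is an added example (not Bottlerocket's or the kernel's code) of a simplified dm-verity-style hash tree. It assumes a constructed 5-block image, 16-byte blocks and a binary Merkle tree; the real dm-verity format uses 4 KiB blocks and an n-ary tree stored in its own partition, but the check is the same in spirit: every block read is hashed up to a root hash that is trusted because it is fixed at build time, so a block-level modification of the read-only root partition fails on read even if the attacker also rewrites the stored tree.

```python
"""Simplified dm-verity-style hash tree (added example, not Bottlerocket code)."""
import hashlib

BLOCK_SIZE = 16  # constructed toy size; dm-verity defaults to 4096-byte blocks


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(image: bytes) -> list:
    """Cut the image into fixed-size blocks, zero-padding the last one."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if blocks:
        blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def _pad_level(level: list) -> list:
    """Duplicate the last node so every node has a sibling."""
    return level + [level[-1]] if len(level) % 2 else level


def build_tree(blocks: list) -> list:
    """Build the hash tree at image-build time. levels[0] holds the leaf hashes;
    levels[-1] is the single root hash that is passed on the kernel command line."""
    level = [_h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        level = _pad_level(level)
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def sibling_path(levels: list, index: int) -> list:
    """Sibling hashes from leaf to root for block `index`, read from the stored
    tree (which lives on disk and is as untrusted as the data itself)."""
    path = []
    for level in levels[:-1]:
        level = _pad_level(level)
        path.append((level[index ^ 1], index & 1))  # (sibling, am I the right child?)
        index //= 2
    return path


def verify_block(block: bytes, index: int, path: list, root: bytes) -> bool:
    """Recompute the path up to the root and compare with the trusted root."""
    h = _h(block)
    for sibling, is_right_child in path:
        h = _h(sibling + h) if is_right_child else _h(h + sibling)
    return h == root


def read_block(image: bytes, index: int, levels: list, trusted_root: bytes) -> bytes:
    """Emulate the dm-verity read path: hash-check a block before handing it back.
    The kernel returns an I/O error on mismatch and Bottlerocket reboots; here we raise."""
    block = split_blocks(image)[index]
    if not verify_block(block, index, sibling_path(levels, index), trusted_root):
        raise IOError(f"dm-verity: integrity failure on block {index}")
    return block


def demo() -> dict:
    """Constructed scenario: a trusted build, then a block-level tamper."""
    image = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))  # 5 constructed blocks
    levels = build_tree(split_blocks(image))  # stored next to the image at build time
    root = levels[-1][0]                      # baked into the kernel command line
    clean = split_blocks(image)
    results = {"clean": all(read_block(image, i, levels, root) == clean[i] for i in range(5))}

    # Someone flips one byte inside block 3 directly on the raw device.
    tampered = bytearray(image)
    tampered[3 * BLOCK_SIZE + 2] ^= 0xFF
    tampered = bytes(tampered)
    try:
        read_block(tampered, 3, levels, root)
        results["tamper_detected"] = False
    except IOError:
        results["tamper_detected"] = True

    # Untouched blocks still read fine; only the modified block trips the check.
    results["other_blocks_ok"] = read_block(tampered, 0, levels, root) == clean[0]

    # Rewriting the stored tree to match the tampered data does not help either:
    # the root recomputed from it no longer matches the trusted root.
    forged = build_tree(split_blocks(tampered))
    results["forged_tree_detected"] = not verify_block(
        split_blocks(tampered)[3], 3, sibling_path(forged, 3), root)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the file prints the four checks; the only thing the verifier has to protect is the root hash, which is why Bottlerocket keeps it with the (signed) boot configuration rather than on the partition it protects.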

Most system components are written in Rust, which provides memory-safe tooling that avoids the vulnerabilities caused by accessing memory after it has been freed, dereferencing null pointers, and buffer overruns. At build time the "--enable-default-pie" and "--enable-default-ssp" options are used by default to enable address space randomisation for executables (PIE) and protection against stack overflows via canary substitution. For packages written in C/C++, the "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" flags are additionally enabled.
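A practitioner who builds custom Bottlerocket variants will want to confirm that these flags actually took effect in the resulting binaries. The following is an added example (not Bottlerocket's own tooling) of a small checksec-style audit: it judges PIE from the ELF header type (ET_DYN), and stack protector and FORTIFY_SOURCE from the glibc helper symbols that hardened code references. The assumptions are stated in the code: ET_DYN is also what shared libraries use, so the PIE verdict only means "position-independent"; the symbol checks are heuristics (a program with no fortifiable calls or no arrays on the stack will show neither marker even when built with the flags); and -fstack-clash-protection and _GLIBCXX_ASSERTIONS leave no symbol to look for. The sample inputs are constructed ELF headers, not real binaries.

```python
"""checksec-style audit of PIE / stack protector / FORTIFY markers (added example)."""
import re
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
STACK_PROTECTOR_MARKER = b"__stack_chk_fail"      # referenced by every canary-checked function
FORTIFY_MARKER = re.compile(rb"__\w+_chk\x00")    # e.g. __memcpy_chk, __printf_chk in .dynstr


def parse_elf_header(data: bytes) -> dict:
    """Read class, endianness and e_type from the first 64 bytes of an ELF file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)  # e_type sits at offset 16
    return {"class": 64 if ei_class == 2 else 32, "e_type": e_type}


def hardening_report(data: bytes) -> dict:
    """Heuristic verdicts for the build hardening listed in the text.
    PIE: ET_DYN (note: shared libraries are ET_DYN too).
    stack_protector / fortify_source: presence of the glibc helper symbols;
    -fstack-clash-protection and _GLIBCXX_ASSERTIONS are not detectable this way."""
    hdr = parse_elf_header(data)
    return {
        "pie": hdr["e_type"] == ET_DYN,
        "stack_protector": STACK_PROTECTOR_MARKER in data,
        "fortify_source": FORTIFY_MARKER.search(data) is not None,
    }


def fake_elf(e_type: int, symbols: bytes = b"") -> bytes:
    """Constructed minimal ELF64 little-endian header followed by a fake string
    table; enough for the checks above, not a loadable binary."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    rest = struct.pack("<HHIQQQIHHHHHH",
                       e_type, 62, 1,      # e_type, e_machine (x86-64), e_version
                       0, 0, 0,            # e_entry, e_phoff, e_shoff
                       0, 64, 0, 0, 0, 0, 0)  # e_flags, e_ehsize, ...
    return e_ident + rest + symbols


def demo() -> dict:
    """Constructed hardened vs. plain binaries."""
    hardened = fake_elf(ET_DYN, b"\0__stack_chk_fail\0__memcpy_chk\0")
    plain = fake_elf(ET_EXEC, b"\0memcpy\0")
    return {"hardened": hardening_report(hardened), "plain": hardening_report(plain)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file: python audit.py /path/to/binary
        with open(sys.argv[1], "rb") as f:
            print(hardening_report(f.read()))
    else:
        print(demo())
```

Pointed at a real binary, a fully hardened build should report all three keys true; a false "stack_protector" on a non-trivial program is the signal worth chasing, since it usually means the flag was dropped somewhere in the package's own build system.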

In the new release:

  • Added support for container image registry mirrors.
  • Added the ability to use signed certificates.
  • Added an option for configuring the hostname.
  • The default version of the control container has been updated.
  • Added the topologyManagerPolicy and topologyManagerScope settings for kubelet.
  • Added support for kernel compression using the zstd algorithm.
  • Added the ability to deploy a virtual machine in VMware from an image in OVA (Open Virtualization Format) format.
  • The aws-k8s-1.21 distribution variant with Kubernetes 1.21 support has been prepared. Support for aws-k8s-1.16 has been discontinued.
  • Updated package versions and Rust language dependencies.

Source: opennet.ru
