Bottlerocket 1.3 released, a distribution based on isolated containers

The release of the Linux distribution Bottlerocket 1.3.0 has been published. The distribution, developed with Amazon's participation, is designed for running isolated containers efficiently and securely. The container management and control components are written in Rust and are released under the MIT and Apache 2.0 licenses. Bottlerocket runs on Amazon ECS, VMware, and AWS EKS Kubernetes clusters, and it also supports custom builds and editions that use different container orchestration and runtime tools.

The distribution ships as an indivisible system image that is updated automatically and atomically. It includes the Linux kernel and a minimal system environment containing only the components needed to run containers. This environment consists of the systemd system manager, the Glibc library, the Buildroot build toolchain, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, the aws-iam-authenticator, and the Amazon ECS agent.

Container orchestration tools are delivered in a separate control container, which is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, no SSH server, and no interpreted languages (for example, no Python or Perl); administration and debugging tools live in a separate service container, which is disabled by default.

The main difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against possible threats, making vulnerabilities in OS components harder to exploit, and strengthening container isolation. Containers are created using the native Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, while the separate /etc settings partition is mounted in tmpfs and is restored to its original state after a reboot. Directly editing files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported: to persist settings, you must use the API or move the functionality into separate containers. The integrity of the root partition is verified cryptographically with the dm-verity module, and if an attempt to modify data at the block device level is detected, the system reboots.

Most system components are written in Rust, whose memory-safe facilities prevent vulnerabilities caused by accessing a memory region after it has been freed, null pointer dereferences, and buffer overruns. At build time, the "--enable-default-pie" and "--enable-default-ssp" compilation modes are used by default, enabling address space randomisation for executables (PIE) and protection against stack overflows through canary substitution. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.
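A way to check a built binary for two of the defaults described above, PIE and the stack protector, with FORTIFY_SOURCE inferred from the `__*_chk` symbols it leaves behind. This is an added example written for this article, not Bottlerocket project code; the function names `elf_hardening` and `fake_elf` are my own, and the symbol-name test is a heuristic (stack-clash protection and _GLIBCXX_ASSERTIONS leave no symbol to look for).

```python
"""Inspect an ELF64 image for PIE and stack-protector/FORTIFY indicators."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
# glibc entry points the compiler calls only when -D_FORTIFY_SOURCE is active
FORTIFY_SYMS = (b"__memcpy_chk", b"__strcpy_chk", b"__printf_chk", b"__sprintf_chk")


def elf_hardening(data: bytes) -> dict:
    """Report which hardening indicators the ELF image in `data` shows."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    little = data[5] == 1                    # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(("<" if little else ">") + "H", data, 16)
    # A PIE is linked like a shared object (ET_DYN) but still has an entry
    # point; a classic non-PIE executable is ET_EXEC. ET_DYN also covers .so
    # files, so apply this to executables, not libraries.
    return {
        "elf64": elf64,
        "pie": e_type == ET_DYN,
        # -fstack-protector* makes every protected function reference this symbol,
        # which survives stripping because it is an imported dynamic symbol.
        "stack_protector": b"__stack_chk_fail" in data,
        "fortify_source": any(sym in data for sym in FORTIFY_SYMS),
    }


def fake_elf(e_type: int, *symbols: bytes) -> bytes:
    """Constructed sample input: a valid ELF64 little-endian header (x86-64)
    followed by NUL-separated symbol names, standing in for a real .dynstr."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000,
                                 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return header + b"\0".join(symbols) + b"\0"


if __name__ == "__main__":
    # Check a binary given on the command line, or the running interpreter.
    path = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    with open(path, "rb") as f:
        print(path, elf_hardening(f.read()))
```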

In the new release:

  • Fixed vulnerabilities in docker and the containerd runtime (CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, CVE-2021-41103) related to incorrectly set access permissions, which allowed unprivileged users to escape the base directory.
  • Added IPv6 support to kubelet and pluto.
  • Added the ability to restart a container after changing its settings.
  • Updated the eni-max-pods package to support Amazon EC2 M6i instances.
  • open-vm-tools now supports container filters compatible with the Cilium toolkit.
  • For the x86_64 platform, a hybrid boot mode is used (with support for both EFI and BIOS).
  • Updated package versions and Rust language dependencies.
  • Removed the aws-k8s-1.17 distribution variant based on Kubernetes 1.17. The aws-k8s-1.21 variant with Kubernetes 1.21 support is recommended instead. The k8s variants use the runtime.slice and system.slice cgroup settings.

Source: opennet.ru
