Bottlerocket 1.7 released, a distribution for running isolated containers

Bottlerocket 1.7.0, a Linux distribution developed with the participation of Amazon for running isolated containers efficiently and securely, has been released. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can run in Amazon ECS, VMware and AWS EKS Kubernetes clusters, and custom builds and editions that allow different orchestration tools and container runtimes are also supported.

The distribution provides an atomically and automatically updated, indivisible system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build toolkit, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS agent.

The container orchestration tools ship in a separate control container that is enabled by default and managed through the API and the AWS SSM Agent. The base image contains no command shell, no SSH server and no interpreted languages (for example, there is no Python or Perl); administration and debugging tools are moved into a separate service (admin) container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against potential threats, making vulnerabilities in OS components harder to exploit, and strengthening container isolation. Containers are created with the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution runs SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and returns to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings you must use the API, or move the functionality into separate containers. The dm-verity module is used for cryptographic verification of the root partition's integrity, and if an attempt to modify data at the block-device level is detected, the system reboots.
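The following is an added example, not code from the Bottlerocket project or the original article, showing how settings that would traditionally be written to /etc/resolv.conf are persisted through the Bottlerocket API with the `apiclient` tool instead. It assumes a Bottlerocket host with the real `apiclient` binary on PATH; the settings keys (`dns.name-servers`, `motd`, `host-containers.admin.enabled`) are documented Bottlerocket settings, while the resolver addresses and MOTD text are constructed sample values. On a machine without `apiclient` the functions only render the request and report what they would run.

```shell
#!/bin/sh
# Added example (not part of Bottlerocket): persist configuration through the
# Bottlerocket API instead of editing /etc, which is tmpfs and reset on reboot.
# Assumes the real `apiclient` binary; sample IPs and MOTD are constructed.

# Build the JSON body for `apiclient set --json`. Keys are relative to the
# "settings" root, as apiclient expects.
# $1 = space-separated resolver IPs, $2 = message-of-the-day text.
render_settings_json() {
    servers=""
    for ip in $1; do
        servers="${servers:+$servers, }\"$ip\""
    done
    printf '{"dns": {"name-servers": [%s]}, "motd": "%s"}' "$servers" "$2"
}

# Apply the rendered settings. Bottlerocket commits them and regenerates the
# affected files itself; unlike a hand-edited /etc/resolv.conf they survive a
# reboot. Returns 2 when apiclient is not available on this machine.
apply_settings() {
    body=$(render_settings_json "$1" "$2")
    if ! command -v apiclient >/dev/null 2>&1; then
        echo "apiclient not found; would run: apiclient set --json '$body'" >&2
        return 2
    fi
    apiclient set --json "$body" && apiclient get settings.dns
}

# The admin (service) container is off by default; enable it through the same
# API when a shell is needed for debugging. Returns 2 without apiclient.
enable_admin_container() {
    command -v apiclient >/dev/null 2>&1 || return 2
    apiclient set host-containers.admin.enabled=true
}

apply_settings "10.0.0.2 10.0.0.3" "managed by apiclient" || true
```

Because `/etc/resolv.conf` is regenerated from `settings.dns` on every boot, any manual edit to the file is lost, whereas a value set through the API is stored in the data partition and reapplied; the same holds for enabling the admin container, which is what makes the base image shell-free by default yet still debuggable on demand.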

Most system components are written in Rust, which provides memory-safe facilities that avoid vulnerabilities caused by use-after-free, null-pointer dereferences and buffer overruns. At build time, the compiler is configured with "--enable-default-pie" and "--enable-default-ssp" so that position-independent executables (PIE, enabling address-space randomisation) and stack-smashing protection via canary values are on by default. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.

In the new release:

  • When installing RPM packages, an inventory of the installed packages can now be generated in JSON format and placed in the host container as the file /var/lib/bottlerocket/inventory/application.json, so that information about the packages present can be retrieved.
  • The "admin" and "control" containers have been updated.
  • Package and dependency versions for the Go and Rust languages have been updated.
  • Versions of packages carrying third-party software have been updated.
  • tmpfilesd has been fixed to resolve issues with kmod-5.10-nvidia.
  • When installing tuftool, dependency versions are now pinned.

Source: opennet.ru
