Google introduces Confidential VMs for Google Confidential Computing

At Google, we believe the future of cloud computing will shift toward private, encrypted services that give users full confidence in the confidentiality of their data.

Google Cloud already encrypts customer data in transit and at rest, but it still has to be decrypted for processing. Confidential computing is a breakthrough technology used to encrypt data while it is being processed. Confidential computing environments let you keep data encrypted in RAM and elsewhere outside the processor (CPU).

Confidential VMs are currently in beta and are the first product in the Google Cloud Confidential Computing line. We already use a variety of isolation and sandboxing techniques in our cloud infrastructure to secure our multi-tenant architecture. Confidential VMs take security to the next level by offering memory encryption so that customers can further isolate their workloads in the cloud, helping them protect sensitive data. We think this will be of particular interest to those working in regulated industries (probably a reference to GDPR and related matters; translator's note).

Opening up new possibilities

With Asylo, an open-source framework for confidential computing, we already focused on making confidential computing environments easy to deploy and use, delivering high performance, and applicable to any workload you choose to run in the cloud. We believe you should not have to compromise on usability, flexibility, performance, and security.

With Confidential VMs entering beta, we are the first major cloud provider to offer this level of security and isolation, and we give customers a simple, easy-to-use option for both new and "ported" applications (probably meaning applications that can be run in the cloud without significant changes; translator's note). We offer:

  • Unmatched confidentiality: Customers can protect the confidentiality of their sensitive data in the cloud, even while it is being processed. Confidential VMs use the Secure Encrypted Virtualization (SEV) feature of second-generation AMD EPYC processors. Your data stays encrypted while it is used, indexed, queried, and trained on. Encryption keys are generated in hardware, separately for each virtual machine, and never leave the hardware.

  • Enhanced innovation: Confidential computing can unlock processing scenarios that were not possible before. Companies can now share confidential data sets and collaborate on research in the cloud while preserving confidentiality.

  • Confidentiality for ported workloads: Our goal is to make confidential computing simple. The move to Confidential VMs is seamless: all workloads on GCP that run in virtual machines can migrate to Confidential VMs. It is simple: just tick one checkbox.

  • Advanced threat protection: Confidential computing builds on the protection Shielded VMs provide against rootkits and bootkits, helping to ensure the integrity of the operating system you choose to run in your Confidential VM.

Foundations of Confidential VMs

Confidential VMs run on N2D virtual machines powered by second-generation AMD EPYC processors. AMD's SEV feature delivers high performance for the most demanding computing workloads while keeping the virtual machine's RAM encrypted with a per-VM key that is generated and managed by the EPYC processor. The keys are generated by the AMD Secure Processor coprocessor when the virtual machine is created and reside only within it, which makes them inaccessible both to Google and to other virtual machines running on the same node.
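A guest-side check for the memory encryption described above, as an added example that is not part of Google's announcement: it scans Linux kernel log text for the messages the kernel prints when SEV is active. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): decide from guest kernel
# log text whether the kernel reports AMD SEV memory encryption as active.

# Constructed sample log lines, so the check can be exercised offline.
SAMPLE_SEV_OLD='[    0.000000] AMD Secure Encrypted Virtualization (SEV) active'
SAMPLE_SEV_NEW='[    0.514210] Memory Encryption Features active: AMD SEV'
SAMPLE_SME_ONLY='[    0.000000] AMD Memory Encryption Features active: SME'
SAMPLE_PLAIN='[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz ro quiet'

# Reads kernel log lines on stdin; exit status 0 if SEV is reported active.
# Two message styles are accepted because the wording differs between kernel
# versions. A line that lists only SME (host-side encryption) must not match.
sev_active_in_log() {
    grep -Eq 'Secure Encrypted Virtualization \(SEV\) active|Memory Encryption Features active:.* SEV'
}

# Prints a one-word verdict for the log text on stdin.
# "sev-not-reported" is not proof that SEV is off: the boot message may have
# rotated out of the ring buffer, or the log may not be readable.
sev_status() {
    if sev_active_in_log; then
        echo "sev-active"
    else
        echo "sev-not-reported"
    fi
}

# Live use inside a guest: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    dmesg | sev_status
fi
```

Run with `--live` inside the VM to check the current boot; treat `sev-not-reported` as a reason to look further rather than as a final answer.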

In addition to hardware-based inline RAM encryption, we build Confidential VMs on top of Shielded VMs to provide tamper-resistant operating system images and integrity verification of firmware, kernel binaries, and drivers. Google-provided images include Ubuntu 18.04, Ubuntu 20.04, Container-Optimized OS (COS v81), and RHEL 8.2. We are working with CentOS, Debian, and others to offer additional operating system images.

We also work closely with AMD's Cloud Solution engineering team to ensure that encrypting the virtual machine's memory does not affect performance. We added support for new OSS drivers (nvme and gvnic) to handle storage requests and network traffic at higher throughput than older protocols. This made it possible to ensure that the performance of Confidential VMs is close to that of regular virtual machines.

Secure Encrypted Virtualization, built into second-generation AMD EPYC processors, provides innovative hardware security features that help protect data in virtualized environments. To support the new GCE Confidential VMs N2D, we worked with Google to help customers secure their data and ensure the performance of their workloads. We are delighted to see that Confidential VMs deliver the same high level of performance across all workloads as regular N2D VMs.

Raghu Nambiar, Vice President, Data Center Ecosystem, AMD

A game-changing technology

Confidential computing can help change how businesses process data in the cloud while preserving confidentiality and security. Among other benefits, companies will also be able to collaborate without compromising the confidentiality of their data sets. Such collaboration can in turn lead to further development of transformative technologies and ideas, such as the ability to rapidly create vaccines and treat diseases thanks to such secure collaboration.

We can't wait to see the possibilities this technology opens up for your company. Look here to find out more.

P.S. This is not the first time, and hopefully not the last, that Google has released world-changing technology, as happened recently with Kubernetes. We support and spread Google's technologies as much as we can and train IT specialists in Russia. Our company is one of 3 Kubernetes Certified Service Providers and the only Kubernetes Training Partner in Russia. That is why we run intensive Kubernetes training sessions every spring and autumn. The next intensive courses will be held on September 28–30 (Kubernetes Base) and October 14–16 (Kubernetes Mega).

source: www.habr.com