The company Amazon
Bottlerocket (incidentally, the name given to small homemade black-powder rockets) is not the first OS for containers, but it is likely to become widespread thanks to its default integration with AWS services. Although the system is focused on the Amazon cloud, the open source code allows it to be built anywhere: locally on a server, on a Raspberry Pi, in any competing cloud, and even in a containerless environment.
This is a fully worthy replacement for the CoreOS distribution that Red Hat buried.
In fact, the Amazon Web Services division already has Amazon Linux, which recently came out in its second version: it is a general-purpose distribution that can be run in a Docker container or with the Linux KVM, Microsoft Hyper-V, and VMware ESXi hypervisors. It was optimized to run in the AWS cloud, but with the release of Bottlerocket, everyone is encouraged to upgrade to a new system that is more secure, modern, and uses fewer resources.
AWS announced Bottlerocket
Extreme minimalism
Linux is stripped of everything that is not needed to run containers. This design, according to the company, reduces the attack surface.
This means that fewer packages are installed in the base system, which makes the OS easier to maintain and update, reduces the likelihood of problems caused by dependencies, and reduces resource usage. Basically, everything here runs inside separate containers, and the underlying system is practically bare.
Amazon has also removed all shells and interpreters, eliminating the risk of them being used or of users accidentally escalating privileges. For the sake of minimalism and security, the base image does not include a command shell, an SSH server, or interpreted languages such as Python. Administrator tools are placed in a separate service container, which is disabled by default.
The system is managed in two ways: through the API and through orchestration.
Instead of a package manager that updates individual pieces of software, Bottlerocket downloads a complete file system image and reboots into it. If the boot fails, it rolls back automatically, and a workload failure can trigger a rollback manually (a command via the API).
The framework /etc is mounted with a file system in RAM. /etc is not supported: to persist settings, use the API or move the functionality into separate containers.
API update scheme
Security
Containers are created using the standard Linux kernel mechanisms (cgroups, namespaces and seccomp), and are used as a mandatory access control system, that is, for additional isolation.
By default, policies are enabled for sharing resources between containers and the kernel. Binaries are protected with flags that prevent users or programs from executing them. And if someone does get to the file system, Bottlerocket offers a tool for checking and tracking any changes made.
The "verified boot" mode is implemented through the device-mapper-verity function (
The system also has a filter
|        | Execution model | User defined | Compilation | Security          | Failure mode    | Resource access    |
|--------|-----------------|--------------|-------------|-------------------|-----------------|--------------------|
| User   | task            | yes          | any         | user rights       | abort execution | system call, fault |
| Kernel | task            | no           | static      | none              | kernel panic    | direct             |
| BPF    | event           | yes          | JIT, CO-RE  | verification, JIT | error message   | limited helpers    |
How BPF differs from ordinary user-level or kernel-level code
AWS said that Bottlerocket "uses an operating model that further enhances security by preventing connections to production servers with administrative privileges" and "is suitable for large distributed systems where control over each individual host is limited."
The administrator container is provided for system administrators. But AWS does not think that an administrator will often need to work inside Bottlerocket: "The act of logging into an individual Bottlerocket instance is intended for infrequent operations: advanced debugging and troubleshooting,"
The Rust language
The OS tooling on top of the kernel is written mostly in Rust. This language by its nature
The flags --enable-default-pie and --enable-default-ssp are used by default when building, to enable address space randomization of executable files (
For C/C++ packages, additional flags are included: -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS and -fstack-clash-protection.
Besides Rust and C/C++, some packages are written in Go.
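An added example, not part of the original article or of the Bottlerocket project: a small Python check for the traces that the build flags listed above (PIE, stack protector, _FORTIFY_SOURCE) leave in an ELF binary. The function names and the sample images are constructed for illustration, and the symbol search is a heuristic rather than a full ELF parser.

```python
import re
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification

def audit_elf(blob: bytes) -> dict:
    """Report which hardening features leave visible traces in an ELF image."""
    if len(blob) < 18 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    # EI_DATA (byte 5) gives the byte order: 1 = little endian, 2 = big endian.
    order = {1: "<", 2: ">"}.get(blob[5])
    if order is None:
        raise ValueError("invalid EI_DATA byte")
    (e_type,) = struct.unpack_from(order + "H", blob, 16)
    return {
        # PIE executables are linked as ET_DYN so the loader can relocate them.
        # Shared libraries are ET_DYN too, so run this on executables only.
        "pie": e_type == ET_DYN,
        # Stack-protector code calls __stack_chk_fail when a canary is corrupted.
        "stack_protector": b"__stack_chk_fail\0" in blob,
        # _FORTIFY_SOURCE swaps libc calls for checked variants (__memcpy_chk, ...).
        "fortify": re.search(rb"__[a-z0-9_]+_chk\0", blob) is not None,
    }

def fake_elf(e_type: int, symbols: tuple = ()) -> bytes:
    """Constructed sample: a 64-byte little-endian ELF64 header plus a string table."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)        # 16-byte e_ident
    header = ident + struct.pack("<H", e_type) + bytes(46)  # remaining fields zeroed
    return header + b"\0" + b"".join(s.encode() + b"\0" for s in symbols)

# Constructed inputs: one image with all three traces, one with none.
HARDENED = fake_elf(ET_DYN, ("__stack_chk_fail", "__memcpy_chk", "puts"))
LEGACY = fake_elf(ET_EXEC, ("memcpy", "puts"))

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, audit_elf(blob))
```

On a real system, pass the bytes of an executable read from disk to audit_elf; a statically linked binary may show no fortify symbols even when the flag was set.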
Integration with AWS services
The difference from similar container operating systems is that Amazon has optimized Bottlerocket to run on AWS and to integrate with other AWS services.
The most popular container orchestrator is Kubernetes, so AWS introduced integration with its own Enterprise Kubernetes Service (EKS). Orchestration tools come in a separate control container
It will be interesting to see whether Bottlerocket takes off, given the failure of some similar initiatives in the past. For example, PhotonOS from VMware turned out to be unclaimed, and Red Hat bought CoreOS and
The integration of Bottlerocket with AWS services makes this system unique in its own way. This is perhaps the main reason why some users may prefer Bottlerocket over other distros such as CoreOS or Alpine. The system was originally designed to work with EKS and ECS, but we repeat that this is not required. First, Bottlerocket can
The Bottlerocket source code is published on GitHub under the Apache 2.0 license. The developers already
Source: www.habr.com