Bottlerocket, a minimal Linux distribution for running containers, has been released. What matters most about it


Amazon has announced the final release of Bottlerocket, a specialized distribution for running containers and managing them efficiently.

Bottlerocket (incidentally, the name for the small homemade black-powder rockets) is not the first container OS, but it is likely to spread because of its out-of-the-box integration with AWS services. Although the system is focused on the Amazon cloud, the open source code lets it be built anywhere: on a server on premises, on a Raspberry Pi, in any competing cloud, and even on bare metal.

It is a fully fledged replacement for the CoreOS distribution that Red Hat buried.

Moreover, the Amazon Web Services division already has Amazon Linux, which recently came out in its second version: a general-purpose distribution that can run in a Docker container or on the Linux KVM, Microsoft Hyper-V and VMware ESXi hypervisors. It was designed to run in the AWS cloud, but with the release of Bottlerocket everyone is encouraged to move to a new system that is more secure, more modern and uses fewer resources.

AWS announced Bottlerocket in March 2020. It admitted right away that this is not the first "Linux for containers", citing CoreOS, Rancher OS and Project Atomic as sources of inspiration. The developers write that the operating system "is the result of lessons we learned running production services at Amazon over a long time, and of the experience we gained over the past six years about how to run containers."

Extreme minimalism

Linux has been stripped of everything not needed to run containers. According to the company, this design reduces the attack surface.

This means fewer packages are installed in the base system, which makes the OS easier to maintain and update, reduces the chance of dependency problems and lowers resource consumption. Essentially, everything here runs inside separate containers, and the underlying system is bare.

Amazon also removed all shells and interpreters, eliminating the risk of their exploitation or of users accidentally escalating privileges. For the sake of minimalism and security, the base image includes no command shell, no SSH server and no interpreted languages such as Python. Administrator tools are installed in a separate service container, which is disabled by default.

The system is managed in two ways: through the API and through orchestration.

Instead of a package manager that updates individual pieces of software, Bottlerocket downloads a complete filesystem image and reboots into it. If the boot fails, it rolls back automatically, and a workload failure can trigger a manual rollback (a command issued through the API).

The TUF framework (The Update Framework) downloads image-based updates to the other, "unmounted" partition. Two disk partitions are allocated to the system: one holds the running system, and the update is written to the second. The root partition is mounted read-only, and a separate /etc is mounted on a tmpfs filesystem in RAM and returns to its original state after a reboot. Direct modification of configuration files inside /etc is not supported: to persist settings you must use the API, or move the application's configuration into separate containers.

API update scheme

Security

Containers are created with the standard Linux kernel mechanisms (cgroups, namespaces and seccomp), and SELinux in "enforcing" mode is used as the mandatory access control system, that is, as additional isolation.

By default, the policies govern how resources are shared between containers and the kernel. Binaries are protected with flags that prevent users or processes from modifying them. And if someone does reach the filesystem, Bottlerocket provides a tool to inspect and track any changes that were made.

The "verified boot" mode is implemented with the device-mapper verity target (dm-verity), which checks the integrity of the root partition at boot. AWS describes dm-verity as "a Linux kernel feature that provides integrity checking to help prevent malware from running on the OS, such as overwriting core system software."
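To show what the dm-verity integrity check described above actually does for the read-only root partition, here is an added Python model (not Bottlerocket's or the kernel's code): per-block salted digests are folded up into a hash tree whose single root hash is the trust anchor, and each block is verified on read by walking its path up to that root. The block size, salt and sample image are constructed toy values.

```python
import hashlib

BLOCK = 64                   # toy block size; real dm-verity uses 4096-byte blocks
SALT = b"constructed-salt"   # dm-verity salts every digest; this value is made up
FANOUT = 4                   # digests per tree node (real: hash block size / digest size)

def _h(data: bytes) -> bytes:
    return hashlib.sha256(SALT + data).digest()

def split_blocks(image: bytes) -> list[bytes]:
    """Zero-pad the image to whole blocks and split it."""
    image += b"\0" * (-len(image) % BLOCK)
    return [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]

def build_tree(image: bytes) -> list[list[bytes]]:
    """Level 0 holds per-block digests; each higher level digests FANOUT children."""
    levels = [[_h(b) for b in split_blocks(image)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([_h(b"".join(prev[i:i + FANOUT]))
                       for i in range(0, len(prev), FANOUT)])
    return levels   # levels[-1][0] is the root hash, passed to the kernel out of band

def verify_block(image: bytes, idx: int, tree: list[list[bytes]], root: bytes) -> bool:
    """Mirror the on-read check: hash the block, then walk its path up to the root.
    The stored tree is untrusted; only agreement with `root` proves the block."""
    blocks = split_blocks(image)
    if idx >= len(blocks):
        return False
    digest = _h(blocks[idx])
    for level in range(len(tree) - 1):
        start = idx // FANOUT * FANOUT
        siblings = tree[level][start:start + FANOUT]
        if siblings[idx % FANOUT] != digest:
            return False              # block (or a tree node) does not match
        digest = _h(b"".join(siblings))
        idx //= FANOUT
    return digest == root

def demo() -> tuple[bool, bool]:
    """Constructed 512-byte 'root filesystem': all blocks verify, a 1-byte edit fails."""
    image = bytes(range(256)) * 2
    tree = build_tree(image)
    root = tree[-1][0]
    clean_ok = all(verify_block(image, i, tree, root) for i in range(len(tree[0])))
    tampered = image[:100] + b"\xff" + image[101:]    # byte 100 lives in block 1
    return clean_ok, verify_block(tampered, 1, tree, root)
```

Because only the root hash needs to be trusted, it is small enough to be signed or placed on the kernel command line, which is how the check survives an attacker who can write to the hash tree itself.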

The system also includes the eBPF filter (extended BPF, developed by Alexei Starovoitov), which allows kernel modules to be replaced with safe BPF programs for low-level system operations.

|        | Execution model | User defined | Compilation | Security          | Failure mode  | Resource access |
| User   | task            | yes          | any         | user privileges   | abort process | syscall, error  |
| Kernel | task            | no           | static      | none              | kernel panic  | direct          |
| BPF    | event           | yes          | JIT, CO-RE  | verification, JIT | error message | few helpers     |

How BPF differs from ordinary user-level or kernel-level code

AWS says Bottlerocket "uses an operational model that further improves security by discouraging administrative connections to production servers and administrative privileges", and that it "is suitable for large distributed systems where control over each individual host is limited."

An admin container is provided for system administrators. But AWS does not expect the administrator to need to work inside Bottlerocket: "The act of logging in to an individual Bottlerocket instance is intended for unusual tasks: debugging and troubleshooting," the developers write.

The Rust language

The OS tooling above the kernel is written mostly in Rust. By its nature, this language reduces the likelihood of unsafe memory access and also eliminates race conditions between threads.

At build time the flags --enable-default-pie and --enable-default-ssp are used by default, to enable address space randomization for executables (position-independent executables, PIE) and stack overflow protection.

For C/C++ packages, the additional flags -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS and -fstack-clash-protection are included.

Besides Rust and C/C++, some packages are written in Go.

Integration with AWS services

What sets it apart from similar container operating systems is that Amazon has tuned Bottlerocket to run on AWS and integrated it with other AWS services.

The most popular container orchestrator is Kubernetes, so AWS announced integration with its Elastic Kubernetes Service (EKS). The orchestration tools live in a separate control container, bottlerocket-control-container, which is enabled by default and is managed through the API and the AWS SSM Agent.

It will be interesting to see whether Bottlerocket takes off, given the failure of some similar attempts in the past. For example, VMware's PhotonOS turned out to be unwanted, and Red Hat bought CoreOS, which had been considered a pioneer in the field, and shut the project down.

Bottlerocket's integration with AWS services makes this system unique in its own way. This is probably the main reason some users will choose Bottlerocket over other distros such as CoreOS or Alpine. The system was originally designed to work with EKS and ECS, but we repeat that this is not a requirement. First, Bottlerocket can be built independently and used, for example, as a standalone solution. Second, EKS and ECS users will be able to choose their own OS.

Bottlerocket's source code is published on GitHub under the Apache 2.0 license. The developers are already responding to bug reports and feature requests.



Source: www.habr.com
