A release of the Bottlerocket 1.8.0 Linux distribution has been published. It is developed with the participation of Amazon for the efficient and secure running of isolated containers. The distribution's tooling and control components are written in Rust and are distributed under the MIT and Apache 2.0 licenses. Bottlerocket can run on Amazon ECS, VMware and AWS EKS Kubernetes clusters, and custom builds and editions can be created that allow the use of other orchestration and container runtime tools.
The distribution provides an indivisible, atomically and automatically updated system image that includes the Linux kernel and a minimal system environment containing only the components required to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes orchestration platform, aws-iam-authenticator and the Amazon ECS agent.
Container orchestration tools ship in a separate control container that is enabled by default and is managed through an API and the AWS SSM Agent. The base image has no command shell, no SSH server and no interpreted languages (for example, no Python or Perl); administration and debugging tools are placed in a separate service container, which is disabled by default.
The main difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the emphasis on maximum security: the system is hardened against possible threats, exploitation of vulnerabilities in OS components is made harder, and container isolation is increased. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.
The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to store settings permanently, you must use the API or move the functionality into separate containers. The dm-verity module is used for cryptographic verification of the root partition's integrity, and if an attempt to modify data at the block-device level is detected, the system reboots.
Most system components are written in Rust, whose memory-safety features prevent vulnerabilities caused by use-after-free memory access, null pointer dereferences and buffer overflows. By default, the compilation modes "--enable-default-pie" and "--enable-default-ssp" are used to enable address space layout randomization for executables (PIE) and stack overflow protection by canary substitution. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are also added.
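To verify that a build actually carries the PIE, stack-canary and FORTIFY_SOURCE hardening described above, here is an added Python checker; it is not part of the original article or of the Bottlerocket project. The `fake_elf` header it builds for its self-test is a constructed sample, and the string-match heuristics mirror what tools such as checksec do.

```python
"""Heuristic ELF hardening check: PIE, stack canary, FORTIFY_SOURCE."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
# glibc symbols that appear when -fstack-protector / _FORTIFY_SOURCE are in effect
CANARY_SYMBOL = b"__stack_chk_fail"
FORTIFY_SYMBOLS = (b"__memcpy_chk", b"__strcpy_chk", b"__printf_chk", b"__sprintf_chk")


def elf_type(data: bytes) -> int:
    """Return e_type from the ELF header (offset 16); byte order comes from EI_DATA."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    return struct.unpack_from(endian + "H", data, 16)[0]


def check_hardening(data: bytes) -> dict:
    """Report the hardening properties the build flags on the page should produce.

    'pie' is read from the header (ET_DYN also covers shared objects, so pass
    executables). The other two are string heuristics, as in checksec: a stripped
    static binary may give false negatives, while a dynamically linked binary with
    stack-protected functions references __stack_chk_fail from libc.
    """
    return {
        "pie": elf_type(data) == ET_DYN,
        "stack_canary": CANARY_SYMBOL in data,
        "fortify": any(sym in data for sym in FORTIFY_SYMBOLS),
    }


def fake_elf(e_type: int, extra: bytes = b"") -> bytes:
    """Constructed minimal ELF64 little-endian header (sample data, not a real binary)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # 64-bit, LE, ELF version 1
    fields = struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + fields + extra


if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary
    with open(sys.argv[1], "rb") as fh:
        for name, ok in check_hardening(fh.read()).items():
            print(f"{name:13} {'yes' if ok else 'NO'}")
```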
In the new release:
- The contents of the administrative and control containers have been updated.
- The runtime for isolated containers has been updated to the containerd 1.6.x branch.
- Background processes that coordinate container operation are now restarted after changes to the certificate store.
- Kernel boot parameters can now be set through the Boot Configuration section.
- Empty blocks are now ignored when checking root partition integrity with dm-verity.
- Hostnames can now be statically mapped in /etc/hosts.
- Network configuration can now be generated with the netdog utility (a generate-net-config command has been added).
- New distribution variants with Kubernetes 1.23 support are offered. Pod start-up time in Kubernetes has been reduced by disabling the configMapAndSecretChangeDetectionStrategy mode. New kubelet settings have been added: provider-id and podPidsLimit.
- A new distribution variant, "aws-ecs-1-nvidia", for Amazon Elastic Container Service (Amazon ECS) is offered, shipped with NVIDIA drivers.
- Support for Microchip Smart Storage and MegaRAID SAS storage devices has been added. Support for Ethernet cards based on Broadcom chips has been extended.
- Package versions and dependencies for the Go and Rust languages have been updated, as have the package versions of third-party programs. The Bottlerocket SDK has been updated to version 0.26.0.
Source: opennet.ru