Bottlerocket 1.1.0, a Linux distribution developed with Amazon's participation for running isolated containers efficiently and securely, has been released. The distribution's tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can run in Amazon ECS and AWS EKS (Kubernetes) clusters, and custom builds and editions can be created that use other container orchestration tools and runtimes.
The distribution provides an indivisible system image, updated atomically and automatically, that contains the Linux kernel and a minimal system environment with only the components needed to run containers. The environment includes the systemd service manager, the Glibc library, the Buildroot build tooling, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS agent.
Container orchestration tools are shipped in a separate control container that is enabled by default and is managed through the API and the AWS SSM Agent. The base image contains no command shell, SSH server or interpreted languages (for example, there is no Python or Perl); administration and debugging tools are moved into a separate service (admin) container, which is disabled by default.
The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary emphasis on security: hardening the system against potential threats, making vulnerabilities in OS components harder to exploit, and strengthening container isolation. Containers are created with the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation the distribution uses SELinux in "enforcing" mode.
The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and returns to its initial state after a reboot. Directly modifying files under /etc, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings, use the API or move the functionality into separate containers. The dm-verity module is used for cryptographic verification of the root partition's integrity, and if an attempt to modify data at the block device level is detected, the system reboots.
Most system components are written in Rust, whose memory-safety guarantees prevent vulnerabilities caused by use-after-free access, null pointer dereferences and buffer overflows. By default the toolchain is built with the "--enable-default-pie" and "--enable-default-ssp" options, which enable address space randomization for executables (PIE) and stack-overflow protection via canary values. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are added as well.
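To confirm that a binary actually carries the hardening described above, here is an added example script (it is not part of the article or of the Bottlerocket project) that inspects an ELF file for the three markers those flags leave behind: an ET_DYN header (PIE), the __stack_chk_fail symbol (stack protector) and __*_chk wrappers (FORTIFY_SOURCE). It assumes GNU coreutils od/tr/grep/awk, a little-endian target such as x86_64 or aarch64, and a dynamically linked binary whose symbol names appear in its string tables. Two caveats: a shared library is also ET_DYN, so run it on executables, and a program that calls no fortifiable libc function shows fortify=no even when built with the flag.

```shell
#!/bin/sh
# Added example: report the hardening markers the Bottlerocket build flags leave in an ELF
# binary. Heuristic: reads only the ELF header and printable strings, no symbol-table parsing.
set -eu

# The first four bytes of any ELF file are 0x7f 'E' 'L' 'F'
elf_is_elf() {
    [ "$(od -An -v -t x1 -N 4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# e_type is the 16-bit field at offset 16 (little-endian on x86_64/aarch64):
# 2 = ET_EXEC (fixed load address), 3 = ET_DYN (PIE executable or shared object)
elf_e_type() {
    od -An -v -t u1 -j 16 -N 2 "$1" | awk '{ print $1 + 256 * $2 }'
}

# A PIE executable is ET_DYN; --enable-default-pie makes that the default for executables
elf_is_pie() {
    elf_is_elf "$1" && [ "$(elf_e_type "$1")" = 3 ]
}

# Split the file into printable runs and look for an exact symbol name
elf_has_string() {
    tr -c '[:print:]' '\n' < "$1" | grep -q -- "^${2}\$"
}

# --enable-default-ssp (stack protector) makes protected functions call __stack_chk_fail
elf_has_canary() {
    elf_has_string "$1" '__stack_chk_fail'
}

# -D_FORTIFY_SOURCE=2 rewrites risky libc calls into __*_chk wrappers (e.g. __printf_chk);
# a program that never calls a fortifiable function legitimately shows none of them
elf_has_fortify() {
    tr -c '[:print:]' '\n' < "$1" | grep -q -E '^__[a-z0-9_]+_chk$'
}

# One line per file: path, then pie/canary/fortify as yes or no
report() {
    for f in "$@"; do
        if ! elf_is_elf "$f"; then
            printf '%s: not an ELF file\n' "$f"
            continue
        fi
        pie=no; canary=no; fortify=no
        if elf_is_pie "$f"; then pie=yes; fi
        if elf_has_canary "$f"; then canary=yes; fi
        if elf_has_fortify "$f"; then fortify=yes; fi
        printf '%s: pie=%s canary=%s fortify=%s\n' "$f" "$pie" "$canary" "$fortify"
    done
}

# Usage: sh elfcheck.sh /path/to/binary...
if [ $# -gt 0 ]; then
    report "$@"
fi
```

Run it against files extracted from a Bottlerocket image, for example `sh elfcheck.sh usr/bin/*` from a mounted root, or against the admin container's own tools. It is a quick triage aid, not a replacement for checksec or for the distribution's build-time checks.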
In the new release:
- Two new distribution variants, aws-k8s-1.20 and vmware-k8s-1.20, with support for Kubernetes 1.20 are offered. These variants, as well as the updated aws-ecs-1 variant, use the new Linux 5.10 kernel. The default lockdown mode has been switched to "integrity" (features that allow modifying the running kernel from user space are blocked). Support for the aws-k8s-1.15 variant based on Kubernetes 1.15 has been discontinued.
- For Amazon ECS, support for the awsvpc network mode has been implemented, which allows allocating separate network interfaces and internal IP addresses for each task.
- Settings have been added for controlling various Kubernetes parameters, including QPS, pool limits and the ability to connect to cloud providers other than AWS.
- In the bootstrap container, access to user data is now restricted with SELinux.
- The resize2fs utility has been added.
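The runtime properties described earlier (read-only root, /etc on tmpfs, SELinux enforcing) and the "integrity" lockdown default from this release can be verified from the admin container, since the base image has no shell. The following is an added example (not from the article or from the Bottlerocket project): each check takes the contents of /proc/mounts, /sys/fs/selinux/enforce or /sys/kernel/security/lockdown as an argument, so the logic can be exercised on constructed input outside Bottlerocket, and the audit function reads the live files. dm-verity is not checked because none of these files exposes it directly.

```shell
#!/bin/sh
# Added example: verify Bottlerocket's hardening claims from the admin container.
# Each check receives file contents as its argument so it can run on constructed input.
set -eu

# Print the mount options (4th field) for mountpoint $2 from /proc/mounts text $1
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# Print the filesystem type (3rd field) for mountpoint $2
mount_fstype() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $3; exit }'
}

# Root must carry the 'ro' option; "errors=remount-ro" does not count
root_is_readonly() {
    case ",$(mount_opts "$1" /)," in
        *,ro,*) return 0 ;;
    esac
    return 1
}

# /etc must be tmpfs, so direct edits such as /etc/resolv.conf vanish on reboot
etc_is_tmpfs() {
    [ "$(mount_fstype "$1" /etc)" = tmpfs ]
}

# /sys/fs/selinux/enforce reads 1 in enforcing mode, 0 in permissive mode
selinux_enforcing() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]
}

# /sys/kernel/security/lockdown reads e.g. "none [integrity] confidentiality";
# the bracketed word is the active mode
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Read a file, or return empty text where it is absent (non-SELinux or non-Linux hosts)
read_or_empty() {
    if [ -r "$1" ]; then cat "$1"; else printf ''; fi
}

# Run all checks against the live system; returns 1 if any expectation fails
audit() {
    mounts=$(read_or_empty /proc/mounts)
    failed=0
    if root_is_readonly "$mounts"; then echo "root: read-only"; else echo "root: writable"; failed=1; fi
    if etc_is_tmpfs "$mounts"; then echo "/etc: tmpfs"; else echo "/etc: not tmpfs"; failed=1; fi
    if selinux_enforcing "$(read_or_empty /sys/fs/selinux/enforce)"; then
        echo "selinux: enforcing"
    else
        echo "selinux: not enforcing"; failed=1
    fi
    mode=$(lockdown_mode "$(read_or_empty /sys/kernel/security/lockdown)")
    case "$mode" in
        integrity|confidentiality) echo "lockdown: $mode" ;;
        *) echo "lockdown: ${mode:-unavailable}"; failed=1 ;;
    esac
    return $failed
}

if audit; then echo "all hardening checks passed"; else echo "some checks failed"; fi
```

Because /etc is reverted on reboot, a lockdown mode other than the default is changed through the API rather than by editing files; the documented form is `apiclient set settings.kernel.lockdown=integrity` (the `settings.kernel.lockdown` key and `apiclient set` syntax are taken from the project's documentation, so confirm them against your release).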
Source: opennet.ru