Release of Bottlerocket 1.3, a distribution built around isolated containers

Bottlerocket 1.3.0 has been published, a Linux distribution developed with Amazon's participation and designed to run isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and licensed under the MIT and Apache 2.0 licenses. Bottlerocket runs in Amazon ECS, VMware and AWS EKS Kubernetes clusters, and it supports custom builds and editions that allow the use of different container orchestration tools and container runtimes.

The distribution provides an indivisible system image that is updated atomically and automatically, containing the Linux kernel and a minimal system environment that includes only the components needed to run containers. This environment includes the systemd service manager, the glibc library, the Buildroot build toolchain, the GRUB bootloader, the wicked network configurator, the containerd runtime for isolated containers, the Kubernetes container orchestration platform, the aws-iam-authenticator authenticator and the Amazon ECS agent.

The container orchestration tools are shipped in a separate control container, which is enabled by default and managed through an API and the AWS SSM Agent. The base image does not include a command shell, an SSH server or interpreted languages (e.g. there is no Python or Perl); administration and debugging tools are provided in a separate service container, which is not enabled by default.

The main difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the strong focus on maximum security: hardening the system against possible threats, making it harder to exploit vulnerabilities in OS components, and increasing container isolation. Containers are created using the native Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings you must use the API or move the functionality into separate containers. The dm-verity module is used to cryptographically verify the integrity of the root partition, and if an attempt to modify data at the block-device level is detected, the system reboots.

Most system components are written in Rust, which provides memory-safety features that prevent vulnerabilities caused by use-after-free memory access, null pointer dereferences and buffer overflows. By default, builds use the "--enable-default-pie" and "--enable-default-ssp" compile options, which enable address space randomization for executables (PIE) and stack overflow protection through canary substitution. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are also added.
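As an added example (not Bottlerocket's own code), the following POSIX shell script compiles a constructed C program with the C/C++ hardening flags named above and checks the resulting ELF for PIE, a stack canary and fortified libc calls. It assumes gcc and binutils' readelf are installed, and it passes explicit -fPIE/-pie and -fstack-protector-strong in place of a toolchain configured with --enable-default-pie and --enable-default-ssp.

```shell
#!/bin/sh
# Added example (not Bottlerocket's own code): compile a small C program with the
# hardening flags the article lists and verify the ELF really carries PIE, a stack
# canary and fortified libc calls. Requires gcc and readelf (binutils).
HARDEN_CFLAGS="-O2 -fPIE -fstack-protector-strong -Wall -Werror=format-security \
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-clash-protection"
HARDEN_LDFLAGS="-pie"   # -fPIE/-pie and -fstack-protector-strong emulate the toolchain defaults

# Constructed sample program: a fixed-size stack buffer (so a canary is emitted)
# and an snprintf whose format cannot be folded away (so the _chk variant stays).
write_sample() {
    cat > "$1" <<'EOF'
#include <stdio.h>
int main(int argc, char **argv) {
    char buf[32];
    snprintf(buf, sizeof buf, "arg=%s", argc > 1 ? argv[1] : "bottlerocket");
    printf("buffer: %s\n", buf);
    return 0;
}
EOF
}

build_hardened() {  # $1 = C source, $2 = output binary
    gcc $HARDEN_CFLAGS $HARDEN_LDFLAGS -o "$2" "$1"
}

# A PIE is an ET_DYN object, so ASLR can relocate the whole image.
is_pie() { readelf -h "$1" | grep -q 'Type:.*DYN'; }
# A canary-protected function calls __stack_chk_fail when the canary is clobbered.
has_stack_protector() { readelf -s -W "$1" | grep -q '__stack_chk_fail'; }
# _FORTIFY_SOURCE rewrites size-checkable libc calls into their *_chk variants.
has_fortify() { readelf -s -W "$1" | grep -qE '__(v?snprintf|v?printf|memcpy|strcpy)_chk'; }

# Report each property; exit status is 0 only when all three are present.
check_hardening() {
    rc=0
    for t in is_pie has_stack_protector has_fortify; do
        if "$t" "$1"; then echo "$t: ok"; else echo "$t: MISSING"; rc=1; fi
    done
    return $rc
}

main() {
    if ! command -v gcc >/dev/null 2>&1 || ! command -v readelf >/dev/null 2>&1; then
        echo "skipping: gcc and readelf (binutils) are required" >&2; return 0
    fi
    tmp=$(mktemp -d) && write_sample "$tmp/sample.c" &&
        build_hardened "$tmp/sample.c" "$tmp/sample" && check_hardening "$tmp/sample"
}
main
```

Run the same checks against any binary from the distribution's packages to confirm the flags took effect; the fortify check only applies to glibc-based builds.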

In the new release:

  • Fixed vulnerabilities in docker and the tools installed in the runtime (CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, CVE-2021-41103) related to incorrect setting of access permissions, which allowed unprivileged users to break out of the base directory and execute external programs.
  • Added IPv6 support to kubelet and pluto.
  • It is now possible to restart a container after changing its settings.
  • Added support for Amazon EC2 M6i instances to the eni-max-pods package.
  • open-vm-tools gained support for device filters based on the Cilium toolkit.
  • On the x86_64 platform, a hybrid boot mode has been implemented (with support for both EFI and BIOS).
  • Updated package versions and Rust dependencies.
  • Support for the aws-k8s-1.17 distribution variant, based on Kubernetes 1.17, has been discontinued. It is recommended to use the aws-k8s-1.21 variant with Kubernetes 1.21 support. The k8s variants use the runtime.slice and system.slice cgroup settings.

Source: opennet.ru
