Ukukhutshwa kwe-Linux yokuhanjiswa kwe-Bottlerocket 1.3.0 ishicilelwe, iphuhliswe ngokuthatha inxaxheba kwe-Amazon ukwenzela ukuqaliswa okusebenzayo nokukhuselekileyo kwezikhongozeli ezizimeleyo. Izixhobo zokusasaza kunye namacandelo olawulo abhalwe kwi-Rust kwaye isasazwe phantsi kwe-MIT kunye neelayisensi ze-Apache 2.0. Ixhasa ukuqhuba i-Bottlerocket kwi-Amazon ECS, i-VMware kunye ne-AWS EKS Kubernetes amaqela, kunye nokudala ukwakhiwa kwesiko kunye nokuhlelwa okuvumela ukusetyenziswa kwe-orchestration eyahlukeneyo kunye nezixhobo zexesha lokugijima kwizikhongozeli.
Unikezelo lubonelela ngomfanekiso wenkqubo engahlukaniyo ne-athom ehlaziywa ngokuzenzekelayo equka i-Linux kernel kunye nemekobume yenkqubo encinci, kuquka kuphela amacandelo ayimfuneko okuqhuba izikhongozeli. Imo engqongileyo ibandakanya umphathi wenkqubo yenkqubo, ithala leencwadi leGlibc, isixhobo sokwakha i-Buildroot, i-GRUB bootloader, umqwalaseli womnatha okhohlakeleyo, ixesha lokuqhuba eliqulathiweyo kwizikhongozeli ezizimeleyo, iqonga le-orchestration ye-Kubernetes, i-aws-iam-authenticator, kunye neAmazon. Ummeli we-ECS.
Izixhobo ze-orchestration ze-Container ziza kwi-container yolawulo eyahlukileyo eyenziwa ngokungagqibekanga kwaye ilawulwa nge-API kunye ne-AWS SSM Agent. Umfanekiso wesiseko awunalo iqokobhe lomyalelo, iseva ye-SSH kunye neelwimi ezitolikwayo (umzekelo, akukho Python okanye iPerl) - izixhobo zolawulo kunye nezixhobo zokucoca zibekwe kwisitya senkonzo esahlukileyo, esikhutshaziwe ngokungagqibekanga.
Umahluko ophambili ukusuka kwizabelo ezifanayo ezifana ne-Fedora CoreOS, i-CentOS / i-Red Hat Atomic Host yeyona nto igxininisekile ekuboneleleni ukhuseleko oluphezulu kumxholo wokuqinisa ukhuseleko lwenkqubo kwizisongelo ezinokwenzeka, okwenza kube nzima ngakumbi ukuxhaphaza ubuthathaka kumacandelo e-OS kunye nokwandisa ukwahlukaniswa kwesikhongozeli. . Izikhongozeli zenziwe kusetyenziswa iindlela eziqhelekileyo ze-Linux kernel - amaqela, izithuba zamagama kunye ne-seccomp. Ukongezwa okongeziweyo, ukuhanjiswa kusebenzisa i-SELinux kwimodi "yokunyanzeliswa".
Ulwahlulo lweengcambu lunyuswe ukufunda-kuphela, kwaye i/etc izahlulelo zeseto zifakwe kwi-tmpfs kwaye zibuyiselwe kwimeko yayo yokuqala emva kokuphinda kuqalwe. Ukuguqulwa ngokuthe ngqo kweefayile kwi-directory / etc, njenge /etc/resolv.conf kunye /etc/containerd/config.toml, ayixhaswanga - ukugcina ngokusisigxina izicwangciso, kufuneka usebenzise i-API okanye uhambise ukusebenza kwiibhokisi ezahlukeneyo. Imodyuli ye-dm yokuqinisekisa isetyenziselwa ukungqinisisa ngokufihlakeleyo ingqibelelo yolwahlulo lweengcambu, kwaye ukuba umzamo wokuguqula idata kwinqanaba lesixhobo sokubhloka ichongiwe, inkqubo iphinda iqalise.
Uninzi lwamalungu enkqubo abhalwe kwiRust, ebonelela ngeempawu ezikhuselekileyo kwimemori ukunqanda ubuthathaka obubangelwa kukufikelela kwimemori yasemva kwasimahla, ukuchaswa kwesalathi esingenanto, kunye nokugqithiswa kwe-buffer. Xa ukwakhiwa ngokungagqibekanga, iindlela zokuhlanganisa "-enable-default-pie" kunye ne "-enable-default-ssp" zisetyenziselwa ukwenza i-randomization yendawo yedilesi yefayile ephunyeziweyo (PIE) kunye nokukhuselwa kwi-stack ephuphumayo ngokutshintshwa kwe-canary. Kwiipakethe ezibhalwe ngeC/C++, iiflegi “-Wall”, “-Werror=format-security”, “-Wp,-D_FORTIFY_SOURCE=2”, “-Wp,-D_GLIBCXX_ASSERTIONS” kunye “-fstack-clash” nazo zongezwa yenziwe -ukhuseleko".
Kukhupho olutsha:
- Ubuthathaka obulungisiweyo kwi-docker kunye nezixhobo ezifakwe ngexesha lokubaleka (CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, CVE-2021-41103) ezinxulumene nokusetwa okungachanekanga kwamalungelo okufikelela, okuvumele abasebenzisi abangenalungelo ukuba badlulele ngaphaya kwesiseko. ulawulo kwaye uphumeze iinkqubo zangaphandle.
- Inkxaso ye-IPv6 yongezwe kwi-kubelet kunye ne-pluto.
- Kuyenzeka ukuba uqale kabusha isikhongozeli emva kokutshintsha izicwangciso zayo.
- Inkxaso yemizekelo ye-Amazon EC2 M6i yongezwe kwiphakheji ye-eni-max-pods.
- I-Open-vm-izixhobo zongeze inkxaso kwiifilitha zesixhobo, ngokusekelwe kwi-toolkit ye-Cilium.
- Kwiqonga le-x86_64, imowudi ye-hybrid boot iphunyeziwe (ngenkxaso ye-EFI kunye ne-BIOS).
- Iinguqulelo zepakethe ezihlaziyiweyo kunye nezixhomekeke kulwimi lweRust.
- Inkxaso yokwahluka kokusabalalisa i-aws-k8s-1.17 esekelwe kwi-Kubernetes 1.17 iyekile. Kucetyiswa ukuba usebenzise inguqulo ye-aws-k8s-1.21 ngenkxaso ye-Kubernetes 1.21. Ukwahluka kwe-k8s kusebenzisa i-cgroup runtime.slice kunye ne-system.slice useto.
umthombo: opennet.ru