Google launches Confidential VMs in Google Cloud Confidential Computing


At Google, we believe the future of cloud computing will shift toward confidential, encrypted services that give users complete confidence in the privacy of their data.

Google Cloud already encrypts customer data in transit and at rest, but that data still has to be decrypted in order to be processed. Confidential computing is a breakthrough technology that keeps data encrypted while it is being processed. Confidential computing environments let you keep data encrypted in RAM and in other locations outside the processor (CPU).

Confidential VMs are currently in beta and are the first product in the Google Cloud Confidential Computing line. We already use a variety of isolation and sandboxing techniques in our cloud infrastructure to keep our multi-tenant architecture secure. Confidential VMs take security to the next level by adding memory encryption to further isolate workloads in the cloud, helping our customers protect sensitive data. We expect this to be of particular interest to those working in regulated industries (presumably with GDPR and related requirements in mind, translator's note).


Unlocking new possibilities

We already have Asylo, an open-source framework for confidential computing, and we are focused on making confidential computing environments easy to deploy and use, offering high performance and applicability to any workload you choose to run in the cloud. We believe you should not have to compromise between usability, flexibility, performance and security.

With Confidential VMs entering beta, we are the first major cloud provider to offer this level of security and isolation, and we give customers a simple, easy-to-use option for both new and "lift-and-shift" applications (presumably meaning applications that can be moved to the cloud without significant changes, translator's note). We offer:

  • Unmatched confidentiality: Customers can protect the confidentiality of their sensitive data in the cloud, even while it is being processed. Confidential VMs use the Secure Encrypted Virtualization (SEV) feature of second-generation AMD EPYC processors. Your data stays encrypted while it is being used, indexed, queried, or trained on. Encryption keys are generated in hardware, separately for each virtual machine, and never leave the hardware.

  • Enhanced innovation: Confidential computing can unlock processing scenarios that were previously impossible. Organizations can now share isolated data sets and collaborate on research in the cloud while preserving confidentiality.

  • Confidentiality for lift-and-shift workloads: Our goal is to make confidential computing easy to use. Switching to Confidential VMs is straightforward: any GCP workload that runs on virtual machines can be moved to Confidential VMs. It is as simple as checking a single box.

  • Enhanced threat protection: Confidential computing builds on the protection Shielded VMs provide against rootkits and bootkits, helping ensure the integrity of the operating system chosen to run on the Confidential VM.


Foundations of Confidential VMs

Confidential VMs run on N2D virtual machines powered by second-generation AMD EPYC processors. AMD's SEV feature delivers high performance for the most demanding compute workloads while keeping the virtual machine's RAM encrypted with a per-VM key that is generated and managed by the EPYC processor. Keys are generated by the AMD Secure Processor coprocessor when the virtual machine is created and reside only there, which makes them inaccessible both to Google and to other virtual machines running on the same host.

In addition to built-in RAM encryption, we build Confidential VMs on top of Shielded VMs to provide tamper-resistant operating system images and integrity checks of firmware, kernel binaries and drivers. Google-provided images include Ubuntu 18.04, Ubuntu 20.04, Container Optimized OS (COS v81) and RHEL 8.2. We are working with CentOS, Debian and others to offer additional operating system images.

We also work closely with the AMD Cloud Solution engineering team to ensure that virtual machine memory encryption does not affect performance. We added support for new OSS drivers (nvme and gvnic) to handle storage requests and network traffic with higher performance than the older base protocols. This made it possible to keep Confidential VM performance metrics close to those of regular machines.
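The "check one box" deployment above and the per-VM SEV key described in this section raise the two questions an operator actually scripts: was the instance created with confidential computing and Shielded VM options turned on, and does the guest kernel itself report SEV memory encryption as active? The following shell script is an added example and not Google's, AMD's or Habr's code. It assumes the `gcloud compute instances create` flags `--confidential-compute`, `--maintenance-policy=TERMINATE` and the `--shielded-*` family (which exist in the gcloud CLI, but check your installed version), and it matches the two message forms Linux kernels have used to announce SEV in `dmesg`. The sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not Google/AMD code): create-command builder and an in-guest
# SEV check for a Confidential VM on N2D.

# Build the gcloud command for a Confidential VM (flags assumed to match the
# installed gcloud; verify with `gcloud compute instances create --help`).
# Confidential VMs only run on N2D, and host maintenance is set to TERMINATE
# because an SEV guest cannot be live-migrated. The Shielded VM flags keep the
# boot-integrity checks the page describes (secure boot, vTPM, monitoring).
confidential_vm_create_cmd() {
    name="$1"; zone="$2"
    printf '%s' "gcloud compute instances create $name --zone=$zone \
--machine-type=n2d-standard-2 --confidential-compute \
--maintenance-policy=TERMINATE --shielded-secure-boot --shielded-vtpm \
--shielded-integrity-monitoring --image-family=ubuntu-2004-lts \
--image-project=ubuntu-os-cloud"
}

# Return 0 if the given kernel log text says SEV memory encryption is active.
# Older kernels print "AMD Secure Encrypted Virtualization (SEV) active";
# newer ones print "Memory Encryption Features active: AMD SEV".
sev_active_from_dmesg() {
    printf '%s\n' "$1" | grep -Eiq \
        'Secure Encrypted Virtualization \(SEV\) active|Memory Encryption Features active:.*SEV'
}

# Run the check against the live guest's kernel log (needs dmesg access).
check_this_guest() {
    if sev_active_from_dmesg "$(dmesg 2>/dev/null)"; then
        echo "SEV memory encryption: active"
    else
        echo "SEV memory encryption: NOT reported (not a Confidential VM?)"
        return 1
    fi
}

# Constructed sample kernel log lines (not captured from a real machine).
SAMPLE_SEV_DMESG='[    0.000000] Linux version 5.4.0-1020-gcp
[    0.101234] AMD Secure Encrypted Virtualization (SEV) active
[    0.200000] Memory Encryption Features active: AMD SEV'
SAMPLE_PLAIN_DMESG='[    0.000000] Linux version 5.4.0-1020-gcp
[    0.101234] x86/cpu: no memory encryption'
```

Run `check_this_guest` from inside the VM after boot; a Confidential VM should report SEV as active, and a plain N2D instance will not. Treat the in-guest check as confirmation of what the instance configuration claims, not as a replacement for it: the control-plane setting is what guarantees the VM was scheduled on SEV-capable hardware with its own hardware-generated key.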


Secure Encrypted Virtualization, built into second-generation AMD EPYC processors, provides a new hardware security feature that helps protect data in a virtual environment. To support the new GCE Confidential VMs on N2D, we worked with Google to help customers protect their data and ensure the performance of their workloads. We are very pleased to see that Confidential VMs deliver the same level of high performance across all workloads as regular N2D VMs.

Raghu Nambiar, Vice President, Data Center Ecosystem, AMD

A game-changing technology

Confidential computing can help transform the way organizations process data in the cloud while maintaining confidentiality and security. Among other benefits, companies will be able to collaborate without compromising the confidentiality of their data. Such collaboration, in turn, could lead to the development of even more transformative technologies and ideas, such as the ability to rapidly create vaccines and treatments for diseases thanks to secure collaboration of this kind.

We can't wait to see the possibilities this technology opens up for your company. See here for more details.

PS Not for the first time, and hopefully not for the last, Google is releasing a world-changing technology, as happened recently with Kubernetes. We support and spread Google's technologies as best we can and train IT specialists in Russia. Our company is one of the 3 Kubernetes Certified Service Providers and the only Kubernetes Training Partner in Russia. That is why we run intensive Kubernetes courses every spring and autumn. The next intensives will be held on September 28-30 (Kubernetes Base) and October 14-16 (Kubernetes Mega).

Source: www.habr.com
