The minimalist Linux distribution Bottlerocket has been released for running containers. What matters most about it

Amazon has announced the final release of Bottlerocket, a specialized distribution for running and managing containers efficiently.

Bottlerocket (incidentally, the name given to home-made black-powder rockets) is not the first container OS, but it may well spread thanks to its native integration with AWS services. Although the system is focused on the Amazon cloud, the open source code allows it to be built anywhere: on a local server, on a Raspberry Pi, in any competing cloud, even in an environment without containers.

This is a perfectly worthy replacement for the CoreOS distribution that Red Hat buried.

In fact, Amazon Web Services already has Amazon Linux, whose second version was released recently: a general-purpose distribution that can run in a Docker container or under the Linux KVM, Microsoft Hyper-V and VMware ESXi hypervisors. It is optimized to run in the AWS cloud, but with the release of Bottlerocket everyone is encouraged to move to the new system, which is more secure, more modern and uses fewer resources.

AWS announced Bottlerocket in March 2020. It immediately admitted that this is not "the first Linux for containers," citing CoreOS, Rancher OS and Project Atomic as sources of inspiration. The developers wrote that the system "is the result of lessons we have learned over a long time running production services at Amazon's scale, and of the experience we have gained over the past six years on how to run containers."

Extreme minimalism

Linux is stripped of everything that is not needed to run containers. This design, according to the company, reduces the attack surface.

This means fewer packages are installed on the base system, which makes the OS easier to maintain and update, reduces the chance of dependency problems, and lowers resource consumption. Essentially, everything here runs inside separate containers, and the underlying system is bare.

Amazon has also removed all shells and interpreters, eliminating the risk of their exploitation or of users accidentally escalating privileges. For the sake of minimalism and security, the base image does not include a command shell, an SSH server, or interpreted languages such as Python. Administrator tools are placed in a separate service container, which is disabled by default.

The system is managed in two ways: through an API and through orchestration.

Instead of a package manager that updates individual pieces of software, Bottlerocket downloads a complete filesystem image and reboots into it. If the boot fails, it rolls back automatically, and a workload failure can trigger a manual rollback (a command issued through the API).

The TUF framework (The Update Framework) downloads image-based updates to replace or "downgrade" components. Two disk partitions are allocated to the system: one holds the running system, and the update is copied to the second. The root partition is mounted read-only, and /etc is mounted as a tmpfs filesystem in RAM and restored to its original state after a reboot. Direct modification of configuration files in /etc is not supported: to preserve settings you must use the API or move the functionality into separate containers.
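As an added illustration of the two-partition update and rollback flow described above (example code written for this article, not Bottlerocket's own implementation; the slot bookkeeping fields priority, tries_left and successful, and the sample images, are assumptions for the demo):

```python
import hashlib

# Constructed demo of an A/B image update with rollback, modelled on the scheme the
# article describes; the bookkeeping fields (priority, tries_left, successful) are assumed.
def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class SlotManager:
    def __init__(self, image_a: bytes):
        self.slots = {
            "A": {"image": image_a, "priority": 1, "tries_left": 0, "successful": True},
            "B": {"image": b"", "priority": 0, "tries_left": 0, "successful": False},
        }
        self.booted = None

    def active(self) -> str:
        # Highest-priority slot that is proven good or still has boot attempts left
        ok = [s for s, m in self.slots.items()
              if m["image"] and (m["successful"] or m["tries_left"] > 0)]
        return max(ok, key=lambda s: self.slots[s]["priority"])

    def apply_update(self, image: bytes, expected_sha256: str) -> bool:
        # Whole-image update: verify the digest first, then stage it in the inactive slot
        if digest(image) != expected_sha256:
            return False
        target = "B" if self.active() == "A" else "A"
        top = max(m["priority"] for m in self.slots.values())
        self.slots[target] = {"image": image, "priority": top + 1,
                              "tries_left": 1, "successful": False}
        return True

    def boot(self) -> str:
        slot = self.active()
        if not self.slots[slot]["successful"]:
            # One attempt only: unless the boot is marked good, the next boot falls back
            self.slots[slot]["tries_left"] -= 1
        self.booted = slot
        return slot

    def mark_boot_successful(self) -> None:
        self.slots[self.booted]["successful"] = True

    def rollback(self) -> None:
        # Manual rollback (the API command): demote the running slot so the other one wins
        self.slots[self.booted]["priority"] = 0
        self.slots[self.booted]["successful"] = False
```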

[Image: update scheme through the API]

Security

Containers are created with the standard Linux kernel mechanisms (cgroups, namespaces and seccomp), and SELinux in "enforcing" mode is used as a mandatory access control system, i.e. as an additional layer of isolation.

By default, policies are enabled for sharing resources between containers and the kernel. These are protected by flags that prevent users or programs from using them. And if someone does get to the filesystem, Bottlerocket provides a tool to check for and track any changes that were made.

The "verified boot" mode is implemented with the device-mapper-verity (dm-verity) feature, which checks the integrity of the root partition at boot time. AWS describes dm-verity as "a Linux kernel feature that provides integrity checking to prevent malicious software from running on the OS, such as overwriting the core system software."
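To show what the integrity check described above rests on, here is an added illustration of the Merkle hash tree principle behind dm-verity (example code written for this article, not the kernel's implementation or its on-disk format; the 16-byte block size and the sample image are assumptions for the demo):

```python
import hashlib

# Constructed illustration of the hash tree behind dm-verity: per-block hashes are
# combined up to one root, and only the root needs to be trusted at boot.
BLOCK = 16  # tiny block for the demo; dm-verity normally uses 4096-byte blocks

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _block(image: bytes, index: int) -> bytes:
    return image[index * BLOCK:(index + 1) * BLOCK].ljust(BLOCK, b"\0")

def build_tree(image: bytes) -> list:
    """Level 0 holds one hash per data block; the last level holds only the root."""
    n = (len(image) + BLOCK - 1) // BLOCK
    level = [_h(_block(image, i)) for i in range(n)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]  # pad odd levels by repeating the last node
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def root_hash(image: bytes) -> bytes:
    # The trusted value a verified-boot chain hands to the kernel for the root partition
    return build_tree(image)[-1][0]

def verify_block(image: bytes, index: int, trusted_root: bytes, tree: list) -> bool:
    """Re-hash one block and walk up with sibling hashes from the stored tree, the way
    dm-verity checks a block on demand when it is read; tampering breaks the path."""
    node = _h(_block(image, index))
    for level in tree[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else level[index]  # padded node
        node = _h(node + sibling) if index % 2 == 0 else _h(sibling + node)
        index //= 2
    return node == trusted_root
```

Modifying a single byte of one block makes only that block fail verification; the stored tree itself does not need to be trusted, because any altered intermediate hash also fails to reproduce the root.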

The system also includes an eBPF filter (extended BPF, developed by Alexey Starovoitov), which allows kernel modules to be replaced with safer BPF programs for low-level system operations.

                 | User             | Kernel       | BPF
Execution model  | task             | task         | event
User-defined     | yes              | no           | yes
Compilation      | any              | static       | JIT, CO-RE
Security         | user privileges  | none         | verification, JIT
Failure mode     | abort task       | kernel panic | error message
Resource access  | syscall, fault   | direct       | limited helpers

How BPF differs from ordinary user-level or kernel-level code

AWS said Bottlerocket "uses an operational model that continuously improves security by preventing administrative connections to production servers" and "is suited to large distributed systems where control over each individual host is limited."

An administrator container is provided for system administrators. But AWS does not expect that an administrator will normally need to work inside Bottlerocket: "The act of logging into a separate Bottlerocket environment is intended for rare operations: advanced debugging and troubleshooting," the developers write.

The Rust language

The OS tools above the kernel are written mostly in Rust. By its nature, this language reduces the chance of unsafe memory access and eliminates race conditions between threads.

The flags --enable-default-pie and --enable-default-ssp are used by default when building, to enable address-space randomization of executables (position-independent executables, PIE) and stack overflow protection.

For C/C++ packages, the additional flags -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS and -fstack-clash-protection are enabled.

Besides Rust and C/C++, some packages are written in Go.

Integration with AWS services

The difference from other container operating systems is that Amazon developed Bottlerocket to run on AWS and to integrate with other AWS services.

The most popular container orchestrator is Kubernetes, so AWS introduced integration with its Elastic Kubernetes Service (EKS). The orchestration tools come in a separate control container, bottlerocket-control-container, which is enabled by default and managed through the API and the AWS SSM Agent.

It will be interesting to see whether Bottlerocket takes off, given the failures of other similar systems in the past. For example, PhotonOS from VMware turned out to be unwanted, and Red Hat bought CoreOS and closed the project, which had been considered a pioneer in the field.

Bottlerocket's integration with AWS services makes this system unique in its own way. This is probably the main reason why some users will prefer Bottlerocket over other distros such as CoreOS or Alpine. The system was originally built to work with EKS and ECS, but we repeat that this is not required. First, Bottlerocket can be built on its own and used, for example, as a self-hosted solution. Second, EKS and ECS users will still be able to choose their OS.

Bottlerocket's source code is published on GitHub under the Apache 2.0 license. The engineers are already responding to bug reports and feature requests.


Source: www.habr.com
