Amazon
Bottlerocket (the name, incidentally, refers to small home-made black-powder rockets) is not the first container OS, but it will probably become widespread thanks to its out-of-the-box integration with AWS services. Although the system is aimed at Amazon's cloud, the open source code lets it be built anywhere: locally on a server, on a Raspberry Pi, in any competing cloud, even in an environment without containers.
It is a fully adequate replacement for the CoreOS distribution that Red Hat buried.
In fact, Amazon Web Services already has Amazon Linux, which recently reached its second version: a general-purpose distribution that can run in a Docker container or under the Linux KVM, Microsoft Hyper-V and VMware ESXi hypervisors. It is optimized to run in the AWS cloud, but with the release of Bottlerocket everyone is encouraged to move to the new system, which is more secure, more modern and uses fewer resources.
AWS announced Bottlerocket
Maximum minimalism
Linux has been stripped of everything that is not needed to run containers. According to the company, this design reduces the attack surface.
It means fewer packages are installed in the base system, which makes the OS easier to maintain and update, reduces the chance of dependency problems, and lowers resource consumption. Essentially, everything here runs inside separate containers, and the underlying system is bare.
Amazon also removed all shells and interpreters, eliminating the risk of their misuse or of users accidentally escalating privileges. For the sake of minimalism and security, the base image contains no command shell, no SSH server and no interpreted languages such as Python. Administrator tools are placed in a separate service container, which is disabled by default.
The system is managed in two ways: through the API and through orchestration.
Instead of a package manager that updates individual pieces of software, Bottlerocket downloads a complete file system image and reboots into it. If the boot fails, it rolls back automatically, and a workload failure can trigger a manual rollback (a command through the API).
The /etc directory is mounted as an in-memory file system; changes to /etc are not persisted: to keep settings you must use the API or move the functionality into separate containers.
API update scheme
Security
Containers are created with the standard Linux kernel mechanisms (cgroups, namespaces and seccomp), and a mandatory access control system (SELinux) is used for additional isolation.
By default, policies are enabled that govern resource sharing between containers and the kernel. Both are protected by flags so that users or programs cannot make use of them. And if someone does get to the file system, Bottlerocket provides a tool for checking and tracking any changes made.
The "verified boot" mode is implemented with the device-mapper-verity (dm-verity) kernel feature.
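The check dm-verity performs on every read, as an added example rather than code from Bottlerocket or from the article: a simplified Python model of a verity hash tree (binary fan-out instead of dm-verity's wider hash blocks; the image and salt are constructed inline) that builds the tree over a small image, verifies each block against the root hash, and shows that a single flipped bit in a block is rejected.

```python
import hashlib

BLOCK_SIZE = 4096  # dm-verity hashes the data device in fixed-size blocks
def split_blocks(data: bytes) -> list:
    """Cut the image into BLOCK_SIZE blocks, zero-padding the last partial block."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if blocks and len(blocks[-1]) < BLOCK_SIZE:
        blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks

def hash_block(payload: bytes, salt: bytes) -> bytes:
    """Salted SHA-256: the per-block hash used for data blocks and hash blocks alike."""
    return hashlib.sha256(salt + payload).digest()

def build_tree(image: bytes, salt: bytes) -> list:
    """Build the hash tree bottom-up (simplified to a binary tree; real dm-verity packs as
    many child hashes into a hash block as fit). levels[0] = leaf hashes, levels[-1] = [root]."""
    level = [hash_block(b, salt) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        level = [hash_block(b"".join(level[i:i + 2]), salt) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def verify_block(block: bytes, index: int, levels: list, salt: bytes, root: bytes) -> bool:
    """Check one data block as dm-verity does on read: recompute its hash, then walk up the
    tree comparing each stored node with the recomputed one, ending at the trusted root."""
    digest = hash_block(block.ljust(BLOCK_SIZE, b"\0"), salt)
    for level in levels[:-1]:
        if level[index] != digest:        # stored hash does not match the data we just read
            return False
        sibling = index ^ 1
        if sibling < len(level):
            pair = (digest, level[sibling]) if index % 2 == 0 else (level[sibling], digest)
            digest = hash_block(b"".join(pair), salt)
        else:                             # last node of an odd-length level has no sibling
            digest = hash_block(digest, salt)
        index //= 2
    return digest == root                 # the root hash is supplied to the kernel out of band

def demo() -> dict:
    """Constructed sample: a three-block 'root file system', then one flipped bit in block 1."""
    salt, image = b"constructed-salt", b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"C" * 100
    levels = build_tree(image, salt)
    root = levels[-1][0]
    blocks = split_blocks(image)
    clean = all(verify_block(b, i, levels, salt, root) for i, b in enumerate(blocks))
    tampered = bytearray(blocks[1]); tampered[0] ^= 0x01
    return {"clean": clean, "tampered": verify_block(bytes(tampered), 1, levels, salt, root)}
```

Because each stored hash node is itself checked against its parent, editing the hash tree to match a modified block does not help either: only the root hash, held outside the device, is trusted.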
The system also includes a BPF filter.

       | Execution model | User defined | Compilation | Security          | Failure mode    | Resource access
User   | task            | yes          | any         | user privileges   | abort execution | system call, fault
Kernel | task            | no           | static      | none              | kernel panic    | direct
BPF    | event           | yes          | JIT, CO-RE  | verification, JIT | error message   | restricted helpers

How BPF differs from ordinary user-space or kernel-level code
AWS says Bottlerocket "uses an operating model that continuously improves security by restricting connections to production servers with administrative privileges" and "is suited to large distributed systems where control over each host is limited."
The admin container is provided for system administrators. But AWS does not expect an administrator to normally need to work inside Bottlerocket: "The act of logging into an individual Bottlerocket node is intended for rare operations: advanced debugging and troubleshooting."
The Rust language
The OS utilities above the kernel are written mostly in Rust. By its very nature, this language
The flags --enable-default-pie and --enable-default-ssp are used by default at build time, enabling address space randomization for executables (PIE) and stack protection (SSP). For C/C++ packages the additional flags -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS and -fstack-clash-protection are enabled.
Apart from Rust and C/C++, some packages are written in Go.
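To confirm that a package was actually built with these defaults, a practitioner inspects the resulting binary rather than trusting the build flags. Added example, not Bottlerocket's own tooling: a Python checker that reads the ELF64 header and program headers for the PIE (e_type ET_DYN), non-executable-stack (PT_GNU_STACK) and RELRO (PT_GNU_RELRO) indicators and can be pointed at any real ELF file; the sample images it is tested against are constructed inline. Stack protector and FORTIFY leave their traces in the symbol table and are outside this check.

```python
import struct

ET_EXEC, ET_DYN = 2, 3          # a PIE shows up as ET_DYN rather than ET_EXEC
PT_GNU_STACK = 0x6474E551       # flags of this header decide whether the stack is executable
PT_GNU_RELRO = 0x6474E552       # present when the linker made part of the data segment read-only
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def check_elf64(data: bytes) -> dict:
    """Read the ELF64 header and program headers and report the hardening indicators."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 = 64-bit
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"               # EI_DATA 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    nx_stack, relro = None, False                    # None: no PT_GNU_STACK header at all
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack, "relro": relro}

def make_sample(pie: bool, exec_stack: bool, relro: bool) -> bytes:
    """Constructed minimal ELF64 image: header plus program headers, no code (test input only)."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8           # 64-bit, little-endian, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0,  # type, x86-64, version, entry, phoff, shoff, flags
        64, 56, len(phdrs), 64, 0, 0)                       # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + body

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # run with a binary path to check a real file
    image = open(path, "rb").read() if path else make_sample(True, False, True)
    print(check_elf64(image))
```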
Integration with AWS services
What distinguishes it from other container operating systems is that Amazon developed Bottlerocket to run on AWS and integrate with its other services.
The most popular container orchestrator is Kubernetes, so AWS introduced integration with its Elastic Kubernetes Service (EKS). The orchestration tools come in a separate control container.
It will be interesting to see whether Bottlerocket takes off, given the failure of similar systems in the past. For example, PhotonOS from VMware turned out to be unwanted, and Red Hat bought CoreOS and
Bottlerocket's integration with AWS services is what sets the system apart. This is perhaps the main reason some users prefer Bottlerocket over other distros such as CoreOS or Alpine. The system was originally built to work with EKS and ECS, but, we repeat, this is not a requirement. First, Bottlerocket can
The Bottlerocket source code is published on GitHub under the Apache 2.0 license. Developers already have
Source: www.habr.com