Amazon has published the first major release of a specialized Linux distribution designed to run isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and released under the MIT and Apache 2.0 licenses. The project is developed on GitHub and is open to community participation. System images are built for the x86_64 and Aarch64 architectures. The OS is adapted to run in Amazon ECS and AWS EKS Kubernetes clusters; tools are also provided for building custom images and editions that can use other orchestration tools, shells, and container runtimes.
The distribution provides the Linux kernel and a minimal system environment that includes only the components required to run containers. Packages used in the project include a system manager, the Glibc library, build tools, Buildroot, the GRUB bootloader, a network configurator, a container runtime, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.
The distribution is updated atomically and is delivered as an indivisible system image. Two disk partitions are allocated for the system: one holds the active system, and the update is copied to the second. After the update is applied, the second partition becomes active, and the first retains the previous version of the system until the next update, so it can be rolled back if problems arise. Updates are installed automatically without administrator intervention.
The main difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is that it focuses primarily on maximum hardening of the system against potential threats, making it harder to exploit vulnerabilities in OS components and strengthening container isolation. Containers are built with the standard Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution runs SELinux in "enforcing" mode, and a kernel module is used to verify the integrity of the root partition. If an attempt to modify data at the block-device level is detected, the system reboots.
The root partition is mounted read-only, and the /etc configuration partition is mounted on tmpfs and restored to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings permanently, you must use the API or move the functionality into separate containers.
Most system components are written in Rust, which provides memory-safety features that prevent vulnerabilities caused by use-after-free accesses, null pointer dereferences, and buffer overruns. By default the build uses the "--enable-default-pie" and "--enable-default-ssp" compilation modes to enable address space randomization for executables and to protect against stack overflows by placing a canary on the stack.
For packages written in C/C++, the additional flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS", and "-fstack-clash-protection" are enabled.
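As an added example (not code from the distribution's project), the following Python checker reads an ELF64 binary and reports whether it carries the markers that PIE, the stack protector and FORTIFY_SOURCE leave behind, which is how a defender verifies that a package was really built with those options; "-fstack-clash-protection" only changes the stack-probing code and leaves no symbol, so it is not detectable this way. The `make_sample_elf` helper and its symbol lists are constructed sample input so the check runs offline.

```python
"""Checks an ELF64 image for the hardening markers discussed above."""
import struct

ET_DYN, ET_EXEC, SHT_STRTAB, SHT_DYNSYM = 3, 2, 3, 11

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()

def elf_hardening(data: bytes) -> dict:
    """Report PIE / stack protector / FORTIFY_SOURCE markers in a little-endian ELF64."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    names = set()
    for i in range(e_shnum):                       # walk the section headers
        off = e_shoff + i * e_shentsize
        if struct.unpack_from("<I", data, off + 4)[0] != SHT_DYNSYM:
            continue
        sym_off, sym_size = struct.unpack_from("<QQ", data, off + 24)
        link = struct.unpack_from("<I", data, off + 40)[0]   # index of .dynstr
        str_off = struct.unpack_from("<Q", data, e_shoff + link * e_shentsize + 24)[0]
        for s in range(sym_off, sym_off + sym_size, 24):      # Elf64_Sym is 24 bytes
            names.add(_cstr(data, str_off + struct.unpack_from("<I", data, s)[0]))
    return {
        "pie": e_type == ET_DYN,                   # ET_DYN on an executable means PIE
        "stack_protector": "__stack_chk_fail" in names,      # emitted by -fstack-protector
        "fortify": any(n.startswith("__") and n.endswith("_chk")   # __memcpy_chk etc.
                       and n != "__stack_chk_fail" for n in names),
    }

def make_sample_elf(pie: bool, symbols) -> bytes:
    """Constructed minimal ELF64 with one .dynsym/.dynstr pair, used as sample input."""
    strtab = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    syms, pos = b"\0" * 24, 1                      # null symbol, then one per name
    for s in symbols:
        syms += struct.pack("<IBBHQQ", pos, 0, 0, 0, 0, 0)
        pos += len(s) + 1
    sym_pos = 64 + 3 * 64                          # ELF header + three section headers
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 3, 0)
    def shdr(t, off, size, link):
        return struct.pack("<IIQQQQIIQQ", 0, t, 0, 0, off, size, link, 0, 1, 0)
    shdrs = (shdr(0, 0, 0, 0) + shdr(SHT_DYNSYM, sym_pos, len(syms), 2)
             + shdr(SHT_STRTAB, sym_pos + len(syms), len(strtab), 0))
    return ehdr + shdrs + syms + strtab
```

To inspect a real binary, pass `open(path, "rb").read()` to `elf_hardening`; a hardened package should report all three markers as true.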
The container orchestration tools are provided separately, enabled by default, and managed via an API and the AWS SSM Agent. The base image has no command shell, SSH server, or interpreted languages (for example, no Python or Perl); the administration and debugging tools are provided separately and are disabled by default.
Source: opennet.ru
