Amazon publishes Bottlerocket 1.0.0, a Linux distribution built around isolated containers

Amazon has presented the first major release of its dedicated Linux distribution, Bottlerocket 1.0.0, designed to run isolated containers efficiently and securely. The distribution's tooling and control components are written in Rust and released under the MIT and Apache 2.0 licenses. The project is developed on GitHub and is open to community participation. The system image is built for the x86_64 and AArch64 architectures. The OS is adapted to run on Amazon ECS and AWS EKS Kubernetes clusters. Tools are provided for creating your own builds and editions, which can use other orchestration tools, kernels and container runtimes.

The distribution provides a Linux kernel and a minimal system environment that includes only the components needed to run containers. Among the packages included in the project are the systemd manager, the Glibc library, the Buildroot build tools, the GRUB bootloader, the wicked network configurator, the containerd container runtime, the Kubernetes container orchestration platform, aws-iam-authenticator and the Amazon ECS agent.

The distribution is updated atomically and delivered as an indivisible system image. Two disk partitions are allocated for the system: one holds the running system, and the update is copied to the second. After an update is applied, the second partition becomes active, while the first keeps the previous version of the system until the next update, so it can be rolled back to if problems arise. Updates are installed automatically without administrator intervention.

The main difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is its focus on providing maximum security: hardening the system against possible threats, making vulnerabilities in OS components significantly harder to exploit, and increasing container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in enforcing mode, and the dm-verity module is used for cryptographic verification of the root partition's integrity. If an attempt to modify data at the block-device level is detected, the system reboots.

The root partition is mounted read-only, and the /etc configuration partition is mounted on tmpfs and restored to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings, you must use the API or move the functionality into separate containers.

Most system components are written in Rust, which provides memory-safety features that prevent vulnerabilities caused by use-after-free memory access, null pointer dereferences and buffer overflows. Builds use the "--enable-default-pie" and "--enable-default-ssp" compiler options by default, enabling address-space randomization for executables (PIE) and protection against stack overflows through canary insertion.
For packages written in C/C++, the additional flags
"-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are enabled.
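The PIE, stack-protector and FORTIFY_SOURCE settings described above leave visible traces in the resulting ELF binaries, which is how a defender can verify that a build actually got the hardening it was supposed to. The following checker is an added example, not code from Bottlerocket or the article: it reads the ELF header and program headers to distinguish a PIE executable (ET_DYN with a PT_INTERP entry) from a shared object and from a fixed-address executable, and uses the presence of the `__stack_chk_fail` and glibc `*_chk` symbol names as heuristics for the stack protector and FORTIFY_SOURCE (the same kind of check tools like checksec perform). The `build_sample_elf` helper constructs a minimal, non-loadable ELF image purely so the checker can be exercised offline; the symbol-name list is an assumption, not an exhaustive one.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3
# Checked glibc variants that a -D_FORTIFY_SOURCE=2 build references (assumed, non-exhaustive list)
FORTIFY_SYMBOLS = (b"__memcpy_chk", b"__strcpy_chk", b"__strcat_chk", b"__printf_chk",
                   b"__fprintf_chk", b"__sprintf_chk", b"__snprintf_chk", b"__memset_chk")


def _program_header_types(data, ei_class, endian):
    """Yield the p_type of every program header entry described by the ELF header."""
    if ei_class == 2:   # ELFCLASS64: e_phoff at 32 (8 bytes), e_phentsize/e_phnum at 54/56
        e_phoff = struct.unpack(endian + "Q", data[32:40])[0]
        e_phentsize, e_phnum = struct.unpack(endian + "HH", data[54:58])
    else:               # ELFCLASS32: e_phoff at 28 (4 bytes), e_phentsize/e_phnum at 42/44
        e_phoff = struct.unpack(endian + "I", data[28:32])[0]
        e_phentsize, e_phnum = struct.unpack(endian + "HH", data[42:46])
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):      # truncated image: stop rather than raise
            break
        yield struct.unpack(endian + "I", data[off:off + 4])[0]   # p_type is the first field


def check_hardening(data: bytes) -> dict:
    """Report PIE / stack protector / FORTIFY indicators for an ELF image held in memory."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]          # 1/2 = 32/64-bit, 1/2 = little/big endian
    endian = "<" if ei_data == 1 else ">"
    e_type = struct.unpack(endian + "H", data[16:18])[0]
    has_interp = PT_INTERP in set(_program_header_types(data, ei_class, endian))
    # ET_DYN alone is ambiguous: shared libraries are ET_DYN too. A PIE is ET_DYN
    # that also asks for a program interpreter (PT_INTERP), i.e. it is meant to be executed.
    if e_type == ET_DYN and has_interp:
        kind = "pie-executable"
    elif e_type == ET_DYN:
        kind = "shared-object"
    elif e_type == ET_EXEC:
        kind = "fixed-address-executable"
    else:
        kind = "other"
    return {
        "kind": kind,
        "pie": kind == "pie-executable",
        "stack_protector": b"__stack_chk_fail" in data,      # emitted by -fstack-protector*
        "fortify_source": any(sym in data for sym in FORTIFY_SYMBOLS),
    }


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


def build_sample_elf(e_type: int, with_interp: bool, trailer: bytes = b"") -> bytes:
    """Construct a minimal little-endian ELF64 image (not loadable) for testing the checker."""
    phnum = 1 if with_interp else 0
    header = bytearray(64)
    header[0:4] = b"\x7fELF"
    header[4], header[5], header[6] = 2, 1, 1      # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHIQQQIHHHHHH", header, 16,
                     e_type, 62, 1, 0x1000,        # e_type, EM_X86_64, e_version, e_entry
                     64 if phnum else 0, 0, 0,     # e_phoff, e_shoff, e_flags
                     64, 56, phnum, 64, 0, 0)      # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    phdrs = b""
    if with_interp:                                # one PT_INTERP program header, 56 bytes
        phdrs = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    return bytes(header) + phdrs + trailer


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                      # usage: python elfcheck.py /path/to/binary ...
        print(path, check_file(path))
    if len(sys.argv) == 1:                         # no arguments: run against the constructed sample
        sample = build_sample_elf(ET_DYN, True, b"\0__stack_chk_fail\0__memcpy_chk\0")
        print("constructed sample:", check_hardening(sample))
```

Symbol-name matching is a heuristic: a stripped static binary can still contain `__stack_chk_fail`, and a program that never calls a fortifiable function will show no `*_chk` reference even though it was compiled with FORTIFY_SOURCE, so treat a negative result as "needs a closer look" rather than proof that a flag was missing.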

The container orchestration tools are delivered in a separate control container, which is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, SSH server or interpreted languages (for example, no Python or Perl); administration and debugging tools are placed in a separate service container, which is disabled by default.

Source: opennet.ru
