Bottlerocket 1.8 released, a distribution based on isolated containers

The release of the Bottlerocket 1.8.0 Linux distribution, developed with Amazon's participation for running isolated containers efficiently and securely, has been published. The distribution's toolkit and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can be run on Amazon ECS, VMware, and AWS EKS Kubernetes clusters, and custom builds and editions can be created that allow different orchestration tools and container runtimes.

The distribution provides an indivisible, atomically and automatically updated system image that includes the Linux kernel and a minimal system environment containing only the components required to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network configurator, the isolated-container runtime, the Kubernetes orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The container orchestration tools ship in a separate management container that is enabled automatically and is managed through the API and the AWS SSM Agent. The base image has no command shell, no SSH server, and no interpreted languages (for example, no Python or Perl); administration and debugging tools are moved into a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against potential threats, making vulnerabilities in OS components harder to exploit, and increasing container isolation. Containers are created using standard Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc configuration partition is mounted on tmpfs and restored to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings, you must use the API or move the functionality into separate containers. To cryptographically verify the integrity of the root partition, the dm-verity module is used, and if an attempt to modify data at the block-device level is detected, the system reboots.

Most system components are written in Rust, which provides memory-safety features that avoid vulnerabilities caused by accessing a memory region after it has been freed, dereferencing null pointers, and buffer overflows. At build time, the compiler options "--enable-default-pie" and "--enable-default-ssp" are applied by default to enable executable address space randomization (PIE) and stack overflow protection via canary labels. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are added.
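As an added example (not code from the Bottlerocket project or from the article), the script below compiles a constructed C program with the C/C++ flags listed above and then checks two of the resulting properties with readelf and nm: that the executable is position independent (ELF type DYN) and that the stack protector is linked in (a reference to __stack_chk_fail). Because "--enable-default-pie" and "--enable-default-ssp" are GCC configure-time options, the script passes their per-invocation equivalents -fPIE/-pie and -fstack-protector-strong explicitly; that mapping, and the -O2 needed for _FORTIFY_SOURCE to take effect, are assumptions about a stock toolchain rather than anything the article states. A plain build without the protections is audited alongside as a negative control.

```shell
#!/bin/sh
# Added example, not part of Bottlerocket: build a sample with the hardening
# flags from the article and verify PIE and stack-canary properties of the ELF.
set -eu

# Flags from the article. --enable-default-pie / --enable-default-ssp are GCC
# configure options, so a stock toolchain gets the per-build equivalents
# -fPIE/-pie and -fstack-protector-strong instead (assumption).
HARDEN_CFLAGS="-O2 -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 \
-Wp,-D_GLIBCXX_ASSERTIONS -fstack-clash-protection -fstack-protector-strong -fPIE"
HARDEN_LDFLAGS="-pie"

# Constructed sample program: touches a stack buffer so the stack protector
# instruments main() and a canary is emitted.
write_sample() {
  cat > "$1" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    strncpy(buf, argc > 1 ? argv[1] : "hello", sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    printf("%s\n", buf);
    return 0;
}
EOF
}

# $1 = source file, $2 = output binary
build_hardened() {
  gcc $HARDEN_CFLAGS "$1" -o "$2" $HARDEN_LDFLAGS
}

# Build with the protections switched off, for comparison.
build_plain() {
  gcc -O2 -fno-stack-protector -fno-pie "$1" -o "$2" -no-pie
}

# A PIE is an ELF of type DYN (the loader can place it at a random base).
is_pie() {
  readelf -h "$1" | grep -q 'Type:[[:space:]]*DYN'
}

# Stack-protector code calls __stack_chk_fail when the canary is corrupted,
# so the symbol shows up as an undefined dynamic import.
has_stack_canary() {
  nm -D "$1" 2>/dev/null | grep -q '__stack_chk_fail'
}

# Print a short report; return 0 only if both properties hold.
audit_binary() {
  bin="$1"; rc=0
  if is_pie "$bin"; then echo "$bin: PIE yes"; else echo "$bin: PIE no"; rc=1; fi
  if has_stack_canary "$bin"; then echo "$bin: stack canary yes"
  else echo "$bin: stack canary no"; rc=1; fi
  return $rc
}

# Demo run (skipped if the toolchain is not installed).
if command -v gcc >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1 \
   && command -v nm >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  write_sample "$tmp/sample.c"
  build_hardened "$tmp/sample.c" "$tmp/hardened"
  audit_binary "$tmp/hardened"
  build_plain "$tmp/sample.c" "$tmp/plain"
  audit_binary "$tmp/plain" || echo "(expected: plain build lacks the protections)"
else
  echo "gcc/readelf/nm not available; nothing audited"
fi
```

The same two checks can be run over an existing binary with `audit_binary /path/to/binary`; a "no" for either line means the build did not pick up the corresponding default.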

In the new release:

  • The contents of the administrative and control containers have been updated.
  • The isolated-container runtime has been updated to the 1.6.x branch.
  • Background processes that orchestrate container operation are now restarted after changes to the certificate store.
  • Kernel boot parameters can now be set through the Boot configuration section.
  • Empty blocks can now be ignored when checking the integrity of the root partition with dm-verity.
  • Host names can now be configured statically in /etc/hosts.
  • Network configuration can now be generated with the netdog utility (the generate-net-config command has been added).
  • New distribution variants with support for Kubernetes 1.23 are offered. Pod startup time in Kubernetes has been reduced by disabling the configMapAndSecretChangeDetectionStrategy mode. New kubelet settings have been added: provider-id and podPidsLimit.
  • A new 'aws-ecs-1-nvidia' variant for Amazon Elastic Container Service (Amazon ECS) is offered, shipping with NVIDIA drivers.
  • Added support for Microchip Smart Storage and MegaRAID SAS storage devices. Expanded support for Ethernet cards based on Broadcom chips.
  • Updated versions of packages and dependencies for the Go and Rust languages, as well as versions of third-party packages. The Bottlerocket SDK has been updated to version 0.26.0.

Source: opennet.ru
