Bottlerocket 1.1 released, a distribution built around isolated containers

Bottlerocket 1.1.0, a Linux distribution developed with Amazon's participation for running isolated containers efficiently and securely, has been released. The distribution's build tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can be run on Amazon ECS and AWS EKS Kubernetes clusters, and custom builds and variants can be produced to use other orchestration and container runtime tools.

The distribution ships as a single, indivisible system image that is updated atomically and automatically. It contains the Linux kernel and a minimal system environment with only the components needed to run containers: the systemd service manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network manager, the containerd container runtime, the Kubernetes orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The container orchestration tools ship in a separate control container, which is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, no SSH server, and no interpreted languages (there is no Python or Perl, for example); the administration and debugging tools are moved into a separate service (admin) container, which is disabled by default.

The main difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: hardening the system against potential threats, making vulnerabilities in OS components harder to exploit, and strengthening container isolation. Containers are built on the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation the distribution runs SELinux in enforcing mode.

The root partition is mounted read-only, and the /etc configuration directory lives on tmpfs and returns to its original state after a reboot. Direct modification of files under /etc, such as /etc/resolv.conf or /etc/containerd/config.toml, is not supported: to persist settings you go through the API, or move the functionality into separate containers. The integrity of the root partition is verified cryptographically with the dm-verity module; if modified data is detected at the block device level, the system reboots.
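The block-level integrity check described above can be modelled in a few dozen lines. The following Python script is an added illustration, not code from Bottlerocket or from the kernel's dm-verity target: it builds a dm-verity style Merkle tree over a constructed 32 KiB "partition" (4 KiB blocks and SHA-256, which are veritysetup's defaults) and verifies single blocks on read the way dm-verity does. It omits the salt and the on-disk superblock that real dm-verity uses, and the root digest is simply passed around in memory; on a real system it is stored outside the device (for example on the kernel command line), which is what prevents an attacker from patching the data and the tree together.

```python
import hashlib

BLOCK_SIZE = 4096     # dm-verity's default data and hash block size
HASH_ALGO = "sha256"  # veritysetup's default hash


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH_ALGO, data).digest()


def build_hash_tree(image: bytes, block_size: int = BLOCK_SIZE):
    """Build a dm-verity style Merkle tree over a block image.

    Returns (levels, root): levels[0] holds one digest per data block, each
    higher level one digest per block of concatenated lower-level digests
    (zero-padded to block_size), until a single root digest remains.
    """
    if not image or len(image) % block_size:
        raise ValueError("image length must be a non-zero multiple of block_size")
    level = [_h(image[i:i + block_size]) for i in range(0, len(image), block_size)]
    levels = [level]
    per_block = block_size // len(level[0])   # digests that fit in one hash block
    while len(level) > 1:
        level = [
            _h(b"".join(level[i:i + per_block]).ljust(block_size, b"\0"))
            for i in range(0, len(level), per_block)
        ]
        levels.append(level)
    return levels, level[0]


def verify_block(image: bytes, index: int, levels, root: bytes,
                 block_size: int = BLOCK_SIZE) -> bool:
    """Check one data block the way dm-verity does on every read.

    Recomputes the digest of block `index`, then walks up the tree checking
    that each stored hash block still hashes to its parent, ending at `root`.
    """
    digest = _h(image[index * block_size:(index + 1) * block_size])
    if digest != levels[0][index]:
        return False                          # data block was modified
    per_block = block_size // len(digest)
    for lvl in range(len(levels) - 1):
        parent = index // per_block
        chunk = b"".join(levels[lvl][parent * per_block:(parent + 1) * per_block])
        if _h(chunk.ljust(block_size, b"\0")) != levels[lvl + 1][parent]:
            return False                      # a hash block was modified
        index = parent
    return levels[-1][0] == root


# Constructed sample: a 32 KiB "root partition" of eight 4 KiB blocks.
SAMPLE_IMAGE = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))


def tamper_demo(image: bytes = SAMPLE_IMAGE) -> dict:
    """Show which modifications the tree catches. Returns per-case results."""
    levels, root = build_hash_tree(image)
    nblocks = len(image) // BLOCK_SIZE

    # Case 1: flip one bit in data block 5, as a write at the block device level would.
    tampered = bytearray(image)
    tampered[5 * BLOCK_SIZE + 100] ^= 0x01
    tampered = bytes(tampered)

    # Case 2: overwrite the stored digest of data block 2 inside the hash area.
    bad_levels = [list(lvl) for lvl in levels]
    bad_levels[0][2] = b"\0" * len(root)

    return {
        "clean_all_ok": all(verify_block(image, i, levels, root) for i in range(nblocks)),
        "tampered_block_ok": verify_block(tampered, 5, levels, root),
        "untouched_block_ok": verify_block(tampered, 4, levels, root),
        # block 3's own digest is intact, but the hash block it sits in no longer
        # matches its parent, so every block under that hash block is rejected
        "bad_hash_block_ok": verify_block(image, 3, bad_levels, root),
    }


if __name__ == "__main__":
    for case, ok in tamper_demo().items():
        print(f"{case}: {ok}")
```

The demo shows the two properties that matter for a read-only root: a single flipped bit in a data block is detected on the first read of that block, without affecting reads of neighbouring blocks, and tampering with the hash area itself is caught because the hash blocks are verified up to a root that the attacker cannot rewrite. In Bottlerocket the kernel responds to such a failure by rebooting rather than returning the corrupted data.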

Most system components are written in Rust, whose memory-safety guarantees rule out the vulnerabilities caused by accessing memory after it has been freed, dereferencing null pointers, and buffer overflows. The toolchain is built with the "--enable-default-pie" and "--enable-default-ssp" options, so that position-independent executables (PIE, which allows address-space randomization) and stack-overflow protection via canaries are enabled by default. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally applied.
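Three of the protections listed above leave a trace in the resulting binary, so a practitioner can confirm they are in effect on a given executable. The following Python script is an added example, not part of the Bottlerocket build tooling: it reads e_type from the ELF header to decide whether the file is position-independent (ET_DYN), and searches the file for the glibc symbols that -fstack-protector (__stack_chk_fail) and _FORTIFY_SOURCE (the __*_chk variants) pull in, which is the same evidence tools such as checksec derive from readelf output. The sample inputs are constructed minimal ELF headers rather than real binaries, and the file name elf_hardening.py in the usage note is an assumption. Note that -fstack-clash-protection leaves no symbol behind (it changes the stack-probing code in function prologues), so it is not checked here, and that ET_DYN is also the type of shared libraries, so the PIE result is only meaningful for executables.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
# glibc entry points that -D_FORTIFY_SOURCE substitutes for the unchecked calls
FORTIFY_SYMBOLS = (b"__memcpy_chk", b"__memset_chk", b"__strcpy_chk", b"__strcat_chk",
                   b"__printf_chk", b"__fprintf_chk", b"__sprintf_chk", b"__snprintf_chk",
                   b"__read_chk", b"__fgets_chk")


def elf_type(data: bytes) -> int:
    """Return e_type from the ELF header; ET_DYN means position-independent."""
    if data[:4] != ELF_MAGIC or len(data) < 64:
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type


def check_hardening(data: bytes) -> dict:
    """Heuristic checks for the build-time protections that leave a trace in
    the binary. Symbol names are searched in the raw file bytes."""
    return {
        # --enable-default-pie: executables are linked as ET_DYN so the
        # loader can place them at a random base address
        "pie": elf_type(data) == ET_DYN,
        # --enable-default-ssp: the canary check calls __stack_chk_fail on mismatch
        "stack_protector": b"__stack_chk_fail" in data,
        # -D_FORTIFY_SOURCE=2: bounded *_chk variants replace the plain calls
        "fortify_source": any(sym in data for sym in FORTIFY_SYMBOLS),
    }


def make_sample_elf(e_type: int, symbols=()) -> bytes:
    """Constructed sample: a minimal ELF64 LSB header followed by a fake string
    table. Only the fields the checks read are meaningful; it is not loadable."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB, EV_CURRENT, SYSV ABI
    # e_type, e_machine (x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    return header + b"\0".join(symbols) + b"\0"


# Constructed inputs: one that looks like a hardened build, one like a legacy build.
SAMPLE_HARDENED = make_sample_elf(ET_DYN, (b"__stack_chk_fail", b"__memcpy_chk"))
SAMPLE_LEGACY = make_sample_elf(ET_EXEC)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            targets = {sys.argv[1]: f.read()}
    else:
        targets = {"sample-hardened": SAMPLE_HARDENED, "sample-legacy": SAMPLE_LEGACY}
    for name, blob in targets.items():
        print(name, check_hardening(blob))
```

Run it as "python3 elf_hardening.py <path-to-binary>" against an executable extracted from the image; with no argument it reports on the two constructed samples. A result of pie=False on a Bottlerocket executable, or stack_protector=False on one that has stack buffers, would indicate a package built outside the hardened toolchain defaults.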

In the new release:

  • Two new variants, aws-k8s-1.20 and vmware-k8s-1.20, with Kubernetes 1.20 support. These variants, as well as the updated aws-ecs-1 variant, use the new Linux 5.10 kernel. Kernel lockdown mode is set to "integrity" by default (features that would let user space modify the running kernel are blocked). Support for the aws-k8s-1.15 variant based on Kubernetes 1.15 has been discontinued.
  • Amazon ECS now supports the awsvpc network mode, which lets each task be given its own network interface and internal IP address.
  • Additional settings for controlling various Kubernetes parameters, including QPS and burst limits, and the ability to connect to cloud providers other than AWS.
  • Access to user data from the bootstrap container is restricted using SELinux.
  • The resize2fs utility has been added.

Source: opennet.ru
