Bottlerocket 1.2 released, a distribution built around isolated containers

Bottlerocket 1.2.0, a Linux distribution developed with Amazon's participation for running isolated containers efficiently and securely, has been released. The distribution's build tooling and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. Bottlerocket can be run on Amazon ECS, VMware and AWS EKS Kubernetes clusters, and custom builds and editions (variants) can be produced for other orchestration tools and container runtimes.

The distribution ships as a monolithic system image that is updated atomically and automatically and consists of the Linux kernel plus a minimal userland containing only the components needed to run containers. The environment includes the systemd init system, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network manager, the containerd container runtime, the Kubernetes orchestration platform, aws-iam-authenticator and the Amazon ECS agent.

Container orchestration tools are delivered in a separate control container that is enabled by default and managed through the API and the AWS SSM Agent. The base image contains no command shell, no SSH server and no interpreted languages (no Python or Perl, for example); administration and debugging tools are moved into a separate service container (the admin container), which is disabled by default.

The main difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on maximum security: the system is hardened against potential threats so that vulnerabilities in OS components are harder to exploit, and container isolation is strengthened. Containers are created with the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution runs SELinux in enforcing mode.

The root partition is mounted read-only, and the /etc configuration partition is mounted as tmpfs and returns to its original state after a reboot. Direct modification of files under /etc, such as /etc/resolv.conf and /etc/containerd/config.toml, is therefore not supported: to persist settings, use the API, or move the functionality into separate containers. The integrity of the root partition is cryptographically verified with the dm-verity module, and if an attempt to modify data at the block-device level is detected, the system reboots.

Most system components are written in Rust, whose memory-safety guarantees (for code outside unsafe blocks) rule out the vulnerability classes caused by use-after-free, null-pointer dereferences and buffer overflows. At build time the compiler modes "--enable-default-pie" and "--enable-default-ssp" are enabled by default, producing position-independent executables (PIE, so that address-space randomization also covers the executable itself) and stack-overflow protection through canary values. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are added.

In the new release:

  • Added support for container image registry mirrors.
  • Added the ability to use self-signed certificates.
  • Added an option for setting the hostname.
  • The default admin container version has been updated.
  • Added the topologyManagerPolicy and topologyManagerScope settings for kubelet.
  • Added support for kernel compression with the zstd algorithm.
  • Virtual machines can now be imported into VMware in OVA format (an Open Virtualization Format archive).
  • The aws-k8s-1.21 variant has been updated with Kubernetes 1.21 support. Support for aws-k8s-1.16 has been discontinued.
  • Package versions and Rust dependencies have been updated.
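The settings-API route described above for persisting configuration, together with the hostname, registry-mirror, self-signed-certificate and kubelet topology-manager settings listed for this release, as an added example that is not part of the original article or of the Bottlerocket project: a POSIX shell script that renders a user-data TOML file, the form in which settings are handed to the API at first boot (the same keys can be applied on a running node from the admin container with apiclient set). The setting names follow the Bottlerocket README as the author understands them, and the bundle name "private-ca", the host and mirror values and the certificate are assumptions; the certificate in particular is a constructed placeholder, not a real CA.

```shell
#!/bin/sh
# Added example (not Bottlerocket's own code): render user-data TOML that
# seeds settings through the API at first boot, instead of editing files
# under /etc, which lives on tmpfs and is reset on every reboot.
# Setting names are assumptions taken from the Bottlerocket README.
set -eu

# Constructed placeholder certificate, NOT a real CA. A real deployment
# would read its PEM bundle from a file, e.g. "$(cat ca.pem)".
SAMPLE_CA_PEM='-----BEGIN CERTIFICATE-----
MIIBsample0000000000000000000000000000000000000000000000000000000000
-----END CERTIFICATE-----'

# settings.pki.<name>.data must be the base64 encoding of the PEM text as
# a single line; GNU base64 wraps at 76 columns, so strip the newlines.
b64_oneline() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit user-data TOML covering: hostname, one registry mirror, a trusted
# self-signed CA bundle, and the kubelet topology manager knobs from 1.2.
# $1 hostname, $2 upstream registry, $3 mirror endpoint URL,
# $4 PEM bundle, $5 topology manager policy, $6 topology manager scope.
render_user_data() {
    hostname="$1"; registry="$2"; mirror="$3"; pem="$4"; policy="$5"; scope="$6"
    cert_b64=$(b64_oneline "$pem")
    cat <<EOF
[settings.network]
hostname = "$hostname"

[[settings.container-registry.mirrors]]
registry = "$registry"
endpoint = ["$mirror"]

[settings.pki.private-ca]
data = "$cert_b64"
trusted = true

[settings.kubernetes]
topology-manager-policy = "$policy"
topology-manager-scope = "$scope"
EOF
}

# Sanity check: the single-line base64 blob must decode back to the PEM.
verify_pki_roundtrip() {
    decoded=$(b64_oneline "$1" | base64 -d)
    [ "$decoded" = "$1" ]
}

# Read the hostname value back out of rendered TOML (used for checks).
toml_hostname() {
    printf '%s\n' "$1" | sed -n 's/^hostname = "\(.*\)"$/\1/p'
}

# Stand-alone usage: render a node's user data and print it.
USER_DATA=$(render_user_data "node-01" "docker.io" \
    "https://mirror.internal:5000" "$SAMPLE_CA_PEM" "restricted" "pod")
printf '%s\n' "$USER_DATA"
```

Pass the rendered TOML as the instance's user data (EC2) or via guestinfo on VMware; on a node that is already running, the same keys go through apiclient in the admin container, and the tmpfs /etc is regenerated from those settings rather than edited in place. The data value for the CA bundle has to be one unbroken base64 line, which is the reason for stripping the wrapping newlines before interpolating it.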

Source: opennet.ru
