Bottlerocket 1.3 release, a distribution built around isolated containers

The release of the Bottlerocket 1.3.0 Linux distribution has been published, developed with the participation of Amazon for running isolated containers efficiently and securely. The distribution's toolkit and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. It supports running Bottlerocket on Amazon ECS, VMware, and AWS EKS Kubernetes clusters, as well as creating custom builds and editions that allow different orchestration tools and container runtimes.

The distribution provides an indivisible, atomically and automatically updated system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network manager, the containerd isolated container runtime, the Kubernetes orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The container orchestration tools ship in a separate management container that is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, no SSH server, and no interpreted languages (for example, no Python or Perl); the administration and debugging tools are moved into a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on providing maximum security, in the sense of hardening the system against potential threats, making vulnerabilities in OS components harder to exploit, and increasing container isolation. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc settings partition is mounted on tmpfs and restored to its original state after a reboot. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings, you must use the API or move the functionality into separate containers. The dm-verity module is used to cryptographically verify the integrity of the root partition, and if an attempt to modify data at the block-device level is detected, the system reboots.

Most system components are written in Rust, which provides memory-safety guarantees that prevent vulnerabilities caused by accessing memory after it has been freed, dereferencing null pointers, and buffer overflows. At build time, the "--enable-default-pie" and "--enable-default-ssp" compilation modes are used by default to enable executable address space randomization (PIE) and stack overflow protection through canary tokens. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are additionally enabled.
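A practitioner who rebuilds Bottlerocket packages, or audits a binary from one, will want to confirm that PIE, the stack canary and FORTIFY_SOURCE actually took effect. The following checksec-style checker is an added example, not code from Bottlerocket or the article; it reads the ELF type from the header and infers the other two properties from the glibc symbol names a hardened, dynamically linked binary imports (the sample ELF bytes it builds are constructed test input).

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3

# Names glibc exports for the -D_FORTIFY_SOURCE=2 checked variants of libc calls.
FORTIFIED_NAMES = (b"__printf_chk", b"__memcpy_chk", b"__strcpy_chk",
                   b"__sprintf_chk", b"__fprintf_chk", b"__read_chk")


def elf_type(data: bytes) -> int:
    """Return e_type from the ELF header; raise if the buffer is not ELF."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    return struct.unpack(endian + "H", data[16:18])[0]


def hardening_report(data: bytes) -> dict:
    """Heuristic report for three of the flags listed above.

    PIE is read from the header; canary and FORTIFY are inferred from symbol
    names present in the file bytes. Good enough for a dynamically linked
    binary, but not a substitute for readelf or checksec. -fstack-clash-protection
    leaves no symbol behind and is therefore not reported here.
    """
    return {
        "pie": elf_type(data) == ET_DYN,              # --enable-default-pie links as ET_DYN
        "stack_canary": b"__stack_chk_fail" in data,  # --enable-default-ssp canary check
        "fortify": any(n in data for n in FORTIFIED_NAMES),  # _FORTIFY_SOURCE=2 *_chk calls
    }


def sample_elf(e_type: int, symbols: bytes) -> bytes:
    """Constructed 64-bit little-endian ELF header followed by symbol names.

    Synthetic test input only; this is not a real Bottlerocket binary.
    """
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)       # ELFCLASS64, LSB, EV_CURRENT
    header = ident + struct.pack("<HHI", e_type, 0x3E, 1)     # e_type, EM_X86_64, e_version
    return header + bytes(64 - len(header)) + symbols


if __name__ == "__main__":
    # Usage: python3 elf_hardening.py /path/to/binary
    with open(sys.argv[1], "rb") as fh:
        for key, ok in hardening_report(fh.read()).items():
            print(f"{key:13s} {'yes' if ok else 'NO'}")
```

Run it against a binary extracted from a Bottlerocket image (or any ELF) to get a yes/no line per property.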

In the new release:

  • Fixed vulnerabilities in docker and the container runtime tooling (CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, CVE-2021-41103) related to incorrectly set access permissions, which allowed unprivileged users to escape the root of the file system and execute external programs.
  • IPv6 support has been added to kubelet and pluto.
  • It is now possible to restart a container after changing its settings.
  • Support for Amazon EC2 M6i instances has been added to the eni-max-pods package.
  • Open-vm-tools gained support for device filters, based on the Cilium toolkit.
  • On the x86_64 platform, a hybrid boot mode is used (supporting both EFI and BIOS).
  • Package versions and Rust language dependencies have been updated.
  • The separate aws-k8s-1.17 distribution variant based on Kubernetes 1.17 has been discontinued. It is recommended to use the aws-k8s-1.21 variant with Kubernetes 1.21 support. The k8s variants use the cgroup runtime.slice and system.slice settings.

Source: opennet.ru
