Bottlerocket 1.7 released, a distribution based on isolated containers

The release of the Bottlerocket 1.7.0 Linux distribution has been published, developed with the participation of Amazon for running isolated containers efficiently and securely. The distribution's toolkit and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses. It supports running Bottlerocket on Amazon ECS, VMware, and AWS EKS Kubernetes clusters, as well as building custom builds and editions that allow the use of different orchestrators and container runtimes.

The distribution provides an indivisible system image that is updated atomically and automatically, combining the Linux kernel with a minimal system environment that includes only the components required to run containers. The environment includes the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB bootloader, the wicked network configurator, the containerd container runtime, the Kubernetes orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The container orchestration tools are shipped in a separate control container that is enabled by default and managed through the API and the AWS SSM Agent. The base image has no command shell, no SSH server, and no interpreted languages (for example, no Python or Perl); the administration and debugging tools are moved into a separate service container, which is disabled by default.

The main difference from similar distributions such as Fedora CoreOS and CentOS/Red Hat Atomic Host is the primary focus on providing maximum security in the context of hardening the system against possible threats, making it harder to exploit vulnerabilities in OS components and increasing the isolation of containers. Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the /etc configuration partition is mounted on tmpfs and restored to its original state after a reboot. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist settings permanently, you must use the API or move the functionality into separate containers. To cryptographically verify the integrity of the root partition, the dm-verity module is used, and if an attempt to modify data at the block-device level is detected, the system reboots.
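A small POSIX shell check, added here as an example and not part of the Bottlerocket project, that verifies the layout described above on a host: a read-only root, /etc backed by tmpfs, and SELinux enforcing. The mounts file and the SELinux enforce file are parameters so the check can also be run against captured copies; the device name in the constructed sample is an assumption.

```shell
#!/bin/sh
# check_readonly_root MOUNTS -> 0 if "/" is mounted with the "ro" option
check_readonly_root() {
    awk '$2 == "/" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# check_tmpfs_etc MOUNTS -> 0 if /etc is a tmpfs mount
check_tmpfs_etc() {
    awk '$2 == "/etc" && $3 == "tmpfs" { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# check_selinux_enforcing ENFORCE_FILE -> 0 if the file holds "1"
check_selinux_enforcing() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# hardening_report [MOUNTS] [ENFORCE_FILE]
# Prints one line per check and returns the number of failed checks.
# Defaults point at the live system; pass files to test captured data.
hardening_report() {
    mounts=${1:-/proc/mounts}
    enforce=${2:-/sys/fs/selinux/enforce}
    fails=0
    if check_readonly_root "$mounts"; then echo "root read-only: ok"
    else echo "root read-only: FAIL"; fails=$((fails + 1)); fi
    if check_tmpfs_etc "$mounts"; then echo "/etc on tmpfs: ok"
    else echo "/etc on tmpfs: FAIL"; fails=$((fails + 1)); fi
    if check_selinux_enforcing "$enforce"; then echo "SELinux enforcing: ok"
    else echo "SELinux enforcing: FAIL"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample input (not captured from a real host) for a dry run.
sample_dir=$(mktemp -d)
printf '%s\n' '/dev/dm-0 / ext4 ro,relatime 0 0' \
              'tmpfs /etc tmpfs rw,nosuid,nodev 0 0' > "$sample_dir/mounts"
printf '1\n' > "$sample_dir/enforce"
hardening_report "$sample_dir/mounts" "$sample_dir/enforce" || echo "failed checks: $?"
```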

Most system components are written in Rust, which provides memory-safety tooling to avoid vulnerabilities caused by accessing a memory region after it has been freed, dereferencing null pointers, and buffer overflows. At build time, the compilation modes "--enable-default-pie" and "--enable-default-ssp" are used by default to enable executable address space randomization (PIE) and protection against stack overflows by placing a canary label. For packages written in C/C++, the flags "-Wall", "-Werror=format-security", "-Wp,-D_FORTIFY_SOURCE=2", "-Wp,-D_GLIBCXX_ASSERTIONS" and "-fstack-clash-protection" are added.

In the new release:

  • When installing RPM packages, it is possible to generate a list of applications in JSON format and mount it into the host container as the file /var/lib/bottlerocket/inventory/application.json to obtain information about the available packages.
  • The "admin" and "control" containers have been updated.
  • Package versions and dependencies for the Go and Rust languages have been updated.
  • Versions of packages with third-party applications have been updated.
  • Fixed tmpfilesd configuration issues in kmod-5.10-nvidia.
  • When installing tuftool, dependency versions are pinned.

Source: opennet.ru