Bottlerocket 1.7.0 arrives with updates and a fix for a bug with Nvidia drivers


The release of a new version of the Linux distribution "Bottlerocket 1.7.0" was recently announced. It is developed with the participation of Amazon to run isolated containers efficiently and securely.

For those new to Bottlerocket: it is a distribution that provides an automatically updated, indivisible system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers.

About Bottlerocket

The environment uses the systemd system manager, the Glibc library, the Buildroot build toolkit, the GRUB bootloader, a sandboxed container runtime, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The container orchestration tools come in a separate management container that is enabled by default and managed through the AWS SSM agent and the API. The base image has no command shell, no SSH server, and no interpreted languages (for example, Python or Perl): administration and debugging tools are moved to a separate service container, which is disabled by default.

The key difference from similar distributions such as Fedora CoreOS and CentOS / Red Hat Atomic Host is the primary focus on providing maximum security by hardening the system against possible threats, which makes it harder to exploit vulnerabilities in operating system components and increases container isolation.

Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the partition holding the /etc configuration is mounted in tmpfs and restored to its original state after a reboot. Directly modifying files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to save configuration permanently, you must either use the API or move the functionality into separate containers.

To verify the integrity of the root partition cryptographically, the dm-verity module is used, and if an attempt to modify data at the block device level is detected, the system is rebooted.
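As an added example (not from the original article or the Bottlerocket project), this shell sketch checks a mount table in /proc/mounts format for the layout described above: a read-only root on a device-mapper device, /etc on tmpfs, and SELinux enforcing. The function names and the sample mount lines are constructed for illustration, and a device-mapper root is only a necessary condition for dm-verity, not proof of it.

```shell
#!/bin/sh
# Added example: audit a mount table (/proc/mounts format) for the layout
# described in the article. All names and sample data here are constructed.

# Constructed sample: read-only dm root, tmpfs /etc, one writable data mount.
SAMPLE_MOUNTS='/dev/dm-0 / ext4 ro,seclabel,relatime 0 0
tmpfs /etc tmpfs rw,seclabel,nosuid,nodev,noexec 0 0
/dev/nvme0n1p7 /local ext4 rw,seclabel,noatime 0 0'

# Print one field (1=device, 3=fstype, 4=options) of the LAST entry for a
# mount point; later entries overlay earlier ones.
mount_field() {
    printf '%s\n' "$1" | awk -v mp="$2" -v f="$3" '$2 == mp { v = $f } END { print v }'
}

# Succeed only if option list $1 contains $2 as a whole option, so that
# "errors=remount-ro" is not mistaken for "ro".
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# audit_layout MOUNTS ENFORCE: MOUNTS is mount-table text, ENFORCE is the
# content of /sys/fs/selinux/enforce (1 = enforcing). Prints findings and
# returns 1 if any check fails.
audit_layout() {
    mounts=$1; enforce=$2; rc=0
    has_opt "$(mount_field "$mounts" / 4)" ro ||
        { echo "FAIL root filesystem is not mounted read-only"; rc=1; }
    # Necessary for dm-verity, not proof of it: root must sit on device-mapper.
    case "$(mount_field "$mounts" / 1)" in
        /dev/dm-*|/dev/mapper/*) ;;
        *) echo "FAIL root is not on a device-mapper device"; rc=1 ;;
    esac
    [ "$(mount_field "$mounts" /etc 3)" = tmpfs ] ||
        { echo "FAIL /etc is not on tmpfs"; rc=1; }
    [ "$enforce" = 1 ] ||
        { echo "FAIL SELinux is not in enforcing mode"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK layout matches the described hardening"
    return "$rc"
}

# Run against the constructed sample (prints the OK line).
audit_layout "$SAMPLE_MOUNTS" 1
```

On a live system, pass the host's mount table text and the content of /sys/fs/selinux/enforce as the two arguments.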

Most system components are written in Rust, which provides memory-safety features that prevent vulnerabilities caused by accessing a memory area after it has been freed, null pointer dereferences, and buffer overflows.

When building, the "--enable-default-pie" and "--enable-default-ssp" compilation modes are used by default to enable address space randomization for executables (PIE) and stack overflow protection through canary substitution.

What's new in Bottlerocket 1.7.0?

In this new release of the distribution, one of the changes that stands out is that, when RPM packages are installed, a list of programs is generated in JSON format and mounted into the host container as the file /var/lib/bottlerocket/inventory/application.json, to provide information about the available packages.

Also featured in Bottlerocket 1.7.0 are updates to the "admin" and "control" containers, as well as to package versions and dependencies for Go and Rust.

In addition, the release highlights new versions of packages with third-party programs. Configuration issues with tmpfilesd for kmod-5.10-nvidia and with the installation of tuftool dependency versions have also been fixed.

Finally, for those interested in learning more about this distribution, note that the distribution's toolkit and control components are written in Rust and distributed under the MIT and Apache 2.0 licenses.

Bottlerocket supports running on Amazon ECS, VMware, and AWS EKS Kubernetes clusters, as well as creating custom builds and editions that allow different orchestration and runtime tools for containers.

You can check the details at the following link.

