Bottlerocket 1.7.0 arrives with updates and a fix for a bug with Nvidia drivers

The release of a new version of the Linux distribution "Bottlerocket 1.7.0" was recently announced. It is developed with the participation of Amazon to run isolated containers efficiently and securely.

For those new to Bottlerocket, it is a distribution that provides an indivisible, automatically built system image that includes the Linux kernel and a minimal system environment containing only the components needed to run containers.

About Bottlerocket

The environment uses the systemd system manager, the Glibc library, the Buildroot build tool, the GRUB boot loader, the container sandbox runtime, the Kubernetes container orchestration platform, aws-iam-authenticator, and the Amazon ECS agent.

The container orchestration tools ship in a separate management container that is enabled by default and managed through the AWS SSM agent and the API. The base image has no command shell, no SSH server and no interpreted languages (for example, Python or Perl): administration and debugging tools are moved to a separate service container, which is disabled by default.

The main difference from similar distributions such as Fedora CoreOS and CentOS / Red Hat Atomic Host is its primary focus on providing maximum security by hardening the system against potential threats, which makes it harder to exploit vulnerabilities in operating system components and increases container isolation.

Containers are created using the standard Linux kernel mechanisms: cgroups, namespaces, and seccomp. For additional isolation, the distribution uses SELinux in "enforcing" mode.

The root partition is mounted read-only, and the partition with the /etc configuration is mounted on tmpfs and restored to its original state after a reboot. Direct modification of files in the /etc directory, such as /etc/resolv.conf and /etc/containerd/config.toml, is not supported; to persist configuration, you must use the API or move the functionality into separate containers.

To cryptographically verify the integrity of the root partition, the dm-verity module is used, and if an attempt to modify data at the block device level is detected, the system reboots.
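The mount layout described in the two paragraphs above can be checked from a captured /proc/mounts. The following Python is an added example, not code from the Bottlerocket project; the sample mount lines are constructed, and treating a device-mapper root device as the dm-verity target is an assumption.

```python
# Added example: audit /proc/mounts text for a read-only, device-mapper-backed
# root and a tmpfs /etc. Function names are illustrative, not a Bottlerocket API.
from typing import Dict, List, NamedTuple


class Mount(NamedTuple):
    device: str
    target: str
    fstype: str
    options: frozenset


def parse_mounts(text: str) -> Dict[str, Mount]:
    """Parse /proc/mounts text; the last entry for a mount point wins."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        device, target, fstype, opts = fields[:4]
        mounts[target] = Mount(device, target, fstype, frozenset(opts.split(",")))
    return mounts


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the layout matches."""
    mounts = parse_mounts(text)
    findings = []
    root = mounts.get("/")
    if root is None:
        findings.append("no root mount found")
    else:
        if "ro" not in root.options:
            findings.append("root filesystem is not mounted read-only")
        # Assumption: a dm-verity target appears as a device-mapper node.
        if not root.device.startswith(("/dev/dm-", "/dev/mapper/")):
            findings.append("root is not on a device-mapper device: " + root.device)
    etc = mounts.get("/etc")
    if etc is None or etc.fstype != "tmpfs":
        findings.append("/etc is not a separate tmpfs mount")
    return findings


# Constructed sample inputs (not captured from a real host).
GOOD = ("/dev/dm-0 / ext4 ro,seclabel,relatime 0 0\n"
        "tmpfs /etc tmpfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0\n")
BAD = "/dev/nvme0n1p3 / ext4 rw,relatime 0 0\n"

if __name__ == "__main__":
    print(audit(GOOD))
    print(audit(BAD))
```

A device-mapper root only suggests dm-verity; confirming the target type requires the device-mapper table on the host itself.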

Most system components are written in Rust, which provides memory-safe tools to prevent vulnerabilities caused by accessing a memory area after it has been freed, null pointer dereferences, and buffer overflows.

When building, the "--enable-default-pie" and "--enable-default-ssp" build modes are used by default to enable randomization of the executable address space (PIE) and protection against stack overflows through canary substitution.

What's new in Bottlerocket 1.7.0?

One of the notable changes in this new release is that, when RPM packages are installed, a list of programs is generated in JSON format and mounted into the host container as the file /var/lib/bottlerocket/inventory/application.json, to provide information about the available packages.

Bottlerocket 1.7.0 also updates the "admin" and "control" containers, as well as package versions and Go and Rust dependencies.

In addition, versions of packages containing third-party programs have been updated, tmpfilesd configuration issues for kmod-5.10-nvidia have been fixed, and dependency versions are bound when tuftool is installed.

Finally, for those interested in learning more about this distribution, the toolkit and the distribution's control components are written in Rust and distributed under the MIT and Apache 2.0 licenses.

Bottlerocket supports running on Amazon ECS, VMware, and AWS EKS Kubernetes clusters, as well as creating custom builds and editions that enable different orchestration and container runtime tools.

You can check the details at the following link.

