Release of the systemd 252 system manager with support for UKI (Unified Kernel Image).

After five months of development, the release of the systemd 252 system manager has been presented. The main change in the new version is the integration of support for a modernized boot process, which makes it possible to verify not only the kernel and bootloader, but also the components of the base system environment, using digital signatures.

The proposed approach uses a unified kernel image (UKI, Unified Kernel Image) at boot. It combines a handler for loading the kernel from UEFI (the UEFI boot stub), a Linux kernel image, and the initrd system environment loaded into memory, which is used for initial setup at the stage before the root FS is mounted. The UKI image is packaged as a single executable file in PE format, which can be loaded by traditional bootloaders or called directly from the UEFI firmware. When it is called from UEFI, the integrity and authenticity of not only the kernel but also the contents of the initrd can be verified by digital signature.

To calculate the TPM PCR (Trusted Platform Module Platform Configuration Register) values used to monitor integrity and to generate the digital signature of the UKI image, a new systemd utility has been included. The public key and the accompanying PCR information used in the signature can be embedded directly into the UKI boot image (the key and signature are stored in the PE file in the '.pcrsig' and '.pcrpkey' fields) and extracted from it by external or internal utilities.
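As an added example (not code from the original article or from the systemd project), the following Python code reads the PE section table of a UKI and reports which of the kernel, initrd and signed-PCR sections are missing. The section names `.linux` and `.initrd`, the spelling `.pcrpkey` used by systemd for the public-key section, the function names and the sample images are assumptions of this example; the samples are constructed, non-bootable byte strings.

```python
import struct

REQUIRED = (".linux", ".initrd", ".pcrsig", ".pcrpkey")

def pe_sections(blob):
    """Return {section name: raw bytes} from a PE image's section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", blob, 0x3C)   # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, 3 x uint32, SizeOfOptionalHeader, flags
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    table = pe_off + 24 + opt_size
    found = {}
    for i in range(count):
        name, vsize, _, rsize, rptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        size = min(vsize, rsize) if vsize else rsize
        if rptr + size > len(blob):
            raise ValueError("section data runs past end of file")
        found[name.rstrip(b"\0").decode("ascii")] = blob[rptr:rptr + size]
    return found

def missing_sections(blob, required=REQUIRED):
    """Names from `required` that are absent or empty in the image."""
    have = pe_sections(blob)
    return [n for n in required if not have.get(n)]

def build_sample(parts):
    """Constructed, non-bootable PE-shaped bytes used only as demo input."""
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(parts), 0, 0, 0, 0, 0)
    data_off = 0x40 + len(coff) + 40 * len(parts)
    table = body = b""
    for name, data in parts.items():
        entry = struct.pack("<8sIIII", name.encode(), len(data), 0,
                            len(data), data_off + len(body))
        table += entry.ljust(40, b"\0")
        body += data
    return b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + coff + table + body

SIGNED = build_sample({".linux": b"kernel", ".initrd": b"initrd",
                       ".pcrsig": b'{"sha256": []}', ".pcrpkey": b"PEM"})
UNSIGNED = build_sample({".linux": b"kernel", ".initrd": b"initrd"})

if __name__ == "__main__":
    for label, image in (("signed", SIGNED), ("unsigned", UNSIGNED)):
        print(label, "missing:", missing_sections(image))
```

The check only confirms that the sections exist and are non-empty; it does not validate the signature itself.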

In particular, the systemd-cryptsetup, systemd-cryptenroll and systemd-creds utilities have been adapted to use this information, which makes it possible to ensure that encrypted disk partitions are bound to a digitally signed kernel (in this case, access to the encrypted partition is granted only if the UKI image has passed digital-signature verification based on parameters held in the TPM).

In addition, the systemd-pcrphase utility is included, which allows you to control the binding of different boot stages to parameters held in the memory of cryptoprocessors that support the TPM 2.0 specification (for example, you can make the LUKS2 partition decryption key available only in the initrd image and block access to it at later boot stages).

Some other changes:

  • The default locale is now C.UTF-8 unless a different locale is specified in the settings.
  • It is now possible to perform a full service preset operation ("systemctl preset") during the first boot. Enabling presets at boot time requires building with the "-Dfirst-boot-full-preset" option, but it is planned to be enabled by default in a future release.
  • User manager units now use the CPU resource controller, which makes it possible to ensure that CPUWeight settings are applied to all slice units used to split the system into parts (app.slice, background.slice, session.slice) in order to prioritize resources between different user services competing for CPU resources. CPUWeight also supports the "idle" value to activate the corresponding resource provisioning mode.
  • In temporary ("transient") units and in the systemd-repart utility, settings can be overridden by creating drop-in files in the /etc/systemd/system/name.d/ directory.
  • For system images, an end-of-support flag is set, determined from the value of the new "SUPPORT_END=" parameter in the /etc/os-release file.
  • Added the "ConditionCredential=" and "AssertCredential=" settings, which can be used to skip units or fail them if certain credentials are not present in the system.
  • Added the "DefaultSmackProcessLabel=" and "DefaultDeviceTimeoutSec=" settings to system.conf and user.conf to define the default SMACK security level and the unit activation timeout.
  • In the "ConditionFirmware=" and "AssertFirmware=" settings, the ability to specify individual SMBIOS fields has been added. For example, to launch a unit only if the /sys/class/dmi/id/board_name field contains the value "Custom Board", you can specify "ConditionFirmware=smbios-field(board_name = "Custom Board")".
  • In the initialization process (PID 1), the ability to import credentials from SMBIOS fields (Type 11, "OEM vendor strings") has been added, in addition to defining them via qemu_fwcfg. This simplifies providing credentials to virtual machines and eliminates the need for third-party tools such as cloud-init and ignition.
  • During shutdown, the logic for unmounting virtual file systems (proc, sys) has been changed, and information about processes blocking the unmounting of file systems is saved in the log.
  • The system call filter (SystemCallFilter) allows the riscv_flush_icache system call by default.
  • The sd-boot bootloader adds the ability to boot in mixed mode, in which a 64-bit Linux kernel runs from 32-bit UEFI firmware. Added an experimental ability to automatically apply SecureBoot keys from files found in the ESP (EFI system partition).
  • New options have been added to the bootctl utility: "--all-architectures" to install binaries for all supported EFI architectures, "--root=" and "--image=" to operate on a directory or disk image, "--install-source=" to define the source for installation, and "--efi-boot-option-description=" to control the names of boot entries.
  • The 'list-automounts' command has been added to the systemctl utility to show a list of automounted directories, along with the "--image=" option to run commands against a specified disk image. The "--state=" and "--type=" options have been added to the 'show' and 'status' commands.
  • systemd-networkd adds the options "TCPCongestionControlAlgorithm=" to select the TCP congestion control algorithm, "KeepFileDescriptor=" to keep the file descriptor of TUN/TAP interfaces, "NetLabel=" to set NetLabels, and "RapidCommit=" to speed up configuration via DHCPv6 (RFC 3315). The "RouteTable=" parameter allows the names of routing tables to be specified.
  • systemd-nspawn allows relative file paths in the "--bind=" and "--overlay=" options. Support for the 'rootidmap' parameter has been added to the "--bind=" option to bind the root user ID in the container to the owner of the mounted directory on the host side.
  • systemd-resolved uses OpenSSL as its encryption backend by default (gnutls support is retained as an option). Unsupported DNSSEC algorithms are now treated as insecure instead of returning an error (SERVFAIL).
  • systemd-sysusers, systemd-tmpfiles and systemd-sysctl implement the ability to pass settings through the credential storage mechanism.
  • Added the 'compare-versions' command to systemd-analyze to compare strings containing version numbers (similar to 'rpmdev-vercmp' and 'dpkg --compare-versions'). Added the ability to filter units by mask to the 'systemd-analyze dump' command.
  • When the multi-stage sleep mode (suspend-then-hibernate) is selected, the time spent in standby mode is now chosen based on a forecast of the remaining battery life. An immediate transition to sleep mode occurs when less than 5% of the battery charge remains.
  • A new output mode "-o short-delta" has been added to 'journalctl', showing the time difference between different messages in the log.
  • systemd-repart adds support for creating partitions with the Squashfs file system and partitions for dm-verity, including ones with digital signatures.
  • Added the "StopIdleSessionSec=" setting to systemd-logind to end an idle session after a specified time.
  • systemd-cryptenroll adds the "--unlock-key-file=" option to take the decryption key from a file instead of prompting the user.
  • It is now possible to run the systemd-growfs utility in environments without udev.
  • systemd-backlight has improved support for systems with multiple graphics cards.
  • The license for the code examples provided in the documentation has been changed from CC0 to MIT-0.

Changes that break compatibility:

  • When the kernel version number is checked with the ConditionKernelVersion directive, a simple string comparison is now used for the '=' and '!=' operators, and if no comparison operator is specified at all, glob-mask matching can be used with the characters '*', '?' and '[', ']'. To compare versions in strverscmp() style, use the '<', '>', '<=' and '>=' operators.
  • The SELinux label used to check access from a unit file is now read when the file is loaded, rather than at the time of the access check.
  • The "ConditionFirstBoot" condition is now triggered on the first boot of the system only during the boot stage itself and returns "false" when units are invoked after boot has finished.
  • In 2024, systemd plans to stop supporting the cgroup v1 resource limiting mechanism, which was deprecated in the systemd 248 release. Administrators are advised to take care in advance of migrating services tied to cgroup v1 to cgroup v2. The key difference between cgroups v2 and v1 is the use of a common cgroup hierarchy for all types of resources, instead of separate hierarchies for allocating CPU resources, for regulating memory consumption, and for I/O. Separate hierarchies make it difficult to organize interaction between handlers and add kernel resource costs when rules are applied to a process referenced in different hierarchies.
  • In the second half of 2023, it is planned to end support for split directory hierarchies, where /usr is mounted separately from the root, or /bin and /usr/bin, /lib and /usr/lib are separated.
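The ConditionKernelVersion rules listed above can be modelled as follows; this is an added Python example, not systemd's code. It handles a single expression only, the function names are assumptions, and the ordering comparison is a simplified stand-in for strverscmp()-style comparison (digit runs compared as integers).

```python
import fnmatch
import re

# Longest operators first so "<=" is not parsed as "<" followed by "=".
OPERATORS = ("<=", ">=", "!=", "<", ">", "=")

def version_key(version):
    """Simplified stand-in for strverscmp(): digit runs compare numerically."""
    parts = re.findall(r"\d+|\D+", version)
    return [(1, int(p)) if p.isdigit() else (0, p) for p in parts]

def kernel_version_matches(expression, release):
    """Evaluate one ConditionKernelVersion-style expression against a release."""
    expression = expression.strip()
    for op in OPERATORS:
        if expression.startswith(op):
            wanted = expression[len(op):].strip()
            if op == "=":
                return release == wanted      # plain string equality
            if op == "!=":
                return release != wanted      # plain string inequality
            have, want = version_key(release), version_key(wanted)
            return {"<": have < want, ">": have > want,
                    "<=": have <= want, ">=": have >= want}[op]
    # No operator: shell-style glob match with *, ? and [...]
    return fnmatch.fnmatchcase(release, expression)

if __name__ == "__main__":
    release = "5.19.12"  # constructed sample value
    for expr in ("5.19*", "=5.19*", "=5.19.12", ">=5.10", "<5.9"):
        print(f"{expr!r:12} -> {kernel_version_matches(expr, release)}")
```

With an explicit '=' the '*' is an ordinary character, so a unit that relies on a pattern has to drop the operator for the glob to apply.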

source: budenet.ru
