systemd system manager release 243

After five months of development, systemd 243 has been released. Among the new features: an out-of-memory (OOM) handler integrated into PID 1, support for attaching custom BPF programs to filter network traffic, many new options for systemd-networkd, a mode for monitoring the bandwidth of network interfaces, 22-bit PID numbers by default on 64-bit systems instead of 16-bit, a switch to the unified cgroups hierarchy, and the inclusion of systemd-network-generator.

Major changes:

  • Recognition of kernel signals about memory exhaustion (Out-Of-Memory, OOM) has been added to the PID 1 handler, so that units which hit their memory limit are moved into a special state, with the option of forcing them to be killed or stopped;
  • New settings IPIngressFilterPath and IPEgressFilterPath have been added for unit files, which allow BPF programs with custom handlers to be attached for filtering the incoming and outgoing IP packets generated by the processes of the unit. The settings make it possible to build a kind of firewall for systemd services. An example of a simple BPF-based network filter is provided;
  • A "clean" command has been added to the systemctl utility to delete a unit's cache, runtime data, state files and logs;
  • systemd-networkd has added support for MACsec, nlmon, IPVTAP and Xfrm network interfaces;
  • systemd-networkd now uses separate configuration of DHCPv4 and DHCPv6 settings via the "[DHCPv4]" and "[DHCPv6]" sections of configuration files. The added RoutesToDNS option installs a separate route to the DNS servers listed in the lease obtained from the DHCP server (so that traffic to DNS is sent over the same interface as the default route received via DHCP). New options have been added for DHCPv4: MaxAttempts - the maximum number of attempts to obtain an address, BlackList - a blacklist of DHCP servers, SendRelease - enables sending a DHCP RELEASE message when the session ends;
  • New commands have been added to the systemd-analyze utility:
    • "systemd-analyze timestamp" - parsing and converting timestamps;
    • "systemd-analyze timespan" - parsing and converting time spans;
    • "systemd-analyze condition" - parsing and testing ConditionXYZ expressions;
    • "systemd-analyze exit-status" - parsing and converting exit codes from numbers to names and back;
    • "systemd-analyze unit-files" - listing all file paths for units and their aliases.
  • The SuccessExitStatus, RestartPreventExitStatus and RestartForceExitStatus options now accept not only numeric exit codes but also their symbolic names (for example, "DATAERR"). The mapping of codes to names can be viewed with the "systemd-analyze exit-status" command;
  • A "delete" command has been added to the networkctl utility for removing virtual network devices, together with a "--stats" option for displaying statistics;
  • The SpeedMeter and SpeedMeterIntervalSec options have been added to networkd.conf for periodic measurement of network interface throughput. The statistics obtained from these measurements can be seen in the output of the "networkctl status" command;
  • A new systemd-network-generator utility has been added for generating .network, .netdev and .link files from the IP settings passed on the Linux kernel command line in Dracut-style format;
  • The sysctl "kernel.pid_max" value on 64-bit systems is now set by default to 4194304 (22-bit PIDs instead of 16-bit), which reduces the likelihood of collisions when allocating PIDs, raises the limit on the number of simultaneously running processes, and has a positive effect on security. The change may cause compatibility problems, but none have been reported in practice so far;
  • The default build configuration has switched to the unified cgroups-v2 hierarchy ("-Ddefault-hierarchy=unified"). Previously, the default was hybrid mode ("-Ddefault-hierarchy=hybrid");
  • The behavior of the system call filter (SystemCallFilter) has changed: when a prohibited system call is attempted, the whole process is now terminated rather than only the offending thread, since terminating a single thread can lead to unpredictable problems. The change only takes effect with Linux kernel 4.14+ and libseccomp 2.4.0+;
  • Unprivileged processes are given the ability to send ICMP Echo (ping) packets by setting the sysctl "net.ipv4.ping_group_range" to the full group range (i.e. for all processes);
  • To speed up the build process, generation of man pages is disabled by default (to build the full documentation, use the "-Dman=true" option, or "-Dhtml=true" for documentation in HTML form). For convenient viewing of the documentation, two scripts are included: build/man/man and build/man/html, which build and preview the desired man page;
  • To handle names containing characters from national alphabets, the libidn2 library is now used by default (to return to libidn, use the "-Dlibidn=true" option);
  • Support for the /usr/sbin/halt.local executable, which provided functionality that was not widely used by distributions, has been discontinued. To run commands at shutdown, it is recommended to use scripts in /usr/lib/systemd/system-shutdown/ or to define a new unit that depends on final.target;
  • At the final stage of shutdown, systemd now automatically raises the log level in the sysctl "kernel.printk", which solves the problem of displaying log messages generated in the late stages of shutdown, when the regular logging daemons have already exited;
  • In journalctl and other utilities that display logs, important warnings are now highlighted in yellow and audit records in blue, to make them easier to spot among the mass of messages;
  • In the $PATH environment variable, paths to bin/ now come before paths to sbin/, i.e. if identically named executables exist in both directories, the file from bin/ will be executed;
  • systemd-logind provides a SetBrightness() call for safely changing the screen brightness within a session;
  • The "--wait-for-initialization" flag has been added to the "udevadm info" command to wait for device initialization;
  • During boot, the PID 1 handler now shows the names of units instead of lines with their descriptions. To return to the previous behavior, use the StatusUnitFormat option in /etc/systemd/system.conf or the systemd.status_unit_format kernel option;
  • The KExecWatchdogSec option has been added to /etc/systemd/system.conf for the PID 1 watchdog; it sets the timeout for a reboot via kexec. The old ShutdownWatchdogSec setting has been renamed RebootWatchdogSec and defines the timeout for operations during a normal shutdown or reboot;
  • A new ExecCondition setting has been added for services, which allows specifying a command to be run before ExecStartPre. Depending on the exit code returned by the command, a decision is made about further execution of the unit: if code 0 is returned, unit startup continues; if 1 to 254, the unit ends silently without the failure flag; if 255, it ends with the failure flag;
  • A new systemd-pstore.service has been added to extract data from /sys/fs/pstore/ and save it to /var/lib/pstore for further analysis;
  • New commands have been added to the timedatectl utility for configuring the NTP settings of systemd-timesyncd bound to specific network connections;
  • The "localectl list-locales" command no longer shows non-UTF-8 locales;
  • Failures to apply settings from sysctl.d/ files are now ignored if the setting name starts with the "-" character;
  • The systemd-random-seed.service service now takes full responsibility for initializing the entropy pool of the Linux kernel pseudorandom number generator. Services that require a properly initialized /dev/urandom must be started after systemd-random-seed.service;
  • The systemd-boot boot loader gains the optional ability to maintain a seed file with random data in the EFI System Partition (ESP);
  • New commands have been added to the bootctl utility: "bootctl random-seed" to create the seed file in the ESP and "bootctl is-installed" to check whether the systemd-boot boot loader is installed. bootctl has also been updated to display warnings about incorrectly configured boot entries (for example, when a kernel image has been removed but the entry to boot it remains);
  • Automatic selection of the swap partition is provided when the system enters hibernation. The partition is chosen according to the priority set for it and, in the case of equal priority, by the amount of free space;
  • The keyfile-timeout option has been added to /etc/crypttab to set how long to wait for the device holding the encryption key before prompting for a password to unlock the encrypted partition;
  • The IOWeight option has been added to set the I/O weight for the BFQ scheduler;
  • systemd-resolved has added a "strict" mode for DNS-over-TLS and the ability to cache only positive DNS responses ("Cache=no-negative" in resolved.conf);
  • For VXLAN, systemd-networkd has added the GenericProtocolExtension option to enable the VXLAN protocol extension. For VXLAN and GENEVE, the IPDoNotFragment option has been added to set the "do not fragment" flag on outgoing packets;
  • In systemd-networkd, the "[Route]" section gains the FastOpenNoCookie option to enable the fast TCP connection establishment mechanism (TFO - TCP Fast Open, RFC 7413) for a specific route, as well as the TTLPropagate option for configuring TTL propagation for LSP (Label Switched Path). The "Type" option now supports the local, broadcast, anycast, multicast, any and xresolve routing types;
  • systemd-networkd has the DefaultRouteOnDevice option in the "[Network]" section for configuring the default route for a specific network device;
  • systemd-networkd has added ProxyARP and ProxyARPWifi for configuring proxy ARP behavior, MulticastRouter for configuring the router's behavior in multicast mode, and MulticastIGMPVersion for changing the IGMP (Internet Group Management Protocol) version used for multicast;
  • systemd-networkd has added the Local, Peer and PeerPort options for FooOverUDP tunnels to set the local and remote IP addresses and the network port number. For TUN devices, the VnetHeader option has been added to improve GSO (Generic Segment Offload) support;
  • In systemd-networkd, the [Match] section of .network and .link files gains the Property option, which allows devices to be identified by their udev properties;
  • In systemd-networkd, an AssignToLoopback option has been added for tunnels, which controls whether the tunnel endpoint is assigned to the loopback device "lo";
  • systemd-networkd automatically enables the IPv6 stack if it was blocked via the disable_ipv6 sysctl: IPv6 is enabled if an IPv6 address (static or via DHCPv6) is defined for the network interface, otherwise the sysctl value is left unchanged;
  • In .network files, the CriticalConnection setting has been replaced by the KeepConfiguration option, which offers more ways to define the conditions ("yes", "static", "dhcp-on-stop", "dhcp") under which systemd-networkd should not touch existing connections at startup;
  • Fixed vulnerability CVE-2019-15718, caused by missing access control on the D-Bus interface of systemd-resolved. The problem allowed an unprivileged user to perform operations available only to administrators, such as changing DNS settings and redirecting DNS queries to a malicious server;
  • Fixed vulnerability CVE-2019-9619, related to pam_systemd not being applied to non-interactive sessions, which allowed spoofing of the active session.
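As an added example (not from the article or the systemd project), a service unit that combines several of the unit-file directives described above: OOMPolicy for the PID 1 OOM handler, ExecCondition with its exit-code semantics, symbolic exit-status names, the pinned-BPF filter paths and a SystemCallFilter whose violations now kill the whole process. All executable and BPF paths are constructed placeholders.

```ini
# Constructed example unit for systemd 243; not from the article.
# Paths under /usr/local/bin and /sys/fs/bpf/example are placeholders.
[Unit]
Description=Example daemon using the systemd 243 directives described above

[Service]
# ExecCondition runs before ExecStartPre. Exit 0: continue startup;
# 1..254: skip the unit quietly with no failure flag; 255: mark it failed.
ExecCondition=/usr/local/bin/example-precheck
ExecStartPre=/usr/local/bin/example-daemon --check-config
ExecStart=/usr/local/bin/example-daemon

# Exit statuses may be given as sysexits.h names (list them with
# "systemd-analyze exit-status"); 75 is the numeric form of TEMPFAIL.
SuccessExitStatus=DATAERR 75
RestartPreventExitStatus=CONFIG
Restart=on-failure

# OOM handling by PID 1: stop the whole unit when the kernel OOM killer hits
# one of its processes instead of leaving the rest running half-broken
# (OOMPolicy= accepts continue, stop or kill).
OOMPolicy=stop

# Per-unit packet filters: BPF programs pinned in the BPF filesystem
# beforehand, attached to the unit's cgroup for ingress and egress.
IPIngressFilterPath=/sys/fs/bpf/example/ingress
IPEgressFilterPath=/sys/fs/bpf/example/egress

# A blocked system call now terminates the entire process (kernel 4.14+,
# libseccomp 2.4.0+), so no thread survives in an inconsistent state.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

[Install]
WantedBy=multi-user.target
```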
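Also added here (not from the article or the systemd project): a .network file exercising the systemd-networkd options listed above: the separate [DHCPv4] section with RoutesToDNS, MaxAttempts, SendRelease and BlackList, KeepConfiguration in place of CriticalConnection, Property= in [Match], and a [Route] entry using Type and FastOpenNoCookie. The interface name, driver, addresses and the blacklisted server are constructed sample values.

```ini
# Constructed example: /etc/systemd/network/20-wired.network (not from the article)
[Match]
Name=enp1s0
# New in 243: match on a udev property in addition to the name.
Property=ID_NET_DRIVER=e1000e

[Network]
DHCP=yes
# Replaces CriticalConnection=: keep the DHCP-assigned configuration when
# networkd stops, rather than tearing down what the host is using.
KeepConfiguration=dhcp-on-stop

[DHCPv4]
# DHCPv4 settings now live in their own section, separate from [DHCPv6].
# Install a route to the lease's DNS servers via this interface.
RoutesToDNS=yes
# Give up after five attempts instead of retrying indefinitely.
MaxAttempts=5
# Send DHCP RELEASE to the server when the lease is torn down.
SendRelease=yes
# Ignore offers from this (constructed) rogue DHCP server address.
BlackList=192.0.2.53

[DHCPv6]
UseDNS=yes

[Route]
# Static route with TCP Fast Open enabled without a cookie (RFC 7413) for
# one destination prefix only; Type= now also accepts local, broadcast,
# anycast, multicast, any and xresolve.
Destination=203.0.113.0/24
Gateway=192.0.2.1
Type=unicast
FastOpenNoCookie=yes
```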

Source: opennet.ru
