systemd system manager release 248

After four months of development, release 248 of the systemd system manager has been published. The new release adds support for system extension images, the /etc/veritytab configuration file, the systemd-cryptenroll utility, unlocking LUKS2 volumes with TPM2 chips and FIDO2 tokens, running units in a separate IPC namespace, the BATMAN protocol for mesh networks, and an nftables backend for systemd-nspawn. systemd-oomd has been stabilized.

Major changes:

  • The concept of System Extension images has been implemented. Such images can be used to extend the /usr/ and /opt/ directory hierarchies, adding extra files at runtime even when those directories are mounted read-only. When extension images are attached, their contents are overlaid onto the /usr/ and /opt/ hierarchies using OverlayFS.

    A new utility, systemd-sysext, is provided for attaching, detaching, listing and refreshing system extension images. To attach images already configured at boot time, the systemd-sysext.service service has been added. A "SYSEXT_LEVEL=" parameter has been added to the os-release file to declare the supported extension level.

  • For units, the ExtensionImages setting has been implemented; it can be used to attach extension images to the file system namespace hierarchy of isolated services.
  • Added the /etc/veritytab configuration file for setting up block-level data verification using the dm-verity module. The file format is similar to /etc/crypttab: "volume-name data-device hash-device root-hash options". Added the systemd.verity.root_options kernel command line option to configure dm-verity behaviour for the root device.
  • systemd-cryptsetup gained the ability to extract the PKCS#11 token URI and the encrypted key from the LUKS2 metadata header in JSON format, allowing the information needed to unlock an encrypted device to be stored in the device itself without external files.
  • systemd-cryptsetup gained support for unlocking LUKS2 encrypted partitions using TPM2 chips and FIDO2 tokens, in addition to the previously supported PKCS#11 tokens. libfido2 is loaded via dlopen(), i.e. its availability is detected at runtime rather than being a hard-wired dependency.
  • New options "no-write-workqueue" and "no-read-workqueue" have been added to /etc/crypttab for systemd-cryptsetup, enabling synchronous processing of I/O related to encryption and decryption.
  • The systemd-repart utility gained the ability to unlock encrypted partitions using TPM2 chips, for example to create an encrypted /var partition on first boot.
  • The systemd-cryptenroll utility has been added for binding TPM2, FIDO2 and PKCS#11 tokens to LUKS partitions, as well as for removing and listing tokens, enrolling recovery keys and setting a password for access.
  • Added the PrivateIPC parameter, which allows unit files to run processes in an isolated IPC namespace with their own separate semaphores and message queues. To attach a unit to an already created IPC namespace, the IPCNamespacePath option is provided.
  • Added the ExecPaths and NoExecPaths settings to allow the noexec flag to be applied to selected parts of the file system.
  • systemd-networkd gained support for the BATMAN (Better Approach To Mobile Adhoc Networking) mesh protocol, which allows building decentralized mesh networks in which every node is connected through its neighbours. For configuration, the [BatmanAdvanced] section in .netdev files, the BatmanAdvanced parameter in .network files, and the new "batadv" device type are provided.
  • The implementation of early response to low memory in systemd-oomd has been stabilized. Added the DefaultMemoryPressureDurationSec option to set how long to wait for resources to be freed before acting on a unit. systemd-oomd uses the PSI (Pressure Stall Information) kernel subsystem and makes it possible to detect the onset of stalls caused by resource shortage and to selectively terminate resource-hungry processes at a stage when the system is not yet in a critical state and has not started intensively trimming the cache and pushing data into the swap partition.
  • Added the kernel command line parameter "root=tmpfs", which allows the root partition to be mounted in temporary storage in RAM using tmpfs.
  • The /etc/crypttab parameter specifying the key file can now point to an AF_UNIX socket of type SOCK_STREAM. In that case the key must be supplied when a connection to the socket is made, which can be used, for example, to build services that generate keys dynamically.
  • The fallback hostname used by the system manager and systemd-hostnamed can now be set in two ways: via the DEFAULT_HOSTNAME parameter in os-release and via the $SYSTEMD_DEFAULT_HOSTNAME environment variable. systemd-hostnamed now also handles "localhost" as a hostname and gained the ability to export the hostname along with the "HardwareVendor" and "HardwareModel" properties over DBus.
  • The block of environment variables can now be set via the new ManagerEnvironment option in system.conf or user.conf, rather than via the command line and unit files.
  • At compile time, it is possible to select the fexecve() system call for launching processes instead of execve(), reducing the window between checking the security context and using it.
  • For unit files, the new conditions ConditionSecurity=tpm2 and ConditionCPUFeature have been added to check for the presence of a TPM2 chip and specific CPU capabilities (for example, ConditionCPUFeature=rdrand can be used to check whether the processor supports the RDRAND instruction).
  • For the available kernels, automatic generation of the system call lists used by seccomp filters is employed.
  • Added the ability to update bind mounts in the existing mount namespaces of services without restarting them. Changes are made with the "systemctl bind ..." and "systemctl mount-image ..." commands.
  • Added support for specifying paths in the StandardOutput and StandardError settings in the form "truncate:" to truncate the file before use.
  • Added the ability for sd-bus to connect to a user's session bus inside a local container, for example "systemctl --user -M lennart@ start quux".
  • The following settings are now available in systemd.link files in the [Link] section:
    • Promiscuous: switches the device into "promiscuous" mode so that it processes all network packets, including those not addressed to the current system;
    • TransmitQueues and ReceiveQueues: set the number of TX and RX queues;
    • TransmitQueueLength: sets the TX queue size; GenericSegmentOffloadMaxBytes and GenericSegmentOffloadMaxSegments: set limits for the use of GRO (Generic Receive Offload).
  • New settings have been added to systemd.network files:
    • [Network] RouteTable selects a routing table;
    • [RoutingPolicyRule] Type sets the routing type ("blackhole", "unreachable", "prohibit");
    • [IPv6AcceptRA] RouteDenyList and RouteAllowList hold lists of allowed and denied route advertisements;
    • [DHCPv6] UseAddress ignores the address offered via DHCP;
    • [DHCPv6PrefixDelegation] ManageTemporaryAddress;
    • ActivationPolicy defines the policy for activating the interface (always keep the UP or down state, or let the user change the state with "ip link set" commands).
  • Added the [VLAN] Protocol, IngressQOSMaps and EgressQOSMaps options and the [MACVLAN] BroadcastMulticastQueueLength option to systemd.netdev files for configuring VLAN packet handling.
  • Mounting the /dev/ directory in noexec mode has been stopped, because it conflicted with the use of the executable flag on /dev/sgx files. To restore the old behaviour, the NoExecPaths=/dev setting can be used.
  • Permissions on /dev/vsock have been changed to 0666, and the /dev/vhost-vsock and /dev/vhost-net files have been moved to the kvm group.
  • The hardware ID database has been extended with USB fingerprint readers that support sleep mode.
  • systemd-resolved gained support for passing DNSSEC response data from the resolver through to clients. Local clients can thus perform DNSSEC validation themselves, while queries from external clients are forwarded to the upstream DNS server.
  • Added the CacheFromLocalhost option to resolved.conf; when set, systemd-resolved uses caching even when contacting a DNS server on 127.0.0.1 (by default, caching of such requests is disabled to avoid double caching).
  • systemd-resolved gained support for RFC 5001 NSIDs in the local DNS stub resolver, allowing clients to distinguish between talking to the local resolver and to other DNS servers.
  • The resolvectl utility gained the ability to show where an answer came from (local cache, network request, locally synthesized answer) and whether encryption was used in transport. The --cache, --synthesize, --network, --zone, --trust-anchor and --validate options are provided to control the name resolution process.
  • systemd-nspawn gained support for configuring the firewall with nftables in addition to the existing iptables support. The IPMasquerade setting in systemd-networkd gained the ability to use an nftables-based backend.
  • systemd-localed gained support for calling locale-gen to generate missing locales.
  • The --pager/--no-pager/--json= options have been added to various utilities to enable or disable paging and to output in JSON format. Added the ability to set the number of colours used in output via the SYSTEMD_COLORS environment variable ("16" or "256").
  • Builds with split directory hierarchies (separate / and /usr) and cgroup v1 support have been declared deprecated.
  • The main branch in Git has been renamed from "master" to "main".
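To make the disk-integrity and unlocking items above concrete, here is an added example (not from the release notes or the systemd project) of an /etc/veritytab entry, /etc/crypttab entries using the new TPM2, FIDO2, workqueue and socket-key features, and the matching kernel command line fragment. Partition labels, the socket path and the root hash are constructed placeholders.

```ini
# /etc/veritytab  (added example; device paths and root hash are constructed placeholders)
# volume-name   data-device                         hash-device                         roothash                   options
usr             /dev/disk/by-partlabel/usr-verity   /dev/disk/by-partlabel/usr-hash     ROOT-HASH-HEX-PLACEHOLDER  panic-on-corruption

# /etc/crypttab  (added example; volume names and device paths are constructed)
# Unlock with a key sealed in the TPM2 and enrolled in the LUKS2 header by
# "systemd-cryptenroll --tpm2-device=auto"; the no-*-workqueue options make
# dm-crypt handle I/O synchronously, as described in the release notes.
data    /dev/disk/by-partlabel/data     none    tpm2-device=auto,no-read-workqueue,no-write-workqueue
# Unlock with a FIDO2 token enrolled by "systemd-cryptenroll --fido2-device=auto"
home    /dev/disk/by-partlabel/home     none    fido2-device=auto
# Key "file" that is an AF_UNIX stream socket: systemd-cryptsetup connects to it
# and reads the key from the service listening there, so no key file sits on disk.
backup  /dev/disk/by-partlabel/backup   /run/keyd/backup.sock

# Kernel command line fragment: apply the same dm-verity policy to the root device
# systemd.verity.root_options=panic-on-corruption
```

With panic-on-corruption the kernel halts the machine instead of returning a corrupted block, which is the conservative choice for an immutable /usr; the veritytab root hash must match the hash produced when the hash device was generated, so it has to be updated together with the image.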
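The per-unit sandboxing directives introduced above (PrivateIPC, NoExecPaths/ExecPaths, ExtensionImages, ConditionSecurity=tpm2, ConditionCPUFeature and the truncate: output mode) are easiest to see together in one unit file. The following is an added example, not a unit shipped by systemd or taken from the release notes; the unit name, binary path, extension image and log path are constructed.

```ini
# /etc/systemd/system/example-agent.service  (added example; names and paths are constructed)
[Unit]
Description=Example agent demonstrating systemd 248 unit directives
# Start only on hosts with a TPM2 chip and a CPU that offers RDRAND
ConditionSecurity=tpm2
ConditionCPUFeature=rdrand

[Service]
ExecStart=/usr/bin/example-agent
# Private IPC namespace: SysV semaphores and message queues of the host are not visible
PrivateIPC=yes
# Mount the whole tree noexec, then re-allow execution only where the binary and libraries live
NoExecPaths=/
ExecPaths=/usr/bin/example-agent /usr/lib /usr/lib64
# Attach an extension image to this service's own mount namespace (OverlayFS over /usr and /opt)
ExtensionImages=/var/lib/extensions/example-tools.raw
# Log file is truncated at each start instead of appended to
StandardOutput=truncate:/var/log/example-agent.log
StandardError=inherit

[Install]
WantedBy=multi-user.target
```

The order of NoExecPaths= and ExecPaths= does not matter: the more specific path wins, so the binary stays executable while everything else, including /tmp and /var, is noexec for this service only. Unmet Condition* lines skip the unit silently rather than failing it, which is visible in "systemctl status".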

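The new systemd.link and systemd.network settings listed above can be combined into a small networkd configuration. This is an added example (not from the release notes or the systemd project); the interface name, MAC address and IPv6 prefixes are constructed, and the prefixes use the documentation range.

```ini
# /etc/systemd/network/10-lan0.link  (added example; MAC and name are constructed)
[Match]
MACAddress=02:00:00:aa:bb:cc

[Link]
Name=lan0
# Keep the NIC out of promiscuous mode; it should only see frames addressed to this host
Promiscuous=no
TransmitQueues=4
ReceiveQueues=4
TransmitQueueLength=2000
GenericSegmentOffloadMaxBytes=65536
GenericSegmentOffloadMaxSegments=64

# /etc/systemd/network/20-lan0.network  (added example)
[Match]
Name=lan0

[Network]
DHCP=ipv6
# Routes learned on this interface go into table 200 instead of main
RouteTable=200
# Keep the link administratively up; an "ip link set lan0 down" is reverted by networkd
ActivationPolicy=always-up

[DHCPv6]
# Ignore the address offered by the DHCPv6 server (keep only other DHCPv6 data)
UseAddress=no

[IPv6AcceptRA]
# Accept only route advertisements inside the site prefix, drop all others
RouteAllowList=2001:db8:1::/48

[RoutingPolicyRule]
# Traffic towards this prefix is dropped by a blackhole rule
To=2001:db8:ffff::/48
Type=blackhole
```

RouteAllowList= is the safer default when an upstream router is not fully trusted, since a rogue RA can otherwise install arbitrary routes; the blackhole rule discards matching packets without any ICMP reply, while "unreachable" and "prohibit" return the corresponding ICMPv6 errors.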
Source: opennet.ru
