Release of the systemd 248 system manager

After four months of development, the release of the systemd 248 system manager is available. The new release adds support for images that extend the system hierarchy, the /etc/veritytab configuration file, the systemd-cryptenroll utility, unlocking of LUKS2 volumes using TPM2 chips and FIDO2 tokens, running units in an isolated IPC namespace, the BATMAN protocol for mesh networking, and an nftables backend for systemd-nspawn. systemd-oomd has been brought to completion.

Main changes:

  • The concept of system extension images has been implemented. Such images can be used to extend the /usr/ and /opt/ hierarchies and add further files at runtime, even when the root directory is mounted read-only. When a system extension image is attached, its contents are overlaid onto the /usr/ and /opt/ hierarchies using OverlayFS.

    A new utility, systemd-sysext, is proposed for attaching, detaching, listing and updating system extension images. To attach installed images automatically at boot, the systemd-sysext.service unit has been added. A "SYSEXT_LEVEL=" parameter has been added to the os-release file to identify the supported system extension level.

  • For units, the ExtensionImages setting has been implemented, which can be used to attach system extension images at the file system namespace level of isolated services.
  • The /etc/veritytab configuration file has been added for setting up block-level data verification using the dm-verity module. The file format resembles /etc/crypttab: "volume_name data_device hash_device root_hash options". The systemd.verity.root_options kernel command-line parameter has been added to configure dm-verity behaviour for the root device.
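    Because a mistyped root hash or a swapped data/hash device silently turns dm-verity into no protection at all, a parser that rejects malformed entries is a useful pre-deployment check. The following is an added example and not systemd's own code: it parses veritytab text in the layout given above (the field order, the accepted device spec prefixes and the set of digest lengths it accepts are assumptions of this example) and returns structured entries; the sample file content and the two root hashes are constructed.

```python
"""Parser and sanity checker for /etc/veritytab lines (added example, not systemd's own code).

Assumed field layout, as the release notes describe it:
    volume_name data_device hash_device root_hash [options]
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class VerityEntry:
    volume: str
    data_device: str
    hash_device: str
    root_hash: str
    options: List[str] = field(default_factory=list)


class VeritytabError(ValueError):
    """Raised for a line that cannot be mapped onto a dm-verity volume."""


# Hex digest lengths of sha1, sha256 and sha512 (assumption of this example:
# any other length is treated as a typo rather than an exotic hash).
_DIGEST_HEX_LENGTHS = {40, 64, 128}
# Device specs accepted here: absolute paths or the usual *=value lookups (assumption).
_DEVICE_PREFIXES = ("/", "UUID=", "PARTUUID=", "LABEL=", "PARTLABEL=")
_HEX_RE = re.compile(r"^[0-9a-f]+$")


def _check_device(spec: str, what: str, lineno: int) -> None:
    if not spec.startswith(_DEVICE_PREFIXES):
        raise VeritytabError(f"line {lineno}: {what} {spec!r} is neither a path nor a UUID=/LABEL= spec")


def parse_veritytab(text: str) -> List[VerityEntry]:
    """Parse veritytab text; blank lines and '#' comments are skipped."""
    entries: List[VerityEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (4, 5):
            raise VeritytabError(f"line {lineno}: expected 4 or 5 fields, found {len(fields)}")
        volume, data_dev, hash_dev, root_hash = fields[:4]
        _check_device(data_dev, "data device", lineno)
        _check_device(hash_dev, "hash device", lineno)
        if data_dev == hash_dev:
            raise VeritytabError(f"line {lineno}: data and hash device are the same ({data_dev})")
        # The root hash is the trust anchor for the whole volume: anything that is
        # not a well-formed lowercase hex digest is rejected outright.
        if not _HEX_RE.match(root_hash) or len(root_hash) not in _DIGEST_HEX_LENGTHS:
            raise VeritytabError(f"line {lineno}: root hash must be a lowercase sha1/sha256/sha512 hex digest")
        options = [] if len(fields) == 4 or fields[4] == "-" else fields[4].split(",")
        entries.append(VerityEntry(volume, data_dev, hash_dev, root_hash, options))
    return entries


def is_valid_veritytab(text: str) -> bool:
    """Convenience wrapper for a yes/no check of a whole file."""
    try:
        parse_veritytab(text)
    except VeritytabError:
        return False
    return True


# Constructed sample data: the digests are patterns, not hashes of any real image.
ROOT_HASH_USR = "0123456789abcdef" * 4    # 64 hex chars, sha256-sized
ROOT_HASH_DATA = "fedcba9876543210" * 4
SAMPLE_VERITYTAB = f"""\
# usr hierarchy, verified at block level
usr  PARTUUID=11111111-2222-3333-4444-555555555555 PARTUUID=66666666-7777-8888-9999-000000000000 {ROOT_HASH_USR} ignore-zero-blocks,panic-on-corruption
data /dev/vdb1 /dev/vdb2 {ROOT_HASH_DATA}
"""

if __name__ == "__main__":
    for entry in parse_veritytab(SAMPLE_VERITYTAB):
        print(entry)
```

    Running the module prints the two parsed entries; feeding it a line with a truncated or upper-case root hash raises VeritytabError with the offending line number, which is the point at which a deployment script should stop.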
  • systemd-cryptsetup adds the ability to extract the PKCS#11 token URI and the encrypted key from the JSON-format LUKS2 metadata header, which allows the information needed to unlock an encrypted device to be stored together with the device itself instead of in external files.
  • systemd-cryptsetup provides support for unlocking LUKS2 encrypted partitions using TPM2 chips and FIDO2 tokens, in addition to the previously supported PKCS#11 tokens. libfido2 is loaded via dlopen(), i.e. its availability is checked at runtime rather than being a hard dependency.
  • New options "no-write-workqueue" and "no-read-workqueue" have been added to /etc/crypttab for systemd-cryptsetup to disable the I/O workqueues associated with encryption and decryption.
  • The systemd-repart utility has gained the ability to use TPM2 chips for encryption operations, for example to create an encrypted /var partition at first boot.
  • The systemd-cryptenroll utility has been added for enrolling TPM2, FIDO2 and PKCS#11 tokens into LUKS volumes, as well as for unenrolling and listing tokens, enrolling a recovery key and setting a password for access.
  • The PrivateIPC parameter has been added, which allows a unit file to run a process in an isolated IPC namespace with separate System V IPC objects and POSIX message queues. To attach a unit to an already created IPC namespace, the IPCNamespacePath option is proposed.
  • The ExecPaths and NoExecPaths settings have been added to apply the noexec flag to selected parts of the file system.
  • systemd-networkd adds support for the BATMAN (Better Approach To Mobile Adhoc Networking) mesh protocol, which allows building decentralised networks in which every node is connected via its neighbouring nodes. For configuration, a [BatmanAdvanced] section in .netdev files, a BatmanAdvanced parameter in network files and a new device type "batadv" are proposed.
  • The early-reaction mechanism for low-memory situations in systemd-oomd has been brought to completion. The DefaultMemoryPressureDurationSec option has been added to configure how long to wait for resources to be freed before acting on a unit. systemd-oomd uses the PSI (Pressure Stall Information) kernel subsystem and allows detecting the onset of stalls caused by resource shortage, selectively terminating resource-hungry processes at the stage when the system has not yet reached a critical state and has not started aggressively trimming the page cache and moving data to the swap partition.
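    The limit-for-duration rule is what keeps an early-reaction daemon from killing a service on a single spike. The following added example (not systemd-oomd's code) parses text in the layout of /proc/pressure/memory and applies that rule: it acts only when the "full" avg10 stall percentage has stayed above a limit for the configured number of seconds, and a dip below the limit restarts the window. The PSI samples, the 60% limit and the 30-second duration are constructed values for the demonstration; the real defaults are documented in oomd.conf.

```python
"""Minimal PSI-driven memory-pressure trigger (added example, not systemd-oomd's code).

Parses '/proc/pressure/memory' style text and applies the rule described in the
release notes: act only once the "full" avg10 stall share has exceeded a limit for
a configured duration. Limits and samples below are constructed demo values.
"""
from typing import Dict, List, Optional, Tuple


def parse_psi(text: str) -> Dict[str, Dict[str, float]]:
    """Parse PSI text into {"some": {"avg10": ..}, "full": {...}}; 'total' stays an int."""
    result: Dict[str, Dict[str, float]] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kind, values = parts[0], {}
        for kv in parts[1:]:
            key, _, raw = kv.partition("=")
            values[key] = int(raw) if key == "total" else float(raw)
        result[kind] = values
    return result


class MemoryPressureTrigger:
    """Fires once 'full' avg10 has stayed at or above limit_pct for duration_sec seconds."""

    def __init__(self, limit_pct: float, duration_sec: float) -> None:
        self.limit_pct = limit_pct
        self.duration_sec = duration_sec
        self._over_since: Optional[float] = None

    def observe(self, psi: Dict[str, Dict[str, float]], now: float) -> bool:
        full_avg10 = psi.get("full", {}).get("avg10", 0.0)
        if full_avg10 < self.limit_pct:
            self._over_since = None      # pressure eased: the duration window restarts
            return False
        if self._over_since is None:
            self._over_since = now       # first sample above the limit
        return now - self._over_since >= self.duration_sec


def first_action_time(samples: List[Tuple[float, str]], limit_pct: float,
                      duration_sec: float) -> Optional[float]:
    """Replay (timestamp, psi_text) samples; return when the trigger first fires, else None."""
    trigger = MemoryPressureTrigger(limit_pct, duration_sec)
    for now, text in samples:
        if trigger.observe(parse_psi(text), now):
            return now
    return None


def psi_text(some_avg10: float, full_avg10: float, total: int = 0) -> str:
    """Build constructed /proc/pressure/memory text for one sample."""
    return (f"some avg10={some_avg10:.2f} avg60=0.00 avg300=0.00 total={total}\n"
            f"full avg10={full_avg10:.2f} avg60=0.00 avg300=0.00 total={total}\n")


# Constructed sample 1: pressure crosses a 60% limit at t=10 and stays there,
# so with a 30 s duration the trigger fires at t=40, not at t=10.
SUSTAINED = [(0, psi_text(20, 10)), (10, psi_text(80, 65)), (20, psi_text(85, 70)),
             (30, psi_text(90, 72)), (40, psi_text(90, 75))]
# Constructed sample 2: pressure dips below the limit at t=20, restarting the window,
# so 30 s of sustained pressure are never reached and no action is taken.
TRANSIENT = [(0, psi_text(80, 65)), (10, psi_text(80, 70)), (20, psi_text(30, 20)),
             (30, psi_text(80, 70)), (40, psi_text(85, 72)), (50, psi_text(90, 80))]

if __name__ == "__main__":
    print("sustained pressure, action at t =", first_action_time(SUSTAINED, 60, 30))
    print("transient pressure, action at t =", first_action_time(TRANSIENT, 60, 30))
```

    The trigger deliberately reads the "full" line rather than "some": "some" counts stalls of any task, while "full" measures time in which no runnable task made progress, which is the condition a defensive kill should be reserved for.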
  • The "root=tmpfs" kernel command-line parameter has been added, which allows mounting the root partition on temporary storage in RAM using tmpfs.
  • The /etc/crypttab field that specifies the key file can now point to an AF_UNIX socket of type SOCK_STREAM. In that case the key must be delivered upon connection to the socket, which can be used, for example, to build services that provide keys dynamically.
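    A key-providing socket is only as safe as the policy it applies to whoever connects. The following added example (not systemd's code) models the exchange in one process: an agent binds an AF_UNIX stream socket with owner-only permissions, checks the connecting peer's UID via SO_PEERCRED on Linux, and writes the key before closing; the client connects and reads until EOF. The key material, the socket name and the "same UID as the agent" policy are constructed assumptions for the demo; a real agent would apply a stricter policy.

```python
"""Key agent over an AF_UNIX stream socket (added example, not systemd's code).

Models the crypttab feature described above: the key-file field points at a
socket and the key is handed to whoever connects. The agent here serves a
constructed demo key and, on Linux, refuses peers whose UID differs from its
own (assumption: a real agent would apply a stricter policy).
"""
import os
import socket
import struct
import tempfile
import threading
from typing import Optional

DEMO_KEY = b"constructed-demo-key-material-not-a-real-secret"


def peer_uid(conn: socket.socket) -> Optional[int]:
    """Return the connecting process's UID via SO_PEERCRED (Linux only), else None."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def serve_key_once(server: socket.socket, key: bytes, allowed_uid: int) -> bool:
    """Accept one client and send the key only if the peer UID is allowed."""
    conn, _ = server.accept()
    with conn:
        uid = peer_uid(conn)
        if uid is not None and uid != allowed_uid:
            return False          # closing without writing delivers no key at all
        conn.sendall(key)
    return True


def fetch_key(sock_path: str) -> bytes:
    """Client side: connect and read until the agent closes the stream."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(sock_path)
        chunks = []
        while True:
            data = client.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo_exchange(key: bytes = DEMO_KEY) -> bytes:
    """Run agent and client on a temporary socket; return what the client received."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "key.sock")   # constructed name, kept short for AF_UNIX
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        server.bind(sock_path)
        os.chmod(sock_path, 0o600)                 # only the owner may connect
        server.listen(1)
        worker = threading.Thread(target=serve_key_once, args=(server, key, os.getuid()))
        worker.start()
        received = fetch_key(sock_path)
        worker.join()
    finally:
        server.close()
        if os.path.exists(sock_path):
            os.unlink(sock_path)
        os.rmdir(tmpdir)
    return received


if __name__ == "__main__":
    print(demo_exchange())
```

    Two design points carry over to any real agent: the key is written only after the peer check, so a rejected client sees an empty stream rather than a partial key, and the directory mode plus the socket's 0600 mode are what stop unrelated local users from connecting in the first place.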
  • The fallback hostname of the systemd manager and of systemd-hostnamed can now also be set in two further ways: via the DEFAULT_HOSTNAME parameter in os-release and via the $SYSTEMD_DEFAULT_HOSTNAME environment variable. systemd-hostnamed now handles "localhost" as a hostname and adds the ability to export the hostname together with the "HardwareVendor" and "HardwareModel" properties over DBus.
  • The block of environment variables currently exported can be configured via the new ManagerEnvironment option in system.conf or user.conf, not only via the kernel command line and unit file settings.
  • At build time it is now possible to use the fexecve() system call instead of execve() to start processes, reducing the window between checking a binary's security state and executing it.
  • For unit files, the new conditions ConditionSecurity=tpm2 and ConditionCPUFeature have been added to check for the presence of a TPM2 device and for particular CPU capabilities (for example, ConditionCPUFeature=rdrand can be used to check whether the processor supports the RDRAND instruction).
  • For the current kernel, a system call generation mechanism has been implemented for seccomp filtering.
  • The ability to substitute new mounts into the namespace of an existing service without restarting it has been added. It is used via the 'systemctl bind …' and 'systemctl mount-image …' commands.
  • Support has been added for specifying the path in the StandardOutput and StandardError settings in the form "truncate:" so that the file is emptied before use.
  • The ability to open a connection to a specified user session inside a local container has been added to sd-bus. For example: "systemctl --user -M lennart@ start quux".
  • The following settings have been implemented in systemd.link files in the [Link] section:
    • Promiscuous, which allows switching the device into "promiscuous" mode to process all network packets, including those not addressed to the current system;
    • TransmitQueues and ReceiveQueues for setting the number of TX and RX queues;
    • TransmitQueueLength for setting the TX queue length; GenericSegmentOffloadMaxBytes and GenericSegmentOffloadMaxSegments for setting limits on the use of GRO (Generic Receive Offload).
  • New settings have been added to systemd.network files:
    • [Network] RouteTable for selecting the routing table;
    • [RoutingPolicyRule] Type for the route type ("blackhole", "unreachable", "prohibit");
    • [IPv6AcceptRA] RouteDenyList and RouteAllowList for lists of allowed and denied route advertisements;
    • [DHCPv6] UseAddress to ignore the address assigned by DHCP;
    • [DHCPv6PrefixDelegation] ManageTemporaryAddress;
    • ActivationPolicy to define the policy for interface activation (keep it up or down, or let the user change the state using the "ip link set dev" command).
  • The [VLAN] Protocol, IngressQOSMaps and EgressQOSMaps options and the [MACVLAN] BroadcastMulticastQueueLength option have been added to systemd.netdev files for configuring VLAN packet handling.
  • The /dev/ directory is no longer mounted in noexec mode, since that caused conflicts when the executable flag is used with the /dev/sgx file. To restore the old behaviour, the NoExecPaths=/dev setting can be used.
  • The permissions of /dev/vsock have been changed to 0o666, and the /dev/vhost-vsock and /dev/vhost-net files have been moved to the kvm group.
  • The hardware ID database has been extended with USB fingerprint readers that correctly support sleep mode.
  • systemd-resolved adds support for answering DNSSEC queries through the stub resolver: local clients can perform DNSSEC validation themselves, while queries from external clients are passed on unchanged to the upstream DNS server.
  • The CacheFromLocalhost option has been added to resolved.conf; when set, systemd-resolved uses caching even for requests to a DNS server on 127.0.0.1 (by default, caching of such requests is disabled to avoid double caching).
  • systemd-resolved adds support for RFC 5001 NSIDs in the local DNS resolver, allowing clients to tell apart interaction with the local resolver from interaction with another DNS server.
  • The resolvectl utility can now display information on the source of the data (local cache, network request, locally synthesized response) and on the use of encryption during transfer. The options --cache, --synthesize, --network, --zone, --trust-anchor and --validate are provided to control the name resolution process.
  • systemd-nspawn adds support for configuring the firewall using nftables in addition to the existing iptables support. The IPMasquerade setting in systemd-networkd has gained the ability to use an nftables-based backend.
  • systemd-localed adds support for calling locale-gen to generate missing locales.
  • The --pager/--no-pager/--json= options have been added to various utilities to enable or disable paged output and output in JSON format. The number of colours used in the terminal can now be set via the SYSTEMD_COLORS environment variable ("16" or "256").
  • Building with a split hierarchy (separate / and /usr) and cgroup v1 support have been deprecated.
  • The main development branch in Git has been renamed from 'master' to 'main'.

Source: opennet.ru
