After several months of development, the release of the systemd 248 system manager has been announced. The new release adds images for extending system directories, the /etc/veritytab configuration file, the systemd-cryptenroll utility, support for unlocking LUKS2 volumes with TPM2 chips and FIDO2 tokens, running units in an isolated IPC identifier namespace, support for B.A.T.M.A.N. mesh networks, an nftables backend in systemd-nspawn, and a stabilized systemd-oomd.

Main changes:

- The concept of system extension images has been implemented. They make it possible to extend the /usr/ and /opt/ directory hierarchies, adding files at runtime even when those directories are mounted read-only. When a system extension image is mounted, its contents are overlaid onto the /usr/ and /opt/ hierarchies using OverlayFS. A new utility, systemd-sysext, is provided for attaching, detaching, listing and updating system extension images. The systemd-sysext.service unit has been added to attach already-installed images automatically at boot. A SYSEXT_LEVEL= parameter has been added to the os-release file to indicate the level of system extension functionality supported.
- For units, the ExtensionImages setting has been implemented; it can be used to link system extension images into the file-system namespace hierarchy of individual isolated services.
- The /etc/veritytab configuration file has been added for setting up block-level data verification with the dm-verity module. Its format resembles /etc/crypttab: "section_name device_for_data device_for_hashes check_hash_root options". The systemd.verity.root_options kernel command-line option has been added to configure dm-verity behaviour for the root device.
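The veritytab format described above is small enough to parse and sanity-check before an image is shipped. The following is an added example, not code from systemd or from the original article: it parses a constructed /etc/veritytab in the "name data_device hash_device root_hash options" layout, rejects non-hex root hashes, reports option names it does not recognise, and tells you what dm-verity will do on a hash mismatch for each entry. The recognised option names are the dm-verity behaviour flags documented in veritytab(5) as I recall them; treat that set as illustrative rather than exhaustive. The device paths and root hashes are made up.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed sample of an /etc/veritytab in the layout the release notes give:
#   <name> <data device> <hash device> <root hash> [options]
# Device paths and root hashes are invented for illustration only.
SAMPLE_VERITYTAB = """\
# name  data device                   hash device                          root hash                                                         options
usr     /dev/disk/by-partlabel/usr    /dev/disk/by-partlabel/usr-verity    0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  panic-on-corruption,ignore-zero-blocks
opt     /dev/disk/by-partlabel/opt    /dev/disk/by-partlabel/opt-verity    FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
"""

# Option names this check recognises (assumption: the dm-verity flags listed in
# veritytab(5); the set is illustrative, not exhaustive). Options taking a value
# such as root-hash-signature= are matched on the part before "=".
KNOWN_OPTIONS = {
    "ignore-corruption", "restart-on-corruption", "panic-on-corruption",
    "ignore-zero-blocks", "check-at-most-once", "root-hash-signature",
    "noauto", "nofail", "_netdev",
}

@dataclass
class VerityEntry:
    name: str
    data_device: str
    hash_device: str
    root_hash: str                      # normalised to lowercase hex
    options: List[str] = field(default_factory=list)

def parse_veritytab(text: str) -> List[VerityEntry]:
    """Parse veritytab text into entries; malformed lines and non-hex hashes raise ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields, got {len(fields)}")
        name, data_dev, hash_dev, root_hash = fields[:4]
        options = fields[4].split(",") if len(fields) > 4 else []
        try:
            bytes.fromhex(root_hash)                # also rejects odd-length strings
        except ValueError:
            raise ValueError(f"line {lineno}: root hash is not hexadecimal") from None
        entries.append(VerityEntry(name, data_dev, hash_dev, root_hash.lower(), options))
    return entries

def unknown_options(entry: VerityEntry) -> List[str]:
    """Options the check does not recognise; a typo here silently weakens the policy."""
    return [o for o in entry.options if o.split("=", 1)[0] not in KNOWN_OPTIONS]

def corruption_policy(entry: VerityEntry) -> str:
    """What dm-verity does on a hash mismatch for this entry. The kernel default is
    to fail the read with an I/O error ("eio"); the three *-corruption flags change that."""
    for opt in ("ignore-corruption", "restart-on-corruption", "panic-on-corruption"):
        if opt in entry.options:
            return opt
    return "eio"

if __name__ == "__main__":
    for e in parse_veritytab(SAMPLE_VERITYTAB):
        print(f"{e.name}: on corruption -> {corruption_policy(e)}; unknown options: {unknown_options(e)}")
```

Running the block on the constructed table reports that usr panics on corruption while opt falls back to the kernel's I/O-error behaviour, which is the kind of difference a reviewer wants to see before the root_options on the kernel command line are decided.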
- systemd-cryptsetup gained the ability to extract a PKCS#11 token URI and an encryption key from the JSON-format LUKS2 metadata header, so that the information needed to open an encrypted device can be embedded in the device itself rather than supplied through external files.
- systemd-cryptsetup now supports unlocking LUKS2 encrypted partitions with TPM2 chips and FIDO2 tokens, in addition to the previously supported PKCS#11 tokens. libfido2 is loaded via dlopen(): its availability is checked on the fly rather than being a hard dependency.
- New options "no-write-workqueue" and "no-read-workqueue" have been added to systemd-cryptsetup's /etc/crypttab, enabling synchronous processing of encryption- and decryption-related I/O.
- The systemd-repart utility gained the ability to activate encrypted partitions using a TPM2 chip, for example to create an encrypted /var partition on first boot.
- The systemd-cryptenroll utility has been added. Besides binding TPM2, FIDO2 and PKCS#11 tokens to LUKS partitions, it can unbind and list tokens, bind recovery keys and set passwords for access.
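Because the unlock information now lives in the LUKS2 JSON header (the point made for systemd-cryptsetup above) and systemd-cryptenroll can add or remove several kinds of token, a defender will want to inventory which keyslots are protected by what. The following is an added example, not code from systemd or the article: it reads LUKS2 metadata in the layout that `cryptsetup luksDump --dump-json-metadata` prints and maps each keyslot to the token types bound to it. Only the "type" and "keyslots" fields of a token are relied on (both defined by the LUKS2 format); the systemd-tpm2 / systemd-fido2 / systemd-pkcs11 / systemd-recovery type names are the ones systemd-cryptenroll writes, and every other value in the sample is constructed.

```python
import json
from typing import Dict, List

# Constructed LUKS2 metadata in the layout of `cryptsetup luksDump --dump-json-metadata`.
# Only each token's "type" and "keyslots" are relied on; "tpm2-pcrs" and the key sizes
# are illustrative values, not copied from a real header.
SAMPLE_LUKS2_METADATA = """{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64},
    "1": {"type": "luks2", "key_size": 64},
    "2": {"type": "luks2", "key_size": 64}
  },
  "tokens": {
    "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7]},
    "1": {"type": "systemd-recovery", "keyslots": ["2"]}
  }
}"""

# Token types systemd-cryptenroll creates for hardware- or device-backed unlocking.
HARDWARE_TOKEN_TYPES = {"systemd-tpm2", "systemd-fido2", "systemd-pkcs11"}

def unlock_inventory(metadata_json: str) -> Dict[str, List[str]]:
    """Map each keyslot id to the token types bound to it.
    A slot with an empty list is described by no token at all, which in practice
    means it is unlocked by a passphrase typed by a human."""
    meta = json.loads(metadata_json)
    inventory: Dict[str, List[str]] = {slot: [] for slot in meta.get("keyslots", {})}
    for token in meta.get("tokens", {}).values():
        for slot in token.get("keyslots", []):
            inventory.setdefault(slot, []).append(token["type"])
    return inventory

def passphrase_only_slots(metadata_json: str) -> List[str]:
    """Keyslots no token points at, sorted by slot id."""
    return sorted(slot for slot, kinds in unlock_inventory(metadata_json).items() if not kinds)

def has_hardware_bound_unlock(metadata_json: str) -> bool:
    """True when at least one keyslot is protected by a TPM2, FIDO2 or PKCS#11 token."""
    return any(HARDWARE_TOKEN_TYPES & set(kinds)
               for kinds in unlock_inventory(metadata_json).values())

if __name__ == "__main__":
    for slot, kinds in unlock_inventory(SAMPLE_LUKS2_METADATA).items():
        print(f"keyslot {slot}: {', '.join(kinds) or 'passphrase only'}")
    print("passphrase-only slots:", passphrase_only_slots(SAMPLE_LUKS2_METADATA))
```

On the constructed header, slot 1 is TPM2-bound, slot 2 is a recovery key, and slot 0 is passphrase-only; that last category is the one to review after enrolling a hardware token, since a forgotten passphrase slot keeps a non-hardware unlock path alive.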
- The PrivateIPC parameter has been added, allowing unit files to run processes in an isolated IPC space with its own separate identifiers and message queues. To attach a unit to an already-created IPC identifier namespace, the IPCNamespacePath option is provided.
- The ExecPaths and NoExecPaths settings have been added, allowing the noexec flag to be applied to specific parts of the file system.
- systemd-networkd gained support for the B.A.T.M.A.N. mesh protocol (Better Approach To Mobile Adhoc Networking), which makes it possible to build distributed networks in which each node is connected through neighbouring nodes. For configuration, a [BatmanAdvanced] section in .netdev files, a BatmanAdvanced parameter in .network files and a new device type "batadv" are provided.
- The implementation of systemd-oomd, the mechanism for early response to memory shortage, has been stabilized. The DefaultMemoryPressureDurationSec option has been added to configure how long to wait for resources to be freed before acting on units. systemd-oomd uses the PSI (Pressure Stall Information) kernel subsystem to detect the onset of delays caused by resource shortage and selectively terminate resource-hungry processes at a stage where the system is not yet in a critical state and has not yet begun intensive cache trimming and moving data to swap.
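To make the PSI-based decision above concrete, here is an added example (not systemd-oomd's code, and a simplified model of it): it parses the `some`/`full` lines that the kernel exposes in /proc/pressure/memory and in a cgroup's memory.pressure file, then walks a constructed timeline of snapshots and reports the moment at which `full avg10` has stayed above a limit for at least a configured duration, which is the role DefaultMemoryPressureDurationSec plays. The 60 % limit, the 5-second sampling interval and the pressure values are constructed for the demonstration; systemd-oomd's real sampling, averaging and victim selection are not claimed here.

```python
from typing import Dict, List, Optional, Tuple

# Constructed snapshot in the exact layout of /proc/pressure/memory (and of a
# cgroup's memory.pressure). "some": at least one task stalled on memory;
# "full": all non-idle tasks stalled. avgNN are percentages over NN seconds,
# total is accumulated stall time in microseconds.
SAMPLE_PSI = """\
some avg10=12.50 avg60=4.10 avg300=1.00 total=123456
full avg10=7.25 avg60=2.00 avg300=0.50 total=65432
"""

def parse_psi(text: str) -> Dict[str, Dict[str, float]]:
    """Parse PSI text into {"some": {...}, "full": {...}}; unknown lines are ignored."""
    result: Dict[str, Dict[str, float]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("some", "full"):
            continue
        metrics: Dict[str, float] = {}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            metrics[key] = int(value) if key == "total" else float(value)
        result[parts[0]] = metrics
    return result

def psi_snapshot(full_avg10: float) -> str:
    """Build a constructed snapshot with the given full avg10 (some is always >= full)."""
    return (f"some avg10={full_avg10 + 5:.2f} avg60=0.00 avg300=0.00 total=0\n"
            f"full avg10={full_avg10:.2f} avg60=0.00 avg300=0.00 total=0\n")

def first_sustained_breach(samples: List[Tuple[float, str]], limit_pct: float,
                           duration_s: float, line: str = "full",
                           window: str = "avg10") -> Optional[float]:
    """Return the timestamp at which `<line> <window>` has been above limit_pct for at
    least duration_s without interruption, or None if that never happens. A single
    sample below the limit resets the clock: a short spike does not trigger action."""
    above_since: Optional[float] = None
    for ts, text in samples:
        value = parse_psi(text)[line][window]
        if value > limit_pct:
            if above_since is None:
                above_since = ts
            if ts - above_since >= duration_s:
                return ts
        else:
            above_since = None
    return None

# Constructed timeline sampled every 5 s: a spike that subsides, then sustained pressure.
CONSTRUCTED_TIMELINE = [(t, psi_snapshot(v)) for t, v in
                        [(0, 10), (5, 70), (10, 75), (15, 50),
                         (20, 80), (25, 85), (30, 90), (35, 95)]]

if __name__ == "__main__":
    print("act at t =", first_sustained_breach(CONSTRUCTED_TIMELINE, limit_pct=60, duration_s=10))
```

On the constructed timeline the first excursion above 60 % (t = 5 to 10) is cut short by the dip at t = 15 and is ignored; the sustained rise that starts at t = 20 satisfies a 10-second duration at t = 30, and a 30-second duration is never satisfied. That is the trade-off the duration setting controls: a longer value avoids killing on transient spikes at the cost of reacting later.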
- The kernel command-line parameter "root=tmpfs" has been added, allowing the root partition to be mounted on RAM-based temporary storage using tmpfs.
- The /etc/crypttab parameter that specifies the key file can now point to a socket of type AF_UNIX and SOCK_STREAM; in that case the key must be supplied when a connection to the socket is made. This can be used, for example, to build services that issue keys dynamically.
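The socket-backed key source above is easiest to understand as a two-party exchange: a key service listens on an AF_UNIX/SOCK_STREAM socket and pushes the key to whoever connects, and the consumer connects, reads to end-of-file and uses the bytes as the key. The following is an added example of that pattern, not systemd-cryptsetup's implementation and not code from the article: both sides run in one process against a socket in a temporary directory, so it runs offline. The key bytes, the socket path and the crypttab line in the comment are constructed, and how systemd-cryptsetup itself identifies the requesting volume to the service is not claimed here.

```python
import os
import socket
import tempfile
import threading
from typing import Callable

# A constructed /etc/crypttab line in which the key-file field names such a socket
# (device path and socket path are illustrative):
#   data  /dev/disk/by-partlabel/data  /run/keyd/data.sock  luks

def serve_key_once(sock_path: str, key_provider: Callable[[], bytes]) -> threading.Thread:
    """Key service side: listen on an AF_UNIX/SOCK_STREAM socket, hand the key to the
    first client that connects, then close. Binding happens before the thread starts,
    so a client may connect as soon as this function returns."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o600)          # only the socket's owner may connect
    srv.listen(1)

    def _run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(key_provider())   # the key is pushed on connect; client reads to EOF
        srv.close()

    t = threading.Thread(target=_run, daemon=True)
    t.start()
    return t

def fetch_key(sock_path: str, timeout_s: float = 5.0) -> bytes:
    """Consumer side: connect, read until the service closes the stream, return the bytes."""
    chunks = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(timeout_s)
        c.connect(sock_path)
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def demo_exchange(key: bytes = b"constructed-demo-key-material") -> bytes:
    """Run service and consumer against a socket in a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "key.sock")
        t = serve_key_once(path, lambda: key)
        received = fetch_key(path)
        t.join(timeout=5)
    return received

if __name__ == "__main__":
    print(demo_exchange())
```

Two details carry over to a real deployment: the service decides what to hand out at connect time, so it can refuse, log or rate-limit, and the socket's file permissions are the access control, which is why the example restricts them to the owner.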
- The fallback hostname used by the system manager and systemd-hostnamed can now be set in two ways: through the DEFAULT_HOSTNAME parameter in os-release and through the $SYSTEMD_DEFAULT_HOSTNAME environment variable. systemd-hostnamed gained handling of the hostname "localhost" and the ability to export the hostname and the "HardwareVendor" and "HardwareModel" properties over D-Bus.
- The block of public environment variables can now be set not only via the kernel command line and unit-file settings but also through the new ManagerEnvironment option in system.conf or user.conf.
- At compile time, the fexecve() system call can be selected instead of execve() for starting processes, reducing the delay between checking and applying the security context.
- For unit files, the new conditions ConditionSecurity=tpm2 and ConditionCPUFeature have been added to check for the presence of a TPM2 device and for individual CPU features (for example, ConditionCPUFeature=rdrand can be used to check whether the processor supports the RDRAND instruction).
- Automatic generation of the system-call table for seccomp filters has been implemented for the available kernels.
- The ability to insert new bind mounts into a service's existing mount namespace without restarting the service has been added. This is done with the "systemctl bind …" and "systemctl mount-image …" commands.
- Support has been added for specifying a path in the form "truncate:" in the StandardOutput and StandardError settings, which truncates the file before use.
- sd-bus gained the ability to connect to the session of a given user inside a local container, for example "systemctl --user -M lennart@ start quux".
- The following parameters have been implemented in the [Link] section of systemd.link files:
  - Promiscuous switches the device into promiscuous mode, so that it processes all network packets, including those not destined for the current system.
  - TransmitQueues and ReceiveQueues set the number of TX and RX queues.
  - TransmitQueueLength sets the TX queue size; GenericSegmentOffloadMaxBytes and GenericSegmentOffloadMaxSegments set limits on the use of GRO (Generic Receive Offload).
- New settings have been added to systemd.network files:
  - [Network] RouteTable selects the routing table;
  - [RoutingPolicyRule] Type sets the rule type ("blackhole", "unreachable", "prohibit");
  - [IPv6AcceptRA] RouteDenyList and RouteAllowList hold the lists of denied and allowed routes;
  - [DHCPv6] UseAddress controls whether addresses issued by DHCP are ignored;
  - [DHCPv6PrefixDelegation] ManageTemporaryAddress controls management of temporary addresses;
  - ActivationPolicy defines the policy for interface activation (keep it always UP or DOWN, or let the user change the state with the "ip link set dev" command).
- To configure VLAN packet handling, the [VLAN] Protocol, IngressQOSMaps and EgressQOSMaps options and the [MACVLAN] BroadcastMulticastQueueLength option have been added to systemd.netdev files.
- Mounting the /dev/ directory in noexec mode has been dropped, because using the executable flag on the /dev/sgx file caused conflicts. To return to the previous behaviour, the NoExecPaths=/dev setting can be used.
- The permissions on /dev/vsock have been changed to 0o666, and /dev/vhost-vsock and /dev/vhost-net have been moved to the kvm group.
- The hardware ID database has been extended with USB fingerprint readers that correctly support sleep mode.
- systemd-resolved gained support for answering DNSSEC queries through its stub resolver: local clients can perform DNSSEC validation themselves, while external requests are proxied to the upstream DNS server unchanged.
- The CacheFromLocalhost option has been added to resolved.conf; when set, systemd-resolved uses its cache for requests to a DNS server at 127.0.0.1 (by default, caching of such requests is disabled to avoid double caching).
- systemd-resolved gained RFC 5001 NSID support for the local DNS resolver, allowing clients to distinguish interaction with the local resolver from interaction with another DNS server.
- The resolvectl utility can now display where the data came from (local cache, network request, locally synthesized response) and whether encryption was used while transferring it. The options --cache, --synthesize, --network, --zone, --trust-anchor and --validate are provided to control the name resolution process.
- systemd-nspawn gained support for firewall configuration using nftables in addition to the existing iptables support. The IPMasquerade setup in systemd-networkd gained the ability to use an nftables-based backend.
- systemd-localed gained support for calling locale-gen to generate missing locales.
- The options --pager/--no-pager/--json= for enabling or disabling paging and JSON output have been added to various utilities. The number of colours used in the terminal can be set via the SYSTEMD_COLORS environment variable ("16" or "256").
- Builds with separate directory hierarchies (split / and /usr) and with cgroup v1 support have been deprecated.
- The Git master branch has been renamed from "master" to "main".

Source: opennet.ru