systemd system manager 243 released

After five months of development, the release of the system manager systemd 243 has been published. Among the new features we can note: a handler in PID 1 for kernel out-of-memory events, support for loading custom BPF programs to filter network traffic, numerous new systemd-networkd options, a facility for measuring the bandwidth of network interfaces, 22-bit PID numbers enabled by default on 64-bit systems instead of 16-bit ones, the switch to the unified cgroup hierarchy, and the inclusion of systemd-network-generator.

Main changes:

  • The PID 1 handler now recognises kernel out-of-memory (OOM) kill events for units that have reached their memory usage limit, and can optionally either force such units to terminate or leave them running;
  • For unit files, new IPIngressFilterPath and IPEgressFilterPath parameters have been added, which allow arbitrary BPF programs to be attached to a unit to filter the incoming and outgoing IP packets generated by the processes belonging to it. This makes it possible to build a kind of per-service firewall for systemd services. An example of writing a simple BPF-based network filter is available;
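As an added illustration of the two items above (this is not code from the page or from the systemd project), here is a service unit that combines a hard memory cap with the OOM handling introduced in 243 and the new per-service BPF packet filters. The unit name, binary path, BPF pin paths and address ranges are assumptions; the setting that selects the OOM behaviour, OOMPolicy=, is not named on the page but is the option that implements the first item.

```ini
# /etc/systemd/system/web-frontend.service  (hypothetical unit; all paths are placeholders)
[Unit]
Description=Web frontend with memory cap, OOM policy and per-service IP filtering

[Service]
ExecStart=/usr/local/bin/web-frontend
# Hard limit: once the unit's cgroup exceeds it, the kernel OOM killer
# runs inside the unit instead of picking a victim system-wide.
MemoryMax=512M
# What PID 1 does when the kernel OOM-kills one of the unit's processes (243+):
#   continue - log the event and leave the remaining processes alone (old behaviour)
#   stop     - terminate the unit cleanly
#   kill     - kill all remaining processes of the unit
# A half-dead frontend is worse than a restarted one, so kill it and restart.
OOMPolicy=kill
Restart=on-failure
RestartSec=5s

# Custom packet filters: absolute paths to BPF programs pinned in the BPF
# filesystem. The programs must be of type BPF_PROG_TYPE_CGROUP_SKB and
# return 1 to accept a packet, 0 to drop it. They are pinned beforehand, e.g.:
#   bpftool prog load ingress.o /sys/fs/bpf/web-frontend/ingress type cgroup/skb
#   bpftool prog load egress.o  /sys/fs/bpf/web-frontend/egress  type cgroup/skb
IPIngressFilterPath=/sys/fs/bpf/web-frontend/ingress
IPEgressFilterPath=/sys/fs/bpf/web-frontend/egress
# The built-in address lists still apply alongside the custom programs; a packet
# has to pass both. Deny by default, then allow the local host and the backend net.
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=10.0.0.0/8
```

Unit files do not accept trailing comments on a setting line, which is why every comment above sits on its own line. After `systemctl daemon-reload`, `systemctl show web-frontend.service -p OOMPolicy -p IPIngressFilterPath` confirms the values PID 1 actually loaded; a pin path that does not exist causes the unit to fail to start rather than to run unfiltered.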

  • A "clean" command has been added to the systemctl utility to remove a unit's cache, runtime files, state data and logs;
  • systemd-networkd adds support for the MACsec, nlmon, IPVTAP and Xfrm network interface types;
  • systemd-networkd now configures the DHCPv4 and DHCPv6 stacks separately through the "[DHCPv4]" and "[DHCPv6]" sections of the configuration file. A RoutesToDNS option has been added to install a separate route to the DNS server given in the parameters received from the DHCP server (so that DNS traffic is sent over the same link as the main route obtained from DHCP). New DHCPv4 options have been added: MaxAttempts, the number of attempts to obtain an address; BlackList, a blacklist of DHCP servers; SendRelease, the ability to send a DHCP RELEASE message at the end of the session;
  • New commands have been added to the systemd-analyze utility:
    • "systemd-analyze timestamp" - parsing and conversion of timestamps;
    • "systemd-analyze timespan" - parsing and conversion of time spans;
    • "systemd-analyze condition" - parsing and evaluation of ConditionXYZ expressions;
    • "systemd-analyze exit-status" - parsing and conversion of exit codes from numbers to names and vice versa;
    • "systemd-analyze unit-files" - lists all unit file paths and unit aliases.
  • The SuccessExitStatus, RestartPreventExitStatus and RestartForceExitStatus options now accept not only numeric exit codes but also their symbolic names (for example "DATAERR"). The mapping of codes to names can be listed with the "systemd-analyze exit-status" command;
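As an added example for the DHCP item above (not a file from the page or from the systemd project), a .network file that uses the new separate "[DHCPv4]" and "[DHCPv6]" sections together with the RoutesToDNS, MaxAttempts, BlackList and SendRelease options. The interface name and the blacklisted server addresses (RFC 5737 documentation range) are constructed.

```ini
# /etc/systemd/network/20-wired.network  (hypothetical file; addresses are constructed)
[Match]
Name=enp1s0

[Network]
# Run both DHCP clients; their settings now live in separate sections below.
DHCP=yes

[DHCPv4]
# Give up after 10 attempts instead of sending DISCOVER messages forever.
MaxAttempts=10
# Reject offers from these servers, e.g. a rogue DHCP server seen on this segment.
BlackList=192.0.2.250 192.0.2.251
# Hand the lease back with a DHCP RELEASE when the client stops.
SendRelease=yes
# Take the DNS servers from the lease and add a route to each of them via the
# DHCP-provided gateway, so DNS traffic always leaves through this link.
UseDNS=yes
RoutesToDNS=yes

[DHCPv6]
# DHCPv6 has its own section now; here only the lease's DNS servers are used.
UseDNS=yes
```

After restarting systemd-networkd, `networkctl status enp1s0` shows the obtained lease together with the per-DNS-server routes. The blacklist matches on the server address only, so it is a mitigation for a known misbehaving server, not a substitute for DHCP snooping on the switch.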

  • A "delete" command has been added to the networkctl utility to remove virtual network devices, along with a "--stats" option to display device statistics;
  • SpeedMeter and SpeedMeterIntervalSec settings have been added to networkd.conf for periodically measuring network throughput. The statistics gathered from these measurements can be seen in the output of 'networkctl status';
  • A new systemd-network-generator utility has been added, which generates .network, .netdev and .link files from the IP settings passed at boot on the Linux kernel command line in the Dracut settings format;

  • The sysctl "kernel.pid_max" on 64-bit systems is now set by default to 4194304 (22-bit PIDs instead of 16-bit ones), which reduces the chance of collisions when allocating PIDs, raises the limit on the number of concurrently running processes, and has a positive effect on security. The change may cause compatibility problems, but no such issues have been described in detail;
  • By default, the build system now switches to the unified cgroup-v2 hierarchy ("-Ddefault-hierarchy=unified"). Previously the default was the hybrid hierarchy ("-Ddefault-hierarchy=hybrid");
  • The behaviour of the system call filter (SystemCallFilter) has changed: on a forbidden system call it now terminates the whole process rather than a single thread, since terminating individual threads could cause unexpected problems. The change takes effect with Linux kernel 4.14+ and libseccomp 2.4.0+;
  • Unprivileged programs are allowed to send ICMP Echo (ping) packets by setting the sysctl "net.ipv4.ping_group_range" to cover all groups (in all cases);
  • To speed up the build, generation of the man pages is disabled by default (to build the full documentation, use the "-Dman=true" option, or "-Dhtml=true" for documentation in HTML format). For convenient viewing, two scripts are included, build/man/man and build/man/html, to build and preview the documentation of interest;
  • For processing host names containing characters from national alphabets, the libidn2 library is used by default (to go back to libidn, use "-Dlibidn=true");
  • Support for the /usr/sbin/halt.local helper file, a feature that was not widely used across distributions, has been dropped. To run commands at shutdown, it is recommended to use scripts in /usr/lib/systemd/system-shutdown/ or to define a new unit that depends on final.target;
  • In the final stage of shutdown, systemd now raises the log level in the sysctl "kernel.printk", which solves the problem of the logs not showing events that happen late in the shutdown, after the logging daemons have already terminated;
  • In journalctl and other log-viewing tools, warnings are shown in yellow and audit records in blue, so that they stand out from the rest;
  • In the $PATH environment variable, the path to bin/ now comes before the path to sbin/, i.e. if executables with the same name exist in both directories, the one from bin/ is executed;
  • systemd-logind provides a SetBrightness() call to change the screen brightness within a given session;
  • A "--wait-for-initialization" flag has been added to the "udevadm info" command to wait until a device has been initialised;
  • During system boot, the PID 1 handler now shows unit names instead of their descriptions. To return to the old behaviour, use the StatusUnitFormat option in /etc/systemd/system.conf or the systemd.status_unit_format kernel option;
  • A KExecWatchdogSec option has been added to /etc/systemd/system.conf for the PID 1 watchdog, specifying the timeout for a reboot via kexec. The old ShutdownWatchdogSec setting has been renamed RebootWatchdogSec and defines the timeout for a normal shutdown or reboot;
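As an added example for the SystemCallFilter item above (not a file from the page or from the systemd project), a drop-in that confines a hypothetical network daemon to the system calls it needs. The unit name is an assumption; the system call group names are the ones documented in systemd.exec(5). The comment on the last setting is where the 243 change matters: without it, a forbidden call now ends the whole process, not just the thread that made it.

```ini
# /etc/systemd/system/metrics-exporter.service.d/sandbox.conf  (hypothetical drop-in)
[Service]
# Allow-list: only the calls a typical userspace daemon needs.
SystemCallFilter=@system-service
# A second line with a leading '~' subtracts groups from that allow-list, so
# these stay blocked even if a call happens to be part of @system-service.
SystemCallFilter=~@privileged @resources @mount @module @reboot @swap
# Only the native ABI, so the filter cannot be sidestepped via a secondary
# architecture (e.g. x32 or i386 syscalls on x86-64).
SystemCallArchitectures=native
# Required for the filter to hold across execve() of setuid binaries.
NoNewPrivileges=yes
# Default action on a forbidden call is to kill. Since 243 (kernel 4.14+,
# libseccomp 2.4.0+) the whole process is killed, not just the calling thread,
# so a multi-threaded daemon cannot limp on in a half-broken state.
# To get an error return instead of a kill while tuning the list, uncomment:
#SystemCallErrorNumber=EPERM
```

A practical way to tune such a list is to start with `SystemCallErrorNumber=EPERM`, run the daemon's test suite, and read the journal for the calls that failed; once the list is stable, remove the line so that violations kill the process and surface as a unit failure instead of silently degraded behaviour.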

  • A new ExecCondition option has been added for services, which allows commands to be specified that are executed before ExecStartPre. Depending on the exit code returned by the command, a decision is made about continuing the unit's startup: if 0 is returned, startup continues; if 1 to 254, it ends quietly without the failure flag; if 255, it ends with the failure flag;
  • A new systemd-pstore.service has been added to extract data from /sys/fs/pstore/ and save it in /var/lib/pstore for later analysis;
  • New commands have been added to the timedatectl utility for configuring the NTP parameters of systemd-timesyncd per network interface;
  • The "localectl list-locales" command no longer shows locales other than UTF-8 ones;
  • Errors when applying settings from sysctl.d/ files are now ignored if the variable name starts with the "-" character;
  • The systemd-random-seed.service is now responsible for initialising the entropy pool of the Linux kernel's pseudorandom number generator. Services that need a properly initialised /dev/urandom should be started after systemd-random-seed.service;
  • The systemd-boot boot loader gains optional support for a seed file, stored by default in the EFI System Partition (ESP);
  • New commands have been added to the bootctl utility: "bootctl random-seed" to create a seed file in the ESP and "bootctl is-installed" to check whether the systemd-boot boot loader is installed. bootctl has also been changed to show warnings about incorrectly configured boot entries (for example, when a kernel image has been removed but its boot entry remains);
  • The swap partition is now selected automatically when the machine enters hibernation. The partition is chosen based on the configured priority and, for equal priorities, on the amount of free space;
  • A keyfile-timeout option has been added to /etc/crypttab to set how long to wait for the device holding the encryption key before falling back to prompting for a passphrase to unlock the encrypted partition;
  • An IOWeight option has been added to set the I/O weight for the BFQ scheduler;
  • systemd-resolved adds a 'strict' mode for DNS-over-TLS and the ability to cache only positive DNS responses ("Cache=no-negative" in resolved.conf);
  • For VXLAN, systemd-networkd adds a GenericProtocolExtension option to enable the VXLAN Generic Protocol Extension. For VXLAN and GENEVE, an IPDoNotFragment option has been added to set the flag that forbids fragmentation of outgoing packets;
  • In systemd-networkd, the "[Route]" section gains a FastOpenNoCookie option to enable TCP Fast Open (TFO, RFC 7413) connections without a cookie on a per-route basis, as well as a TTLPropagate option to configure TTL propagation for an LSP (Label Switched Path). The "Type" option gains support for the unicast, broadcast, anycast, multicast, any and xresolve route types;
  • systemd-networkd provides a DefaultRouteOnDevice option in the "[Network]" section to automatically configure a default route on the given device;
  • systemd-networkd adds ProxyARP and ProxyARPWifi options for configuring proxy ARP behaviour, MulticastRouter for configuring router parameters in multicast mode, and MulticastIGMPVersion for changing the IGMP (Internet Group Management Protocol) version used for multicast;
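As an added example for the ExecCondition item above and the earlier item on symbolic exit statuses (not a unit from the page or from the systemd project), a service whose start is gated by a probe command and whose exit statuses are classified by name. The unit name and both helper programs are hypothetical; the names DATAERR and CONFIG are the sysexits.h names that "systemd-analyze exit-status" lists.

```ini
# /etc/systemd/system/attest-boot.service  (hypothetical unit; the helpers are assumptions)
[Unit]
Description=Example of ExecCondition= and symbolic exit statuses

[Service]
Type=simple
# ExecCondition= runs before ExecStartPre=. Its exit status decides what happens:
#   0       continue with ExecStartPre=/ExecStart=
#   1..254  skip the unit quietly (it is not marked failed)
#   255     skip the unit and mark it failed
# Assumed probe: exits 0 if a TPM is present, 1 if not, 255 if the probe itself breaks.
ExecCondition=/usr/local/bin/has-tpm
ExecStart=/usr/local/bin/attest-boot
Restart=on-failure
# Since 243 exit statuses may be given by name (names and numbers are listed by
# "systemd-analyze exit-status"). DATAERR (65 in sysexits.h) is how the assumed
# attest-boot reports "nothing to attest"; treat that as success, not failure...
SuccessExitStatus=DATAERR
# ...and never auto-restart on CONFIG (78): a broken configuration will not fix
# itself by restarting, and a restart loop would only flood the journal.
RestartPreventExitStatus=CONFIG
```

The distinction between 1..254 and 255 in ExecCondition= is what makes it different from a failing ExecStartPre=: a probe that says "not applicable here" leaves the unit inactive without alarming anyone, whereas a probe that is itself broken (255) shows up as a failed unit and is caught by monitoring.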
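As an added example for three of the items above (the new kernel.pid_max default, the ping_group_range default, and the "-" prefix in sysctl.d/ files; not a file from the page or from the systemd project), a local override file processed by systemd-sysctl. The file name and the interface name are constructed; the values shown are the ones an administrator who wants the previous behaviour back would set.

```ini
# /etc/sysctl.d/90-local-overrides.conf  (hypothetical file; sorts after systemd's own 50-*.conf)

# Opt out of the 243 default of 4194304 on a host that still runs software which
# assumes 16-bit PIDs (e.g. parses them into a 16-bit field).
kernel.pid_max = 32768

# Undo the "every group may open ICMP Echo sockets" default. With low > high the
# range is empty, so unprivileged ping sockets are disabled again.
net.ipv4.ping_group_range = 1 0

# A per-interface setting for an interface that may not exist on every host.
# The leading '-' tells systemd-sysctl to ignore a failure to apply this line
# instead of logging an error, so one shared file can serve a whole fleet.
-net.ipv4.conf.enp0s8.rp_filter = 1
```

Running `systemctl restart systemd-sysctl.service` applies the file; `sysctl kernel.pid_max net.ipv4.ping_group_range` confirms the result. The "-" prefix only suppresses the error for that one key, so a typo in a key name is also silently ignored, which is a reason to use it sparingly and to verify the values after applying.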

  • systemd-networkd adds Local, Peer and PeerPort options for FooOverUDP tunnels to configure the local and remote IP addresses and the network port number. For TUN tunnels, a VnetHeader option has been added to configure GSO (Generic Segmentation Offload) support;
  • In systemd-networkd, a Property option has appeared in the [Match] section of .network and .link files, allowing devices to be matched by their udev properties;
  • In systemd-networkd, an AssignToLoopback option has been added for tunnels, controlling whether the tunnel endpoint is assigned to the "lo" loopback device;
  • systemd-networkd now only enables an IPv6 stack that was disabled via the disable_ipv6 sysctl when IPv6 configuration (static or DHCPv6) is specified for the interface; otherwise the previously set sysctl value is left unchanged;
  • In .network files, the CriticalConnection setting has been replaced by the KeepConfiguration option, which offers more ways to describe the situations ("yes", "static", "dhcp-on-stop", "dhcp") in which systemd-networkd must not touch existing connections at startup;
  • Fixed vulnerability CVE-2019-15718, caused by missing access control on the D-Bus interface provided by systemd. The issue allowed an unprivileged user to perform operations that are available only to administrators, such as changing the DNS settings and redirecting DNS queries to a malicious server;
  • Fixed vulnerability CVE-2019-9619, related to pam_systemd not sanitising parameters, which allowed the session to be spoofed.
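As an added example for the systemd-resolved item above (not a file from the page or from the systemd project), a resolved.conf drop-in that enables the new strict DNS-over-TLS mode and positive-only caching. The resolver addresses are placeholders from the RFC 5737 documentation range and must be replaced by resolvers that actually speak DNS-over-TLS on port 853.

```ini
# /etc/systemd/resolved.conf.d/dot.conf  (hypothetical drop-in)
[Resolve]
# Placeholder resolver addresses; strict mode needs servers that accept TLS on 853.
DNS=192.0.2.53 192.0.2.54
# "opportunistic" (the only mode before 243) falls back to cleartext DNS when the
# TLS handshake fails, so an on-path attacker can downgrade it by blocking 853.
# "yes" is the new strict mode: if TLS cannot be established, the lookup fails.
DNSOverTLS=yes
# Cache only positive answers. With the default ("yes"), a transient NXDOMAIN or
# NODATA answer would be served from cache for its whole TTL; "no-negative"
# makes the next query go to the server again.
Cache=no-negative
```

After `systemctl restart systemd-resolved`, `resolvectl status` shows "DNS over TLS: yes" for the configured links. Strict mode trades availability for confidentiality: if all configured resolvers become unreachable over TLS, name resolution stops rather than silently reverting to plaintext, so monitor for resolution failures after enabling it.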
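As an added example for the networkd items above on the Property match key, DefaultRouteOnDevice and KeepConfiguration (not a file from the page or from the systemd project), a .network file for a management link that is matched by udev properties rather than by a changeable interface name. The file name, the udev property values and the addresses (RFC 5737 range) are constructed.

```ini
# /etc/systemd/network/10-mgmt.network  (hypothetical file; property values and addresses are constructed)
[Match]
# Match on udev properties instead of the interface name, which can change when
# NICs are added or the kernel renames devices. The key=value pairs come from
# "udevadm info /sys/class/net/<ifname>"; a value with spaces is quoted.
Property=ID_NET_DRIVER=igb "ID_VENDOR_FROM_DATABASE=Example Vendor"

[Network]
Address=198.51.100.10/24
DNS=198.51.100.1
# Install a default route pointing at this device without naming a gateway,
# as on point-to-point links where the next hop has no address of its own.
DefaultRouteOnDevice=yes
# Replaces CriticalConnection=yes. "static" keeps the statically configured
# addresses and routes when systemd-networkd starts or stops; "dhcp-on-stop"
# keeps DHCP leases only across a networkd stop; "dhcp" keeps them while running
# too; "yes" keeps both static and DHCP configuration.
KeepConfiguration=static
```

`networkctl status` lists which .network file a link was matched by, so a Property= match that does not fire (for example because the property name was mistyped) is visible as the link showing up as "unmanaged". KeepConfiguration=static is the setting to reach for on a remote host where a networkd restart must not drop the very address the administrator is logged in through.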

Source: opennet.ru
