systemd 252 system manager released with UKI (Unified Kernel Image) support

Five months after the previous release, version 252 of the systemd system manager is out. The key change in the new version is support for a modern boot process in which a digital signature covers not only the kernel and the bootloader but also the main components of the initial system environment.

The approach is based on booting from a unified kernel image, UKI (Unified Kernel Image), which combines the UEFI boot stub that loads the kernel, the Linux kernel image, and the initrd system environment that is loaded into memory and used for early initialisation before the root FS is mounted. The UKI is produced as a single executable file in PE format, which can be loaded by conventional bootloaders or invoked directly by the UEFI firmware. When it is invoked from UEFI, the integrity and authenticity of the whole file can be verified by digital signature, i.e. not only the kernel but also the contents of the initrd are covered.

To work with the TPM PCR (Platform Configuration Register) values used for integrity measurement, and to produce a digital signature for the UKI, a new systemd-measure utility has been added: it pre-calculates the PCR 11 values that the stub will produce while measuring the UKI's sections at boot, and signs them with a private key. The public key and the signed PCR data can be placed directly into the UKI (they are stored in the PE file in the '.pcrsig' and '.pcrpkey' sections) and extracted from there by external or built-in tools.

In particular, the systemd-cryptsetup, systemd-cryptenroll and systemd-creds utilities have been adapted to use this information, which makes it possible to bind encrypted disk partitions (and encrypted credentials) to a digitally signed kernel: the TPM releases the unlock key only if its current PCR values match PCR values signed by the trusted key, i.e. only when a signed UKI was booted. Because the policy is bound to the signing key rather than to one fixed PCR value, a kernel update does not require re-enrolling the volume.

In addition, a systemd-pcrphase utility has been added that extends the PCR with markers for the individual boot phases (for example "enter-initrd" and "leave-initrd") on cryptoprocessors implementing the TPM 2.0 specification, so that the availability of a secret can be tied to a particular phase: for example, a LUKS2 decryption key can be made available only while the initrd is running and become inaccessible once the transition to the root file system has taken place.
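As an added example (not code from systemd; written for this article), the following Python script shows the two mechanisms described above on constructed data: it reads the section table of a minimal UKI-like PE file to extract the '.pcrsig' and '.pcrpkey' payloads, then models the PCR 11 extend chain that systemd-stub and systemd-pcrphase produce and checks whether a policy digest recorded in '.pcrsig' is still satisfiable after each boot phase. The PE builder, the measurement order, the byte encoding of the measured names and the simplified policy-digest function are assumptions made for the example; the JSON field names ('pcrs', 'pkfp', 'pol', 'sig') follow the format written by 'systemd-measure sign', and the extend rule PCR := SHA-256(PCR || SHA-256(data)) is the standard TPM 2.0 one.

```python
"""Added example for this article (not systemd code): parse the PE section table of a
UKI-like image to find .pcrsig/.pcrpkey, then model the PCR 11 extend chain produced by
systemd-stub and systemd-pcrphase to show when a signed PCR policy is satisfiable."""
import hashlib
import json
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
# Sections the stub measures into PCR 11, in this (assumed) order. .pcrsig is
# deliberately absent: it holds the signature over the expected value itself.
MEASURED_SECTIONS = (".linux", ".initrd", ".pcrpkey")


def build_pe(sections):
    """Constructed stand-in for a UKI: DOS header, PE signature, COFF header with an
    empty optional header, a section table and the raw section data."""
    hdr_len = 0x40 + 4 + 20 + len(sections) * SECTION_HDR.size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x0002)
    table, data, ptr = b"", b"", hdr_len
    for name, blob in sections.items():
        table += SECTION_HDR.pack(name.encode("ascii").ljust(8, b"\0"),
                                  len(blob), ptr, len(blob), ptr, 0, 0, 0, 0, 0x40000040)
        data += blob
        ptr += len(blob)
    return bytes(dos) + b"PE\0\0" + coff + table + data


def pe_sections(image):
    """Return {section name: raw bytes} from a PE image, with bounds checks so a
    malformed section table cannot make us read outside the file."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    (nsec,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size
    out = {}
    for i in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        name = name.rstrip(b"\0").decode("ascii")
        size = min(vsize, rawsize) if vsize else rawsize
        if rawptr + size > len(image):
            raise ValueError(f"section {name} extends past end of image")
        out[name] = image[rawptr:rawptr + size]
    return out


def pcr_extend(pcr, data):
    """TPM 2.0 PCR_Extend for the SHA-256 bank: PCR := H(PCR || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def expected_pcr11(sections, phases):
    """Pre-calculate PCR 11 the way systemd-measure does: the stub measures each
    section name (assumed NUL-terminated) and its contents, then systemd-pcrphase
    measures one string per boot phase reached ("enter-initrd", "leave-initrd", ...)."""
    pcr = bytes(32)
    for name in MEASURED_SECTIONS:
        if name in sections:
            pcr = pcr_extend(pcr, name.encode("ascii") + b"\0")
            pcr = pcr_extend(pcr, sections[name])
    for phase in phases:
        pcr = pcr_extend(pcr, phase.encode("ascii"))
    return pcr


def policy_digest(pcr11):
    """Simplified stand-in for the TPM2_PolicyPCR policy digest (a real TPM also hashes
    in the command code and PCR selection); it only has to change whenever PCR 11 does."""
    return hashlib.sha256(b"PolicyPCR:11:" + pcr11).hexdigest()


def make_sample_uki():
    """Constructed UKI whose .pcrsig (format of `systemd-measure sign`) authorises
    exactly one state: PCR 11 as it stands in the enter-initrd phase."""
    base = {
        ".linux": b"constructed kernel blob",
        ".initrd": b"constructed initrd blob",
        ".pcrpkey": b"-----BEGIN PUBLIC KEY-----\nconstructed\n-----END PUBLIC KEY-----\n",
    }
    pol = policy_digest(expected_pcr11(base, ["enter-initrd"]))
    pcrsig = {"sha256": [{
        "pcrs": [11],
        "pkfp": hashlib.sha256(base[".pcrpkey"]).hexdigest(),  # key fingerprint (constructed)
        "pol": pol,
        "sig": "Y29uc3RydWN0ZWQtc2lnbmF0dXJl",                   # would be the signature over pol
    }]}
    sections = dict(base)
    sections[".pcrsig"] = json.dumps(pcrsig).encode()
    return build_pe(sections)


def key_releasable(uki_image, phases):
    """Would a TPM that booted this UKI and reached `phases` satisfy any policy listed
    in .pcrsig? (Verifying the signature over `pol` itself is out of scope here.)"""
    secs = pe_sections(uki_image)
    entries = json.loads(secs[".pcrsig"])["sha256"]
    pol = policy_digest(expected_pcr11(secs, phases))
    return any(e["pcrs"] == [11] and e["pol"] == pol for e in entries)


if __name__ == "__main__":
    uki = make_sample_uki()
    for reached in (["enter-initrd"], ["enter-initrd", "leave-initrd"]):
        print(reached, "->", "key releasable" if key_releasable(uki, reached) else "policy mismatch")
```

On a real system the same binding is set up with 'systemd-measure sign' (which produces the JSON that ends up in '.pcrsig') and 'systemd-cryptenroll --tpm2-device=auto --tpm2-public-key=... --tpm2-signature=...'. The point the model makes is that, because systemd-pcrphase extends "leave-initrd" into PCR 11, a policy signed only for the "enter-initrd" state can no longer be satisfied after the switch to the root file system, and any change to a measured section (a tampered initrd, for instance) invalidates it as well.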

Other changes:

  • The default locale is now C.UTF-8 unless a different locale is explicitly set in the configuration.
  • Presets ("systemctl preset") can now be applied on first boot. Processing presets at first boot requires building with "-Dfirst-boot-full-preset", but it is planned to enable this by default in a future release.
  • The CPU resource controller is now enabled for user session slices, which ensures that CPUWeight= settings are applied to all of the slices into which a session is split (app.slice, background.slice, session.slice) to separate the resources of different user tasks competing for the CPU. CPUWeight= also accepts the value "idle" to select the idle scheduling policy.
  • Transient units and systemd-repart now support additional configuration through drop-in files (for units, in /etc/systemd/system/name.d/).
  • For system images, an end-of-support flag has been added, based on the value of the new "SUPPORT_END=" field in /etc/os-release.
  • Added "ConditionCredential=" and "AssertCredential=", which can be used to skip or fail a unit if a particular credential is not present on the system.
  • Added the "DefaultSmackProcessLabel=" and "DefaultDeviceTimeoutSec=" settings to system.conf and user.conf, which define the default SMACK security label and the default timeout for device units.
  • "ConditionFirmware=" and "AssertFirmware=" can now refer to SMBIOS fields; for example, to start a unit only if /sys/class/dmi/id/board_name contains the value "Custom Board", specify ConditionFirmware=smbios-field(board_name = "Custom Board").
  • At system initialisation (PID 1), credentials can now be imported from SMBIOS fields (Type 11, "OEM vendor strings") in addition to passing them via qemu_fwcfg, which makes it easier to deliver credentials into virtual machines without third-party tools such as cloud-init and ignition.
  • At shutdown, the logic for unmounting file systems (proc, sys) has been changed, and more information about the processes that prevent unmounting is written to the log.
  • The system call filter (SystemCallFilter=) now allows the riscv_flush_icache syscall by default.
  • The sd-boot bootloader can now boot in mixed mode, in which a 64-bit Linux kernel is loaded from 32-bit UEFI firmware. An experimental ability to enroll SecureBoot keys from files found in the ESP (EFI system partition) has been added.
  • New options in the bootctl utility: "--all-architectures" to install binaries for all EFI architectures, "--root=" and "--image=" to operate on a directory or a disk image, "--install-source=" to specify the installation source, and "--efi-boot-option-description=" to control the name of the boot entry.
  • The 'list-automounts' command has been added to systemctl to list configured automount points, and the "--image=" option to run commands against a specified disk image. "--state=" and "--type=" options have been added to the 'show' and 'status' commands.
  • systemd-networkd gained the options "TCPCongestionControlAlgorithm=" to select the TCP congestion control algorithm, "KeepFileDescriptor=" to keep the file descriptor of TUN/TAP interfaces open, "NetLabel=" to configure NetLabel, and "RapidCommit=" to speed up configuration via DHCPv6 (RFC 3315). The "RouteTable=" setting allows names to be defined for routing tables.
  • systemd-nspawn allows relative file paths in the "--bind=" and "--overlay=" options. The "--bind=" option gained support for the 'rootidmap' parameter, which maps the container's root user ID to the owner of the directory mounted from the host side.
  • systemd-resolved now uses OpenSSL as its default cryptographic backend (gnutls support is kept as an option). Unsupported DNSSEC algorithms are now treated as insecure instead of returning an error (SERVFAIL).
  • systemd-sysusers, systemd-tmpfiles and systemd-sysctl can now have their configuration overridden via the credentials mechanism.
  • A 'compare-versions' command has been added to systemd-analyze for comparing version strings (similar to 'rpmdev-vercmp' and 'dpkg --compare-versions'). The 'systemd-analyze dump' command can now filter units by a glob pattern.
  • For the two-step sleep mode (suspend-then-hibernate), the suspend duration is now chosen based on the predicted remaining battery life. An immediate transition to hibernation happens if less than 5% of the battery remains.
  • A new output mode, "-o short-delta", has been added to 'journalctl', showing the time difference between consecutive log messages.
  • systemd-repart adds support for creating partitions with a Squashfs file system and dm-verity partitions, including with a digital signature.
  • The "StopIdleSessionSec=" setting has been added to systemd-logind to terminate an idle session after a specified time.
  • systemd-cryptenroll gained the "--unlock-key-file=" option to read the volume's existing unlock key from a file instead of prompting the user for it.
  • systemd-growfs can now be used in environments without udev.
  • systemd-backlight improved support for systems with multiple graphics cards.
  • The license of the code examples in the documentation has been changed from CC0 to MIT-0.

Changes that break compatibility:

  • When checking the kernel version with ConditionKernelVersion=, a plain string comparison is now used for the '=' and '!=' operators, and if no operator is given at all, the value is matched as a shell-style glob using the characters '*', '?', '[' and ']'. To compare versions with strverscmp(), use '<', '>', '<=' and '>='.
  • The SELinux label used to check access to a unit file is now read when the file is loaded rather than at the time of the check.
  • The "ConditionFirstBoot=" condition is now true only on the system's first boot, during the boot process itself, and evaluates to "false" for units started after boot has completed.
  • In 2024 systemd plans to drop support for the cgroup v1 resource control hierarchy, which was deprecated in systemd 248. Administrators are advised to migrate services from cgroup v1 to cgroup v2 ahead of time. The main difference between cgroups v2 and v1 is the use of a single unified hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory usage control and I/O. Separate hierarchies make it hard to coordinate between the controllers and add kernel overhead when applying rules to processes that are placed in several hierarchies at once.
  • In the second half of 2023, support for split-usr layouts is planned to be dropped, i.e. configurations where /usr is mounted separately from the root file system, or where /bin and /usr/bin, /lib and /usr/lib are separate directories.
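The ConditionKernelVersion= change above is easy to get wrong in existing unit files, so here is an added example (written for this article, not systemd's own implementation) that applies the 252 rules to 'uname -r' strings: plain string equality for '=' and '!=', a shell-style glob when no operator is given, and a strverscmp()-like ordering for the relational operators. The strverscmp() approximation (digit runs compared numerically, everything else lexically) and the handling of several whitespace-separated terms as a conjunction are assumptions of this example.

```python
"""Added example (not systemd code): the ConditionKernelVersion= matching rules of
systemd 252 applied to `uname -r` strings, to show why a bare '=' comparison that
used to work may now need to become a glob or a '>=' test."""
import fnmatch
import re


def _version_key(s):
    """Split into digit and non-digit runs; digit runs compare numerically, the
    rest lexically (an approximation of glibc strverscmp(), assumed here)."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|\D+", s)]


def strverscmp(a, b):
    """Negative, zero or positive like the C function."""
    ka, kb = _version_key(a), _version_key(b)
    return (ka > kb) - (ka < kb)


def _match_one(expr, running):
    # Longer operators first so "<=" is not read as "<" followed by "=".
    for op in ("<=", ">=", "!=", "<", ">", "="):
        if expr.startswith(op):
            value = expr[len(op):]
            if op == "=":
                return running == value          # plain string equality since 252
            if op == "!=":
                return running != value
            c = strverscmp(running, value)        # version ordering only for < > <= >=
            return {"<": c < 0, ">": c > 0, "<=": c <= 0, ">=": c >= 0}[op]
    return fnmatch.fnmatchcase(running, expr)    # no operator: shell-style glob


def condition_kernel_version(expr, running):
    """Evaluate a ConditionKernelVersion= value (one or more whitespace-separated
    terms, all of which must hold) against the running kernel's version string."""
    terms = expr.split()
    return bool(terms) and all(_match_one(t, running) for t in terms)


if __name__ == "__main__":
    running = "5.15.0-91-generic"              # constructed `uname -r` output
    for expr in ("=5.15", "5.15.*", ">=5.10 <6.0", "5.1[0-9].*"):
        print(f"ConditionKernelVersion={expr!r:<16} -> {condition_kernel_version(expr, running)}")
```

The first case is the one that bites after the upgrade: "=5.15" used to be a version comparison and now requires the full string to be identical, so a unit that should run on any 5.15 kernel needs "5.15.*" (glob) or ">=5.15 <5.16" (strverscmp ordering) instead.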
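For the cgroup v1 deprecation notice, the practical first question is which layout a given host is actually running. The following added example (written for this article, not part of systemd) classifies the layout from the text of /proc/self/cgroup, where the unified (v2) hierarchy appears as the single line with hierarchy id 0 and an empty controller list while every v1 hierarchy has its own line, and shows the difference the notice describes: under v1 the same process can sit at different paths in the CPU, memory and other hierarchies. The sample file contents are constructed.

```python
"""Added example (not systemd code): classify the cgroup layout a process sees from
the contents of /proc/self/cgroup and show how v1 scatters one process across
several hierarchies. Sample file contents are constructed."""


def cgroup_layout(proc_self_cgroup):
    """Return (mode, v1_controllers, v2_path) for the text of /proc/self/cgroup.
    Each line is hierarchy-id:controllers:path. mode is "legacy" (v1 only),
    "hybrid" (v1 controllers plus a controller-less v2 tree) or "unified" (v2 only)."""
    v1 = {}
    v2_path = None
    for line in proc_self_cgroup.splitlines():
        if not line.strip():
            continue
        hier_id, controllers, path = line.split(":", 2)
        if hier_id == "0" and controllers == "":
            v2_path = path
        else:
            for ctrl in controllers.split(","):
                v1[ctrl] = path
    if v2_path is not None and not v1:
        return "unified", v1, v2_path
    if v2_path is not None:
        return "hybrid", v1, v2_path
    return "legacy", v1, v2_path


def v1_path_divergence(proc_self_cgroup):
    """Group the v1 controllers by the path this process has in each hierarchy. More
    than one group means the resource rules for one process live in different trees,
    which a single v2 hierarchy rules out by construction."""
    _mode, v1, _v2 = cgroup_layout(proc_self_cgroup)
    by_path = {}
    for ctrl, path in v1.items():
        by_path.setdefault(path, []).append(ctrl)
    return {path: sorted(ctrls) for path, ctrls in by_path.items()}


def live_cgroup_layout(path="/proc/self/cgroup"):
    """Same classification for the host this runs on (not used by the tests)."""
    with open(path, encoding="utf-8") as f:
        return cgroup_layout(f.read())


# Constructed samples of /proc/self/cgroup for the three layouts.
LEGACY_SAMPLE = (
    "12:cpuset:/\n"
    "11:memory:/user.slice/user-1000.slice/session-2.scope\n"
    "10:cpu,cpuacct:/user.slice\n"
    "1:name=systemd:/user.slice/user-1000.slice/session-2.scope\n"
)
HYBRID_SAMPLE = (
    "12:cpuset:/\n"
    "11:memory:/user.slice/user-1000.slice/session-2.scope\n"
    "10:cpu,cpuacct:/user.slice\n"
    "0::/user.slice/user-1000.slice/session-2.scope\n"
)
UNIFIED_SAMPLE = "0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-foo.service\n"

if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY_SAMPLE), ("hybrid", HYBRID_SAMPLE), ("unified", UNIFIED_SAMPLE)):
        mode, v1, v2 = cgroup_layout(sample)
        print(f"{label}: mode={mode} v1 controllers={sorted(v1)} v2 path={v2}")
        print("   distinct v1 paths:", len(v1_path_divergence(sample)))
```

Running it against a real host (live_cgroup_layout()) tells you whether the migration the notice asks for is still outstanding: "legacy" and "hybrid" both rely on the v1 controllers that are scheduled for removal.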

Source: opennet.ru
