Release of the systemd 242 system manager

After two months of development, the release of the systemd 242 system manager has been presented. Among the new features are support for L2TP tunnels, the ability to control the behaviour of systemd-logind on reboot through environment variables, support for additional XBOOTLDR boot partitions mounted at /boot, the ability to boot with the root partition in overlayfs, and a large number of new settings for the various unit types.

Major changes:

  • systemd-networkd provides support for L2TP tunnels;
  • sd-boot and bootctl provide support for XBOOTLDR (Extended Boot Loader) partitions intended for mounting at /boot, in addition to ESP partitions mounted at /efi or /boot/efi. Kernels, settings, initrd and EFI images can now be loaded from both ESP and XBOOTLDR partitions. This change allows the sd-boot bootloader to be used in some secure configurations, where the bootloader itself lives in the ESP while the loaded kernels and their associated metadata are placed in a separate partition;
  • Added the ability to boot with the "systemd.volatile=overlay" option passed to the kernel, which mounts the root partition in overlayfs and works on top of a read-only image of the root directory, with changes written to a separate directory in tmpfs (changes made in this configuration are lost after a reboot). Similarly, systemd-nspawn gained the "--volatile=overlay" option to use the same mode in containers;
  • systemd-nspawn gained the "--oci-bundle" option to allow the use of runtime bundles for self-contained launching of containers conforming to the Open Container Initiative (OCI) specification. For use on the command line and in nspawn units, support for various options defined in the OCI specification is provided; for example, the "--inaccessible" and "Inaccessible" options can be used to hide parts of the file system, and the "--console" and "--pipe" options have been added to configure the standard output streams;
  • Added the ability to control the behaviour of systemd-logind through the environment variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP, $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU and $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. Using these variables, you can plug in your own reboot process handlers (/run/systemd/reboot-to-firmware-setup, /run/systemd/reboot-to-boot-loader-menu and /run/systemd/reboot-to-boot-loader-entry) or disable them entirely (if the value is set to false);
  • Added the "--boot-loader-menu=" and "--boot-loader-entry=" options, allowing you to select a boot menu item or boot mode to use after reboot;
  • Added a new sandbox isolation setting "RestrictSUIDSGID=", which uses seccomp to prohibit the creation of files with the SUID/SGID flags;
  • The "NoNewPrivileges" and "RestrictSUIDSGID" restrictions are now enabled by default in services that use dynamic user ID mode ("DynamicUser" enabled);
  • The default MACAddressPolicy=persistent setting in .link files has been changed to cover additional devices. Network bridge interfaces, tunnels (tun, tap) and aggregated links (bond) are identified by nothing other than the network interface name, so this name is now used as the basis for binding MAC and IPv4 addresses. In addition, the "MACAddressPolicy=random" setting has been added, which can be used to bind random MAC and IPv4 addresses to devices;
  • ".device" unit files generated by systemd-fstab-generator no longer include ".mount" units as dependencies in the "Wants=" section. Simply plugging in a device no longer activates the mount unit automatically, but such units can still be started for other reasons, for example as part of local-fs.target or as a dependency of other units that depend on local-fs.target;
  • Added support for masks ("*", etc.) in the "networkctl list/status/lldp" commands to filter groups of network interfaces by part of their name;
  • The $PIDFILE environment variable is now set to the absolute path resolved in services via the "PIDFile=" parameter;
  • Public Cloudflare servers (1.1.1.1) have been added to the list of fallback DNS servers used when no primary DNS is explicitly configured. To override the list of fallback DNS servers, you can use the "-Ddns-servers=" option;
  • When a USB Device Controller is detected, the new usb-gadget.target handler is started automatically (when the system is running on a USB peripheral device);
  • For unit files, the "CPUQuotaPeriodSec=" setting has been implemented, which specifies the period over which the CPU time quota set via the "CPUQuota=" setting is measured;
  • For unit files, the "ProtectHostname=" setting has been implemented, which prohibits services from changing hostname information even if they have the appropriate privileges;
  • For unit files, the "NetworkNamespacePath=" setting has been implemented, which allows you to bind a network namespace to services or socket units by specifying the path to the namespace file in the /proc pseudo-FS;
  • Added the ability to disable environment variable substitution in commands started via the "ExecStart=" setting by adding the ":" character before the start of the command;
  • For timers (.timer units), the new flags "OnClockChange=" and "OnTimezoneChange=" have been added, which let you trigger the unit when the system clock or time zone changes;
  • Added the new settings "ConditionMemory=" and "ConditionCPUs=", which define conditions for invoking a unit depending on the memory size and the number of CPU cores (for example, a resource-intensive service can be started only if the required amount of RAM is available);
  • Added a separate time-set.target unit, which is reached when the local clock has been set, without requiring synchronization with external time servers via the time-sync.target unit. The new unit can be used by services that need a set, but not necessarily synchronized, local clock;
  • The "--show-transaction" option has been added to "systemctl start" and similar commands; when specified, a summary of all jobs added to the queue as a result of the requested operation is shown;
  • systemd-networkd uses a new state definition, 'enslaved', which is used instead of 'degraded' or 'carrier' for network interfaces that are part of an aggregated link or network bridge. For the primary interfaces, the 'degraded-carrier' state has been added for the case where one of the aggregated links has problems;
  • Added the "IgnoreCarrierLoss=" option to .network units to preserve network settings when the link is lost;
  • Using the "RequiredForOnline=" setting in .network units, you can now set the minimum acceptable link state required to consider the network "online" and to trigger the systemd-networkd-wait-online handler;
  • Added the "--any" option to systemd-networkd-wait-online to wait for readiness of any of the specified network interfaces rather than all of them, along with the "--operational-state=" option to define the link state that indicates readiness;
  • Added the "UseAutonomousPrefix=" and "UseOnLinkPrefix=" settings to .network units, which can be used to ignore prefixes received in an advertisement from an IPv6 router (RA, Router Advertisement);
  • In .network units, the "MulticastFlood=", "NeighborSuppression=" and "Learning=" settings have been added to change network bridge operating parameters, along with the "TripleSampling=" setting to enable TRIPLE-SAMPLING mode for CAN virtual interfaces;
  • The "PrivateKeyFile=" and "PresharedKeyFile=" settings have been added to .netdev units, with which you can specify the private and pre-shared (PSK) keys for WireGuard VPN interfaces;
  • Added the same-cpu-crypt and submit-from-crypt-cpus options to /etc/crypttab, which control how the scheduler behaves when migrating encryption-related work between CPU cores;
  • systemd-tmpfiles now locks files before performing operations in directories with temporary files, which lets you block the cleanup of old files for the duration of other actions (for example, when extracting a tar archive into /tmp, old files may be open and must not be deleted before the operation on them finishes);
  • The "systemd-analyze cat-config" command makes it possible to inspect configuration that is split across several files, for example user and system presets, the contents of tmpfiles.d and sysusers.d, udev rules, and so on;
  • Added the "--cursor-file=" option to "journalctl" to specify a file for loading and saving the cursor position;
  • Added detection of the ACRN hypervisor and the WSL subsystem (Windows Subsystem for Linux) to systemd-detect-virt, for subsequent branching with the "ConditionVirtualization" conditional;
  • When installing systemd (when running "ninja install"), symbolic links to the files systemd-networkd.service, systemd-networkd.socket, systemd-resolved.service, remote-cryptsetup.target, remote-fs.target, systemd-networkd-wait-online.service and systemd-timesyncd.service are no longer created. To create these files, you now have to run the "systemctl preset-all" command.
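As an added example (not code from systemd or from opennet.ru), the following Python script audits the [Service] section of a unit file for the sandboxing settings listed above (RestrictSUIDSGID=, NoNewPrivileges=, ProtectHostname=), treating DynamicUser= as implying the first two, as the notes describe. The sample units and the /usr/bin/example-daemon path are constructed.

```python
"""Audit a unit's [Service] section for the systemd 242 sandboxing directives
(RestrictSUIDSGID=, NoNewPrivileges=, ProtectHostname=). Added example, not systemd code."""

# Directives to check; each defaults to "no" unless DynamicUser= implies it.
HARDENING = ("NoNewPrivileges", "RestrictSUIDSGID", "ProtectHostname")
IMPLIED_BY_DYNAMIC_USER = {"NoNewPrivileges", "RestrictSUIDSGID"}
TRUE_VALUES = {"1", "yes", "true", "on"}


def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}; repeated keys keep every value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:  # stray line outside a section
            continue
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def is_true(value):
    return value.lower() in TRUE_VALUES


def audit_service(text):
    """Return findings for one unit; an empty list means every check passed."""
    service = parse_unit(text).get("Service", {})
    dynamic_user = any(is_true(v) for v in service.get("DynamicUser", []))
    findings = []
    for key in HARDENING:
        values = service.get(key, [])
        if values:
            # The last assignment wins, as in systemd; an explicit "no" is a finding.
            if not is_true(values[-1]):
                findings.append(f"{key}={values[-1]} explicitly disables the restriction")
        elif not (dynamic_user and key in IMPLIED_BY_DYNAMIC_USER):
            findings.append(f"{key}= not set (defaults to no)")
    return findings


# Constructed sample units for a hypothetical daemon (not from the page).
WEAK_UNIT = "[Service]\nExecStart=/usr/bin/example-daemon\nUser=example\n"
HARDENED_UNIT = ("[Service]\nExecStart=/usr/bin/example-daemon\n"
                 "DynamicUser=yes\nProtectHostname=yes\n")

if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit_service(unit) or "ok")
```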

Source: opennet.ru
