systemd 243 system manager released

After five months of development, release 243 of the systemd system manager has been published. Among the new features: a handler for kernel out-of-memory (OOM) events integrated into PID 1, support for attaching your own BPF programs to filter a unit's network traffic, many new systemd-networkd options, a mode for measuring the throughput of network interfaces, 22-bit PID numbers enabled by default on 64-bit systems (4194304 instead of the previous default of 32768), the switch to the unified cgroup hierarchy, and the integration of systemd-network-generator.

Major changes:

  • Handling of kernel-generated out-of-memory (OOM) events has been added to PID 1: when the kernel OOM killer terminates a process belonging to a unit, the unit is now recorded as having hit its memory limit, and the service manager can optionally stop or kill the whole unit in response instead of leaving a half-alive service behind (configured per service with OOMPolicy=continue|stop|kill);
  • For unit files, the new settings IPIngressFilterPath= and IPEgressFilterPath= allow BPF programs to be attached as custom filters for the incoming and outgoing IP packets of processes belonging to the unit. In effect this lets you build a per-service firewall for systemd services. The original announcement links to an example of writing a simple BPF-based network filter;

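As an added illustration of the two items above (this is example configuration written for this page, not code from the original article or from the systemd project), a drop-in for a hypothetical `web.service` that sets the new OOM policy and attaches a pair of pinned BPF programs as a per-service packet filter. The unit name, the pin paths under /sys/fs/bpf/web/ and the allow-listed network are assumptions; the programs themselves must already be loaded and pinned before the unit starts.

```ini
# /etc/systemd/system/web.service.d/10-netfilter.conf
# Added example for a hypothetical web.service; paths and addresses are assumed.
[Service]
# React to the kernel OOM killer taking out any process of this unit:
# kill the whole unit rather than leaving a partially dead service running.
OOMPolicy=kill

# Custom per-unit packet filters. Each path must point at a BPF program of
# type BPF_PROG_TYPE_CGROUP_SKB that is already pinned in the BPF filesystem,
# e.g.  bpftool prog load ingress.o /sys/fs/bpf/web/ingress type cgroup/skb
# A cgroup_skb program returns 1 to accept the packet and 0 to drop it.
IPIngressFilterPath=/sys/fs/bpf/web/ingress
IPEgressFilterPath=/sys/fs/bpf/web/egress

# The built-in address filters still apply alongside the custom programs.
# Deny-by-default here means a bug in the custom program cannot widen access
# beyond the listed ranges.
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=10.0.0.0/8
```

Both kinds of filter are implemented as cgroup-attached BPF and therefore need the unified cgroup hierarchy, which this release makes the build default; on the old hybrid layout they are not applied. After `systemctl daemon-reload`, `systemctl cat web.service` shows whether the drop-in was picked up, and the pin paths can be checked with `bpftool prog show pinned /sys/fs/bpf/web/ingress`.
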
  • A "clean" command has been added to the systemctl utility to remove a unit's cache, runtime, state and log directories;
  • systemd-networkd adds support for MACsec, nlmon, IPVTAP and Xfrm network interfaces;
  • systemd-networkd now configures the DHCPv4 and DHCPv6 stacks separately, through "[DHCPv4]" and "[DHCPv6]" sections in the configuration file. A RoutesToDNS= setting has been added to install dedicated routes to the DNS servers announced in the parameters received from the DHCP server (so that DNS traffic leaves through the same link as the default route obtained from DHCP). New DHCPv4 options were added: MaxAttempts= (the maximum number of attempts to obtain an address), BlackList= (a deny list of DHCP servers whose offers are ignored), and SendRelease= (send a DHCP RELEASE message when the lease is given up);
  • New commands have been added to the systemd-analyze utility:
    • "systemd-analyze timestamp" - parsing and converting timestamps;
    • "systemd-analyze timespan" - parsing and converting time spans;
    • "systemd-analyze condition" - parsing and evaluating ConditionXYZ= expressions;
    • "systemd-analyze exit-status" - parsing and converting exit codes from numbers to names and back;
    • "systemd-analyze unit-files" - listing all unit file paths and unit aliases.
  • The SuccessExitStatus=, RestartPreventExitStatus= and RestartForceExitStatus= settings now accept not only numeric exit codes but also symbolic names (for example "DATAERR"). The list of codes assigned to names can be viewed with the "systemd-analyze exit-status" command;

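An added example of the split DHCP configuration described above (written for this page, not taken from the article or from systemd's own documentation): a .network file that uses the new [DHCPv4] options. The interface name and the address of the DHCP server being ignored are assumptions.

```ini
# /etc/systemd/network/20-wired.network
# Added example; interface name and server addresses are assumed.
[Match]
Name=enp1s0

[Network]
DHCP=yes

[DHCPv4]
# Install routes to the DNS servers the lease announces, so DNS traffic
# follows the same link as the DHCP-supplied default route instead of
# leaking out through some other interface.
RoutesToDNS=yes
# Stop after 10 attempts to obtain a lease instead of retrying forever.
MaxAttempts=10
# Ignore offers from this (assumed) rogue DHCP server address.
BlackList=192.0.2.66
# Send a DHCP RELEASE when the lease is dropped so the address is not
# held by the server until it expires.
SendRelease=yes

[DHCPv6]
# DHCPv6 is now configured in its own section; only the DNS option is set here.
UseDNS=yes
```

Options that used to live in a single [DHCP] section move to one of the two new sections; `networkctl status enp1s0` shows the resulting addresses and routes, including the per-DNS-server routes added by RoutesToDNS=.
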
  • A "delete" command has been added to the networkctl utility to remove virtual network devices, together with a "--stats" option to show device statistics;
  • The SpeedMeter= and SpeedMeterIntervalSec= settings have been added to networkd.conf for periodically measuring the throughput of network interfaces. The figures obtained from the measurements can be viewed in the output of the 'networkctl status' command;
  • A new utility, systemd-network-generator, has been added; it generates .network, .netdev and .link files from the IP settings passed at boot on the Linux kernel command line in Dracut's format;

  • The sysctl "kernel.pid_max" value on 64-bit systems is now set by default to 4194304 (22-bit PIDs instead of the previous default of 32768), which reduces the chance of collisions when allocating PIDs, raises the limit on the number of simultaneously running processes, and has a positive effect on security, since PIDs are recycled far less often and the window for PID-reuse races shrinks accordingly. The change could in principle cause compatibility problems, but none have been reported in practice so far;
  • By default, the build now switches to the unified cgroups-v2 hierarchy ("-Ddefault-hierarchy=unified"). Previously the default was the hybrid mode ("-Ddefault-hierarchy=hybrid");
  • The behaviour of the system call filter (SystemCallFilter=) has changed: when a prohibited system call is made, the whole process is now terminated rather than only the offending thread, since killing individual threads can leave the process in an inconsistent state and lead to unexpected problems. The change takes effect only with Linux kernel 4.14+ and libseccomp 2.4.0+;
  • Unprivileged processes are allowed to send ICMP Echo (ping) packets by setting the sysctl "net.ipv4.ping_group_range" to cover the whole range of groups (i.e. for all processes);
  • To speed up the build, generation of man pages is disabled by default (to build the full documentation use the "-Dman=true" option, or "-Dhtml=true" for documentation in HTML format). To make consulting the documentation easier, two scripts are included, build/man/man and build/man/html, for generating and viewing a specific page;
  • For resolving domain names containing characters from national alphabets, the libidn2 library is now used by default (to return to libidn, use the "-Dlibidn=true" option);
  • Support for the /usr/sbin/halt.local executable, whose behaviour was implemented inconsistently across distributions, has been discontinued. To schedule commands at shutdown it is recommended to use scripts in /usr/lib/systemd/system-shutdown/ or to define a new unit ordered relative to final.target;
  • At the final stage of shutdown, systemd now raises the console log level in the sysctl "kernel.printk", which fixes the problem of events from the last stages of shutdown, when daemons have already exited, not being shown on the console;
  • In journalctl and other log-viewing utilities, warnings are now highlighted in yellow and audit records are shown in blue to make them stand out from the mass of messages;
  • In the $PATH environment variable, the path to bin/ now comes before the path to sbin/, i.e. if executables with the same name exist in both directories, the one from bin/ will be run;
  • systemd-logind provides a SetBrightness() call for safely changing the screen brightness on a per-session basis;
  • A "--wait-for-initialization" flag has been added to the "udevadm info" command to wait for a device to become initialized;
  • During system boot, PID 1's status output now shows unit names instead of a line with their descriptions. To return to the old behaviour, use the StatusUnitFormat= option in /etc/systemd/system.conf or the systemd.status_unit_format= kernel option;
  • A KExecWatchdogSec= option has been added to /etc/systemd/system.conf for the PID 1 watchdog; it defines the timeout for a reboot via kexec. The old setting ShutdownWatchdogSec= has been renamed RebootWatchdogSec= and defines the timeout for operations during shutdown or a normal reboot;

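The halt.local item above recommends a unit tied to final.target as the replacement. The following unit is an added example written for this page (not the article's or the project's own code) of such a replacement; the unit name and the script path /usr/local/sbin/halt-local.sh are assumptions.

```ini
# /etc/systemd/system/halt-local.service
# Added example replacing the dropped /usr/sbin/halt.local hook;
# unit name and script path are assumed.
[Unit]
Description=Site-local shutdown hook (halt.local replacement)
# Default dependencies would add Conflicts=shutdown.target and stop this
# unit early in the shutdown transaction, so they must be disabled.
DefaultDependencies=no
# Run only once everything else has been stopped and unmounted ...
After=final.target
# ... but still before the actual halt/poweroff/reboot/kexec is executed,
# otherwise the two would race.
Before=systemd-halt.service systemd-poweroff.service systemd-reboot.service systemd-kexec.service

[Service]
Type=oneshot
# umount.target is ordered before final.target, so non-root filesystems are
# already gone: keep the script (and anything it needs) on the root filesystem.
ExecStart=/usr/local/sbin/halt-local.sh

[Install]
WantedBy=final.target
```

Enable it with `systemctl enable halt-local.service`. The other option the release notes mention, an executable dropped into /usr/lib/systemd/system-shutdown/, runs even later, from the systemd-shutdown binary after the root filesystem has been remounted read-only, and receives a single argument ("halt", "poweroff", "reboot" or "kexec") that the script can branch on.
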
  • A new ExecCondition= setting has been added for services; it specifies commands to be run before ExecStartPre=. Depending on the exit code returned by the command, a decision is made on whether to continue starting the unit: exit code 0 continues startup, codes 1 to 254 skip the unit silently without setting the failure flag, and 255 terminates it with the failure flag set;
  • A new service, systemd-pstore.service, has been added to extract data from /sys/fs/pstore/ and archive it in /var/lib/systemd/pstore/ for later analysis;
  • New commands have been added to the timedatectl utility for configuring the per-interface NTP settings of systemd-timesyncd;
  • The "localectl list-locales" command no longer shows non-UTF-8 locales;
  • Errors from applying individual settings in sysctl.d/ files can now be ignored by prefixing the setting's name with the "-" character;
  • The systemd-random-seed.service service now fully takes over the task of initializing the entropy pool of the Linux kernel's pseudo-random number generator. Services that need a properly initialized /dev/urandom should be ordered after systemd-random-seed.service;
  • The systemd-boot boot loader gained the ability to maintain a file with a random seed in the EFI System Partition (ESP);
  • New commands have been added to the bootctl utility: "bootctl random-seed" to create the seed file in the ESP, and "bootctl is-installed" to check whether the systemd-boot boot loader is installed. bootctl has also been changed to warn about inconsistent boot entry configuration (for example, when a kernel image has been deleted but its boot entry remains);
  • Automatic selection of the swap partition when the system enters hibernation is provided. The partition is chosen by its priority and, when priorities are equal, by the amount of free space;
  • A keyfile-timeout= option has been added to /etc/crypttab to set how long to wait for the device holding the encryption key before falling back to prompting for a password to unlock the encrypted partition;
  • The IOWeight= setting now also configures the I/O weight for the BFQ scheduler;
  • systemd-resolved has gained a "strict" mode for DNS-over-TLS and the ability to cache only positive DNS responses ("Cache=no-negative" in resolved.conf);
  • For VXLAN, systemd-networkd adds a GenericProtocolExtension= setting to enable VXLAN protocol extensions. For VXLAN and GENEVE, an IPDoNotFragment= setting has been added to set the flag prohibiting fragmentation of outgoing packets;
  • In systemd-networkd, the "[Route]" section gained a FastOpenNoCookie= setting to enable TCP Fast Open (TFO, RFC 7413) without a cookie on a per-route basis, and a TTLPropagate= setting to control TTL propagation for an LSP (Label Switched Path). The "Type=" setting supports the local, broadcast, anycast, multicast, any and xresolve routing modes;
  • systemd-networkd provides a DefaultRouteOnDevice= setting in the "[Network]" section to automatically configure a default route bound to the given network interface;
  • systemd-networkd adds ProxyARP= and ProxyARPWiFi= for configuring proxy ARP behaviour, MulticastRouter= for setting the routing parameter in multicast mode, and MulticastIGMPVersion= for changing the IGMP (Internet Group Management Protocol) version used for multicast;

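An added example (written for this page, not code from the article or from systemd) that ties together three service-level items from this release: the ExecCondition= exit-code contract, symbolic names in SuccessExitStatus=, and the recommended ordering after systemd-random-seed.service for anything that consumes /dev/urandom. The unit name, the key path and the key-generation program are assumptions.

```ini
# /etc/systemd/system/hostkey.service
# Added example; unit name, key path and generator program are assumed.
[Unit]
Description=Generate host key material once the kernel RNG is seeded
# /dev/urandom is only guaranteed to be properly seeded after this service
# has run, so key generation must be ordered behind it.
After=systemd-random-seed.service

[Service]
Type=oneshot
# ExecCondition= runs before ExecStartPre=. Exit 0 continues the start,
# 1..254 skips the unit quietly (no failure flag), 255 marks it failed.
# Here the unit is skipped when a key already exists: the shell's test
# returns 1 in that case, which is "skip", not "failure".
ExecCondition=/bin/sh -c 'test ! -e /etc/keys/host.key'
ExecStart=/usr/local/sbin/make-host-key /etc/keys/host.key
# Symbolic exit codes are accepted as of 243. For this (assumed) generator,
# DATAERR (65) means "nothing to do" and is treated as success.
SuccessExitStatus=DATAERR
```

The same symbolic names work for RestartPreventExitStatus= and RestartForceExitStatus= in long-running services; `systemd-analyze exit-status DATAERR` confirms which number a name maps to before relying on it.
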
  • systemd-networkd adds Local=, Peer= and PeerPort= settings for FooOverUDP tunnels to configure the local and remote IP addresses and the network port number. For TUN tunnels, a VnetHeader= setting has been added to configure GSO (Generic Segmentation Offload) support;
  • In systemd-networkd, a Property= setting has appeared in the [Match] section of .network and .link files, allowing devices to be matched by their udev properties;
  • In systemd-networkd, an AssignToLoopback= setting has been added for tunnels; it controls whether the tunnel endpoint is assigned to the loopback device "lo";
  • systemd-networkd now handles the IPv6 stack being disabled via the disable_ipv6 sysctl: IPv6 is enabled when IPv6 settings (static or DHCPv6) are specified for the network interface, otherwise the existing sysctl value is left unchanged;
  • In .network files, the CriticalConnection= setting has been replaced by the KeepConfiguration= setting, which offers more ways to specify the conditions ("yes", "static", "dhcp-on-stop", "dhcp") under which systemd-networkd must not touch existing connections when it starts or stops;
  • Fixed vulnerability CVE-2019-15718, caused by missing access control on the D-Bus interface of systemd-resolved. The issue allowed an unprivileged user to perform operations available only to administrators, such as changing DNS settings and redirecting DNS queries to a malicious server;
  • Fixed vulnerability CVE-2019-9619, related to pam_systemd not being disabled for non-interactive sessions, which allowed an active session to be spoofed.

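The two systemd-resolved items in the list (the strict DNS-over-TLS mode and "Cache=no-negative") are the settings a practitioner is most likely to want after this release, so here is an added example of them in a resolved.conf drop-in. This is configuration written for this page, not from the article or from systemd; the resolver addresses are assumptions.

```ini
# /etc/systemd/resolved.conf.d/dot.conf
# Added example; the upstream resolver addresses are assumed.
[Resolve]
DNS=9.9.9.9 149.112.112.112
# "yes" is the strict mode added in 243: queries are sent over TLS only and
# are never downgraded to plaintext DNS if the TLS connection fails. The
# older "opportunistic" mode silently falls back, which an on-path attacker
# can force by blocking port 853.
DNSOverTLS=yes
# Cache positive answers only, so a spoofed or transient NXDOMAIN is not
# remembered for the record's TTL.
Cache=no-negative
```

After `systemctl restart systemd-resolved`, `resolvectl status` reports the active DNS-over-TLS setting per link; if the configured servers do not speak TLS, strict mode makes resolution fail outright rather than leak plaintext queries, which is the intended behaviour.
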
Source: opennet.ru
