systemd 248 system manager released

After four months of development, systemd 248, the system manager, has been released. The new release adds support for images that extend system directories, the /etc/veritytab configuration file, the systemd-cryptenroll utility, unlocking LUKS2 volumes with TPM2 chips and FIDO2 tokens, running units in a separate IPC identifier namespace, the BATMAN protocol for mesh networks, and an nftables backend for systemd-nspawn. systemd-oomd has been stabilized.

Main changes:

  • The concept of System Extension images has been implemented. Such images can be used to extend the /usr/ and /opt/ hierarchies, adding extra files at runtime even when those directories are mounted read-only. When a system extension image is attached, its contents are overlaid onto the /usr/ and /opt/ hierarchies using OverlayFS.

    A new utility, systemd-sysext, is provided for attaching, detaching, listing and refreshing system extension images. To automatically attach already-installed images at boot, the systemd-sysext.service service has been added. The "SYSEXT_LEVEL=" parameter has been added to the os-release file to identify the version of system extensions that is supported.

  • For units, the ExtensionImages setting has been implemented, which can be used to attach system extension images to the file system namespace hierarchy of individual services.
  • Added the /etc/veritytab configuration file for setting up block-level data verification with the dm-verity module. The file format is similar to /etc/crypttab: "section_name device_for_data device_for_hashes root_hash options". Added the systemd.verity.root_options kernel command line option to configure dm-verity settings for the root device.
  • systemd-cryptsetup adds the ability to extract the PKCS#11 token URI and the encrypted key from the LUKS2 metadata header in JSON format, allowing the information needed to unlock an encrypted device to be embedded in the device itself without relying on external files.
  • systemd-cryptsetup adds support for unlocking LUKS2 encrypted partitions with TPM2 chips and FIDO2 tokens, in addition to the previously supported PKCS#11 tokens. libfido2 is loaded via dlopen(), i.e. its availability is checked on the fly rather than being a hard-wired dependency.
  • New options "no-write-workqueue" and "no-read-workqueue" have been added to /etc/crypttab for systemd-cryptsetup, enabling synchronous I/O for encryption and decryption.
  • The systemd-repart utility adds the ability to set up encrypted partitions using TPM2 chips, for example to create an encrypted /var partition on first boot.
  • The systemd-cryptenroll utility has been added for binding TPM2, FIDO2 and PKCS#11 tokens to LUKS partitions, as well as for unbinding and listing tokens, binding recovery keys and setting an access password.
  • Added the PrivateIPC parameter, which lets a unit file specify that its processes run in a separate IPC namespace with their own identifiers and message queues. To attach a unit to an already created IPC identifier namespace, the IPCNamespacePath option is provided.
  • Added the ExecPaths and NoExecPaths settings, which allow the noexec flag to be applied to specific parts of the file system.
  • systemd-networkd adds support for the BATMAN (Better Approach To Mobile Adhoc Networking) mesh protocol, which allows building decentralized networks in which every node is connected through its neighbors. For configuration, a [BatmanAdvanced] section in .netdev files, a BatmanAdvanced parameter in .network files, and the new "batadv" type are provided.
  • The implementation of the early low-memory response mechanism in systemd-oomd has been stabilized. Added the DefaultMemoryPressureDurationSec option to configure how long to wait for the resource to be freed before terminating a unit. systemd-oomd uses the PSI (Pressure Stall Information) kernel subsystem, detects the onset of stalls caused by resource shortages, and selectively terminates resource-hungry processes while the system is not yet in a critical state and has not started aggressively trimming caches and pushing data to the swap partition.
  • Added the kernel command line parameter "root=tmpfs", which allows mounting the root partition in temporary RAM-backed storage using tmpfs.
  • The /etc/crypttab parameter that specifies the key file can now point to an AF_UNIX socket of type SOCK_STREAM. In that case, the key must be supplied when a connection to the socket is made, which can be used, for example, to build services that generate keys dynamically.
  • The fallback hostname used by the system manager and systemd-hostnamed can now be set in two ways: via the DEFAULT_HOSTNAME parameter in os-release and via the $SYSTEMD_DEFAULT_HOSTNAME environment variable. systemd-hostnamed also handles "localhost" as a hostname and adds the ability to export the internal name together with the "HardwareVendor" and "HardwareModel" properties via DBus.
  • The block of environment variables exposed by the manager can now be configured via the new ManagerEnvironment option in system.conf or user.conf, and not only via the kernel command line and unit file settings.
  • When launching processes, the fexecve() system call can be used instead of execve() to reduce the window between checking the security context and using it.
  • For unit files, the new ConditionSecurity=tpm2 and ConditionCPUFeature conditions have been added to check for the presence of TPM2 devices and individual CPU capabilities (for example, ConditionCPUFeature=rdrand can be used to check whether the processor supports the RDRAND instruction).
  • For current kernels, automatic generation of the system call tables for seccomp filters has been implemented.
  • Added the ability to substitute new bind mounts into the existing namespaces of services without restarting the services. The substitution is performed with the commands 'systemctl bind …' and 'systemctl mount-image …'.
  • Added support for specifying a path in the StandardOutput and StandardError settings with the "truncate:" prefix, which truncates the file before use.
  • Added the ability to set up a connection to a specific user session inside a container for sd-bus. For example: "systemctl --user -M lennart@ start qux".
  • The following parameters are implemented in systemd.link files in the [Link] section:
    • Promiscuous, which switches the device into "promiscuous" mode to process all network packets, including those not addressed to the current system;
    • TransmitQueues and ReceiveQueues for setting the number of TX and RX queues;
    • TransmitQueueLength for setting the TX queue size; GenericSegmentOffloadMaxBytes and GenericSegmentOffloadMaxSegment for setting limits on the use of GRO (Generic Receive Offload).
  • New settings have been added to systemd.network files:
    • [Network] RouteTable for selecting the routing table;
    • [RoutingPolicyRule] Type for the route type ("blackhole", "unreachable", "prohibit");
    • [IPv6AcceptRA] RouteDenyList and RouteAllowList for lists of allowed and denied route advertisements;
    • [DHCPv6] UseAddress to ignore the address provided by DHCP;
    • [DHCPv6PrefixDelegation] ManageTemporaryAddress;
    • ActivationPolicy for defining the policy for interface activation (always keep the interface in the UP or DOWN state, or allow the user to change the state with the "ip link set dev" command).
  • Added the [VLAN] Protocol, IngressQOSMaps and EgressQOSMaps options and the [MACVLAN] BroadcastMulticastQueueLength option to systemd.netdev files for configuring VLAN packet handling.
  • The /dev/ directory is no longer mounted in noexec mode, since this caused conflicts when using the executable flag with /dev/sgx files. To restore the old behavior, the NoExecPaths=/dev setting can be used.
  • The permissions of the /dev/vsock file have been changed to 0o666, and the /dev/vhost-vsock and /dev/vhost-net files have been moved to the kvm group.
  • The hardware ID database has been extended with USB fingerprint readers that correctly support sleep mode.
  • systemd-resolved adds support for answering DNSSEC queries via the stub resolver. Local clients can perform DNSSEC validation themselves, while external clients are transparently proxied to the upstream DNS server.
  • Added the CacheFromLocalhost option to resolved.conf; when set, systemd-resolved caches even requests to a DNS server at 127.0.0.1 (by default, caching of such requests is disabled to avoid double caching).
  • systemd-resolved adds support for RFC 5001 NSID in the local DNS resolver, allowing clients to distinguish between talking to the local resolver and to another DNS server.
  • The resolvectl utility adds the ability to show where data came from (local cache, network request, locally generated response) and whether encryption was used when transmitting it. The --cache, --synthesize, --network, --zone, --trust-anchor and --validate options are provided to control name resolution.
  • systemd-nspawn adds support for configuring the firewall with nftables in addition to the existing iptables support. The IPMasquerade setting in systemd-networkd gains the ability to use an nftables-based backend.
  • systemd-localed adds support for calling locale-gen to generate missing locales.
  • The --pager/--no-pager/--json= options have been added to various utilities to enable or disable paging mode and to produce JSON output. Added the ability to set the number of colors used in the terminal via the SYSTEMD_COLORS environment variable ("16" or "256").
  • Builds with split directory hierarchies (separate / and /usr) and cgroup v1 support have been deprecated.
  • The main Git branch has been renamed from 'master' to 'main'.
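The /etc/veritytab and /etc/crypttab entries described above are plain whitespace-separated lines, so a small parser makes it easy to audit a host's configuration: check that a veritytab root hash is actually a hex digest, and see which crypttab entries opt into the new no-read-workqueue/no-write-workqueue behaviour. The following is an added example written for this page, not systemd's own code; the field order follows the notes above, the sample files are constructed, and the "ignore-corruption" finding assumes that option is present on the system being checked.

```python
"""Parse /etc/crypttab and /etc/veritytab lines and flag settings worth a second look.

Added example for this article, not systemd code. Field order follows the
release notes: crypttab "name device keyfile options", veritytab
"name data_device hash_device root_hash options".
"""
import re
from dataclasses import dataclass

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample files (not taken from any real system).
CRYPTTAB_SAMPLE = """\
# constructed sample crypttab
luks-data  /dev/disk/by-uuid/0000-aaaa  none               luks,no-read-workqueue,no-write-workqueue
luks-keyed /dev/sdb2                    /run/keys/sdb2.key luks,discard
"""
VERITYTAB_SAMPLE = """\
# constructed sample veritytab; the root hash is a made-up 64-hex-char value
usr /dev/disk/by-partlabel/usr /dev/disk/by-partlabel/usr-verity 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef ignore-corruption
"""


@dataclass
class CryptEntry:
    name: str
    device: str
    key: str
    options: dict


@dataclass
class VerityEntry:
    name: str
    data_device: str
    hash_device: str
    root_hash: str
    options: dict


def _parse_options(raw: str) -> dict:
    """'a,b=c' -> {'a': True, 'b': 'c'}; '-' or '' means no options."""
    opts = {}
    if raw in ("", "-"):
        return opts
    for item in raw.split(","):
        if item:
            key, _, value = item.partition("=")
            opts[key] = value if value else True
    return opts


def _fields(line: str):
    """Drop comments and blank lines; return the whitespace-separated fields or None."""
    body = line.split("#", 1)[0].strip()
    return body.split() if body else None


def parse_crypttab(text: str) -> list:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = _fields(line)
        if f is None:
            continue
        if len(f) < 2:
            raise ValueError(f"crypttab line {lineno}: need at least a name and a device")
        key = f[2] if len(f) > 2 else "-"
        entries.append(CryptEntry(f[0], f[1], key, _parse_options(f[3] if len(f) > 3 else "")))
    return entries


def parse_veritytab(text: str) -> list:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = _fields(line)
        if f is None:
            continue
        if len(f) < 4:
            raise ValueError(f"veritytab line {lineno}: need name, data device, hash device and root hash")
        if not HEX_RE.match(f[3]) or len(f[3]) % 2:
            raise ValueError(f"veritytab line {lineno}: root hash is not an even-length hex string")
        entries.append(VerityEntry(f[0], f[1], f[2], f[3].lower(), _parse_options(f[4] if len(f) > 4 else "")))
    return entries


def uses_sync_io(entry: CryptEntry) -> bool:
    """True when both dm-crypt workqueues are bypassed via the 248 crypttab options."""
    return "no-read-workqueue" in entry.options and "no-write-workqueue" in entry.options


def verity_findings(entry: VerityEntry) -> list:
    """Points a reviewer would raise about a veritytab entry."""
    findings = []
    if len(entry.root_hash) != 64:
        findings.append(f"root hash is {len(entry.root_hash)} hex chars, not the 64 of a sha256 digest")
    if "ignore-corruption" in entry.options:
        findings.append("option ignore-corruption: corrupted blocks are passed through instead of failing I/O")
    return findings


if __name__ == "__main__":
    for e in parse_crypttab(CRYPTTAB_SAMPLE):
        print(e.name, "sync I/O" if uses_sync_io(e) else "workqueue I/O")
    for v in parse_veritytab(VERITYTAB_SAMPLE):
        print(v.name, verity_findings(v) or "no findings")
```

The parser deliberately rejects a non-hex root hash rather than warning, because a typo there means dm-verity will refuse every block anyway; the length check is only a finding, since other digest algorithms produce different lengths.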
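The systemd-oomd item above describes the mechanism in one sentence: read PSI, wait until pressure has stayed high for a configured duration, then pick a resource-hungry victim. The following added example (written for this article, not systemd-oomd's code) shows that logic over constructed /proc/pressure/memory samples. It assumes the "full" avg10 figure is the one compared against the limit, that the 60 % limit and 30-second duration are arbitrary sample values, and that the cgroup memory figures are constructed; it never signals any process.

```python
"""PSI-driven memory-pressure watcher, modelled on the systemd-oomd description.

Added example for this article, not systemd-oomd code. Assumptions: the
'full' avg10 figure is what gets compared to the limit; limit, duration,
cgroup names and memory figures below are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import Optional

PSI_LINE = re.compile(r"^(some|full) avg10=(\S+) avg60=(\S+) avg300=(\S+) total=(\d+)$")

# Constructed /proc/pressure/memory snapshots (not captured from a real host).
CALM = "some avg10=0.00 avg60=0.00 avg300=0.00 total=1000\n" \
       "full avg10=0.00 avg60=0.00 avg300=0.00 total=0\n"
STALLED = "some avg10=85.12 avg60=40.00 avg300=12.00 total=9000000\n" \
          "full avg10=72.40 avg60=30.00 avg300=9.00 total=7000000\n"


def parse_psi(text: str) -> dict:
    """Parse PSI text into {'some': {...}, 'full': {...}} with float averages."""
    out = {}
    for line in text.splitlines():
        m = PSI_LINE.match(line.strip())
        if m:
            kind, a10, a60, a300, total = m.groups()
            out[kind] = {"avg10": float(a10), "avg60": float(a60),
                         "avg300": float(a300), "total": int(total)}
    if "some" not in out or "full" not in out:
        raise ValueError("PSI text lacks a 'some' or 'full' line")
    return out


@dataclass
class PressureWatcher:
    limit_pct: float        # analogue of a memory pressure limit, in percent
    duration_sec: float     # analogue of DefaultMemoryPressureDurationSec
    _over_since: Optional[float] = None

    def observe(self, psi_text: str, now: float) -> bool:
        """Feed one sample taken at time `now`; return True once 'full' avg10 has
        stayed at or above the limit continuously for duration_sec seconds."""
        full_avg10 = parse_psi(psi_text)["full"]["avg10"]
        if full_avg10 < self.limit_pct:
            self._over_since = None          # pressure eased: reset the timer
            return False
        if self._over_since is None:
            self._over_since = now           # first sample over the limit
        return now - self._over_since >= self.duration_sec


def first_action_time(samples, limit_pct: float, duration_sec: float) -> Optional[float]:
    """Run the watcher over (timestamp, psi_text) pairs; return when it first fires."""
    watcher = PressureWatcher(limit_pct, duration_sec)
    for ts, text in samples:
        if watcher.observe(text, ts):
            return ts
    return None


def pick_victim(memory_by_cgroup: dict) -> Optional[str]:
    """Select the cgroup currently using the most memory; None if no candidates."""
    if not memory_by_cgroup:
        return None
    return max(memory_by_cgroup, key=memory_by_cgroup.get)


if __name__ == "__main__":
    trace = [(0, CALM), (10, STALLED), (20, STALLED), (30, STALLED), (40, STALLED)]
    print("would act at t =", first_action_time(trace, 60.0, 30.0))
    print("victim:", pick_victim({"/user.slice/app-a": 2_000_000, "/system.slice/b": 5_000_000}))
```

The timer reset on any sample below the limit is the point of the duration setting: a short spike that resolves on its own, for instance while the kernel reclaims cache, never triggers action, which is the "not yet critical" behaviour the release note describes.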

Source: opennet.ru
