Release of the systemd system manager 252 with UKI (Unified Kernel Image) support

After five months of development, version 252 of the systemd system manager has been released. The key change in the new version is the integration of support for a modern boot process that makes it possible to verify, using digital signatures, not only the kernel and the bootloader but also the components of the basic system environment.

The proposed approach involves booting from a Unified Kernel Image (UKI), which combines the handler that loads the kernel from UEFI (the UEFI boot stub), the Linux kernel image and the initrd system environment that is loaded into memory and used for initial initialization before the root FS is mounted. The UKI image is packaged as a single executable file in PE format that can be loaded by traditional bootloaders or invoked directly from the EFI firmware. When it is invoked from UEFI, the integrity and authenticity of not only the kernel but also the contents of the initrd can be verified by digital signature.

To read the TPM PCR (Trusted Platform Module Platform Configuration Register) values used to check integrity and to produce a digital signature for the UKI image, a new utility, systemd-measure, is included. The public key and the accompanying PCR information used in the signature can be embedded directly into the UKI boot image (the key and signature are stored in the PE file in the '.pcrsig' and '.pcrkey' sections) and extracted from it by external or built-in utilities.
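As an added example (not code from systemd or from the original article), the following Python parser walks the PE section table of a UKI file and reports which of the stub's sections, including the '.pcrsig' and '.pcrkey' sections mentioned above, are present, with their sizes and SHA-256 hashes, so an administrator can compare a deployed image against a known build. The other section names (.linux, .initrd, .cmdline, .osrel) are the ones systemd-stub documents; build_pe is a constructed fixture so the code runs offline without a real UKI.

```python
import hashlib
import struct

# Section names systemd-stub looks for in a UKI; .pcrsig and .pcrkey are the ones named above.
UKI_SECTIONS = (".linux", ".initrd", ".cmdline", ".osrel", ".pcrsig", ".pcrkey")


def pe_sections(data: bytes) -> dict:
    """Walk the PE/COFF section table and return {section name: section bytes}."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the COFF and optional headers
    out = {}
    for i in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        size = min(vsize, rawsize) if vsize else rawsize  # raw size is padded to file alignment
        out[name.rstrip(b"\0").decode()] = data[rawptr:rawptr + size]
    return out


def uki_inventory(data: bytes) -> dict:
    """Which UKI sections are present, with size and SHA-256, for comparison against a known build."""
    secs = pe_sections(data)
    return {n: {"size": len(secs[n]), "sha256": hashlib.sha256(secs[n]).hexdigest()}
            for n in UKI_SECTIONS if n in secs}


def build_pe(sections: dict) -> bytes:
    """Constructed fixture: a minimal, non-bootable PE with the given sections, for offline testing."""
    pe_off, align = 0x40, 0x200
    hdr = bytearray(b"MZ".ljust(pe_off, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    data_off = -(-(pe_off + 24 + 40 * len(sections)) // align) * align
    body = bytearray()
    for name, payload in sections.items():
        raw = payload.ljust(-(-len(payload) // align) * align, b"\0")
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), 0, len(raw),
                           data_off + len(body), 0, 0, 0, 0, 0x40000040)
        body += raw
    return bytes(hdr.ljust(data_off, b"\0")) + bytes(body)


if __name__ == "__main__":
    print(uki_inventory(build_pe({".linux": b"constructed kernel", ".pcrsig": b"{}"})))
```

On a real image, replace the fixture with `open("/boot/EFI/Linux/<uki>.efi", "rb").read()` (path is a placeholder).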

In particular, the systemd-cryptsetup, systemd-cryptenroll and systemd-creds utilities have been adapted to use this information, so that encrypted disk partitions can be bound to the signed kernel (in that case, access to the encrypted partition is granted only if the UKI image has passed digital signature verification against the parameters held in the TPM).

In addition, the systemd-pcrphase utility is included, which lets you control how the individual boot phases are bound to the values held in the registers of cryptoprocessors supporting the TPM 2.0 specification (for example, you can make the LUKS2 partition decryption key available only inside the initrd image and block access to it in later boot phases).

Other changes:

  • The locale is now guaranteed to be C.UTF-8 unless another locale is specified in the settings.
  • It is now possible to perform a full service preset operation ("systemctl preset") on first boot. Enabling the preset at boot requires building with the "-Dfirst-boot-full-preset" option, but it is planned to enable it by default in a future release.
  • The user manager units now include a CPU resource controller, which makes it possible to ensure that CPUWeight settings are applied to all the slice units used to split the system into parts (app.slice, background.slice, session.slice) so that resources are shared between different user services competing for CPU time. CPUWeight also supports the "idle" value for selecting the corresponding scheduling mode.
  • For transient units and in the systemd-repart utility, additional settings can be supplied by creating drop-in files in the /etc/systemd/system/name.d/ directory.
  • For system images, an end-of-support flag is now supported; it is checked against the value of the new "SUPPORT_END=" parameter in the /etc/os-release file.
  • Added the "ConditionCredential=" and "AssertCredential=" settings, which can be used to skip or fail units when a given credential is not present on the system.
  • Added the "DefaultSmackProcessLabel=" and "DefaultDeviceTimeoutSec=" settings to system.conf and user.conf to define the default SMACK security label and the unit activation timeout.
  • The "ConditionFirmware=" and "AssertFirmware=" settings can now refer to SMBIOS fields; for example, to activate a unit only if the /sys/class/dmi/id/board_name field contains the value "Custom Board", you can specify "ConditionFirmware=smbios-field(board_name = "Custom Board")".
  • The init process (PID 1) can now import credentials from SMBIOS fields (Type 11, "OEM vendor strings") in addition to defining them via qemu_fwcfg, which simplifies passing credentials to virtual machines and removes the need for third-party tools such as cloud-init and ignition.
  • During shutdown, the logic for unmounting virtual file systems (proc, sys) has been changed, and information about the file system unmounting process is written to the log.
  • The system call filter (SystemCallFilter) allows access to the riscv_flush_icache system call by default.
  • The sd-boot bootloader adds the ability to boot in mixed mode, in which a 64-bit Linux kernel is started from 32-bit UEFI firmware. Added the ability to attempt automatic enrollment of SecureBoot keys from files found on the ESP (EFI system partition).
  • New options have been added to the bootctl utility: "--all-architectures" to install binaries for all supported EFI architectures, "--root=" and "--image=" to operate on a directory or a disk image, "--install-source=" to specify where to install from, and "--efi-boot-option-description=" to control the names of boot entries.
  • The 'list-automounts' command has been added to the systemctl utility to list automount directories, along with the "--image=" option to run commands against the specified disk image. Added the "--state=" and "--type=" options to the 'show' and 'status' commands.
  • systemd-networkd adds the options "TCPCongestionControlAlgorithm=" to select the TCP congestion control algorithm, "KeepFileDescriptor=" to keep the file descriptor of TUN/TAP interfaces, "NetLabel=" to set NetLabels, and "RapidCommit=" for rapid configuration via DHCPv6 (RFC 3315). The "RouteTable=" parameter allows names to be assigned to routing tables.
  • systemd-nspawn allows relative file paths in the "--bind=" and "--overlay=" options. Added support for the 'rootidmap' parameter in the "--bind=" option to map the root user ID inside the container to the owner of the mounted directory on the host side.
  • systemd-resolved uses OpenSSL as its encryption backend by default (gnutls support is kept as an option). Unsupported DNSSEC algorithms are now treated as insecure instead of returning an error (SERVFAIL).
  • systemd-sysusers, systemd-tmpfiles and systemd-sysctl support passing settings via the credentials mechanism.
  • Added the 'compare-versions' command to systemd-analyze for comparing strings containing version numbers (similar to 'rpmdev-vercmp' and 'dpkg --compare-versions'). Added the ability to filter sections by mask to the 'systemd-analyze dump' command.
  • When the multi-stage sleep mode (suspend-then-hibernate) is selected, the time spent in suspend mode is now chosen based on the predicted remaining battery life. An early transition to hibernate occurs when less than 5% of the battery charge remains.
  • A new output mode, "-o short-delta", has been added to 'journalctl'; it shows the time difference between successive messages in the log.
  • systemd-repart adds support for creating partitions with the Squashfs file system and dm-verity partitions, including ones with digital signatures.
  • Added the "StopIdleSessionSec=" setting to systemd-logind to terminate an inactive session after the specified time.
  • systemd-cryptenroll adds the "--unlock-key-file=" option to read the decryption key from a file instead of prompting the user.
  • It is now possible to run the systemd-growfs utility in environments without udev.
  • systemd-backlight improves support for systems with multiple graphics cards.
  • The license of the code examples provided in the documentation has been changed from CC0 to MIT-0.

Compatibility-breaking changes:

  • When checking the kernel version number with the ConditionKernelVersion directive, plain string comparison is now used for the '=' and '!=' operators, and if no comparison operator is specified at all, glob matching can be used with the characters '*', '?' and '[', ']'. To compare versions strverscmp() style, use the '<', '>', '<=' and '>=' operators.
  • The SELinux label used to check access from a unit file is now read at the time the file is loaded, rather than at the time of the access check.
  • The "ConditionFirstBoot" condition now fires on the first boot of the system only during the boot phase itself, and evaluates to "false" when units are started after boot has completed.
  • In 2024, systemd plans to stop supporting the cgroup v1 resource limiting mechanism, which was deprecated in systemd release 248. Administrators are advised to take care in advance of migrating services based on cgroup v1 to cgroup v2. The key difference between cgroups v2 and v1 is the use of a single common cgroups hierarchy for all kinds of resources, instead of separate hierarchies for allocating CPU resources, for regulating memory consumption and for I/O. Separate hierarchies lead to difficulties in organizing interaction between handlers and to additional kernel resource costs when applying rules for a process referenced in different hierarchies.
  • In the second half of 2023, it is planned to end support for split directory hierarchies, where /usr is mounted separately from the root, or /bin and /usr/bin, /lib and /usr/lib are kept separate.
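The change in ConditionKernelVersion semantics above is easy to get wrong in existing unit files (a bare "=5.15" no longer matches "5.15.0-…"), so here is an added model of the new rules in Python; it is not systemd's code, and _version_key is a simplified strverscmp()-style comparison (digit runs compared numerically, everything else as text) rather than systemd's exact implementation.

```python
import fnmatch
import re

# Longest operators first so that "<=" is not read as "<" followed by "=5.15".
_OPS = ("<=", ">=", "!=", "<", ">", "=")


def _version_key(version: str) -> list:
    """Simplified strverscmp()-style key: digit runs compare as integers, other runs as text."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|\D+", version)]


def condition_kernel_version(expr: str, running: str) -> bool:
    """Evaluate ConditionKernelVersion=<expr> against the running kernel version string.

    systemd 252 rules modelled here: '=' and '!=' are plain string comparison,
    '<' '>' '<=' '>=' compare versions, and no operator at all means glob matching
    with '*', '?', '[' and ']'.
    """
    expr = expr.strip()
    for op in _OPS:
        if expr.startswith(op):
            want = expr[len(op):].strip()
            if op == "=":
                return running == want
            if op == "!=":
                return running != want
            a, b = _version_key(running), _version_key(want)
            return {"<": a < b, ">": a > b, "<=": a <= b, ">=": a >= b}[op]
    return fnmatch.fnmatchcase(running, expr)


if __name__ == "__main__":
    kernel = "5.15.0-91-generic"  # constructed sample value
    for cond in ("5.15*", "=5.15", ">=5.10", "<5.100"):
        print(f"ConditionKernelVersion={cond!r:>12} -> {condition_kernel_version(cond, kernel)}")
```

Note that "<5.100" is true for 5.15.x because the digit runs compare numerically, which is exactly what plain '=' string comparison no longer gives you.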

Source: opennet.ru
