Release of the systemd 250 system manager

After five months of development, systemd 250 has been released. The new release adds the ability to store credentials in encrypted form, implements signature-based verification of automatically discovered GPT partitions, improves the information shown about the reasons for delays when starting services, adds options that restrict a service's access to selected filesystem types and network interfaces, provides partition integrity monitoring through the dm-integrity module, and adds support for automatically updating sd-boot.

Major changes:

  • Added support for encrypted and authenticated credentials, useful for storing sensitive material such as SSL keys and access passwords. Credentials are decrypted only when needed, and only on the host (or with the hardware) they were bound to. The data is encrypted automatically with a symmetric cipher (AES-256-GCM); the key is derived from a secret kept on the filesystem (/var/lib/systemd/credential.secret), from a TPM2 chip, or from a combination of the two. When a service starts, its credentials are decrypted transparently and become available to the service in plaintext in a private credentials directory. The systemd-creds utility has been added for working with encrypted credentials, and the LoadCredentialEncrypted= and SetCredentialEncrypted= settings are available to services.
  • sd-stub, the EFI executable that lets EFI firmware load a Linux kernel, now supports starting the kernel through the LINUX_EFI_INITRD_MEDIA_GUID EFI protocol. sd-stub can also pack credential and sysext files into cpio archives that are handed to the kernel together with the initrd (the extra files end up in the /.extra/ directory of the initrd). This makes it possible to run a signed, verifiable initrd environment that is extended at boot with sysexts and encrypted credentials.
  • The Discoverable Partitions Specification, which defines how system partitions are identified, mounted and activated via GPT (GUID Partition Tables), has been extended considerably. Compared with previous releases, the specification now covers the root and /usr partitions for most architectures, including those that do not use UEFI.

    Discoverable Partitions also gained support for partitions whose integrity is verified by dm-verity using PKCS#7 digital signatures, which makes it straightforward to build fully verified disk images. Signature verification is integrated into the tools that work with disk images, including systemd-nspawn, systemd-sysext, systemd-dissect, services using RootImage=, systemd-tmpfiles and systemd-sysusers.

  • For units that take a long time to start or stop, in addition to the animated progress bar, status information can now be shown that explains what is currently happening with the service and which unit the system manager is waiting for.
  • A DefaultOOMScoreAdjust= parameter has been added to /etc/systemd/system.conf and /etc/systemd/user.conf; it adjusts the OOM-killer score applied to processes started by the system and user managers. By default, user services are given a higher score than system services, i.e. under memory pressure user services are more likely to be killed than system services.
  • A RestrictFileSystems= setting has been added that restricts a service's access to selected filesystem types. The filesystem names and groups that systemd knows can be listed with "systemd-analyze filesystems". Similarly, a RestrictNetworkInterfaces= option has been implemented that restricts a service's access to selected network interfaces. Both are enforced with BPF programs keyed on the unit's cgroup; RestrictFileSystems= requires a kernel with the BPF LSM enabled.
  • A new configuration file /etc/integritytab and the systemd-integritysetup utility have been added; they set up the dm-integrity module for partition-level integrity checking, for example to detect that data on a partition has been altered or corrupted. The format of /etc/integritytab matches that of /etc/crypttab and /etc/veritytab, except that dm-integrity is used instead of dm-crypt or dm-verity.
  • A new unit systemd-boot-update.service has been added: when it is enabled and the sd-boot bootloader is installed, systemd automatically updates the installed sd-boot binary, keeping the bootloader code up to date. sd-boot itself is now built with SBAT (UEFI Secure Boot Advanced Targeting) support by default, which addresses the problems with certificate revocation under UEFI Secure Boot. In addition, sd-boot can parse the Microsoft Windows boot configuration so that it produces correct names for Windows boot entries and shows the Windows version.

    sd-boot also allows the colour scheme to be defined at build time. During boot, the screen resolution can now be switched with the "r" key, and the "f" key enters the firmware setup interface. A mode has been added that automatically boots the menu entry that was selected during the previous boot. EFI drivers placed in the /EFI/systemd/drivers/ directory of the ESP (EFI System Partition) are now loaded automatically.

  • A new unit factory-reset.target has been added; systemd-logind handles it in the same way as reboot, poweroff, suspend and hibernate, and it serves as the hook point for distributions to attach their factory-reset handlers.
  • systemd-resolved now also creates a listening socket on 127.0.0.54 in addition to 127.0.0.53. Queries arriving at 127.0.0.54 are always forwarded to the upstream DNS server and are not resolved locally.
  • The import daemon (systemd-importd) and the resolver (systemd-resolved) can now be built against the OpenSSL library instead of libgcrypt.
  • Initial support has been added for the LoongArch architecture used in Loongson processors.
  • systemd-gpt-auto-generator can now automatically set up swap partitions encrypted with LUKS2.
  • The GPT image dissection code used by systemd-nspawn, systemd-dissect and related utilities can now identify images built for other architectures, which lets systemd-nspawn run images for foreign architectures under emulation.
  • When inspecting disk images, systemd-dissect now reports the purpose of each partition, such as whether the image is bootable via UEFI or suitable for running in a container.
  • A SYSEXT_SCOPE field has been added to extension-release.d/ files; it declares the scope of a system extension image: "initrd", "system" or "portable".
  • A PORTABLE_PREFIXES field has been added to the os-release file; portable images can use it to declare the unit file prefixes they support.
  • systemd-logind gained the HandlePowerKeyLongPress=, HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and HandleHibernateKeyLongPress= settings, which define what happens when the respective key is held for more than 5 seconds (for example, a short press of the suspend key can be configured to suspend the system while a long press hibernates it).
  • Units gained the StartupAllowedCPUs= and StartupAllowedMemoryNodes= settings, which differ from the corresponding settings without the Startup prefix in that they apply only during boot and shutdown, allowing different resource limits to be imposed while the system is booting.
  • Added [Condition|Assert][Memory|CPU|IO]Pressure= checks that allow activation of a unit to be skipped, or to fail, if the kernel's PSI (Pressure Stall Information) subsystem reports heavy memory, CPU or I/O pressure on the system.
  • The default inode limit has been raised for /dev from 64k to 1M and for /tmp from 400k to 1M.
  • An ExecSearchPath= setting has been introduced for services; it changes the search path used to locate executables started from settings such as ExecStart=.
  • Added the RuntimeRandomizedExtraSec= setting, which adds a random offset to the RuntimeMaxSec= limit on a unit's run time.
  • The RuntimeDirectory=, StateDirectory=, CacheDirectory= and LogsDirectory= settings have been extended: by specifying an additional value separated by a colon, a symlink to the given directory is created, making it reachable through several paths.
  • Services gained TTYRows= and TTYColumns= settings to configure the number of rows and columns of the TTY device.
  • Added the ExitType= setting, which changes how the end of a service is determined. By default systemd only watches for the exit of the main process, but with ExitType=cgroup the system manager waits until the last process in the unit's cgroup has exited.
  • The TPM2/FIDO2/PKCS#11 support of systemd-cryptsetup is now also built as cryptsetup token plugins, so the standard cryptsetup command can be used to unlock an encrypted volume enrolled with these methods.
  • The TPM2 code in systemd-cryptsetup/systemd-cryptenroll adds support for RSA primary keys in addition to ECC keys, improving compatibility with TPM chips that lack ECC support.
  • A token-timeout= option has been added to /etc/crypttab; it sets the maximum time to wait for a PKCS#11/FIDO2 device, after which the user is prompted for a passphrase or recovery key.
  • systemd-timesyncd implements the SaveIntervalSec= setting, which periodically saves the current system time to disk, for example to provide a monotonic clock on systems without an RTC.
  • New options have been added to systemd-analyze: "--image" and "--root" to verify unit files inside a given image or root directory, "--recursive-errors" to control whether errors in dependent units are also reported, "--offline" to check a specific unit file stored on disk, "--json" for JSON output, "--quiet" to suppress non-essential messages, and "--profile" to apply a portable profile. An inspect-elf command has also been added for parsing core files in ELF format, and unit files can now be verified by unit name regardless of whether that name matches the file name.
  • systemd-networkd extended its support for the Controller Area Network (CAN) bus. Settings were added to control CAN modes: Loopback=, OneShot=, PresumeAck= and ClassicDataLengthCode=. The TimeQuantaNSec=, PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=, SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=, DataPhaseBufferSegment1=, DataPhaseBufferSegment2= and DataSyncJumpWidth= options were added to the [CAN] section of .network files.
  • systemd-networkd added a Label= option for the DHCPv4 client, which sets the address label used when configuring IPv4 addresses.
  • The "ethtool" support in systemd-udevd now understands the special value "max", which sets a ring buffer size to the maximum the hardware supports.
  • In .link files for systemd-udevd, various interrupt coalescing settings and hardware offload features of network adapters can now be configured.
  • systemd-networkd ships new default .network files: 80-container-vb.network describes the network bridges created when systemd-nspawn is run with "--network-bridge" or "--network-zone"; 80-6rd-tunnel.network describes the tunnels created automatically when a DHCP response carrying the 6RD option is received.
  • systemd-networkd and systemd-udevd added support for IP over InfiniBand interfaces: an "[IPoIB]" section was added to systemd.netdev files and the "ipoib" value is accepted in the Kind= setting.
  • systemd-networkd now automatically configures routes for the addresses listed in AllowedIPs= of WireGuard peers; this can be tuned with the RouteTable= and RouteMetric= parameters in the [WireGuard] and [WireGuardPeer] sections.
  • systemd-networkd now generates persistent MAC addresses for batadv and bridge interfaces. To disable this behaviour, specify MACAddress=none in the .netdev file.
  • A WakeOnLanPassword= setting was added to the "[Link]" section of .link files to set the password used when WoL operates in "SecureOn" mode.
  • Added the AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=, MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO= and UseRawPacketSize= settings to the "[CAKE]" section of .network files for configuring the CAKE (Common Applications Kept Enhanced) queueing discipline.
  • The IgnoreCarrierLoss= setting in the "[Network]" section of .network files now accepts a time value that specifies how long to wait before reacting to carrier loss.
  • systemd-nspawn, homectl, machinectl and systemd-run extended the handling of the "--setenv" parameter: if only a variable name is given (without "="), the value is taken from the caller's environment variable of that name (for example, "--setenv=FOO" takes the value of $FOO and sets a variable of the same name inside the container).
  • systemd-nspawn added a "--suppress-sync" option that suppresses the sync()/fsync()/fdatasync() system calls while a container is being created (useful when speed matters more than protecting the build tree against a crash, since it can be recreated at any time).
  • New hwdb data has been added, including various kinds of signal analyzers (multimeters, protocol analyzers, oscilloscopes, etc.). The hwdb information about cameras was extended with fields describing the camera type (normal or infrared) and lens placement (front or back).
  • Persistent network interface names can now be generated for Xen front-end devices.
  • The parsing of core files by systemd-coredump, which is based on the libdw/libelf libraries, is now performed in a separate process isolated in a sandbox.
  • systemd-importd added support for the $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA and $SYSTEMD_IMPORT_SYNC environment variables, which control the creation of Btrfs subvolumes, quota setup and syncing to disk.
  • In systemd-journald, on filesystems that support copy-on-write, COW is re-enabled for archived journal files, which allows them to be compressed by Btrfs.
  • systemd-journald now deduplicates identical fields within a single message, in the stage before the message is written to the journal.
  • A "--show" option was added to the shutdown command to display a scheduled shutdown.
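
The encrypted-credentials workflow from the first bullet, as an added example that is not code from systemd or from the article: the service name "myapp", the credential name "db-password", the DB_PASSWORD variable and the paths under /etc are assumptions chosen for illustration. The point it shows is that the secret is bound to this host's key and TPM2, never appears in the unit file or the environment, and is only materialised in the service's private credentials directory while it runs.

```shell
#!/bin/sh
# Added example (not from systemd or the article). Assumed names: the
# "myapp" service, the "db-password" credential, and the paths below.
set -eu

CRED_NAME=db-password
CRED_FILE=/etc/credstore.encrypted/db-password    # any root-only directory works
UNIT_FILE=/etc/systemd/system/myapp.service       # hypothetical service

# Encrypt a secret read from stdin. "host+tpm2" derives the AES-256-GCM key
# from both /var/lib/systemd/credential.secret and the TPM2 chip (PCR 7 by
# default, i.e. the Secure Boot state), so the blob is useless if it is copied
# to another machine or booted under a different firmware policy.
# The name is authenticated too: renaming the blob breaks decryption.
encrypt_credential() {
    # $1 = credential name, $2 = output file; plaintext on stdin
    systemd-creds encrypt --name="$1" --with-key=host+tmp2 - "$2" 2>/dev/null \
        || systemd-creds encrypt --name="$1" --with-key=host+tpm2 - "$2"
}

# Unit that consumes the credential. No Environment= and no secret on the
# command line: systemd decrypts the blob at start-up into a private tmpfs and
# the service reads it from $CREDENTIALS_DIRECTORY (owned by its own user).
unit_text() {
    cat <<EOF
[Unit]
Description=Example service using an encrypted credential (assumed)

[Service]
DynamicUser=yes
LoadCredentialEncrypted=${CRED_NAME}:${CRED_FILE}
ExecStart=/usr/bin/myapp --password-file=\${CREDENTIALS_DIRECTORY}/${CRED_NAME}
EOF
}

# Service-side helper: read the plaintext from the credentials directory.
read_credential() {
    # $1 = credential name; prints the plaintext
    cat "${CREDENTIALS_DIRECTORY:?not running under a systemd service}/$1"
}

# Only touch the system when asked explicitly:  DB_PASSWORD=... ./creds.sh apply
if [ "${1:-}" = apply ]; then
    umask 077
    mkdir -p "$(dirname "$CRED_FILE")"
    printf '%s' "${DB_PASSWORD:?set DB_PASSWORD in the environment}" \
        | encrypt_credential "$CRED_NAME" "$CRED_FILE"
    unit_text > "$UNIT_FILE"
    systemctl daemon-reload
    # The blob on disk is ciphertext; it only decrypts on this host.
    systemd-creds decrypt --name="$CRED_NAME" "$CRED_FILE" - >/dev/null \
        && echo "credential decrypts on this host"
fi
```

A rotated or moved credential.secret, or a PCR 7 change after a firmware update, makes the blob undecryptable; re-encrypt it with the same command rather than relaxing --with-key to "host" only.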
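
The RestrictFileSystems= and RestrictNetworkInterfaces= bullet above, as an added example that is not code from systemd or from the article: the "myapp.service" name, the "eth0" interface and the filesystem allow-list are assumptions, and the sample "systemd-analyze filesystems" output embedded below is constructed. Besides the drop-in itself it shows the two checks a practitioner wants before trusting the setting: that the BPF LSM is actually active, and that every name in the allow-list is one the installed systemd knows.

```shell
#!/bin/sh
# Added example (not from systemd or the article). Assumed: myapp.service,
# eth0, the allow-list below; SAMPLE_ANALYZE_OUTPUT is constructed.
set -eu

# Drop-in confining a hypothetical network service: it may open files only on
# the listed filesystem types and may only use eth0 and loopback. Prefixing
# the whole list with "~" would turn it into a deny-list instead.
hardening_dropin() {
    cat <<'EOF'
[Service]
RestrictFileSystems=@common-block @basic-api @temporary
RestrictNetworkInterfaces=eth0 lo
EOF
}

# RestrictFileSystems= is enforced through the BPF LSM. If "bpf" is not among
# the active LSMs the kernel cannot apply the policy, so check before relying
# on it. $1 overrides the sysfs path (used by the test).
lsm_has_bpf() {
    grep -qw bpf "${1:-/sys/kernel/security/lsm}"
}

# A misspelled filesystem name matches nothing and leaves the service with
# more or less access than intended, so cross-check the allow-list against the
# names this systemd version knows. $1 = text of "systemd-analyze filesystems",
# $2 = space-separated allow-list. Prints each entry that is not known.
unknown_filesystems() {
    allow=${2#"~"}
    known=$(printf '%s\n' "$1" | tr -s '[:space:]' '\n' \
            | grep -E '^@?[a-z0-9_.-]+$' || true)
    for fs in $allow; do
        printf '%s\n' "$known" | grep -qx -- "$fs" || printf '%s\n' "$fs"
    done
}

# Constructed stand-in for "systemd-analyze filesystems" output (groups start
# with "@", members are indented); the real output is longer.
SAMPLE_ANALYZE_OUTPUT='@basic-api
    cgroup
    proc
    sysfs
@common-block
    btrfs
    ext4
    xfs
@temporary
    ramfs
    tmpfs'

# Only touch the system when asked explicitly:  ./restrict.sh apply
if [ "${1:-}" = apply ]; then
    svc=myapp.service
    lsm_has_bpf || echo "warning: BPF LSM not active; RestrictFileSystems= cannot be enforced" >&2
    bad=$(unknown_filesystems "$(systemd-analyze filesystems)" "@common-block @basic-api @temporary")
    [ -z "$bad" ] || { echo "unknown filesystem names: $bad" >&2; exit 1; }
    mkdir -p "/etc/systemd/system/$svc.d"
    hardening_dropin > "/etc/systemd/system/$svc.d/50-restrict.conf"
    systemctl daemon-reload
    systemd-analyze security "$svc"    # review the exposure score after the change
fi
```

Keep @basic-api and @temporary in the allow-list for almost any service: /proc, /sys and the tmpfs that backs /run and the credentials directory live on those types, and cutting them off fails the service in confusing ways rather than hardening it.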

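The crypttab token-timeout= option and the cryptsetup token plugins from the bullets above, as an added example that is not code from systemd or from the article: the mapped names and UUIDs are placeholders and the sample crypttab is constructed. It builds a FIDO2 entry with a bounded wait, lints an existing crypttab for PKCS#11/FIDO2 entries that set no timeout (the case where a headless machine sits waiting for an unplugged token), and shows that plain cryptsetup can now open such a volume because the systemd unlock code is available as token plugins.

```shell
#!/bin/sh
# Added example (not from systemd or the article). Names, UUIDs and the
# sample crypttab are constructed placeholders.
set -eu

# crypttab line for a volume enrolled with "systemd-cryptenroll --fido2-device=auto".
# token-timeout= bounds how long systemd-cryptsetup waits for the token before
# falling back to the passphrase/recovery-key prompt.
# $1 = mapped name, $2 = LUKS UUID, $3 = timeout (e.g. 30s)
crypttab_fido2_line() {
    printf '%s UUID=%s none fido2-device=auto,token-timeout=%s\n' "$1" "$2" "$3"
}

# Lint a crypttab: print the mapped names that depend on a PKCS#11 or FIDO2
# token but set no token-timeout=. $1 = path to the crypttab.
entries_without_token_timeout() {
    # fields: name device key-file options; comments and blank lines skipped
    while read -r name device keyfile options; do
        case $name in ''|'#'*) continue ;; esac
        case ",${options:-}," in
            *,fido2-device=*|*,pkcs11-uri=*)
                case ",${options:-}," in
                    *,token-timeout=*) ;;
                    *) printf '%s\n' "$name" ;;
                esac ;;
        esac
    done < "$1"
}

# Constructed sample crypttab; the UUIDs are placeholders, not real volumes.
SAMPLE_CRYPTTAB='# name  device                                      key   options
root  UUID=11111111-1111-1111-1111-111111111111  none  tpm2-device=auto
home  UUID=22222222-2222-2222-2222-222222222222  none  fido2-device=auto
data  UUID=33333333-3333-3333-3333-333333333333  none  fido2-device=auto,token-timeout=30s
'

# With the plugins installed (libcryptsetup-token-systemd-{tpm2,fido2,pkcs11}.so
# in cryptsetup's plugin directory), plain cryptsetup tries the enrolled token
# before asking for a passphrase, which is handy from a rescue shell.
# $1 = LUKS device, $2 = mapped name
open_with_plain_cryptsetup() {
    cryptsetup luksDump "$1" | grep -qE 'systemd-(tpm2|fido2|pkcs11)' \
        || { echo "no systemd token enrolled on $1" >&2; return 1; }
    cryptsetup open "$1" "$2"
}

# Only read the live system when asked explicitly:  ./crypttab-lint.sh lint
if [ "${1:-}" = lint ]; then
    bad=$(entries_without_token_timeout /etc/crypttab)
    [ -z "$bad" ] || echo "entries that may block boot waiting for a token: $bad"
fi
```

For the "root" entry above no timeout is needed: a TPM2 is either present or not, so tpm2-device=auto does not wait; the bounded wait matters for removable PKCS#11 and FIDO2 tokens.
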
Source: opennet.ru