Release of the systemd 243 system manager

After five months of development, the release of the systemd 243 system manager has been presented. Among the innovations are the integration of PID 1 with the kernel's out-of-memory (OOM) handling, support for attaching BPF programs to filter a unit's network traffic, many new options for systemd-networkd, a mode for measuring network interface throughput, automatic enabling of 22-bit PID numbers on 64-bit systems instead of 16-bit ones, the switch to the unified cgroup hierarchy, and the addition of systemd-network-generator.

The most significant changes:

  • PID 1 now recognizes kernel Out-Of-Memory (OOM) notifications and moves units that have hit their memory usage limit into a special state, with an optional ability to forcibly stop or kill them;
  • Unit files gained the new settings IPIngressFilterPath and IPEgressFilterPath, which allow custom BPF programs to be attached to units in order to filter the incoming and outgoing IP packets generated by the processes associated with the unit. The proposed settings allow a kind of per-service firewall to be built for systemd services. An example of writing a simple BPF-based network filter was published alongside the release;

  • The "clean" command was added to the systemctl utility to delete a unit's cache, runtime files, state information and log directories;
  • systemd-networkd adds support for MACsec, nlmon, IPVTAP and Xfrm network interfaces;
  • systemd-networkd splits DHCPv4 and DHCPv6 configuration into the "[DHCPv4]" and "[DHCPv6]" sections of the configuration file. The RoutesToDNS option was added to install a dedicated route to the DNS server specified in the parameters received from the DHCP server (so that DNS traffic goes over the link of the main route obtained via DHCP). New DHCPv4 options were added: MaxAttempts - the maximum number of requests made to obtain an address, BlackList - a blacklist of DHCP servers, SendRelease - enables sending DHCP RELEASE messages when the lease ends;
  • New commands were added to the systemd-analyze utility:
    • "systemd-analyze timestamp" - parsing and converting timestamps;
    • "systemd-analyze timespan" - parsing and converting time spans;
    • "systemd-analyze condition" - parsing and testing ConditionXYZ expressions;
    • "systemd-analyze exit-status" - parsing and converting numeric exit codes to names and vice versa;
    • "systemd-analyze unit-files" - lists all unit file paths and unit names.
  • The SuccessExitStatus, RestartPreventExitStatus and RestartForceExitStatus options now accept not only numeric return codes but also their textual identifiers (for example, "DATAERR"). The list of codes assigned to identifiers can be viewed with the "systemd-analyze exit-status" command;

  • The "delete" command was added to the networkctl utility to remove virtual network devices, along with the "--stats" option to display device statistics;
  • The SpeedMeter and SpeedMeterIntervalSec settings were added to networkd.conf to periodically measure network interface throughput. The statistics gathered from these measurements can be viewed in the output of the "networkctl status" command;
  • A new systemd-network-generator utility was added to generate .network, .netdev and .link files from the IP settings passed at boot on the Linux kernel command line in Dracut format;

  • The sysctl value "kernel.pid_max" on 64-bit systems is now automatically set to 4194304 (22-bit PIDs instead of 16-bit), which reduces the likelihood of collisions when allocating PIDs, raises the limit on the number of simultaneously running processes, and has a positive effect on security. The change may lead to compatibility issues, but no such issues have actually been reported so far;
  • By default, the build now switches to the unified cgroups-v2 hierarchy ("-Ddefault-hierarchy=unified"). Previously the default was the hybrid mode ("-Ddefault-hierarchy=hybrid");
  • The behavior of the system call filter (SystemCallFilter) was changed: on a prohibited system call it now terminates the whole process instead of only the offending thread, since killing an individual thread can lead to unpredictable problems. The change applies only with Linux kernel 4.14+ and libseccomp 2.4.0+;
  • Unprivileged programs are given the ability to send ICMP Echo (ping) packets by setting the sysctl "net.ipv4.ping_group_range" to the full range of groups (i.e. for all processes);
  • To speed up the build process, generation of man pages is disabled by default (to build the full documentation, use the "-Dman=true" option, or "-Dhtml=true" for manuals in HTML format). To simplify viewing the documentation, two scripts were added, build/man/man and build/man/html, to generate and view the manual page of interest;
  • To process domain names containing national alphabet characters, the libidn2 library is now used by default (to return to libidn, use the "-Dlibidn=true" option);
  • Support for the executable file /usr/sbin/halt.local, which provided functionality not widely used across distributions, was discontinued. To run commands at shutdown, it is recommended to use scripts in /usr/lib/systemd/system-shutdown/ or to define a new unit bound to final.target;
  • At the final stage of shutdown, systemd now automatically raises the log level in the sysctl "kernel.printk", which solves the problem of displaying log events that occur in the late stages of shutdown, when the regular daemons have already terminated;
  • In journalctl and other utilities that display log records, warnings are now highlighted in yellow and audit records in blue so that they stand out visually;
  • In the $PATH environment variable, the path to bin/ now comes before the path to sbin/, i.e. if executables with the same name exist in both directories, the file from bin/ is executed;
  • systemd-logind provides a SetBrightness() call to safely change the screen brightness on a per-session basis;
  • The "--wait-for-initialization" flag was added to the "udevadm info" command to wait until the device has been initialized;
  • During system boot, the PID 1 manager now displays unit names instead of a line with their descriptions. To return to the previous behavior, use the StatusUnitFormat option in /etc/systemd/system.conf or the systemd.status_unit_format kernel option;
  • The KExecWatchdogSec option was added to /etc/systemd/system.conf for the PID 1 watchdog; it defines the timeout for a reboot performed via kexec. The former ShutdownWatchdogSec setting was renamed RebootWatchdogSec and defines the timeout during a normal shutdown or reboot;

  • A new option, ExecCondition, was added to services; it defines commands that are executed before ExecStartPre. Based on the exit code returned by the command, a decision is made about further execution of the unit: if code 0 is returned, unit start-up continues; if 1 to 254, start-up ends silently without setting the failure flag; if 255, it ends with the failure flag set;
  • A new service, systemd-pstore.service, was added to extract data from /sys/fs/pstore/ and save it under /var/lib/pstore for analysis;
  • New commands were added to the timedatectl utility to configure the NTP parameters of systemd-timesyncd associated with a network interface;
  • The "localectl list-locales" command no longer lists non-UTF-8 locales;
  • Errors when processing a variable in sysctl.d/ files are now ignored if the variable name begins with the "-" character;
  • systemd-random-seed.service is now fully responsible for initializing the entropy pool of the Linux pseudorandom number generator. Services that require a correctly initialized /dev/urandom should be ordered after systemd-random-seed.service;
  • The systemd-boot bootloader gained optional support for a seed file containing a random sequence stored in the EFI System Partition (ESP);
  • New commands were added to the bootctl utility: "bootctl random-seed" to generate a seed file in the ESP and "bootctl is-installed" to check that the systemd-boot bootloader is installed. bootctl was also improved to show warnings about misconfigured boot entries (for example, when the kernel image has been deleted but its boot entry remains);
  • Automatic selection of the swap partition when the system enters hibernation. The partition is chosen according to the configured priority and, when priorities are equal, by the amount of free space;
  • The keyfile-timeout option was added to /etc/crypttab to set how long to wait for a device holding a key file before falling back to prompting for the passphrase to unlock the encrypted partition;
  • IOWeight was added to set the I/O weight for the BFQ scheduler;
  • A "strict" mode was added for DNS-over-TLS, and the ability to cache only positive DNS responses was implemented ("Cache=no-negative" in resolved.conf);
  • For VXLAN, systemd-networkd added the GenericProtocolExtension option to enable the VXLAN protocol extension. For VXLAN and GENEVE, the IPDoNotFragment option was added to set the don't-fragment flag on outgoing packets;
  • In systemd-networkd, the "[Route]" section gained the FastOpenNoCookie option, which enables TCP Fast Open (TFO, RFC 7413) for connections over specific routes, as well as the TTLPropagate option to configure TTL propagation for LSPs (Label Switched Paths). The "Type" option gained support for the local, broadcast, anycast, multicast, any, nat and xresolve route types;
  • systemd-networkd provides the DefaultRouteOnDevice option in the "[Network]" section to automatically configure the default route on the network device;
  • systemd-networkd added the ProxyARP and ProxyARPWifi settings, which define ARP proxy behavior; MulticastRouter, which defines routing parameters for multicast mode; and MulticastIGMPVersion, which changes the IGMP (Internet Group Management Protocol) version used for multicast;
  • systemd-networkd added the Local, Peer and PeerPort options for FooOverUDP tunnels to configure the local and remote IP addresses as well as the network port number. For TUN devices, the VnetHeader option was added to configure GSO (Generic Segment Offload) support;
  • In systemd-networkd, the [Match] section of .network and .link files gained a Property option, which allows devices to be identified by specific udev properties;
  • For tunnels, the AssignToLoopback option was added, which controls whether the tunnel endpoint is assigned to the loopback device "lo";
  • systemd-networkd automatically enables the IPv6 stack if it has been disabled via the disable_ipv6 sysctl: IPv6 is enabled if IPv6 settings (static or DHCPv6) are defined for the network interface, otherwise the previously set sysctl value is left unchanged;
  • In .network files, the CriticalConnection setting was replaced by the KeepConfiguration option, which provides more ways to specify the situations ("yes", "static", "dhcp-on-stop", "dhcp") in which systemd-networkd should leave existing connections untouched at start-up;
  • Fixed vulnerability CVE-2019-15718, caused by missing access control on the D-Bus interface of systemd-resolved. The issue allowed an unprivileged user to perform operations intended only for administrators, such as changing DNS settings and redirecting DNS queries to a rogue server;
  • Fixed vulnerability CVE-2019-9619, related to pam_systemd not supporting non-interactive sessions, which allowed hijacking of the active session.
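As an added example (not part of the release announcement or the systemd project), here is a service unit that combines several of the 243 additions listed above: an ExecCondition gate, exit statuses given by name, a whole-process seccomp filter, and pinned BPF programs attached via IPIngressFilterPath/IPEgressFilterPath to give the service its own ingress/egress firewall. The service name, script paths and BPF pin paths are assumptions; OOMPolicy= is the unit setting that carries the OOM behaviour described above, named here from the systemd documentation rather than from this page.

```ini
# /etc/systemd/system/example-daemon.service  (hypothetical service, added example)
[Unit]
Description=Example daemon exercising systemd 243 service options

[Service]
Type=simple
# systemd 243: ExecCondition= runs before ExecStartPre=. Exit 0 continues start-up,
# 1..254 skips the unit silently (no failed state), 255 marks it failed.
# /usr/local/lib/example/check-prereqs is an assumed script.
ExecCondition=/usr/local/lib/example/check-prereqs
ExecStartPre=/usr/local/lib/example/prepare
ExecStart=/usr/local/bin/example-daemon

# systemd 243: exit statuses may be given by name (see "systemd-analyze exit-status").
# DATAERR (65) counts as a clean exit; CONFIG (78) never triggers Restart=.
SuccessExitStatus=DATAERR
RestartPreventExitStatus=CONFIG
Restart=on-failure

# systemd 243: if the kernel OOM-kills one process of the unit, stop the whole unit
# instead of leaving it half-alive.
OOMPolicy=stop

# systemd 243: BPF programs pinned under /sys/fs/bpf (assumed paths, loaded by the
# administrator beforehand) filter only this unit's IP traffic; requires the
# unified cgroup hierarchy, which is now the default.
IPIngressFilterPath=/sys/fs/bpf/example-daemon/ingress
IPEgressFilterPath=/sys/fs/bpf/example-daemon/egress

# systemd 243: a blocked system call now kills the whole process (kernel 4.14+,
# libseccomp 2.4.0+), so a violation cannot leave the service in a broken state.
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
```

After creating the file, `systemctl daemon-reload` and `systemd-analyze verify example-daemon.service` report any option the running systemd does not understand.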
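A second added example (again not from the announcement or the project) shows the systemd-networkd changes above in one .network file: the udev Property= match, the separate [DHCPv4] section with MaxAttempts/BlackList/SendRelease/RoutesToDNS, and KeepConfiguration= in place of the removed CriticalConnection=. The driver name, the blacklisted server address and the file name are constructed for the example.

```ini
# /etc/systemd/network/20-wired.network  (added example; values below are assumed)
[Match]
# systemd 243: match the interface by a udev property instead of only Name=/MACAddress=.
Property=ID_NET_DRIVER=e1000e

[Network]
DHCP=ipv4
# systemd 243: replaces CriticalConnection=yes. Keep the DHCP lease and its routes
# when networkd stops, so restarting networkd does not drop the address.
KeepConfiguration=dhcp-on-stop

[DHCPv4]
# systemd 243: DHCPv4 has its own section. Give up after 5 requests, reject offers
# from an untrusted server (constructed address), send a DHCP RELEASE when the
# lease ends, and install a dedicated route to the DHCP-supplied DNS server so
# DNS traffic stays on this link.
MaxAttempts=5
BlackList=192.0.2.10
SendRelease=yes
UseDNS=yes
RoutesToDNS=yes
```

`networkctl status` on the matched interface shows whether the lease and the DNS route were applied, and (with SpeedMeter=yes in networkd.conf) the measured throughput.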

Source: opennet.ru
