Release of the systemd 248 system manager

After four months of development, systemd 248, the system manager, has been released. The new release brings support for system extension images, the /etc/veritytab configuration file, the systemd-cryptenroll utility, unlocking LUKS2 volumes with TPM2 chips and FIDO2 tokens, units running in an isolated IPC namespace, the BATMAN mesh-networking protocol and an nftables backend for systemd-nspawn. systemd-oomd has been stabilized.

Main changes:

  • The concept of system extension images has been implemented. They can be used to extend the /usr/ and /opt/ hierarchies with additional files at runtime, even when those directories are mounted read-only. When a system extension image is mounted, its contents are overlaid onto the /usr/ and /opt/ hierarchies using OverlayFS.

    A new utility, systemd-sysext, has been introduced for mounting, unmounting, inspecting and refreshing system extension images. The systemd-sysext.service unit has been added to mount pre-installed images automatically during boot. A SYSEXT_LEVEL= parameter has been added to the os-release file to indicate the supported system extension level.

  • For units, the ExtensionImages setting has been implemented; it can be used to mount system extension images into the file system namespace of isolated services.
  • The /etc/veritytab configuration file has been added for configuring block-level data integrity verification with the dm-verity module. The file format is similar to /etc/crypttab: "volume_name data_device hash_device root_hash options". The systemd.verity.root_options kernel command line option has been added to configure dm-verity behaviour for the root device.
  • systemd-cryptsetup gained the ability to extract the PKCS#11 token URI and the encrypted key from the LUKS2 header metadata in JSON format, so that the information needed to unlock an encrypted device can be embedded in the device itself without involving external files.
  • systemd-cryptsetup supports unlocking LUKS2 encrypted volumes with TPM2 chips and FIDO2 tokens, in addition to the previously supported PKCS#11 tokens. libfido2 is loaded via dlopen(), i.e. its availability is checked at runtime rather than being a hard link-time dependency.
  • The new "no-write-workqueue" and "no-read-workqueue" options have been added to /etc/crypttab for systemd-cryptsetup, to enable synchronous processing of the I/O related to encryption and decryption.
  • The systemd-repart utility gained the ability to enroll encrypted partitions with TPM2 chips, for example to create an encrypted /var partition on first boot.
  • The systemd-cryptenroll utility has been added for enrolling TPM2, FIDO2 and PKCS#11 tokens with LUKS volumes, as well as for unenrolling and listing tokens, binding recovery keys and setting the passphrase used for access.
  • The PrivateIPC setting has been added; it allows a unit file to be configured so that its processes run in an isolated IPC namespace with their own identifiers and message queues. To attach a unit to a previously created IPC namespace, the IPCNamespacePath option has been introduced.
  • The ExecPaths and NoExecPaths settings have been added to allow the noexec flag to be applied to specific parts of the file system.
  • systemd-networkd gained support for the BATMAN (Better Approach To Mobile Adhoc Networking) mesh protocol, which allows building distributed networks in which every node is connected to its neighbouring nodes. For configuration, a [BatmanAdvanced] section in .netdev files, a BatmanAdvanced setting in .network files and a new device of type "batadv" have been introduced.
  • The systemd-oomd early-response mechanism for low-memory conditions has been stabilized. The DefaultMemoryPressureDurationSec option has been added to configure how long to wait for resources to be freed before acting on a unit. systemd-oomd uses the kernel's PSI (Pressure Stall Information) subsystem and makes it possible to detect the onset of stalls caused by resource shortage and to gracefully terminate resource-hungry processes at a stage where the system is not yet in a critical state and has not started aggressively trimming caches and swapping data out.
  • The "root=tmpfs" kernel command line parameter has been added; it allows the root partition to be mounted on temporary storage in RAM using tmpfs.
  • The /etc/crypttab parameter that specifies the key file can now point to an AF_UNIX socket of type SOCK_STREAM. In that case the key must be provided when the socket is connected to, which can be used, for example, to build services that generate keys dynamically.
  • The fallback hostname used by the system manager and systemd-hostnamed can now be set in two ways: via the DEFAULT_HOSTNAME setting in os-release and via the $SYSTEMD_DEFAULT_HOSTNAME environment variable. systemd-hostnamed also handles the "localhost" hostname specially and gained the ability to export the hostname, as well as the "HardwareVendor" and "HardwareModel" properties, over D-Bus.
  • A block of global environment variables can now be configured via the new ManagerEnvironment option in system.conf or user.conf, and not only via the kernel command line and unit file settings.
  • At build time it is possible to use the fexecve() system call instead of execve() to start processes, reducing the window between checking the security state and applying it.
  • In unit files, the new conditions ConditionSecurity=tpm2 and ConditionCPUFeature have been added to check for the presence of TPM2 devices and for individual CPU capabilities (for example, ConditionCPUFeature=rdrand can be used to check that the processor supports the RDRAND instruction).
  • Automatic generation of the system call tables used by seccomp filters, based on the available kernel, has been implemented.
  • The ability to change mounts in the mount namespaces of running services without restarting them has been added. The change is performed with the 'systemctl bind ...' and 'systemctl mount-image ...' commands.
  • Support has been added for specifying StandardOutput and StandardError paths in the "truncate:" form, which truncates the file before use.
  • The ability to connect to the session bus of a specific user inside a container has been added to sd-bus. For example: "systemctl --user -M lennart@ start quux".
  • The following settings have been implemented for the [Link] section of systemd.link files:
    • Promiscuous, which switches the device into "promiscuous" mode to pass through all network packets, including those not addressed to the current system;
    • TransmitQueues and ReceiveQueues for setting the number of TX and RX queues;
    • TransmitQueueLength for setting the TX queue size; GenericSegmentOffloadMaxBytes and GenericSegmentOffloadMaxSegments for setting limits on the use of the GRO (Generic Receive Offload) technology.
  • New settings have been added to systemd.network files:
    • [Network] RouteTable for selecting the routing table;
    • [RoutingPolicyRule] Type for the route type ("blackhole", "unreachable", "prohibit");
    • [IPv6AcceptRA] RouteDenyList and RouteAllowList for lists of allowed and denied route advertisements;
    • [DHCPv6] UseAddress to ignore the address provided by DHCP;
    • [DHCPv6PrefixDelegation] ManageTemporaryAddress;
    • ActivationPolicy to define the policy for interface activation (always keep the interface up or down, or allow the user to change the state with the "ip link set dev" command).
  • The [VLAN] IngressQOSMaps and EgressQOSMaps options and the [MACVLAN] BroadcastMulticastQueueLength option have been added to systemd.netdev for configuring VLAN packet handling.
  • /dev is no longer mounted with the noexec flag, since this conflicted with use of the executable flag on /dev/sgx. To restore the previous behaviour, the NoExecPaths=/dev setting can be used.
  • The permissions of the /dev/vsock file have been changed to 0o666, and the /dev/vhost-vsock and /dev/vhost-net files have been moved to the kvm group.
  • The hardware identification database has been extended with USB fingerprint readers that correctly support sleep mode.
  • systemd-resolved gained support for producing DNSSEC responses to queries via the stub resolver. Local clients can perform DNSSEC validation themselves, while external clients see the upstream DNS server unchanged.
  • The CacheFromLocalhost option has been added to resolved.conf; when set, systemd-resolved will use caching even for requests to a DNS server at 127.0.0.1 (by default, caching of such requests is disabled to avoid double caching).
  • systemd-resolved gained support for RFC 5001 NSIDs in the local DNS stub resolver, allowing clients to distinguish interaction with the local resolver from another DNS server.
  • The resolvectl utility gained the ability to show information about the data source (local cache, network request, local processor response) and about the use of encryption when transmitting data. The --cache, --synthesize, --network, --zone, --trust-anchor and --validate options have been provided to control the name resolution process.
  • systemd-nspawn gained support for configuring the firewall with nftables, in addition to the existing iptables support. The IPMasquerade setting in systemd-networkd gained the ability to use an nftables-based backend.
  • systemd-localed gained support for calling locale-gen to generate missing locales.
  • The --pager/--no-pager/--json= options have been added to various utilities to enable or disable paged mode and JSON-formatted output. The ability to set the number of colours used in the terminal via the SYSTEMD_COLORS environment variable ("16" or "256") has been added.
  • Builds with a split /usr (separate / and /usr) and cgroup v1 support have been deprecated.
  • The main Git branch has been renamed from 'master' to 'main'.
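The sandboxing and condition settings listed above (ConditionSecurity=tpm2, ConditionCPUFeature, PrivateIPC, NoExecPaths/ExecPaths, ExtensionImages and the "truncate:" output form) combined in one service unit, as a constructed example that is not part of the release announcement or the systemd project; the service name, binary and image path are hypothetical.

```ini
# /etc/systemd/system/report-exporter.service  (constructed example)
[Unit]
Description=Example service using systemd 248 sandboxing settings
# Skip the unit entirely on hosts without a TPM2 device or RDRAND support (new in 248).
ConditionSecurity=tpm2
ConditionCPUFeature=rdrand

[Service]
# Hypothetical binary; the directives below are the point of the example.
ExecStart=/usr/bin/report-exporter --output /var/lib/report-exporter
DynamicUser=yes
StateDirectory=report-exporter
LogsDirectory=report-exporter

# New in 248: private IPC namespace, so SysV IPC objects and POSIX message
# queues of this service are invisible to, and isolated from, the host.
PrivateIPC=yes

# New in 248: mark the whole tree noexec, then re-allow execution only for
# the daemon and the shared libraries it needs (dm-verity protected /usr).
NoExecPaths=/
ExecPaths=/usr/bin/report-exporter /usr/lib /usr/lib64

# New in 248: overlay an extension image onto /usr and /opt for this service
# only (hypothetical image path; activation fails if the image is missing).
ExtensionImages=/var/lib/extensions/report-tools.raw

# New in 248: truncate the run log on every start instead of appending,
# so stale output from a previous run cannot be mistaken for current state.
StandardOutput=truncate:/var/log/report-exporter/last-run.log
StandardError=inherit

# Pre-existing hardening that the new settings complement.
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

LogsDirectory= is what keeps the truncate: target writable under ProtectSystem=strict; without it the first write fails.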
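The storage-side additions (the /etc/veritytab format, the no-read-workqueue/no-write-workqueue crypttab options, TPM2/FIDO2 unlocking after systemd-cryptenroll, and a key delivered over an AF_UNIX socket) as a constructed configuration example, not taken from the announcement or from systemd itself; all UUIDs, PARTUUIDs, the root hash and the socket path are placeholders.

```ini
# /etc/veritytab  (constructed example; every value in <...> is a placeholder)
# volume-name  data-device                  hash-device                  root-hash                options
usr-verity     PARTUUID=<usr-data-partuuid> PARTUUID=<usr-hash-partuuid> <64-hex-char-root-hash>  panic-on-corruption
# The verified volume then appears as /dev/mapper/usr-verity and can be mounted
# read-only. For the root file system the same behaviour is selected on the
# kernel command line with systemd.verity.root_options=panic-on-corruption.

# /etc/crypttab  (constructed example)
# name     device                 key-file                          options
# Unlocked with a TPM2-enrolled key (systemd-cryptenroll --tpm2-device=auto was run
# beforehand); workqueue bypass trades throughput on fast NVMe for lower latency.
var        UUID=<luks2-uuid-var>  -                                 luks,tpm2-device=auto,no-read-workqueue,no-write-workqueue
# Unlocked with a FIDO2 token enrolled via systemd-cryptenroll --fido2-device=auto.
home       UUID=<luks2-uuid-home> -                                 luks,fido2-device=auto
# New in 248: the key-file column names an AF_UNIX/SOCK_STREAM socket. A service
# listening there writes the key and closes the connection; the key never sits on disk.
secrets    UUID=<luks2-uuid-sec>  /run/keyprovider/secrets.sock     luks
```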

Source: opennet.ru
