Release of the systemd 249 system manager

After three months of development, the systemd 249 system manager has been released. The new release adds the ability to define users/groups in JSON format, documents the Journal protocol, simplifies the organisation of updates using alternating disk partitions, adds the ability to attach BPF programs to services, implements user ID mapping for mounted partitions, and provides a large set of new network settings and container launch options.

Main changes:

  • The Journal protocol has been documented and can be used by clients as an alternative to the syslog protocol for local delivery of log records. The Journal protocol has been implemented for a long time and was already used by some client libraries, but its official support is only now being declared.
  • userdb and nss-systemd support reading additional user definitions, written in JSON format, from the /etc/userdb/, /run/userdb/, /run/host/userdb/ and /usr/lib/userdb/ directories. This format is noted as providing an additional mechanism for creating system users, with full integration with NSS and /etc/shadow. JSON support for user/group entries will also allow resource-management and other settings to be attached to users recognised by pam_systemd and systemd-logind.
  • nss-systemd integrates user/group entries into /etc/shadow using the hashed password fields from systemd-homed.
  • A mechanism has been implemented that simplifies the organisation of updates using two disk partitions that alternate (one partition is active, the second is spare; the update is copied to the spare partition, which then becomes active). If a disk image contains two root or /usr partitions, and udev does not detect a 'root=' parameter, or when working with disk images specified via the '--image' option of the systemd-nspawn and systemd-dissect utilities, the boot partition can be chosen by comparing GPT labels (assuming the GPT label states the version number of the partition contents; systemd will choose the partition with the newest changes).
  • The BPFProgram setting has been added to service files, with which you can configure loading of BPF programs into the kernel and manage their attachment to specific systemd services.
  • systemd-fstab-generator and systemd-repart add the ability to boot from disks that have only a /usr partition and no root partition (the root partition will be created by systemd-repart during the first boot).
  • In systemd-nspawn, the '--private-users-chown' option has been replaced by the more general '--private-users-ownership' option, which accepts the values 'chown' (equivalent to '--private-users-chown'), 'off' to disable the earlier behaviour, 'map' to map the user IDs of the mounted file system, and 'auto' to choose 'map' if the required functionality is present in the kernel (5.12+) or fall back to recursively calling 'chown' otherwise. With mapping, you can map one user's files on a mounted foreign partition to a different user in the current system, which makes it easy to share files between different users. For the portable home directory mode of systemd-homed, mapping will allow users to move their home directory to external media and use it on different computers that do not have the same user ID layout.
  • In systemd-nspawn, the '--private-users' option can now take the value 'identity' to map user IDs one-to-one when creating a user namespace, i.e. UID 0 and UID 1 inside the container appear as UID 0 and UID 1 on the host side, as a way of reducing the attack surface.
  • The '--bind-user' option has been added to systemd-nspawn to pass a user account that exists on the host into the container (the home directory is mounted into the container, the user/group is added, and UID mapping is set up between the container and the host environment).
  • systemd-ask-password and systemd-sysusers add support for requesting password credentials (with the passwd.hashed-password. and passwd.plaintext-password. prefixes) using the mechanism introduced in systemd 247 for securely passing sensitive data via intermediate files in a private directory. By default, credentials are accepted from the PID 1 process, which receives them, for example, from the container manager, allowing the user's password to be set on first boot.
  • systemd-firstboot adds support for using the secure transfer mechanism for sensitive data to query various system parameters, which can be used to initialise system configuration on the first boot of a container image that lacks the required settings in /etc and so on.
  • The PID 1 process can show both the unit name and its description during boot. The output can be switched with the 'StatusUnitFormat=combined' parameter in system.conf or the kernel command-line option 'systemd.status-unit-format=combined'.
  • The '--image' option has been added to the systemd-machine-id-setup and systemd-repart utilities to transfer the file with the machine ID into a disk image or to grow the size of a disk image.
  • The MakeDirectories parameter has been added to the partition configuration file used by the systemd-repart utility; it can be used to create arbitrary directories in the newly created file system before it appears in the partition table (for example, to create mount-point directories inside the root partition so that a partition can immediately be mounted read-only). To control the GPT flags of created partitions, the corresponding Label, ReadOnly and NoAuto parameters have been added. The CopyBlocks parameter gained an 'auto' value to automatically choose the currently booted partition as the source when copying blocks (for example, when you need to transfer your root partition to new media).
  • The GPT 'Grow-file-system' flag has been implemented, which is analogous to the x-systemd.growfs mount option and provides automatic expansion of the file system to the boundaries of the block device if the FS size is smaller than the partition. The flag applies to Ext3, XFS and Btrfs file systems and to automatically detected partitions. The flag is automatically enabled for writable partitions created via systemd-repart. The GrowFileSystem option has been added to control the flag in repart configuration.
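As an added illustration (not from the release notes or from the systemd project itself), two constructed systemd-repart drop-ins for the cases described above: the first defines the root partition that repart creates on first boot of an image that ships only /usr, pre-creating mount points with MakeDirectories and setting the GrowFileSystem flag explicitly; the second migrates the currently booted root partition to new media with CopyBlocks=auto. File names and the label are assumptions.

```ini
# /usr/lib/repart.d/20-root.conf  (constructed example path)
# Creates the root partition on first boot of an image that ships only /usr.
[Partition]
Type=root
Label=root
Format=ext4
# Pre-create mount points inside the fresh root so that the read-only /usr
# and other partitions can be mounted immediately after creation.
MakeDirectories=/home /srv /var
# Set the GPT "grow-file-system" flag explicitly so the file system is
# extended to the partition size if the image is later copied to larger media.
GrowFileSystem=yes

# /etc/repart.d/10-root-migrate.conf  (constructed example path)
# When populating new media from a running system, copy the currently booted
# root partition block-for-block instead of formatting an empty one.
# CopyBlocks= replaces Format= here; use one or the other, not both.
[Partition]
Type=root
Label=root
CopyBlocks=auto
```

Running `systemd-repart --dry-run=yes` against the target device shows which partitions would be created without modifying anything, which is the sensible first step before letting either drop-in touch real media.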
  • The /etc/os-release file supports the new IMAGE_VERSION and IMAGE_ID variables to identify the version and ID of atomically updated images. The %M and %A specifiers have been introduced for substituting these values in various commands.
  • The '--extension' parameter has been added to the portablectl utility to attach system extension images to portable services (for example, you can use them to ship images with additional services layered over the root partition).
  • The systemd-coredump utility extracts ELF build-id information when producing a core dump of a process, which can be useful for determining the package of the crashed process if information about the name and version of the deb or rpm package it was built from is embedded in the ELF files.
  • A new hwdb database for FireWire (IEEE 1394) devices has been added to udev.
  • In udev, three changes that break backward compatibility have been made to the 'net_id' network interface naming scheme: invalid characters in interface names are now replaced with '_'; PCI hotplug slot names on s390 systems are handled in hexadecimal form; up to 65535 PCI devices on a bus are allowed (previously numbers above 16383 were blocked).
  • systemd-resolved adds the 'home.arpa' domain to the NTA (Negative Trust Anchors) list; this domain is recommended for home networks but is not used with DNSSEC.
  • The CPUAffinity parameter supports parsing of '%' specifiers.
  • The ManageForeignRoutingPolicyRules parameter has been added to .network files; it can be used to exclude third-party routing policy rules from processing by systemd-networkd.
  • The RequiredFamilyForOnline parameter has been added to '.network' files to specify whether an IPv4 or IPv6 address must be present for a network interface to be considered 'online'. networkctl can display the 'online' state of each link.
  • The OutgoingInterface setting has been added to .network files to specify the outgoing interface when configuring network bridges.
  • A Group parameter has been added to '.network' files, allowing a Multipath group to be configured in the '[NextHop]' section.
  • The '-4' and '-6' options have been added to systemd-networkd-wait-online to limit waiting to IPv4 or IPv6 connectivity only.
  • The RelayTarget parameter has been added to the DHCP server configuration, switching the server into DHCP relay mode. Additional settings for DHCP relaying, RelayAgentCircuitId and RelayAgentRemoteId, are provided.
  • The ServerAddress parameter has been added to the DHCP server, allowing the server's IP address to be set explicitly (otherwise the address is chosen automatically).
  • The DHCP server implements the [DHCPServerStaticLease] section, which lets you configure static address bindings (DHCP leases), defining fixed IP bindings for MAC addresses and vice versa.
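The networkd additions above (RequiredFamilyForOnline, ManageForeignRoutingPolicyRules, ServerAddress and [DHCPServerStaticLease]) combined into one constructed .network file. This is an added example, not configuration shipped by the systemd project; the interface name, addresses and MAC addresses are made up.

```ini
# /etc/systemd/network/20-lab.network  (constructed example; interface name,
# addresses and MAC addresses are made up)
[Match]
Name=lab0

[Link]
# Report the link as "online" only once it holds an IPv4 address; an IPv6
# link-local address alone is not enough (networkctl shows the resulting state).
RequiredFamilyForOnline=ipv4

[Network]
Address=192.0.2.1/24
DHCPServer=yes
# Leave routing-policy rules installed by other tools untouched.
ManageForeignRoutingPolicyRules=no

[DHCPServer]
# Pin the server's own address explicitly instead of auto-selecting it.
ServerAddress=192.0.2.1/24
PoolOffset=100
PoolSize=50
EmitDNS=yes
DNS=192.0.2.1

# One static lease: this MAC address always receives 192.0.2.10.
[DHCPServerStaticLease]
MACAddress=02:00:5e:00:53:01
Address=192.0.2.10

# A second fixed binding; repeat the section once per device.
[DHCPServerStaticLease]
MACAddress=02:00:5e:00:53:02
Address=192.0.2.11
```

Static leases live outside the dynamic pool defined by PoolOffset/PoolSize, so a device that spoofs a reserved MAC address can still obtain the reserved address; the lease pins an address to a MAC, it does not authenticate the client.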
  • The RestrictAddressFamilies setting supports the value 'none', meaning the service will have no access to sockets of any address family.
  • In '.network' files, the [Address], [DHCPv6PrefixDelegation] and [IPv6Prefix] sections gained support for the RouteMetric setting, which lets you specify the metric of the prefix route created for the specified address.
  • nss-myhostname and systemd-resolved synthesise DNS records with addresses for the host under the special name '_outbound', which always resolves to the local IP chosen according to the default routes used for outgoing connections.
  • In .network files, the '[DHCPv4]' section gained the boolean RoutesToNTP setting, which requests a separate route via the current interface to the NTP server address obtained for that interface via DHCP (similar to DNS; the setting lets you guarantee that traffic to the NTP server is sent via the interface on which the address was obtained).
  • The SocketBindAllow and SocketBindDeny settings have been added to control which sockets the current service may bind to.
  • In unit files, a ConditionFirmware condition has been implemented, allowing checks that evaluate firmware features such as UEFI functionality and the device tree, as well as checks for compatibility with specific device-tree hardware.
  • The ConditionOSRelease option has been implemented to check fields in the /etc/os-release file. When defining conditions on field values, the operators "=", "!=", "<", "<=", ">=" and ">" are accepted.
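The RestrictAddressFamilies=none value, the SocketBindAllow/SocketBindDeny bind rules and the ConditionFirmware/ConditionOSRelease checks described above, shown together in two constructed unit files. These are added examples, not units from the systemd project; the service names, binaries and the port are assumptions.

```ini
# /etc/systemd/system/metrics-exporter.service  (constructed example)
[Unit]
Description=Metrics exporter (constructed example unit)
# Only start on Debian 11 or newer booted via UEFI; when a condition does not
# hold the unit is skipped, not marked failed.
ConditionOSRelease=ID=debian
ConditionOSRelease=VERSION_ID>=11
ConditionFirmware=uefi

[Service]
ExecStart=/usr/local/bin/metrics-exporter
DynamicUser=yes
NoNewPrivileges=yes
# Allow IP sockets only (no AF_UNIX, AF_NETLINK, AF_PACKET, ...).
RestrictAddressFamilies=AF_INET AF_INET6
# Bind-time allow list: the exporter may listen on port 9100 and nothing else.
# The allow rules name the only permitted ports; the trailing "any" deny rule
# rejects every other bind() attempt, so a compromised exporter cannot open
# an extra listener on another port.
SocketBindAllow=ipv4:9100
SocketBindAllow=ipv6:9100
SocketBindDeny=any

# /etc/systemd/system/log-compactor.service  (constructed example)
# A batch job that needs no sockets at all: "none" forbids every address family.
[Unit]
Description=Log compactor (constructed example unit)

[Service]
Type=oneshot
ExecStart=/usr/local/bin/compact-logs
RestrictAddressFamilies=none
```

`systemctl show -p RestrictAddressFamilies -p SocketBindAllow -p SocketBindDeny metrics-exporter.service` confirms what was loaded; a bind() that the rules reject fails inside the service with a permission error, which is a useful signal to watch for in the journal after tightening the list.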
  • In the hostnamectl utility, commands of the form 'get-xyz' and 'set-xyz' have been freed from the 'get' and 'set' prefixes; for example, instead of 'hostnamectl get-hostname' and 'hostnamectl set-hostname' you can use the 'hostnamectl hostname' command, whose function is determined by whether an additional argument is given ('hostnamectl hostname value'). Support for the old commands is retained for compatibility.
  • The systemd-detect-virt utility and the ConditionVirtualization setting correctly identify the Amazon EC2 environment.
  • The LogLevelMax setting in unit files now applies not only to log messages produced by the service but also to messages from the PID 1 process that refer to the service.
  • Added the ability to include SBAT (UEFI Secure Boot Advanced Targeting) data in systemd-boot EFI PE files.
  • /etc/crypttab implements the new 'headless' and 'password-echo' options: the first lets you skip all operations involving interactive entry of passwords and PINs by the user, and the second lets you configure how password entry is displayed (show nothing, show the characters, or show asterisks). In systemd-ask-password, the '--echo' option has been added for the same purpose.
  • systemd-cryptenroll, systemd-cryptsetup and systemd-homed have extended support for unlocking LUKS2 encrypted partitions with FIDO2 tokens. The new options '--fido2-with-user-presence', '--fido2-with-user-verification' and '--fido2-with-client-pin' have been added to control the user-presence proof, user verification and the requirement to enter a PIN.
  • The '--user', '--system', '--merge' and '--file' options, analogous to the journalctl options, have been added to systemd-journal-gatewayd.
  • In addition to the forward dependencies between units defined by the OnFailure and Slice settings, support for the reverse dependencies OnFailureOf and SliceOf has been added, which can be useful, for example, for determining all units included in a slice.
  • New types of dependencies between units have been added: OnSuccess and OnSuccessOf (the opposite of OnFailure, triggered on successful completion); PropagatesStopTo and StopPropagatedFrom (allow a unit's stop event to be propagated to another unit); Upholds and UpheldBy (an alternative to Restart).
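The new dependency types (OnSuccess, PropagatesStopTo and Upholds) in three constructed units. This is an added example rather than configuration from the systemd project; the unit names and binaries are assumptions.

```ini
# /etc/systemd/system/nightly-backup.service  (constructed example)
[Unit]
Description=Nightly backup job
# Forward dependencies: activate a different unit depending on the outcome.
# The reverse side (OnSuccessOf=, OnFailureOf=) is derived automatically.
OnSuccess=backup-report.service
OnFailure=backup-alert.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/run-backup

# /etc/systemd/system/sensor-collector.service  (constructed example)
[Unit]
Description=Sensor collector
# When this unit is stopped, stop its cache helper as well; the helper sees
# this as StopPropagatedFrom=.
PropagatesStopTo=sensor-cache.service

[Service]
ExecStart=/usr/local/bin/sensor-collector

# /etc/systemd/system/sensors.target  (constructed example)
[Unit]
Description=Sensor stack
# Unlike Restart= in the service itself, Upholds= is owned by the dependent
# side: as long as this target is active, systemd keeps starting the listed
# service whenever it is found inactive or failed.
Upholds=sensor-collector.service
```

The derived reverse dependencies can be inspected with `systemctl show -p UpheldBy sensor-collector.service` or `systemctl show -p OnSuccessOf backup-report.service`, which is how you answer "what will restart or trigger this unit" without reading every other unit file.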
  • The systemd-ask-password utility now has an '--emoji' option to control the display of the lock symbol (🔐) in the password prompt.
  • Documentation on the structure of the systemd source tree has been added.
  • For units, the MemoryAvailable property has been added, which shows how much memory is left to the unit before reaching the limit set via MemoryMax, MemoryHigh or MemoryAvailable.

Source: opennet.ru
