Release of the systemd system manager 243

After five months of development, the release of the systemd system manager 243 has been announced. Among the new features are a handler for out-of-memory events integrated into PID 1, support for attaching custom BPF programs to filter a unit's network traffic, many new systemd-networkd options, a mode for measuring the throughput of network interfaces, the use by default on 64-bit systems of 22-bit PID numbers instead of 16-bit ones, the switch to the unified cgroup hierarchy by default, and the addition of systemd-network-generator.

Major changes:

  • Handling of the kernel's out-of-memory (OOM) killer events has been integrated into PID 1: the service manager now watches for OOM kills in the cgroups of its units, so a unit in which a process was killed after hitting its memory limit can be treated specially, with the option of stopping or killing the whole unit (the new OOMPolicy= service setting, with DefaultOOMPolicy= in system.conf as the system-wide default);
  • New unit-file parameters IPIngressFilterPath= and IPEgressFilterPath= attach BPF programs, together with their handler code, to filter the incoming and outgoing IP packets of the processes belonging to the unit. The programs are referenced by their path in the BPF filesystem (/sys/fs/bpf/), must be of the cgroup socket-buffer type (BPF_PROG_TYPE_CGROUP_SKB) and require the unified cgroup hierarchy. Together these make it possible to build a kind of per-service firewall for systemd services (the original article links an example of writing a simple BPF-based network filter);

  • A "clean" command was added to the systemctl utility to remove a unit's cache, runtime, state and log directories (those configured with CacheDirectory=, RuntimeDirectory=, StateDirectory= and LogsDirectory=; the --what= option selects which of them to remove);
  • systemd-networkd adds support for MACsec, nlmon, IPVTAP and Xfrm network devices;
  • systemd-networkd now uses separate DHCPv4 and DHCPv6 settings in the "[DHCPv4]" and "[DHCPv6]" sections of the configuration file. A RoutesToDNS= option was added that installs a separate route to the DNS server listed in the parameters received from the DHCP server (so that traffic to the DNS server goes over the same link as the default route received via DHCP). New DHCPv4 options: MaxAttempts= - the maximum number of attempts to obtain an address, BlackList= - a blacklist of DHCP servers whose offers are ignored, SendRelease= - send a DHCP RELEASE message when the client stops;
  • New commands were added to the systemd-analyze utility:
    • "systemd-analyze timestamp" - parses and converts timestamps;
    • "systemd-analyze timespan" - parses and converts time spans;
    • "systemd-analyze condition" - parses and tests ConditionXYZ= expressions;
    • "systemd-analyze exit-status" - translates exit statuses from numbers to names and back;
    • "systemd-analyze unit-files" - lists all file paths of units and unit aliases.
  • The SuccessExitStatus=, RestartPreventExitStatus= and RestartForceExitStatus= options now accept not only numeric exit codes but also their symbolic names (e.g. "DATAERR"). The list of codes with assigned identifiers can be viewed with the "systemd-analyze exit-status" command;

  • A "delete" command was added to the networkctl utility to remove (virtual) network devices, along with a "--stats" option that shows device statistics;
  • SpeedMeter= and SpeedMeterIntervalSec= settings were added to networkd.conf to measure the throughput of network links periodically. The statistics obtained from the measurements can be seen in the output of the "networkctl status" command;
  • A new systemd-network-generator utility was added that generates .network, .netdev and .link files from the IP settings passed on the Linux kernel command line at boot in the Dracut format (ip=, ifname= and related options);

  • The value of the sysctl "kernel.pid_max" on 64-bit systems is now set by default to 4194304 (22-bit PIDs instead of 16-bit ones). This reduces the chance of PID collisions caused by PID reuse, raises the limit on the number of simultaneously running processes and has a positive effect on security. The setting is shipped as /usr/lib/sysctl.d/50-pid-max.conf and can be overridden with a file in /etc/sysctl.d/. The change could cause compatibility problems, but none have been reported in practice;
  • The build system now defaults to the unified cgroup v2 hierarchy ("-Ddefault-hierarchy=unified"). Previously the default was the hybrid mode ("-Ddefault-hierarchy=hybrid");
  • The behaviour of the system call filter (SystemCallFilter=) changed: when a prohibited system call is made, the entire process is now terminated instead of only the calling thread, since killing individual threads can lead to unexpected problems. The change only takes effect with Linux kernel 4.14+ and libseccomp 2.4.0+ (the SECCOMP_RET_KILL_PROCESS action);
  • Unprivileged processes are allowed to send ICMP Echo (ping) requests by setting the sysctl "net.ipv4.ping_group_range" to cover all groups (so any process can open an unprivileged ICMP datagram socket without CAP_NET_RAW);
  • To speed up the build, generation of man pages is disabled by default (to build the full documentation, pass the "-Dman=true" option, or "-Dhtml=true" for the HTML version). For convenient reading of the documentation two scripts were added, build/man/man and build/man/html, which build and display the page of interest;
  • For handling network names containing characters from national alphabets, the libidn2 library is now used by default (to go back to libidn use the "-Dlibidn=true" option);
  • Support for the /usr/sbin/halt.local file, which provided functionality that was not widely used across distributions, has been removed. To run commands at shutdown it is recommended to use scripts in /usr/lib/systemd/system-shutdown/ or to define a new unit ordered against final.target;
  • At the final stage of shutdown, systemd now raises the log level in the sysctl "kernel.printk", which solves the problem of log messages from the last stages of shutdown not being shown once the regular logging daemons have already terminated;
  • In journalctl and other tools that display logs, warnings are highlighted in yellow and audit records in blue to make them stand out from the rest;
  • In the $PATH environment variable the bin/ path now precedes the sbin/ path, i.e. if executables with the same name exist in both directories, the one from bin/ is run;
  • systemd-logind provides a SetBrightness() D-Bus call on its session objects, through which a session's clients can safely change the brightness of a display belonging to that session;
  • A "--wait-for-initialization" flag was added to the "udevadm info" command to wait until the device has been initialized by udev;
  • During system boot, PID 1 now shows unit names instead of the line with their description. To return to the previous behaviour, use the StatusUnitFormat= option in /etc/systemd/system.conf or the systemd.status_unit_format= kernel command-line option;
  • A KExecWatchdogSec= option was added to /etc/systemd/system.conf for the PID 1 watchdog, defining the timeout when rebooting via kexec. The old ShutdownWatchdogSec= setting was renamed RebootWatchdogSec= and defines the timeout for the operations performed during shutdown or reboot;

  • A new ExecCondition= option for services lets you specify commands to run before ExecStartPre=. The exit code of the command decides whether the unit goes on: 0 continues the start-up, 1 to 254 end it quietly (the unit is skipped without being marked as failed), and 255 ends it with the failed flag (abnormal termination by a signal also counts as failure);
  • A new systemd-pstore.service was added that extracts data from /sys/fs/pstore/ and archives it in /var/lib/systemd/pstore/ for later analysis;
  • New commands were added to the timedatectl utility ("ntp-servers" and "revert") for configuring per-interface NTP settings of systemd-timesyncd;
  • The "localectl list-locales" command no longer lists locales other than UTF-8 ones;
  • Errors applying individual settings in sysctl.d/ files are now ignored if the variable name starts with "-";
  • systemd-random-seed.service is now fully responsible for seeding the entropy pool of the Linux kernel's random number generator. Services that need a properly initialized /dev/urandom should be ordered after systemd-random-seed.service;
  • The systemd-boot bootloader gained the optional ability to maintain a random seed file on the EFI System Partition (ESP), which it combines with a system token stored in an EFI variable before passing the result to the kernel, so that the entropy pool is initialized early and systems installed from the same image do not end up with the same seed;
  • New commands were added to the bootctl tool: "bootctl random-seed" to generate the seed file on the ESP and "bootctl is-installed" to check whether the systemd-boot bootloader is installed. bootctl also now shows warnings about misconfigured boot entries (e.g. when the kernel image was deleted but the entry that loads it remains);
  • Automatic selection of the swap partition when the system goes into hibernation is provided. The partition is chosen according to the priorities configured for it and, for equal priorities, by the amount of free space;
  • A keyfile-timeout= option was added to /etc/crypttab to set how long to wait for the device holding the encryption key before falling back to prompting for a passphrase for the encrypted partition;
  • The IOWeight= option now also applies to the BFQ I/O scheduler;
  • systemd-resolved adds a 'strict' mode for DNS-over-TLS (DNSOverTLS=yes, which refuses to fall back to plaintext DNS, unlike the opportunistic mode) and the ability to cache only positive DNS answers ("Cache=no-negative" in resolved.conf);
  • For VXLAN, systemd-networkd added the GenericProtocolExtension= option to enable the VXLAN generic protocol extension. For VXLAN and GENEVE, the IPDoNotFragment= option sets the don't-fragment flag on outgoing packets;
  • In systemd-networkd, the "[Route]" section gained a FastOpenNoCookie= option enabling TCP Fast Open (TFO, RFC 7413) without a cookie on individual routes, as well as TTLPropagate= for configuring TTL propagation for MPLS LSPs (Label Switched Paths). The Type= option gained support for the local, broadcast, anycast, multicast, any and xresolve route types;
  • systemd-networkd provides a DefaultRouteOnDevice= option in the "[Network]" section to automatically create a default route over the given network device;
  • systemd-networkd added ProxyARP= and ProxyARPWiFi= for configuring proxy ARP behaviour, MulticastRouter= for configuring multicast routing parameters, and MulticastIGMPVersion= for changing the IGMP (Internet Group Management Protocol) version used for multicast;

  • systemd-networkd added Local=, Peer= and PeerPort= options for FooOverUDP tunnels to configure the local and remote IP addresses and the remote port number. For TUN devices, a VNetHeader= option was added to enable GSO (Generic Segmentation Offload) support;
  • In systemd-networkd, a Property= option appeared in the [Match] section of .network and .link files, allowing devices to be matched by their udev properties;
  • In systemd-networkd, an AssignToLoopback= option was added for tunnels, controlling whether the tunnel endpoint is assigned to the loopback device "lo";
  • systemd-networkd now automatically enables the IPv6 stack if it was disabled via the disable_ipv6 sysctl: IPv6 is enabled when IPv6 settings (static or DHCPv6) are defined for the network interface; otherwise the sysctl value already set is left unchanged;
  • In .network files, the CriticalConnection= setting was replaced by the KeepConfiguration= option, which provides several modes ("yes", "static", "dhcp-on-stop", "dhcp") defining the situations in which systemd-networkd must not touch the existing configuration of an interface when it starts or stops;
  • Fixed the vulnerability CVE-2019-15718, caused by a lack of access control on the D-Bus interface of systemd-resolved. The issue allowed an unprivileged user to perform operations available only to administrators, such as changing DNS settings and redirecting DNS queries to a malicious server; the fix adds polkit authorization checks to those methods;
  • Fixed the vulnerability CVE-2019-9619, related to pam_systemd lacking a restriction for non-interactive sessions, which made it possible to hijack an active session.
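As an added illustration (not from the release notes and not code shipped by the systemd project), the service unit below combines the service-level options described above: ExecCondition=, the pinned-BPF filter paths, OOMPolicy=, the process-wide seccomp behaviour and symbolic exit statuses. The unit name, the binary path, the BPF pin paths and the availability of bpftool are assumptions; the BPF programs are assumed to have been loaded and pinned beforehand, and the unified cgroup hierarchy must be in use for the filter paths to take effect.

```ini
# /etc/systemd/system/ipfilter-demo.service (hypothetical; added illustration,
# not part of systemd 243 or of the article)
[Unit]
Description=Demo service using the systemd 243 service-level options

[Service]
# ExecCondition= runs before ExecStartPre=. Here it verifies that the pinned
# object is a loaded BPF program, not merely a path that exists; exit 255
# marks the unit failed instead of letting the service start unfiltered
# (exit 1-254 would skip it quietly, exit 0 would continue).
ExecCondition=/bin/sh -c 'bpftool prog show pinned /sys/fs/bpf/ipfilter-demo/ingress >/dev/null 2>&1 || exit 255'
ExecStart=/usr/local/bin/ipfilter-demo

# Pinned BPF_PROG_TYPE_CGROUP_SKB programs (paths are assumptions); requires
# the unified cgroup hierarchy that 243 now selects by default.
IPIngressFilterPath=/sys/fs/bpf/ipfilter-demo/ingress
IPEgressFilterPath=/sys/fs/bpf/ipfilter-demo/egress

# If the kernel OOM-kills a process in this cgroup, stop the whole service
# rather than running on in a half-dead state (DefaultOOMPolicy= otherwise applies).
MemoryMax=512M
OOMPolicy=stop

# Allow-list, then remove the privileged and resource-control syscalls from it.
# With kernel 4.14+ and libseccomp 2.4.0+ a denied call now kills the whole
# process, not only the offending thread.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Exit statuses may be given by sysexits.h name: DATAERR is 65, CONFIG is 78.
SuccessExitStatus=DATAERR
RestartPreventExitStatus=CONFIG
Restart=on-failure

# Per-unit directories that "systemctl clean" can remove.
CacheDirectory=ipfilter-demo
StateDirectory=ipfilter-demo

[Install]
WantedBy=multi-user.target
```

The programs must be pinned before the unit starts, for example with "bpftool prog load ingress.o /sys/fs/bpf/ipfilter-demo/ingress type cgroup/skb" (object file name assumed). "systemd-analyze exit-status DATAERR CONFIG" confirms the numeric codes behind the names, and once the service has stopped, "systemctl clean --what=cache ipfilter-demo.service" removes only its cache directory and leaves the state directory in place.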
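As a second added illustration (again not from the release notes or the systemd project), a .network file using the new networkd layout: the Property= match, the split [DHCPv4]/[DHCPv6] sections with RoutesToDNS=, MaxAttempts=, BlackList= and SendRelease=, and KeepConfiguration= as the replacement for CriticalConnection=. The driver name and the blacklisted address are constructed placeholders.

```ini
# /etc/systemd/network/20-wired.network (hypothetical; added illustration,
# not part of systemd 243 or of the article)
[Match]
# Property= matches on udev properties; the driver name is an assumption.
Property=ID_NET_DRIVER=e1000e
Name=en*

[Network]
DHCP=yes
# Successor of CriticalConnection=yes: keep the DHCP lease and its routes when
# networkd stops (e.g. during a package upgrade) instead of tearing the link down.
KeepConfiguration=dhcp-on-stop
# Having IPv6 settings here also makes networkd re-enable IPv6 on this
# interface if it was disabled through the disable_ipv6 sysctl.
IPv6AcceptRA=yes

[DHCPv4]
# Install a route to the DHCP-provided DNS server over the same link as the
# default route, so resolver traffic cannot drift to another interface.
RoutesToDNS=yes
# Give up after five attempts instead of retrying forever.
MaxAttempts=5
# Ignore offers from this server (address from the RFC 5737 documentation range).
BlackList=192.0.2.99
# Send DHCPRELEASE when the client stops.
SendRelease=yes

[DHCPv6]
UseDNS=yes
```

"networkctl status" on the matching interface shows the lease, the extra DNS route and, with SpeedMeter=yes in networkd.conf, the measured throughput; "networkctl delete" only applies to virtual devices, so it is not relevant to a physical link matched this way.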

Source: opennet.ru
