systemd 248 system manager released

After four months of development, the release of the systemd 248 system manager has been presented. The new release adds support for images that extend the system hierarchies, the /etc/veritytab configuration file, the systemd-cryptenroll utility, unlocking of LUKS2 volumes using TPM2 chips and FIDO2 tokens, running units in a separate IPC namespace, the BATMAN protocol for mesh networking, and an nftables backend for systemd-nspawn. systemd-oomd has been stabilized.

Major changes:

  • The concept of System Extension Images has been implemented. Such images can be used to extend the /usr/ and /opt/ directory hierarchies and to add files at runtime, even when those directories are mounted read-only. When a system extension image is attached, its contents are overlaid onto the /usr/ and /opt/ hierarchies using OverlayFS.

    A new utility, systemd-sysext, has been introduced to attach, detach, inspect and refresh system extension images. To automatically attach already-installed images at boot, the systemd-sysext.service unit has been added. The "SYSEXT_LEVEL=" parameter has been added to the os-release file to identify the supported system extension level.

  • For units, the ExtensionImages= setting has been implemented; it can be used to attach system extension images to the file system namespace hierarchy of individual services.
  • The /etc/veritytab configuration file has been added to configure block-level data verification using the dm-verity module. The file format is similar to /etc/crypttab: "volume_name data_device hash_device root_hash options". The systemd.verity.root_options= kernel command-line option has been added to configure dm-verity behaviour for the root device.
  • systemd-cryptsetup can now extract the PKCS#11 token URI and the encrypted key from the LUKS2 JSON metadata header, which allows the information needed to unlock an encrypted device to be embedded in the device itself, without external files.
  • systemd-cryptsetup adds support for unlocking LUKS2 encrypted partitions using TPM2 chips and FIDO2 tokens, in addition to the previously supported PKCS#11 tokens. libfido2 is loaded via dlopen(), i.e. its availability is checked at runtime rather than through a hard link-time dependency.
  • The new "no-write-workqueue" and "no-read-workqueue" options have been added to /etc/crypttab for systemd-cryptsetup, enabling synchronous processing of I/O operations related to encryption and decryption.
  • The systemd-repart utility has gained the ability to create partitions encrypted with TPM2 chips, for example to create an encrypted /var partition on first boot.
  • The systemd-cryptenroll utility has been added to bind TPM2, FIDO2 and PKCS#11 tokens to LUKS volumes, as well as to unbind and list tokens, bind recovery keys and set a password for access.
  • The PrivateIPC= setting has been added, which allows a unit file to run processes in a separate IPC namespace with its own identifiers separate from the message queue. To attach a unit to an existing IPC namespace, the IPCNamespacePath= setting has been added.
  • The ExecPaths= and NoExecPaths= settings have been added to allow the noexec flag to be applied to specific parts of the file system.
  • systemd-networkd adds support for the BATMAN (Better Approach To Mobile Adhoc Networking) mesh protocol, which allows building a decentralized network in which each node is connected through neighbouring nodes. For configuration, the [BatmanAdvanced] section in .netdev files, the BatmanAdvanced= parameter in .network files, and a new device kind "batadv" are proposed.
  • The implementation of the proactive response mechanism for low memory in the systemd-oomd service has been stabilized. The DefaultMemoryPressureDurationSec= option has been added to configure how long to wait for a resource to be released before acting on a unit. systemd-oomd uses the kernel PSI (Pressure Stall Information) subsystem, which makes it possible to detect the onset of delays caused by resource shortage and selectively terminate resource-intensive processes while the system is not yet in a critical state and has not started aggressively shrinking the cache and evicting data to the swap partition.
  • The "root=tmpfs" kernel command-line parameter has been added, which allows mounting the root partition in RAM-backed temporary storage using tmpfs.
  • The /etc/crypttab parameter that specifies the key file can now point to an AF_UNIX socket of type SOCK_STREAM. In this case the key must be provided when connecting to the socket, which can be used, for example, to build services that supply keys dynamically.
  • The fallback hostname used by the systemd manager and systemd-hostnamed can now be configured in two ways: via the DEFAULT_HOSTNAME= parameter in os-release and via the $SYSTEMD_DEFAULT_HOSTNAME environment variable. systemd-hostnamed also handles "localhost" in the hostname specially and gains the ability to report the hostname together with the "HardwareVendor" and "HardwareModel" properties over D-Bus.
  • The set of environment variables can now be configured with the new ManagerEnvironment= option in system.conf or user.conf, not only through the kernel command line and unit file settings.
  • At build time it is now possible to enable the use of the fexecve() call instead of execve() for launching processes, reducing the window between checking security conditions and applying them.
  • For unit files, the new ConditionSecurity=tpm2 and ConditionCPUFeature= conditions have been implemented to check for the presence of a TPM2 device and for individual CPU capabilities (for example, ConditionCPUFeature=rdrand can be used to check whether the processor supports the RDRAND instruction).
  • System call tables for seccomp filters have been implemented for the available architectures.
  • The ability to add bind mounts into the existing mount namespaces of services, without restarting those services, has been added. Mounting is performed with the 'systemctl bind ...' and 'systemctl mount-image …' commands.
  • Added support for specifying paths in the StandardOutput= and StandardError= settings with the "truncate:" prefix, so that the file is truncated before use.
  • The ability to establish a connection to a specific user session inside a local container has been added to sd-bus. Example: "systemctl --user -M lennart@ start quux".
  • The following settings have been implemented in systemd.link files in the [Link] section:
    • Promiscuous= - allows switching the device into "promiscuous mode" to process all network packets, including those not addressed to the current system;
    • TransmitQueues= and ReceiveQueues= to set the number of TX and RX queues;
    • TransmitQueueLength= to set the TX queue length; GenericSegmentOffloadMaxBytes= and GenericSegmentOffloadMaxSegments= to set limits for the use of GRO (Generic Receive Offload) technology.
  • New settings have been added to systemd.network files:
    • [Network] RouteTable= to select the routing table;
    • [RoutingPolicyRule] Type= to set the routing rule type ("blackhole", "unreachable", "prohibit");
    • [IPv6AcceptRA] RouteDenyList= and RouteAllowList= for lists of allowed and denied advertisements;
    • [DHCPv6] UseAddress= to ignore the address provided by DHCP;
    • [DHCPv6PrefixDelegation] ManageTemporaryAddress=;
    • ActivationPolicy= to define the policy for interface activation (always keep the UP or DOWN state, or allow the user to change the state with the "ip link set dev" command).
  • The [VLAN] Protocol=, IngressQOSMaps= and EgressQOSMaps= options and the [MACVLAN] BroadcastMulticastQueueLength= option have been added to systemd.netdev files to configure VLAN packet processing.
  • The /dev/ directory is no longer mounted in noexec mode, since this caused conflicts when using the executable flag with /dev/sgx files. To restore the old behaviour, the NoExecPaths=/dev setting can be used.
  • The permissions of the /dev/vsock file have been changed to 0o666, and the /dev/vhost-vsock and /dev/vhost-net files have been moved to the kvm group.
  • The hardware database has been extended with USB fingerprint readers that correctly support sleep mode.
  • systemd-resolved adds support for answering DNSSEC queries through the stub resolver. Local clients can perform DNSSEC validation themselves, while queries are proxied unchanged to the upstream DNS server.
  • The CacheFromLocalhost= option has been added to resolved.conf; when set, systemd-resolved will use caching even for requests to a DNS server at 127.0.0.1 (by default, caching of such requests is disabled to avoid double caching).
  • systemd-resolved adds support for RFC 5001 NSIDs in the DNS stub resolver, allowing clients to distinguish between interactions with the local stub and with another DNS server.
  • The resolvectl utility has gained the ability to display information about the data source (local cache, network request, locally synthesized response) and about the encryption used when transferring data. The --cache, --synthesize, --network, --zone, --trust-anchor and --validate options have been provided to control the name resolution method.
  • systemd-nspawn adds support for configuring the firewall using nftables in addition to the existing iptables support. The IPMasquerade= setting in systemd-networkd has gained the ability to use an nftables-based backend.
  • Added support in systemd for calling locale-gen to generate missing locales.
  • The --pager/--no-pager/--json= options have been added to various utilities to enable/disable paging mode and JSON-formatted output. The ability to set the number of colours used in the terminal via the SYSTEMD_COLORS environment variable ("16" or "256") has been added.
  • Building with split hierarchies (split / and /usr) and cgroup v1 support has been removed.
  • The main Git branch has been renamed from 'master' to 'main'.
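As an added illustration that is not from the release notes or the systemd project, the hypothetical unit below combines several of the directives described above (ConditionSecurity=, ConditionCPUFeature=, PrivateIPC=, NoExecPaths=/ExecPaths=, ExtensionImages= and the "truncate:" output prefix) to confine a single daemon; the service name, the /usr/sbin/myd binary and the extension image path are assumptions.

```ini
# myd.service (hypothetical unit, added as an illustration)
[Unit]
Description=Example daemon confined with systemd 248 directives
# Skip startup on hosts without a TPM2 device
ConditionSecurity=tpm2
# Skip startup if the CPU does not provide RDRAND
ConditionCPUFeature=rdrand

[Service]
# Assumed binary path, not a real program
ExecStart=/usr/sbin/myd
# Separate IPC namespace: SysV IPC objects and POSIX message
# queues of the host are not visible to the service
PrivateIPC=yes
# Deny execution everywhere, then re-allow only the daemon and
# the library directories needed to load it
NoExecPaths=/
ExecPaths=/usr/sbin/myd /usr/lib /usr/lib64
# Assumed extension image; its /usr and /opt content is overlaid
# only inside this service's mount namespace
ExtensionImages=/var/lib/extensions/myd-tools.raw
# Truncate the log file on every start instead of appending
StandardOutput=truncate:/var/log/myd.log
StandardError=inherit

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security myd.service` reports the effect of these settings on the unit's exposure score.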

Source: opennet.ru
