Release of the systemd 250 system manager

After five months of development, systemd 250 has been released. The new release introduces the ability to store credentials in encrypted form, implements verification of automatically discovered GPT partitions using digital signatures, improves the information shown about the reasons for delays in service startup, adds options for restricting service access to specific file systems and network interfaces, provides integrity monitoring for block devices using the dm-integrity module, and adds support for automatically updating sd-boot.

Main changes:

  • Added support for encrypted and authenticated credentials, which can be used to securely store sensitive material such as SSL keys and access passwords. Credentials are decrypted only when needed and are bound to the local installation or hardware. The data is encrypted with symmetric encryption algorithms, using a key that can be stored on the file system, in a TPM2 chip, or using a combined scheme. When a service starts, the credentials are decrypted automatically and made available to the service in the usual way. To work with encrypted credentials, the 'systemd-creds' utility has been added, and the LoadCredentialEncrypted and SetCredentialEncrypted settings are offered for services.
  • sd-stub, the EFI executable that lets EFI firmware load the Linux kernel, now supports booting the kernel using the LINUX_EFI_INITRD_MEDIA_GUID EFI protocol. sd-stub can also pack credentials and sysext files into a cpio archive and pass that archive to the kernel together with the initrd (the additional files are placed in the /.extra/ directory). This feature makes it possible to use an immutable, verifiable initrd environment supplemented by sysexts and encrypted credential data.
  • The Discoverable Partitions Specification has been significantly expanded and provides tools for identifying, mounting and unlocking system partitions using GPT (GUID Partition Tables). Compared to the previous release, the specification now supports root and/or usr partitions for most architectures, including platforms that do not use UEFI.

    Discoverable partitions gain support for integrity-protected partitions verified by the dm-verity module using PKCS#7 digital signatures, which makes it easier to build fully verified disk images. Verification support is integrated into the various services that process disk images, including systemd-nspawn, systemd-sysext, systemd-dissect, RootImage services, systemd-tmpfiles and systemd-sysusers.

  • For units that take a long time to start or stop, in addition to the animated progress bar it is now possible to display status information that shows exactly what is happening with the service at that moment and which service the system manager is currently waiting on to finish.
  • Added the DefaultOOMScoreAdjust parameter to /etc/systemd/system.conf and /etc/systemd/user.conf, which lets you adjust the OOM-killer score applied to system and user processes when memory runs low. By default, system services are weighted higher than user services, i.e. when memory is insufficient, user services are more likely to be terminated than system services.
  • Added the RestrictFileSystems setting, which lets you restrict service access to specific types of file systems. To list the available file system types, use the 'systemd-analyze filesystems' command. Similarly, the RestrictNetworkInterfaces option has been implemented, which lets you restrict access to specific network interfaces. The implementation is based on the BPF LSM module, which restricts access of a group of processes to kernel objects.
  • Added a new /etc/integritytab configuration file and the systemd-integritysetup utility, which configure the dm-integrity module to control data integrity at the block-device level, for example to ensure the immutability of encrypted data (Authenticated Encryption, confirming that a data block has not been tampered with). The format of /etc/integritytab is similar to the /etc/crypttab and /etc/veritytab files, except that dm-integrity is used instead of dm-crypt and dm-verity.
  • A new unit file, systemd-boot-update.service, has been added; when it is enabled and the sd-boot bootloader is installed, systemd automatically updates the installed sd-boot version, keeping the bootloader code up to date. sd-boot itself is now built by default with SBAT support (UEFI Secure Boot Advanced Targeting), which solves problems with UEFI Secure Boot certificate revocation. In addition, sd-boot can parse Microsoft Windows settings in order to generate correct names for Windows boot entries and display the Windows version.

    sd-boot also allows a color scheme to be defined at build time. During boot, support has been added for changing the screen resolution by pressing the "r" key. The "f" hotkey has been added to enter the firmware configuration interface. A mode has been added to automatically boot the menu entry that was selected during the last boot. EFI drivers placed in the /EFI/systemd/drivers/ directory on the ESP (EFI System Partition) are now loaded automatically.

  • A new factory-reset.target unit is included; it is handled by systemd-logind in the same way as the reboot, poweroff, suspend and hibernate operations, and is intended to let administrators perform a factory reset.
  • systemd-resolved now creates an additional listening socket on 127.0.0.54 in addition to 127.0.0.53. Requests arriving at 127.0.0.54 are always forwarded to the upstream DNS server and are not resolved locally.
  • It is now possible to build systemd-importd and systemd-resolved with the OpenSSL library instead of libgcrypt.
  • Added initial support for the LoongArch architecture used in Loongson processors.
  • systemd-gpt-auto-generator can automatically set up swap partitions located inside a LUKS2 encrypted volume.
  • The GPT image parsing code used in systemd-nspawn, systemd-dissect and similar tools can now identify images of other architectures, allowing systemd-nspawn to be used to run such images under emulators for other architectures.
  • When inspecting disk images, systemd-dissect now displays information about the purpose of each partition, such as whether it is suitable for UEFI boot or for running in a container.
  • The "SYSEXT_SCOPE" field has been added to extension-release.d/ files, which lets you indicate the scope of the system extension image: "initrd", "system" or "portable".
  • The "PORTABLE_PREFIXES" field has been added to the os-release file; it can be used in portable images to define the supported unit file prefixes.
  • systemd-logind introduces the new settings HandlePowerKeyLongPress, HandleRebootKeyLongPress, HandleSuspendKeyLongPress and HandleHibernateKeyLongPress, which define what happens when the corresponding key is held down for more than 5 seconds (for example, a short press of the suspend key versus holding it down, which puts the system to sleep).
  • For units, the StartupAllowedCPUs and StartupAllowedMemoryNodes settings have been implemented; they differ from the corresponding settings without the Startup prefix in that they apply only during the boot and shutdown phases, allowing different resource limits to be set during startup.
  • Added [Condition|Assert][Memory|CPU|IO]Pressure checks, which allow a unit's activation to be skipped or to fail if the PSI mechanism detects heavy memory, CPU or I/O load on the system.
  • The default inode limit has been raised from 64k to 1M for the /dev partition and from 400k to 1M for the /tmp partition.
  • The ExecSearchPath setting is offered for services; it changes the search path for executables launched by directives such as ExecStart.
  • Added the RuntimeRandomizedExtraSec setting, which adds a random offset to the RuntimeMaxSec timeout that limits a unit's execution time.
  • The syntax of the RuntimeDirectory, StateDirectory, CacheDirectory and LogsDirectory settings has been extended: by adding a colon-separated value, you can now have a symbolic link created to the given directory so that it is reachable via multiple paths.
  • For services, the TTYRows and TTYColumns settings are provided to set the number of rows and columns on the TTY device.
  • Added the ExitType setting, which changes the logic used to decide when a service has exited. By default the system only watches for the death of the main process, but if ExitType=cgroup is set, the system manager waits for the last process in the cgroup to exit.
  • The systemd-cryptsetup implementation of TPM2/FIDO2/PKCS11 support is now also built as a cryptsetup plugin, allowing the regular cryptsetup command to be used to unlock an encrypted partition.
  • The TPM2 handler in systemd-cryptsetup/systemd-cryptenroll adds support for RSA primary keys in addition to ECC keys, improving compatibility with chips that do not support ECC.
  • The token-timeout option has been added to /etc/crypttab; it sets the maximum time to wait for a PKCS#11/FIDO2 token to be connected, after which you are prompted for a password or recovery key.
  • systemd-timesyncd implements the SaveIntervalSec setting, which periodically saves the current system time to disk, for example to implement a monotonic clock on systems without an RTC.
  • Options added to the systemd-analyze utility: "--image" and "--root" to inspect unit files inside a given image or root directory, "--recursive-errors" to take dependent units into account when an error is detected, "--offline" to inspect unit files stored on disk separately, "--json" for output in JSON format, "--quiet" to suppress non-essential messages, and "--profile" to bind to a portable profile. Also added is the inspect-elf command for parsing core files in ELF format, and the ability to inspect unit files by unit name even when that name does not match the file name.
  • systemd-networkd has extended support for the Controller Area Network (CAN) bus. Added settings for controlling CAN modes: Loopback, OneShot, PresumeAck and ClassicDataLengthCode. Added the TimeQuantaNSec, PropagationSegment, PhaseBufferSegment1, PhaseBufferSegment2, SyncJumpWidth, DataTimeQuantaNSec, DataPropagationSegment, DataPhaseBufferSegment1, DataPhaseBufferSegment2 and DataSyncJumpWidth options for interface bit timing.
  • systemd-networkd added the Label option for the DHCPv4 client, which sets the address label used when configuring IPv4 addresses.
  • systemd-udevd's "ethtool" support implements the special value "max", which sets buffer sizes to the maximum value supported by the hardware.
  • In .link files for systemd-udevd you can now configure various coalescing parameters for network adapters and hardware offload.
  • systemd-networkd provides new default network files: 80-container-vb.network, describing the network bridges created when systemd-nspawn is run with the "--network-bridge" or "--network-zone" options, and 80-6rd-tunnel.network, describing the tunnels created automatically when a DHCP response with the 6RD option is received.
  • systemd-networkd and systemd-udevd added support for IP over InfiniBand interfaces: an "[IPoIB]" section has been added to systemd.netdev files, and the "ipoib" value is now handled for the Kind setting.
  • systemd-networkd provides automatic route configuration for the addresses listed in the AllowedIPs parameter, which can be tuned with the RouteTable and RouteMetric parameters in the [WireGuard] and [WireGuardPeer] sections.
  • systemd-networkd provides automatic generation of persistent MAC addresses for batadv and bridge interfaces. To disable this behaviour, specify MACAddress=none in the .netdev file.
  • The WakeOnLanPassword setting has been added to the "[Link]" section of .link files to set the password used when WoL operates in "SecureOn" mode.
  • Added the AutoRateIngress, CompensationMode, FlowIsolationMode, NAT, MPUBytes, PriorityQueueingPreset, FirewallMark, Wash, SplitGSO and UseRawPacketSize settings in the "[CAKE]" section of .network files to define parameters of the CAKE (Common Applications Kept Enhanced) queuing discipline.
  • Added the IgnoreCarrierLoss setting in the "[Network]" section of .network files, which specifies how long to wait before reacting to loss of the carrier signal.
  • systemd-nspawn, homectl, machinectl and systemd-run have extended the syntax of the "--setenv" parameter: if only a variable name is given (without "="), the value is taken from the corresponding environment variable (for example, "--setenv=FOO" takes the value of the $FOO environment variable and uses it for the variable of the same name set in the container).
  • systemd-nspawn added the "--suppress-sync" option, which disables the sync()/fsync()/fdatasync() system calls while running a container (useful when speed matters more than preserving build artifacts in the event of a failure, since they can be regenerated at any time).
  • A new hwdb database has been added covering various types of signal analyzers (multimeters, protocol analyzers, oscilloscopes, etc.). The camera information in hwdb has been expanded with a field describing the camera type (regular or infrared) and lens placement (front or rear).
  • Enabled generation of persistent network interface names for network devices used in Xen.
  • Analysis of core files by the systemd-coredump utility, based on the libdw/libelf libraries, is now performed in a separate, sandboxed process.
  • systemd-importd added support for the environment variables $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA and $SYSTEMD_IMPORT_SYNC, which let you disable Btrfs subvolume creation and configure quotas and disk synchronization.
  • In systemd-journald, on file systems that support copy-on-write, COW mode is re-enabled for archived journals, allowing them to be compressed using Btrfs.
  • systemd-journald implements deduplication of identical fields within a single message, performed before the message is written to the journal.
  • Added the "--show" option to the shutdown command to display a scheduled shutdown.
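The following unit file is an added example (not from the article or the systemd project) that combines two of the items above: an encrypted credential loaded with LoadCredentialEncrypted, and the BPF-LSM-backed RestrictFileSystems and RestrictNetworkInterfaces allow-lists. The service name, file paths, the mgmt0 interface and the embedded command line are assumptions.

```ini
# /etc/systemd/system/web-backend.service  (constructed example)
#
# The credential file is produced once, on the host, with the new utility;
# "host+tpm2" binds the key to both the local installation and the TPM2 chip.
# (paths are assumptions):
#   systemd-creds encrypt --name=tls-key --with-key=host+tpm2 \
#       /root/tls-key.pem /etc/web-backend/tls-key.cred

[Unit]
Description=Web backend with an encrypted TLS key and a restricted sandbox

[Service]
DynamicUser=yes

# Decrypted only when the service starts; the plaintext is exposed read-only
# as $CREDENTIALS_DIRECTORY/tls-key and never appears in the unit file.
LoadCredentialEncrypted=tls-key:/etc/web-backend/tls-key.cred

# Short secrets can be embedded inline instead: "systemd-creds encrypt -p"
# prints a ready-made SetCredentialEncrypted= line (placeholder value below).
# SetCredentialEncrypted=db-password:<ciphertext-printed-by-systemd-creds>

# The program reads its key from $CREDENTIALS_DIRECTORY/tls-key (assumed).
ExecStart=/usr/local/bin/web-backend

# Allow-list of file system types; any other type (nfs, fuse, ...) is refused
# by the BPF LSM hook. "systemd-analyze filesystems" lists the known names
# and groups; @basic-api covers proc, sysfs, devpts and similar pseudo-fs.
RestrictFileSystems=ext4 tmpfs @basic-api

# Only the loopback and the internal management interface are reachable.
RestrictNetworkInterfaces=lo mgmt0

[Install]
WantedBy=multi-user.target
```

Prefixing either list with "~" turns it into a deny-list, which is the simpler choice when a service legitimately needs most of the system but must never touch one specific file system or interface.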

Source: opennet.ru
