Release of the systemd 243 system manager

After five months of development, the systemd 243 system manager has been released. Among the new features: handling of the kernel's out-of-memory events integrated into PID 1, support for attaching your own BPF programs to filter a unit's traffic, many new systemd-networkd options, a mode for monitoring network interface bandwidth, a switch on 64-bit systems to 22-bit PID numbers by default instead of 16-bit, the change to the unified cgroup hierarchy, and the inclusion of systemd-network-generator.

Main changes:

  • Handling of the out-of-memory (OOM) events generated by the kernel was added to PID 1: when processes of a unit exceed their memory limit and are killed by the kernel's OOM killer, the manager can now react per unit and optionally stop or kill the whole unit (the OOMPolicy= unit setting, with a system-wide default in DefaultOOMPolicy=);
  • Unit files gained the new IPIngressFilterPath= and IPEgressFilterPath= parameters, which attach custom (third-party) BPF programs to filter the incoming and outgoing IP packets of the processes belonging to the unit. The settings make it possible to build a kind of per-service firewall for systemd services; an example of writing a simple BPF-based network filter is provided;
  • systemctl gained a "clean" command that removes a unit's cache, runtime, state and log directories;
  • systemd-networkd added support for MACsec, nlmon, IPVTAP and Xfrm network interfaces;
  • systemd-networkd now configures the DHCPv4 and DHCPv6 stacks separately, through "[DHCPv4]" and "[DHCPv6]" sections of the configuration file. A RoutesToDNS= option installs a separate route to the DNS servers announced by the DHCP server (so that DNS traffic goes over the same link as the default route obtained via DHCP). New [DHCPv4] options: MaxAttempts= (maximum number of attempts to obtain an address), BlackList= (a blacklist of DHCP servers) and SendRelease= (send a DHCP RELEASE message when the lease is given up);
  • New commands were added to the systemd-analyze utility:
    • "systemd-analyze timestamp": parsing and conversion of timestamps;
    • "systemd-analyze timespan": parsing and conversion of time spans;
    • "systemd-analyze condition": parsing and evaluation of ConditionXYZ= expressions;
    • "systemd-analyze exit-status": translation of exit codes from numbers to names and back;
    • "systemd-analyze unit-files": lists all unit file paths and unit aliases.
  • The SuccessExitStatus=, RestartPreventExitStatus= and RestartForceExitStatus= settings now accept not only numeric exit codes but also their symbolic names (for example, "DATAERR"). The list of codes with assigned names can be viewed with the "systemd-analyze exit-status" command;
  • networkctl gained a "delete" command to remove virtual network devices and a "--stats" option to show device statistics;
  • The SpeedMeter= and SpeedMeterIntervalSec= settings were added to networkd.conf for periodic measurement of network interface throughput. The collected statistics are shown in the output of "networkctl status";
  • A new systemd-network-generator component generates .network, .netdev and .link files from the IP settings passed on the Linux kernel command line in the format used by Dracut;
  • On 64-bit systems the kernel.pid_max sysctl now defaults to 4194304 (22-bit PIDs instead of 16-bit), which reduces the likelihood of PID reuse, raises the limit on the number of concurrently running processes and has a positive effect on security. The change may cause compatibility problems, but none have been reported in practice so far;
  • The build now defaults to the unified cgroup hierarchy, cgroups v2 ("-Ddefault-hierarchy=unified"); previously the default was the hybrid mode ("-Ddefault-hierarchy=hybrid");
  • The behaviour of the system call filter (SystemCallFilter=) changed: on a prohibited system call the whole process is now terminated rather than only the calling thread, since terminating individual threads can leave the process in an unpredictable state. The change takes effect only with Linux kernel 4.14+ and libseccomp 2.4.0+;
  • Unprivileged programs are allowed to send ICMP Echo (ping) packets by setting the net.ipv4.ping_group_range sysctl to the full range of groups (i.e. for all processes); administrators who do not want this can override the sysctl in a local sysctl.d/ file;
  • To speed up builds, generation of man pages is disabled by default (to build the full documentation, use the "-Dman=true" option, or "-Dhtml=true" for manuals in HTML format). To make the documentation easier to consult, two scripts are included, build/man/man and build/man/html, which generate and display the requested manual pages;
  • For processing domain names containing characters from national alphabets, the libidn2 library is now used by default (to return to libidn, use the "-Dlibidn=true" option);
  • Support for the /usr/sbin/halt.local executable, a feature that never became widespread among distributions, has been dropped. To run commands at shutdown, use scripts in /usr/lib/systemd/system-shutdown/ or define a new unit hooked into final.target;
  • At the final stage of shutdown, systemd now automatically raises the log level in the kernel.printk sysctl, which solves the problem of events from the last shutdown stages, after the logging daemons have already exited, not being displayed;
  • In journalctl and the other log-displaying utilities, warnings are highlighted in yellow and audit records in blue so that they stand out in the stream of messages;
  • In the $PATH environment variable the bin/ directories now come before sbin/, i.e. if executables with the same name exist in both directories, the one from bin/ is executed;
  • systemd-logind provides a SetBrightness() call for safely changing the screen brightness on a per-session basis;
  • A "--wait-for-initialization" flag was added to the "udevadm info" command to wait until a device has been initialized;
  • During system boot, PID 1 now shows unit names instead of the line with their description. To restore the previous behaviour, use the StatusUnitFormat= option in /etc/systemd/system.conf or the systemd.status_unit_format= kernel command line option;
  • A KExecWatchdogSec= option was added to /etc/systemd/system.conf for the PID 1 watchdog; it sets the timeout for reboots performed via kexec. The old ShutdownWatchdogSec= setting was renamed to RebootWatchdogSec= and defines the timeout for operations during a normal shutdown or reboot;
  • Services gained a new ExecCondition= option, which specifies commands to be executed before ExecStartPre=. The exit code returned by the command decides how the unit proceeds: with exit code 0 start-up of the unit continues; with 1 to 254 the unit is quietly skipped without setting the failed flag; with 255 it is aborted with the failed flag set;
  • A new systemd-pstore.service was added, which moves the data out of /sys/fs/pstore/ and archives it under /var/lib/systemd/pstore for later analysis;
  • New commands were added to the timedatectl utility for configuring the NTP parameters of systemd-timesyncd per network interface;
  • The "localectl list-locales" command no longer shows non-UTF-8 locales;
  • Errors when assigning variables from sysctl.d/ files are now ignored if the variable name is prefixed with "-";
  • systemd-random-seed.service is now fully responsible for initializing the entropy pool of the Linux kernel's pseudo-random number generator. Services that require a properly initialized /dev/urandom must be ordered after systemd-random-seed.service;
  • The systemd-boot loader gained optional support for a random seed file on the EFI System Partition (ESP);
  • New commands were added to the bootctl utility: "bootctl random-seed" to generate the seed file on the ESP and "bootctl is-installed" to check whether the systemd-boot bootloader is installed. bootctl was also extended to show warnings about misconfigured boot entries (for example, when the kernel image has been deleted but its boot entry was left in place);
  • Automatic selection of the swap partition when the system enters hibernation is provided. The partition is chosen according to the priority configured for it and, among partitions with equal priority, by the amount of free space;
  • A keyfile-timeout= option in /etc/crypttab sets how long to wait for the device holding the encryption key before prompting for a passphrase to unlock the encrypted partition;
  • An IOWeight= option was added for setting the I/O weight with the BFQ scheduler;
  • systemd-resolved gained a "strict" DNS-over-TLS mode (no fallback to unencrypted DNS) and the ability to cache only positive DNS answers ("Cache=no-negative" in resolved.conf);
  • For VXLAN, systemd-networkd added a GenericProtocolExtension= option to enable the VXLAN generic protocol extension. For VXLAN and GENEVE, an IPDoNotFragment= option sets the flag that prohibits fragmentation of outgoing packets;
  • In the "[Route]" section of systemd-networkd, the FastOpenNoCookie= option enables TCP Fast Open (TFO, RFC 7413) without a cookie for individual routes, and the TTLPropagate= option configures TTL propagation for Label Switched Paths (LSP). The "Type=" option now supports the local, broadcast, anycast, multicast, any and xresolve route types;
  • systemd-networkd provides a DefaultRouteOnDevice= option in the "[Network]" section to automatically configure a default route on the given network device;
  • systemd-networkd added ProxyARP= and ProxyARPWiFi= for configuring proxy ARP behaviour, MulticastRouter= for setting multicast routing parameters, and MulticastIGMPVersion= for switching the IGMP (Internet Group Management Protocol) version used for multicast;
  • For FooOverUDP tunnels, systemd-networkd added the Local=, Peer= and PeerPort= options to set the local and remote IP addresses and the network port. For TUN tunnels, a VNetHeader= option was added to configure GSO (Generic Segmentation Offload) support;
  • In systemd-networkd, .network and .link files gained a Property= option in the [Match] section to identify devices by their udev properties;
  • In systemd-networkd, an AssignToLoopback= option was added for tunnels, controlling whether the tunnel endpoint is assigned to the loopback device "lo";
  • systemd-networkd now automatically enables the IPv6 stack when it has been disabled with the disable_ipv6 sysctl: IPv6 is enabled if IPv6 settings (static or DHCPv6) are defined for the network interface, otherwise the existing value of the sysctl is left unchanged;
  • In .network files the CriticalConnection= setting was replaced by the KeepConfiguration= option, which offers several ways ("yes", "static", "dhcp-on-stop", "dhcp") to describe the conditions under which systemd-networkd must not touch the existing configuration when it starts;
  • Vulnerability CVE-2019-15718 was fixed, caused by missing access control on the D-Bus interface of systemd-resolved. The issue allowed an unprivileged user to perform operations available only to administrators, such as changing DNS settings and redirecting DNS queries to a malicious server;
  • Vulnerability CVE-2019-9619 was fixed, related to incorrect handling of inactive sessions by pam_systemd, which allowed an active session to be hijacked.
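The per-service firewall item above (IPIngressFilterPath=) in practice, as an added shell example that is not part of systemd or of the announcement. The unit name example-api.service, the pin path /sys/fs/bpf/example-api-ingress, the policy "accept only traffic from loopback" and the use of clang plus bpftool are assumptions made for the illustration; the C program embedded in the script is constructed here and should be verified on the target kernel before relying on it.

```shell
#!/bin/sh
# Added example (not from the systemd project): a per-service ingress
# firewall for a hypothetical "example-api.service", built on the
# IPIngressFilterPath= setting. The pin/install steps need clang with a BPF
# target, bpftool and root; the file-writing helpers run anywhere.

# Constructed BPF_PROG_TYPE_CGROUP_SKB program: accept only IPv4 packets from
# 127.0.0.0/8 and IPv6 packets from ::1, drop everything else that reaches the
# service's sockets. Return 1 = accept, 0 = drop. bpf_skb_load_bytes() is used
# instead of direct packet access so the program also loads on older kernels.
write_filter_source() {
    cat > "$1" <<'EOF'
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/ipv6.h>

#define SEC(NAME) __attribute__((section(NAME), used))
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define bpf_htons(x) __builtin_bswap16(x)
#define bpf_htonl(x) __builtin_bswap32(x)
#else
#define bpf_htons(x) (x)
#define bpf_htonl(x) (x)
#endif

static long (*bpf_skb_load_bytes)(const void *skb, __u32 off, void *to, __u32 len) =
        (void *)BPF_FUNC_skb_load_bytes;

SEC("cgroup/skb")
int example_api_ingress(struct __sk_buff *skb)
{
    /* For cgroup/skb programs offset 0 is the start of the L3 header. */
    if (skb->protocol == bpf_htons(ETH_P_IP)) {
        struct iphdr ip;
        if (bpf_skb_load_bytes(skb, 0, &ip, sizeof(ip)) < 0)
            return 0;                                   /* truncated: drop */
        return (ip.saddr & bpf_htonl(0xff000000)) == bpf_htonl(0x7f000000);
    }
    if (skb->protocol == bpf_htons(ETH_P_IPV6)) {
        struct ipv6hdr ip6;
        if (bpf_skb_load_bytes(skb, 0, &ip6, sizeof(ip6)) < 0)
            return 0;
        return ip6.saddr.s6_addr32[0] == 0 && ip6.saddr.s6_addr32[1] == 0 &&
               ip6.saddr.s6_addr32[2] == 0 && ip6.saddr.s6_addr32[3] == bpf_htonl(1);
    }
    return 0;                                           /* anything else: drop */
}

char _license[] SEC("license") = "GPL";
EOF
}

# Compile the program and pin it in the bpf filesystem (root only).
build_and_pin() {
    src=$1 pin=$2
    clang -O2 -Wall -target bpf -c "$src" -o "${src%.c}.o"
    mount | grep -q ' /sys/fs/bpf ' || mount -t bpf bpf /sys/fs/bpf
    bpftool prog load "${src%.c}.o" "$pin" type cgroup/skb
}

# Drop-in pointing the unit at the pinned program. $1 is the unit directory
# (normally /etc/systemd/system), $2 the pin path.
write_dropin() {
    dir=$1/example-api.service.d
    mkdir -p "$dir"
    cat > "$dir/10-ingress-filter.conf" <<EOF
[Service]
# Runs alongside systemd's own IPAddressAllow=/IPAddressDeny= filter; a packet
# is delivered only if every program attached to the unit's cgroup accepts it.
IPIngressFilterPath=$2
EOF
}

if [ "${1:-}" = install ]; then
    write_filter_source /tmp/example-api-ingress.c
    build_and_pin /tmp/example-api-ingress.c /sys/fs/bpf/example-api-ingress
    write_dropin /etc/systemd/system /sys/fs/bpf/example-api-ingress
    systemctl daemon-reload
    systemctl restart example-api.service
fi
```

Because the kernel ANDs the verdicts of all programs attached to the cgroup, a custom program can only tighten the unit's policy, never loosen what IPAddressDeny= already blocks; the pin must exist before the unit starts, so keep the pinning step in a unit ordered before the service (or re-pin it at boot) rather than relying on /sys/fs/bpf surviving a reboot.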
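The ExecCondition= exit-code contract from the list above (0 continue, 1 to 254 skip without failure, 255 fail), as an added shell example that is not part of systemd or of the announcement. The unit name example-api.service, the configuration file path and the three checks themselves are assumptions chosen to exercise each outcome:

```shell
#!/bin/sh
# Added example (not from the systemd project): an ExecCondition= gate for a
# hypothetical "example-api.service". Hooked in with a drop-in such as
#
#   # /etc/systemd/system/example-api.service.d/10-precheck.conf
#   [Service]
#   ExecCondition=/usr/local/lib/example-api/precheck /etc/example-api.conf
#
# Exit status contract of ExecCondition= (systemd 243+):
#   0        continue with ExecStartPre=/ExecStart=
#   1..254   do not start the unit, and do not flag it as failed
#   255      do not start the unit, flag it as failed

# precheck CONF: returns 0 (start), 1 (skip quietly) or 255 (fail).
precheck() {
    conf=$1

    # Not configured on this host: a legitimate state, so skip quietly. The
    # unit stays "inactive" and "systemctl status" shows no error.
    if [ ! -e "$conf" ]; then
        return 1
    fi

    # Present but unusable: an operator error that must surface as a failed
    # unit, not as a silently skipped one.
    if [ ! -r "$conf" ]; then
        return 255
    fi
    if ! grep -q '^listen=' "$conf"; then
        return 255
    fi

    # Hypothetical hardening rule for this service: refuse to start from a
    # world-writable configuration file (find prints the path when it matches).
    if [ -n "$(find "$conf" -perm -002 2>/dev/null)" ]; then
        return 255
    fi
    return 0
}

# When invoked by systemd the config path is the only argument.
if [ -n "${1:-}" ]; then
    precheck "$1"
    exit $?
fi
```

The distinction matters operationally: a code in 1..254 is the right choice for "this feature is simply not enabled here" (no alert, no Restart= loop), whereas 255 is reserved for states an operator must notice, which is why the missing mandatory key and the weak permissions both map to it.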

Source: opennet.ru
