After four months of development, the release of the systemd 248 system manager has been published. The new release brings support for system extension images, the /etc/veritytab file, the systemd-cryptenroll utility, unlocking LUKS2 volumes with TPM2 chips and FIDO2 tokens, running units in a separate IPC namespace, the BATMAN mesh networking protocol, and an nftables backend for systemd-nspawn. systemd-oomd has been stabilized.
Key changes:
- The concept of System Extension Images has been implemented. Such images can be used to extend the /usr/ and /opt/ hierarchies and add further files at runtime, even when those hierarchies are mounted read-only. When a system extension image is mounted, its contents are overlaid onto the /usr/ and /opt/ hierarchies using OverlayFS.
  A new tool, systemd-sysext, is provided for merging, unmerging, inspecting and refreshing system extension images. To attach already installed images automatically at boot, the systemd-sysext.service unit has been added. A "SYSEXT_LEVEL=" field has been added to the os-release file to declare the supported system extension level.
- For units, the ExtensionImages= setting has been implemented, which can be used to merge system extension images into the file-system namespace hierarchy of individual services.
- The /etc/veritytab configuration file has been added for configuring block-level data integrity verification with the dm-verity module. The file format is similar to /etc/crypttab: "volume_name data_device hash_device root_hash options". The systemd.verity.root_options kernel command-line option has been added to configure dm-verity behaviour for the root device.
- systemd-cryptsetup gained the ability to embed the PKCS#11 token URI and the encrypted key in the LUKS2 header metadata in JSON format, so that the information needed to unlock an encrypted device is bound to the device itself without involving external files.
- systemd-cryptsetup now supports unlocking LUKS2-encrypted partitions with TPM2 chips and FIDO2 tokens, in addition to the previously supported PKCS#11 tokens. libfido2 is loaded via dlopen(), i.e. its presence is checked at runtime rather than being a hard link-time dependency.
- New "no-write-workqueue" and "no-read-workqueue" options have been added to /etc/crypttab for systemd-cryptsetup, enabling synchronous I/O processing for encryption and decryption.
- The systemd-repart utility gained the ability to create encrypted partitions that are unlocked with TPM2 chips, for example to create an encrypted /var partition on first boot.
- The systemd-cryptenroll utility has been added for binding TPM2, FIDO2 and PKCS#11 tokens to LUKS partitions, as well as for unbinding and inspecting tokens, enrolling recovery keys and setting a password for access.
- The PrivateIPC= parameter has been added, which allows a unit file to configure processes to run in a separate IPC namespace with its own set of IPC objects and message queues. To attach a unit to an already created IPC namespace, the IPCNamespacePath= option is provided.
- The ExecPaths= and NoExecPaths= settings have been added, allowing the noexec flag to be applied to specific areas of the file system.
- systemd-networkd gained support for the BATMAN (Better Approach To Mobile Adhoc Networking) mesh protocol, which allows building mesh networks in which each node is connected through its neighbouring nodes. For configuration, the [BatmanAdvanced] section in .netdev files, the BatmanAdvanced= parameter in .network files, and the new "batadv" device kind are provided.
- The implementation of the early reaction mechanism for low-memory situations in systemd-oomd has been stabilized. The DefaultMemoryPressureDurationSec= option has been added to set how long to wait for memory to be freed before acting on a unit. systemd-oomd uses the kernel PSI (Pressure Stall Information) mechanism, which lets it detect the onset of stalls caused by resource shortage and selectively terminate resource-hungry processes at a stage when the system is not yet in a critical state and has not started aggressively trimming the cache and pushing data out to the swap partition.
- The "root=tmpfs" kernel command-line parameter has been added, which allows mounting the root partition on temporary storage in RAM using tmpfs.
- The /etc/crypttab parameter that specifies the key file can now point to an AF_UNIX socket of type SOCK_STREAM. In this case the key must be supplied when a connection is made to the socket, which can be used, for example, to build services that hand out dynamically generated keys.
- The fallback hostname used by the system manager and systemd-hostnamed can now be configured in two ways: via the DEFAULT_HOSTNAME parameter in os-release and via the $SYSTEMD_DEFAULT_HOSTNAME environment variable. systemd-hostnamed also handles "localhost" as a hostname and gained the ability to export, alongside the hostname, the "HardwareVendor" and "HardwareModel" properties over D-Bus.
- The block of exported environment variables can now be configured with the new ManagerEnvironment= option in system.conf or user.conf, and not only via the kernel command line and unit file settings.
- When available at build time, the fexecve() system call can be used to start processes instead of execve(), narrowing the window between checking a binary's security context and executing it.
- In unit files, the new conditions ConditionSecurity=tpm2 and ConditionCPUFeature= have been added to check for the presence of a TPM2 device and of specific CPU features (for example, ConditionCPUFeature=rdrand can be used to check whether the processor supports the RDRAND instruction).
- Automatic generation of the system call tables used by seccomp filters has been implemented.
- It is now possible to add new bind mounts into the existing mount namespaces of running services, without restarting them. This is done with the commands 'systemctl bind …' and 'systemctl mount-image …'.
- Support has been added for specifying the "truncate:" mode in the StandardOutput= and StandardError= settings, which truncates the file before use.
- sd-bus gained the ability to connect to a specified user session inside a local container. Example: "systemctl --user -M lennart@ start qux".
- The following parameters have been implemented in the [Link] section of systemd.link files:
  - Promiscuous= switches the device into "promiscuous" mode so that all network packets are processed, including those not addressed to the current system;
  - TransmitQueues= and ReceiveQueues= set the number of TX and RX queues;
  - TransmitQueueLength= sets the TX queue length; GenericSegmentOffloadMaxBytes= and GenericSegmentOffloadMaxSegments= set the limits for the GRO (Generic Receive Offload) technology.
- New settings have been added to systemd.network files:
  - [Network] RouteTable= to select the routing table;
  - [RoutingPolicyRule] Type= for the route type ("blackhole", "unreachable", "prohibit");
  - [IPv6AcceptRA] RouteDenyList= and RouteAllowList= for the lists of denied and allowed route advertisements;
  - [DHCPv6] UseAddress= to ignore the address issued by DHCP;
  - [DHCPv6PrefixDelegation] ManageTemporaryAddress=;
  - ActivationPolicy= to define the policy for the interface state (always keep it UP or DOWN, or allow the user to change the state with the "ip link set dev" command).
- The [VLAN] Protocol=, IngressQOSMaps= and EgressQOSMaps= options and the [MACVLAN] BroadcastMulticastQueueLength= option have been added to systemd.netdev files to configure VLAN packet processing.
- The /dev/ hierarchy is no longer mounted in noexec mode, as this conflicted with the use of the exec flag on /dev/sgx files. To restore the old behaviour, the NoExecPaths=/dev setting can be used.
- The permissions on the /dev/vsock file have been changed to 0o666, and the /dev/vhost-vsock and /dev/vhost-net files have been moved to the kvm group.
- The hardware ID database has been extended with USB fingerprint readers that correctly support sleep mode.
- systemd-resolved gained support for proxying DNSSEC query responses through the stub resolver. Local clients can perform DNSSEC validation themselves, while the responses from the upstream DNS server are passed through unchanged.
- The CacheFromLocalhost= option has been added to resolved.conf; when it is enabled, systemd-resolved also caches responses from a DNS server at 127.0.0.1 (by default, caching of such requests is disabled to avoid double caching).
- systemd-resolved gained support for RFC 5001 NSID in the local DNS stub resolver, allowing clients to distinguish between talking to the local resolver and talking to other DNS servers.
- The resolvectl utility gained the ability to show information about the source of the data (local cache, network request, local process response) and about the use of encryption when the data was transferred. The --cache, --synthesize, --network, --zone, --trust-anchor and --validate options are provided to control the name resolution process.
- systemd-nspawn gained support for configuring the firewall with nftables in addition to the existing iptables support. The IPMasquerade= setting in systemd-networkd gained the ability to use an nftables-based backend.
- systemd-localed gained support for calling locale-gen to generate missing locales.
- The --pager/--no-pager/--json= options have been added to various utilities to enable or disable pager mode and output in JSON format. The number of colours used in the terminal can now be set with the SYSTEMD_COLORS environment variable ("16" or "256").
- Builds with a split hierarchy (separate / and /usr, i.e. an unmerged /usr) and support for cgroup v1 have been deprecated.
- The main branch in Git has been renamed from 'master' to 'main'.
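As an added example, not code from the page or from the systemd project, here is a small Python parser for the /etc/veritytab layout described above ("volume_name data_device hash_device root_hash options"). It refuses entries whose root hash is not a well-formed hex digest of a plausible size, since that hash is the only thing pinning the dm-verity hash tree; the sample file, its device paths, hashes and option name are constructed, and the digest-size table is an assumption used only for the check.

```python
import re
from dataclasses import dataclass, field

# Hex lengths of the digests dm-verity is commonly configured with; used only
# as a sanity check on the root hash field (an assumption, not from the page).
DIGEST_HEX_LENGTHS = {40: "sha1", 64: "sha256", 128: "sha512"}

@dataclass
class VerityEntry:
    name: str         # volume name, exposed as /dev/mapper/<name>
    data_device: str  # device holding the protected data blocks
    hash_device: str  # device holding the Merkle hash tree
    root_hash: str    # lowercase hex root hash, the trust anchor for the tree
    options: list = field(default_factory=list)

def parse_veritytab(text):
    """Parse /etc/veritytab text: "name data_device hash_device root_hash [options]".
    Returns (entries, errors). Malformed lines are reported with their line number
    rather than silently dropped, so a mistyped root hash is noticed.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (4, 5):
            errors.append(f"line {lineno}: expected 4 or 5 fields, got {len(fields)}")
            continue
        name, data_dev, hash_dev, root_hash = fields[:4]
        # Only a well-formed hex digest of a known size is accepted as the root hash.
        if not re.fullmatch(r"[0-9a-fA-F]+", root_hash):
            errors.append(f"line {lineno}: root hash is not hexadecimal")
            continue
        if len(root_hash) not in DIGEST_HEX_LENGTHS:
            errors.append(f"line {lineno}: root hash length {len(root_hash)} matches no known digest")
            continue
        # A fifth field of "-" means "no options" (assumed, mirroring crypttab).
        options = fields[4].split(",") if len(fields) == 5 and fields[4] != "-" else []
        entries.append(VerityEntry(name, data_dev, hash_dev, root_hash.lower(), options))
    return entries, errors

# Constructed sample file (not from the page); devices, hashes and option are illustrative.
SAMPLE_VERITYTAB = """\
# name  data device                  hash device                         root hash  options
usr     /dev/disk/by-partlabel/usr   /dev/disk/by-partlabel/usr-verity   0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  ignore-zero-blocks
home    /dev/sda5                    /dev/sda6                           DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
bogus   /dev/sda7                    /dev/sda8                           not-a-hash
"""
```

Running parse_veritytab(SAMPLE_VERITYTAB) yields the usr and home entries and one error for the bogus line; a real deployment would additionally compare the parsed root hash against the value recorded when the hash tree was built.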
Source: opennet.ru
