Release of the systemd 250 system manager

After five months of development, the release of the systemd 250 system manager has been published. The new release introduces the ability to store credentials in encrypted form, verification of automatically discovered GPT partitions using digital signatures, improved information about the causes of delays when starting services, additional options for restricting service access to specific file systems and network interfaces, support for partition integrity checking using the dm-integrity module, and support for sd-boot auto-update.

Main changes:

  • Added support for encrypted and authenticated credentials, which can be useful for securely storing sensitive items such as SSL keys and access passwords. Credentials are decrypted only when needed and are bound to the local installation or hardware. Data is encrypted automatically using symmetric encryption algorithms, with a key that can be obtained from the file system, from a TPM2 chip, or through a combined scheme. When a service starts, the credentials are decrypted automatically and made available to the service in their usual form. The systemd-creds utility has been added for working with encrypted credentials, and the LoadCredentialEncrypted and SetCredentialEncrypted settings have been introduced for services.
  • sd-stub, the EFI executable that allows EFI firmware to load the Linux kernel, now supports starting the kernel via the LINUX_EFI_INITRD_MEDIA_GUID EFI protocol. Another addition to sd-stub is the ability to pack credentials and sysext files into a cpio archive and pass this archive to the kernel together with the initrd (the additional files are placed in the /.extra/ directory). This feature lets you use an immutable, verifiable initrd environment combined with sysexts and encrypted credential data.
  • The Discoverable Partitions specification has been significantly extended, providing tools for identifying, mounting and activating system partitions using GPT (GUID Partition Tables). Compared to the previous release, the specification now supports root and/or usr partitions for many architectures, including platforms that do not use UEFI.

    Discoverable Partitions also adds support for partitions whose integrity is verified by the dm-verity module using PKCS#7 digital signatures, which makes it easy to create fully signed disk images. Verification support is integrated into the various utilities that handle disk images, including systemd-nspawn, systemd-sysext, systemd-dissect, RootImage services, systemd-tmpfiles and systemd-sysusers.

  • For units that take a long time to start or stop, in addition to showing an animated progress bar it is now possible to display status information that lets you understand what is actually happening with the service at the moment and which service the system manager is currently waiting on to finish.
  • Added the DefaultOOMScoreAdjust parameter to /etc/systemd/system.conf and /etc/systemd/user.conf, which lets you adjust the OOM-killer low-memory threshold applied to processes started by systemd for the system and for users. By default, system services are given a higher weight than user services, i.e. when memory is insufficient, user services are more likely to be killed than system services.
  • Added the RestrictFileSystems setting, which lets you restrict service access to specific types of file systems. To view the available file system types, use the "systemd-analyze filesystems" command. Similarly, the RestrictNetworkInterfaces option has been implemented, which lets you restrict access to selected network interfaces. The implementation is based on the BPF LSM module, which restricts a process group's access to kernel objects.
  • Added a new configuration file /etc/integritytab and the systemd-integritysetup utility, which configures the dm-integrity module to control data integrity at the sector level, for example to verify the immutability of encrypted data (authenticated encryption, confirming that a data block has not been modified by bypassing the encryption layer). The format of /etc/integritytab is similar to /etc/crypttab and /etc/veritytab, except that dm-integrity is used instead of dm-crypt and dm-verity.
  • Added a new unit file systemd-boot-update.service; when it is enabled and the sd-boot bootloader is installed, systemd will automatically update the sd-boot bootloader version, keeping the bootloader code up to date. sd-boot itself is now built by default with support for the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, which solves the problems with revocation of UEFI Secure Boot certificates. In addition, sd-boot can parse Microsoft Windows boot settings in order to generate correct names for Windows boot entries and show the Windows version.

    sd-boot also provides the ability to define a color scheme at build time. During the boot process, support has been added for switching the screen resolution by pressing the "r" key. An "f" hotkey has been added to jump to the firmware configuration interface. A mode has been added for automatically booting the system entry that matches the menu item selected during the last boot. Added the ability to automatically load EFI drivers found in the /EFI/systemd/drivers/ directory of the ESP (EFI System Partition).

  • A new unit file factory-reset.target has been added, which systemd-logind handles in the same way as the reboot, poweroff, suspend and hibernate operations, and which is used to create handlers for performing a factory reset.
  • systemd-resolved now creates an additional listening socket at 127.0.0.54 in addition to 127.0.0.53. Requests arriving at 127.0.0.54 are always forwarded to the upstream DNS server and are not processed locally.
  • Added the ability to build systemd-importd and systemd-resolved with the OpenSSL library instead of libgcrypt.
  • Added initial support for the LoongArch architecture used in Loongson processors.
  • systemd-gpt-auto-generator can now automatically set up swap partitions located inside LUKS2 volumes.
  • The GPT image parsing code used in systemd-nspawn, systemd-dissect and similar utilities can now detect images of other architectures, allowing systemd-nspawn to be used to run images under emulators for other architectures.
  • When inspecting disk images, systemd-dissect now shows information about the purpose of a partition, such as its suitability for booting with UEFI or for running in a container.
  • The "SYSEXT_SCOPE" field has been added to system-extension.d/ files, which lets you specify the scope of a system extension image: "initrd", "system" or "portable".
  • The "PORTABLE_PREFIXES" field has been added to the os-release file; it can be used in portable images to define the supported unit file prefixes.
  • systemd-logind introduces the new settings HandlePowerKeyLongPress, HandleRebootKeyLongPress, HandleSuspendKeyLongPress and HandleHibernateKeyLongPress, which can be used to determine what happens when the corresponding keys are held for more than 5 seconds (for example, pressing the suspend key suspends immediately, while holding it hibernates).
  • For units, the StartupAllowedCPUs and StartupAllowedMemoryNodes settings are implemented; they differ from the same settings without the Startup prefix in that they apply only during the boot and shutdown stages, which lets you set different resource limits during startup.
  • Added the [Condition|Assert][Memory|CPU|IO]Pressure checks, which allow unit activation to be skipped or to fail if the PSI mechanism detects heavy load on memory, CPU or I/O on the system.
  • The default maximum inode limit has been raised for the /dev partition from 64k to 1M, and for the /tmp partition from 400k to 1M.
  • The ExecSearchPath setting has been introduced for services, making it possible to change the search path for executables started via settings such as ExecStart.
  • Added the RuntimeRandomizedExtraSec setting, which lets you add a random deviation to the RuntimeMaxSec timeout that limits a unit's execution time.
  • The syntax of the RuntimeDirectory, StateDirectory, CacheDirectory and LogsDirectory settings has been extended: by specifying an additional colon-separated value, you can now have a symbolic link created to the given directory in order to provide access via several paths.
  • For services, the TTYRows and TTYColumns settings are provided to set the number of rows and columns on the TTY device.
  • Added the ExitType setting, which lets you change the logic used to determine when a service has exited. By default, systemd only monitors the death of the main process, but if ExitType=cgroup is set, the system manager will wait for the last process in the cgroup to exit.
  • The systemd-cryptsetup implementation of TPM2/FIDO2/PKCS11 support is now built as a cryptsetup plugin, allowing the regular cryptsetup command to be used to unlock encrypted partitions.
  • The TPM2 handler in systemd-cryptsetup/systemd-cryptenroll adds support for RSA primary keys in addition to ECC keys, to improve compatibility with non-ECC chips.
  • The token-timeout option has been added to /etc/crypttab, which lets you define the maximum time to wait for a PKCS#11/FIDO2 token to be connected, after which you will be prompted for a password or recovery key.
  • systemd-timesyncd implements the SaveIntervalSec setting, which lets you periodically save the current system time to disk, for example to maintain a monotonic clock on systems without an RTC.
  • Options have been added to the systemd-analyze utility: "--image" and "--root" to check unit files inside the given image or root directory, "--recursive-errors" to take dependent units into account when an error is found, "--offline" to separately check unit files stored on disk, "--json" for output in JSON format, "--quiet" to suppress non-essential messages, and "--profile" to include a portable profile. Also added are the inspect-elf command for analyzing core files in ELF format and the ability to check unit files by a given unit name, regardless of whether that name matches the file name.
  • systemd-networkd has extended support for the Controller Area Network (CAN) bus. Additional settings for controlling CAN modes: Loopback, OneShot, PresumeAck and ClassicDataLengthCode. Added the TimeQuantaNSec, PropagationSegment, PhaseBufferSegment1, PhaseBufferSegment2, SyncJumpWidth, DataTimeQuantaNSec, DataPropagationSegment, DataPhaseBufferSegment1, DataPhaseBufferSegment2 and DataSyncJumpWidth options in the [CAN] section to control bit timing.
  • systemd-networkd added the Label option for the DHCPv4 client, which lets you configure the address label used when configuring IPv4 addresses.
  • The "ethtool" support in systemd-udevd implements the special value "max", which sets buffer sizes to the maximum value supported by the hardware.
  • In systemd-udevd .link files you can now configure various parameters for coalescing the hardware interrupts of network adapters (interrupt coalescing).
  • systemd-networkd provides new default network files: 80-container-vb.network to describe the network bridges created when using systemd-nspawn with the "--network-bridge" or "--network-zone" options, and 80-6rd-tunnel.network to describe the tunnels created automatically when a DHCP reply with the 6RD option is received.
  • systemd-networkd and systemd-udevd have added support for IP forwarding over InfiniBand interfaces: the [IPoIB] section has been added to systemd.netdev files, and handling of the "ipoib" value has been implemented in the Kind setting.
  • systemd-networkd provides automatic route configuration for the addresses specified in the AllowedIPs parameter, which can be configured with the RouteTable and RouteMetric parameters in the [WireGuard] and [WireGuardPeer] sections.
  • systemd-networkd provides automatic persistent MAC addresses for batadv and bridge interfaces. To disable this behavior, specify MACAddress=none in .netdev files.
  • The WakeOnLanPassword setting has been added to the "[Link]" section of .link files to define the password used when WoL operates in "SecureOn" mode.
  • Added the AutoRateIngress, CompensationMode, FlowIsolationMode, NAT, MPUBytes, PriorityQueueingPreset, FirewallMark, Wash, SplitGSO and UseRawPacketSize settings in the "[CAKE]" section of network files to define the parameters of the CAKE (Common Applications Kept Enhanced) queuing discipline.
  • Added the IgnoreCarrierLoss setting in the "[Network]" section of network files, which lets you define how long to wait before reacting to loss of the carrier signal on the network adapter.
  • systemd-nspawn, homectl, machinectl and systemd-run have extended the syntax of the "--setenv" parameter: if only a variable name is given (without "="), the value is taken from the corresponding environment variable (for example, when specifying "--setenv=FOO" the value is taken from the $FOO variable of the surrounding environment and used for the environment variable of the same name set in the container).
  • systemd-nspawn added the "--suppress-sync" option to disable the sync()/fsync()/fdatasync() system calls when creating a container (useful when speed matters and preserving build artifacts after a critical failure does not, since they can be recreated at any time).
  • A new hwdb database has been added covering various types of signal analyzers (multimeters, protocol analyzers, oscilloscopes, etc.). The information about cameras in hwdb has been extended with a field describing the camera type (normal or infrared) and lens placement (front or back).
  • Generation of persistent network interface names has been enabled for netfront devices used in Xen.
  • Parsing of core files by systemd-coredump, based on the libdw/libelf libraries, is now performed in a separate process isolated in a sandbox.
  • systemd-importd added support for the $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA and $SYSTEMD_IMPORT_SYNC environment variables, which can be used to disable the creation of Btrfs subvolumes, quota setup and disk synchronization.
  • In systemd-journald, on file systems that support copy-on-write, COW mode is re-enabled for archived journals, allowing them to be compressed using Btrfs.
  • systemd-journald implements deduplication of identical fields within a single message, performed before the message is placed in the journal.
  • Added the "--show" option to the shutdown command to display the scheduled shutdown.
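As an added example (not part of the release notes or of the systemd project's own files), here is a service unit that combines several of the systemd 250 additions listed above: an encrypted credential loaded with LoadCredentialEncrypted, file-system and network-interface restrictions, a PSI-based activation condition, ExecSearchPath and ExitType=cgroup. The unit name, daemon path, credential name and the eth0 interface name are assumptions.

```ini
# /etc/systemd/system/example-daemon.service (added example; the daemon name,
# paths, credential name and interface name are assumptions, not from the page)
[Unit]
Description=Example daemon using systemd 250 hardening features
# Skip activation while the PSI mechanism reports memory pressure above 80 %
ConditionMemoryPressure=80%

[Service]
# Executables named in ExecStart= are looked up here, so no absolute path is needed
ExecSearchPath=/usr/lib/example-daemon/bin
# %d expands to the per-service credentials directory; the plaintext secret
# exists only there, decrypted at start-up, and is never written to the unit file
ExecStart=example-daemon --password-file=%d/db-password
# The encrypted blob was produced with (constructed command line):
#   systemd-creds encrypt --name=db-password secret.txt /etc/credstore.encrypted/db-password
# It is bound to the local TPM2 / host key and decrypted only when the unit starts
LoadCredentialEncrypted=db-password:/etc/credstore.encrypted/db-password

# Only the listed file-system types may be opened; list the available groups
# with "systemd-analyze filesystems". Enforced through the BPF LSM, so the
# kernel must be booted with the BPF LSM enabled or the setting is ignored.
RestrictFileSystems=@basic-api @common-block @temporary
# Only loopback and the (assumed) uplink interface are reachable
RestrictNetworkInterfaces=lo eth0

# Treat the service as exited only when the last process in its cgroup is
# gone, rather than when the main PID dies
ExitType=cgroup
# Terminate the service after at most 1h, jittered by up to 10 minutes so that
# a fleet of hosts does not recycle at the same moment; Restart= brings it back
RuntimeMaxSec=1h
RuntimeRandomizedExtraSec=10min
Restart=always

[Install]
WantedBy=multi-user.target
```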
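A second added example (again not from the release notes or the systemd project): a WireGuard tunnel whose routes for AllowedIPs= systemd-networkd 250 now creates automatically, placed in a dedicated routing table through the new RouteTable=/RouteMetric= settings in [WireGuard] and [WireGuardPeer]. The interface name wg0, the addresses, the table number and the key file path are assumptions, and the peer public key is a placeholder.

```ini
# /etc/systemd/network/50-wg0.netdev (added example; names and addresses are
# assumptions, the peer key is a placeholder to be replaced)
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
# Private key is read from a root-only file rather than placed inline in the unit
PrivateKeyFile=/etc/systemd/network/wg0.key
ListenPort=51820
# Default table and metric for the routes networkd now creates for every
# peer's AllowedIPs= (new in 250); keeps tunnel routes out of the main table
RouteTable=1000
RouteMetric=100

[WireGuardPeer]
PublicKey=<peer public key, base64, placeholder>
Endpoint=vpn.example.org:51820
AllowedIPs=10.100.0.0/24
# Per-peer override of the table chosen in [WireGuard]
RouteTable=1000
PersistentKeepalive=25

# /etc/systemd/network/50-wg0.network
[Match]
Name=wg0

[Network]
Address=10.100.0.2/24

# Policy rule so that traffic for the tunnel prefix consults table 1000,
# where the automatically created AllowedIPs= routes live
[RoutingPolicyRule]
To=10.100.0.0/24
Table=1000
```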

Source: opennet.ru
