Release of the Red Hat Enterprise Linux 8.1 distribution

Red Hat has released the Red Hat Enterprise Linux 8.1 distribution. Installation builds are prepared for the x86_64, s390x (IBM System z), ppc64le and Aarch64 architectures, but they are available for download only to registered users of the Red Hat Customer Portal. The sources of the Red Hat Enterprise Linux 8 RPM packages are distributed through the CentOS Git repository. The RHEL 8.x branch will be supported until at least 2029.

Red Hat Enterprise Linux 8.1 is the first release prepared under the new predictable development cycle, which involves publishing releases every six months at fixed times. Having accurate information about when a release will be published makes it possible to synchronize development schedules across different projects, prepare in advance for a new release, and plan when updates will be applied.

It is noted that the new life cycle of RHEL products spans several layers, including Fedora as the base for new capabilities, CentOS Stream for access to packages being built for the next interim RHEL release (a rolling version of RHEL), the minimalistic Universal Base Image (UBI) for running applications in isolated containers, and the RHEL Developer Subscription for free use of RHEL in the development process.

Key changes:

  • Full support is provided for the live patching mechanism (kpatch), which fixes vulnerabilities in the Linux kernel without a system reboot or downtime. Previously, kpatch was considered an experimental feature;
  • Based on the fapolicyd framework, the ability to create whitelists and blacklists of applications has been implemented, which makes it possible to distinguish which programs a user may run and which they may not (for example, to block the launch of unverified external executable files). The decision to block or allow a launch can be made based on the application name, path, content hash and MIME type. Rules are checked during the open() and exec() system calls, so this may have a negative effect on performance;
  • The distribution includes SELinux profiles focused on use with isolated containers, allowing finer-grained control over the access that services running in containers have to host system resources. To generate SELinux rules for containers, a new utility, udica, has been introduced, which makes it possible to give containers targeted access only to the external resources they need, such as storage, devices and the network. The SELinux utilities (libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, mcstrans) have been updated to version 2.9, and the SETools package to version 4.2.2.

    A new SELinux type, boltd_t, has been added to confine boltd, the process for managing Thunderbolt 3 devices (boltd now runs in a container confined by SELinux). A new class of SELinux rules, bpf, has been added, which governs calls to the Berkeley Packet Filter (BPF) and inspects eBPF applications;

  • Includes the FRRouting routing protocol stack (BGP4, MP-BGP, OSPFv2, OSPFv3, RIPv1, RIPv2, RIPng, PIM-SM/MSDP, LDP, IS-IS), which replaces the previously used Quagga package (FRRouting is a fork of Quagga, so compatibility is not affected);
  • For partitions encrypted in the LUKS2 format, support has been added for re-encrypting block devices on the fly, without stopping their use in the system (for example, you can now change the key or the encryption algorithm without unmounting the partition);
  • Support for the new edition of the SCAP 1.3 protocol (Security Content Automation Protocol) has been added to the OpenSCAP framework;
  • Updated versions of OpenSSH 8.0p1, Tuned 2.12, chrony 3.5, samba 4.10.4. Modules with new branches of PHP 7.3, Ruby 2.6, Node.js 12 and nginx 1.16 have been added to the AppStream repository (updates for modules with the previous branches continue). Packages with GCC 9, LLVM 8.0.1, Rust 1.37 and Go 1.12.8 have been added to the Software Collection;
  • The SystemTap tracing toolkit has been updated to branch 4.1, and the Valgrind memory debugging toolkit has been updated to version 3.15;
  • A new healthcheck utility has been added to the Identity Management (IdM) deployment tools, which makes it easier to identify problems with Identity Server environments. Installation and configuration of IdM environments has been simplified through support for Ansible roles and the ability to install modules. Support has been added for Active Directory Trusted Forests (ADTFs) on Windows Server 2019;
  • The virtual desktop switcher has been changed in the GNOME Classic session. The widget for switching between desktops is now located on the right side of the bottom panel and is designed as a strip with desktop thumbnails (to switch to another desktop, just click the thumbnail showing its contents);
  • The DRM (Direct Rendering Manager) subsystem and the low-level graphics drivers (amdgpu, nouveau, i915, mgag200) have been updated to the state corresponding to the Linux 5.1 kernel. Support has been added for the AMD Raven 2, AMD Picasso, AMD Vega, Intel Amber Lake-Y and Intel Comet Lake-U video subsystems;
  • The toolkit for upgrading RHEL 7.6 to RHEL 8.1 has added support for upgrading without reinstallation on ARM64, IBM POWER (little endian) and IBM Z. A system pre-upgrade mode has been added to the web console. The cockpit-leapp plugin has been added to restore state if problems occur during the upgrade. The /var and /usr directories are split across separate partitions. UEFI support has been added. In Leapp, packages are updated from the Supplementary repository (including related packages);
  • Image Builder has added support for building images for the Google Cloud and Alibaba Cloud environments. When creating image content, the ability to use repo.git has been added to include additional files from arbitrary Git repositories;
  • Additional checks have been added to Glibc so that malloc detects when allocated memory blocks have been corrupted;
  • The dnf-utils package has been renamed to yum-utils for compatibility (the ability to install dnf-utils is retained, but this package will be replaced by yum-utils);
  • A new edition of Red Hat Enterprise Linux System Roles has been included, providing a set of modules and roles for deploying a centralized configuration management system based on Ansible and for configuring subsystems to enable specific functions related to storage, networking, time synchronization, SELinux rules and use of the kdump mechanism. For example, the new storage role lets you perform tasks such as managing file systems on disk and working with LVM groups and logical partitions;
  • The network stack for VXLAN and GENEVE tunnels implements the ability to process the ICMP packets "Destination Unreachable", "Packet Too Big" and "Redirect Message", which resolves the problem of being unable to use route redirection and Path MTU Discovery in VXLAN and GENEVE;
  • An experimental implementation of the XDP (eXpress Data Path) subsystem, which allows Linux to run BPF programs at the network driver level with direct access to the packet DMA buffer and at the stage before the skbuff buffer is allocated by the network stack, as well as eBPF components synchronized with the Linux 5.0 kernel. Experimental support has been added for the AF_XDP (eXpress Data Path) kernel subsystem;
  • Full support is provided for the TIPC (Transparent Inter-process Communication) network protocol, designed for organizing inter-process communication within a cluster. The protocol gives applications a way to communicate quickly and reliably, regardless of which cluster nodes they run on;
  • A new mode for saving a core dump in the event of a failure has been added to initramfs, "early dump", which works in the early stages of boot;
  • A new kernel parameter, ipcmni_extend, has been added, which extends the IPC ID limit from 32 KB (15 bits) to 16 MB (24 bits), allowing applications to use more shared memory segments;
  • Ipset has been updated to release 7.1 with support for the IPSET_CMD_GET_BYNAME and IPSET_CMD_GET_BYINDEX operations;
  • The rngd daemon, which fills the entropy pool of the pseudorandom number generator, no longer needs to run as root;
  • Full support is provided for Intel OPA (Omni-Path Architecture) for equipment with a Host Fabric Interface (HFI), along with full support for Intel Optane DC Persistent Memory devices;
  • The debug kernels by default include a build with the UBSAN (Undefined Behavior Sanitizer) detector, which adds extra checks to the compiled code to detect situations where program behavior is undefined (for example, use of non-static variables before they are initialized, division of integers by zero, overflow of signed integer types, dereferencing of NULL pointers, pointer alignment problems, etc.);
  • The kernel source tree with real-time extensions (kernel-rt) has been synchronized with the main RHEL 8 kernel code;
  • Added the ibmvnic driver for the vNIC (Virtual Network Interface Controller) network controller, implementing PowerVM virtual networking technology. When used together with an SR-IOV NIC, the new driver enables bandwidth and quality-of-service control at the level of the virtual network adapter, significantly reducing virtualization overhead and lowering CPU load;
  • Added support for Data Integrity Extensions, which let you protect data from corruption when writing to storage by saving additional correction blocks;
  • Added experimental support (Technology Preview) for the nmstate package, which provides the nmstatectl library and utility for managing network settings through a declarative API (the network state is described in the form of a predefined schema);
  • Added experimental support for a kernel-level TLS implementation (KTLS) with encryption based on AES-GCM, as well as experimental support for OverlayFS, cgroup v2, Stratis, mdev (Intel vGPU) and DAX (direct access to the file system that bypasses the page cache without using the block device layer) in ext4 and XFS;
  • Support for DSA, TLS 1.0 and TLS 1.1 has been deprecated; they have been removed from the DEFAULT set and moved to LEGACY (“update-crypto-policies --set LEGACY”);
  • The packages 389-ds-base-legacy-tools, authd, custodia, hostname, libidn, net-tools, network-scripts, nss-pam-ldapd, sendmail, yp-tools, ypbind and ypserv have been deprecated. They may be dropped in a future major release;
  • The ifup and ifdown scripts have been replaced with wrappers that call NetworkManager via nmcli (to bring back the old scripts, you need to run “yum install network-scripts”).

Source: opennet.ru
