Release of the Red Hat Enterprise Linux 8.8 distribution

Following the release of Red Hat Enterprise Linux 9.2, an update to the previous branch, Red Hat Enterprise Linux 8.8, has been published. The branch is maintained in parallel with the RHEL 9.x branch and will be supported until at least 2029. Installation builds are prepared for the x86_64, s390x (IBM System z), ppc64le and Aarch64 architectures, but are available for download only to registered users of the Red Hat Customer Portal (CentOS Stream 9 iso images and the free RHEL builds for developers can also be used). The sources of the Red Hat Enterprise Linux 8 rpm packages are distributed through the CentOS Git repository.

New releases are prepared in accordance with the development cycle, which implies that a release is formed every six months at a predetermined time. Until 2024, the 8.x branch will be in the full support phase, which includes functional improvements, after which it will move to the maintenance phase, where the priority shifts to bug fixes and security, with minor improvements related to support for important hardware systems.

Key changes:

  • Updated server and system packages: nginx 1.22, Libreswan 4.9, OpenSCAP 1.3.7, Grafana 7.5.15, powertop rebased 2.15, tuned 2.20.0, NetworkManager 1.40.16, mod_security 2.9.6, samba 4.17.5
  • The distribution includes new versions of compilers and developer tools: GCC Toolset 12, LLVM Toolset 15.0.7, Rust Toolset 1.66, Go Toolset 1.19.4, Python 3.11, Node.js 18.14, PostgreSQL 15, Git 2.39.1 Valgri. , SystemTap 3.19, Apache Tomcat 4.8.
  • The FIPS mode settings have been changed to meet the requirements of the FIPS 140-3 standard. 3DES, ECDH and FFDH are disabled, the minimum HMAC key size is limited to 112 bits and the minimum RSA key size to 2048 bits, and the SHA-224, SHA-384, SHA512-224, SHA512-256, SHA3-224 and SHA3-384 hashes are disabled in the DRBG pseudo-random number generator.
  • SELinux policies have been updated to allow systemd-socket-proxyd to run.
  • The yum package manager implements the offline-upgrade command for applying updates to the system in offline mode. The essence of an offline update is that new packages are first downloaded with the “yum offline-upgrade download” command, after which the “yum offline-upgrade reboot” command is run to reboot the system into a minimal environment and install the available updates there without interfering with running workloads. After the updates have been installed, the system reboots into the normal working environment. When downloading packages for an offline update, filters can be applied, for example “--advisory”, “--security”, “--bugfix”.
  • A new synce4l package has been added for using the SyncE (Synchronous Ethernet) frequency synchronization technology, which is supported by some network cards and network switches and enables more efficient communication in RAN (Radio Access Network) applications thanks to more accurate time synchronization.
  • A new configuration file, /etc/fapolicyd/rpm-filter.conf, has been added to the fapolicyd (File Access Policy Daemon) framework, which lets you define which programs a given user may and may not run. The file is used to adjust the list of RPM package manager database files that fapolicyd processes. For example, the new configuration file can be used to exclude particular applications installed by the RPM package manager from the access policies.
  • In the kernel, when information about a detected SYN flood is written to the log, the IP address that received the connection is now included, making it easier to identify the target of the flood on systems with handlers bound to different IP addresses.
  • A system role for the Podman toolkit has been added, which lets you manage Podman settings, containers, and the system services that run Podman containers. Podman adds support for generating audit events, attaching pre-exec hooks (/usr/libexec/podman/pre-exec-hook and /etc/containers/pre-exec-hook), and using the Sigstore format to store digital signatures together with container images.
  • The container-tools toolkit for managing isolated containers has been updated, including packages such as Podman, Buildah, Skopeo, crun and runc.
  • The toolbox utility has been added, which lets you launch an additional environment that can be customised in any way using the regular DNF package manager. The developer only needs to run the "toolbox create" command, after which they can at any time enter the created environment with the "toolbox enter" command and install any packages using the yum utility.
  • Added support for creating images in the vhd format used in Microsoft Azure for the ARM64 architecture.
  • SSSD (System Security Services Daemon) has added support for converting home directory names to lowercase (by using the "%h" substitution in the override_homedir attribute specified in /etc/sssd/sssd.conf). In addition, users are allowed to change a password stored in LDAP (enabled by setting the ldap_pwd_policy attribute to shadow in /etc/sssd/sssd.conf).
  • glibc implements a new DSO sorting algorithm that uses depth-first search (DFS) to address performance problems with circular dependencies. To select the DSO sorting algorithm, the glibc.rtld.dynamic_sort=2 parameter is provided, which can be set to "1" to fall back to the old algorithm.
  • The rteval utility provides summary information about program loads, threads, and the CPUs used to run those threads.
  • The oslat utility has added additional options for measuring latency.
  • New drivers have been added for SoC Intel Elkhart Lake, Solarflare Siena, NVIDIA sn2201, AMD SEV, AMD TDX, ACPI Video, Intel GVT-g for KVM, HP iLO/iLO2.
  • Experimental support has been added for Intel Arc discrete graphics cards (DG2/Alchemist). To enable hardware acceleration on such video cards, the PCI ID of the card must be specified at boot using the kernel parameter “i915.force_probe=pci-id”.
  • The inkscape package has been replaced by inkscape1, which uses Python 3. The Inkscape version has been updated from 0.92 to 1.0.
  • In kiosk mode, the GNOME on-screen keyboard can be used.
  • The libsoup library and the Evolution mail client have added support for authenticating to Microsoft Exchange Server using the NTLMv2 protocol.
  • GNOME provides the ability to customise the context menu shown when right-clicking on the desktop. The user can now add items to the menu to run arbitrary commands.
  • GNOME lets you disable switching virtual desktops by swiping up or down with three fingers on the touchpad.
  • Continued provision of experimental support (Technology Preview) for AF_XDP, XDP hardware offloading, Multipath TCP (MPTCP), MPLS (Multi-protocol Label Switching), DSA (data streaming accelerator), KTLS, dracut, kexec reboot, nispor, DAX in ext4 and xfs, systemd-resolved, accel-config, igc, OverlayFS, Stratis, Software Guard Extensions (SGX), NVMe/TCP, DNSSEC, GNOME on ARM64 and IBM Z systems, AMD SEV for KVM, Intel vGPU, Toolbox.
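
The kernel logging change in the list above (the listening address in SYN flood messages) lets log triage attribute a warning to one listener instead of one port. The following is an added example, not code from the original article or from Red Hat; the two message shapes in the comment and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed message shapes (not quoted from the article):
#   before the change: "Possible SYN flooding on port 443. ..."
#   after the change:  "Possible SYN flooding on port 192.0.2.10:443. ..."
#                      "Possible SYN flooding on port [2001:db8::5]:8443. ..."
SYN_RE = re.compile(
    r"Possible SYN flooding on port "
    r"(?:(?P<addr>\[[0-9A-Fa-f:.]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?P<port>\d{1,5})\."
)

def parse_syn_flood(line):
    """Return (listen_ip or None, port) for a SYN flood message, else None."""
    m = SYN_RE.search(line)
    if not m:
        return None
    addr = m.group("addr")
    if addr is not None:
        try:
            addr = str(ipaddress.ip_address(addr.strip("[]")))
        except ValueError:
            return None  # resembles the message, but the address is malformed
    return addr, int(m.group("port"))

def summarize(lines):
    """Count warnings per listener; a None address is a port-only message."""
    return Counter(p for p in map(parse_syn_flood, lines) if p)

def is_ambiguous(listener):
    """True when the entry cannot name one target IP (old format or wildcard bind)."""
    addr, _port = listener
    return addr is None or ipaddress.ip_address(addr).is_unspecified

# Constructed sample lines, not captured from a real system.
SAMPLE_LOG = [
    "May 20 10:01:02 old1 kernel: TCP: request_sock_TCP: Possible SYN flooding on port 443. Sending cookies.",
    "May 20 10:05:40 web1 kernel: TCP: request_sock_TCP: Possible SYN flooding on port 192.0.2.10:443. Sending cookies.",
    "May 20 10:05:41 web2 kernel: TCP: request_sock_TCP: Possible SYN flooding on port 192.0.2.10:443. Sending cookies.",
    "May 20 10:06:00 web3 kernel: TCP: request_sock_TCPv6: Possible SYN flooding on port [2001:db8::5]:8443. Sending cookies.",
    "May 20 10:06:30 web4 kernel: TCP: request_sock_TCP: Possible SYN flooding on port 0.0.0.0:80. Sending cookies.",
    "May 20 10:07:00 web4 kernel: eth0: link up",
]

if __name__ == "__main__":
    for listener, count in summarize(SAMPLE_LOG).items():
        state = "ambiguous" if is_ambiguous(listener) else "target identified"
        print(listener, count, state)
```

Entries reported as ambiguous (port-only messages, or listeners bound to a wildcard address) still need the connection data from the host itself to find which service was the target.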

Source: opennet.ru
