Release of the systemd 243 system manager

After five months of development, the release of the systemd 243 system manager has been presented. Among the new features are the integration into PID 1 of a handler for out-of-memory situations, support for attaching custom BPF programs to filter a unit's traffic, many new systemd-networkd options, a mode for measuring network interface throughput, enabling 22-bit PID numbers instead of 16-bit by default on 64-bit systems, switching to the unified cgroups hierarchy, and the addition of systemd-network-generator.

Main changes:

  • Handling of the kernel-generated out-of-memory (OOM) signals has been added to the PID 1 handler, so that units which have reached their memory consumption limit are moved into a special state, with an optional ability to forcibly terminate or stop them;
  • Unit files gained the new parameters IPIngressFilterPath and IPEgressFilterPath, which allow attaching BPF programs as filtering handlers for incoming and outgoing IP packets generated by the processes belonging to the unit. The proposed features make it possible to build a kind of firewall for systemd services. An example of writing a simple BPF-based network filter is available;

  • A "clean" command has been added to the systemctl utility to remove a unit's cache, runtime files, state information and log directories;
  • systemd-networkd added support for MACsec, nlmon, IPVTAP and Xfrm network interfaces;
  • systemd-networkd now configures the DHCPv4 and DHCPv6 stacks separately, via the "[DHCPv4]" and "[DHCPv6]" sections of the configuration file. The RoutesToDNS option has been added to install a separate route to the DNS server specified in the parameters received from the DHCP server (so that DNS traffic is sent through the same interface as the main route received via DHCP). New DHCPv4 options have been added: MaxAttempts - the maximum number of address acquisition attempts, BlackList - a blacklist of DHCP servers, SendRelease - allow sending DHCP RELEASE messages on stop;
  • New commands have been added to the systemd-analyze utility:
    • "systemd-analyze timestamp" - parse and convert timestamps;
    • "systemd-analyze timespan" - parse and convert time spans;
    • "systemd-analyze condition" - parse and evaluate ConditionXYZ expressions;
    • "systemd-analyze exit-status" - parse and convert exit codes from numbers to names and vice versa;
    • "systemd-analyze unit-files" - list all unit file paths and unit aliases.
  • The SuccessExitStatus, RestartPreventExitStatus and RestartForceExitStatus options now support not only numeric return codes but also their textual identifiers (for example, "DATAERR"). The list of codes with their identifiers can be viewed with the "systemd-analyze exit-status" command;

  • A "delete" command has been added to the networkctl utility to remove virtual network devices, along with a "--stats" option to display device statistics;
  • The SpeedMeter and SpeedMeterIntervalSec settings have been added to networkd.conf for periodic measurement of network interface throughput. The statistics obtained from the measurements can be viewed in the output of the 'networkctl status' command;
  • A new systemd-network-generator utility has been added to generate .network, .netdev and .link files from the IP settings passed at boot on the Linux kernel command line in the Dracut configuration format;

  • The value of the "kernel.pid_max" sysctl on 64-bit systems is now set by default to 4194304 (22-bit PIDs instead of 16 bits), which reduces the likelihood of collisions when allocating PIDs, raises the limit on the number of simultaneously running processes, and has a positive effect on security. The change may lead to compatibility issues, but no such issues have been reported in practice;
  • By default, the build switches to the unified cgroups-v2 hierarchy ("-Ddefault-hierarchy=unified"). Previously, the default was the hybrid mode ("-Ddefault-hierarchy=hybrid");
  • The behaviour of the system call filter (SystemCallFilter) has changed: when a blocked system call is made, the whole process is now terminated rather than a single thread, since terminating individual threads could lead to unexpected problems. The change applies only with Linux kernel 4.14+ and libseccomp 2.4.0+;
  • Unprivileged programs are given the ability to send ICMP Echo (ping) packets by setting the "net.ipv4.ping_group_range" sysctl to the full range of groups (for all processes);
  • To speed up the build, generation of man pages is disabled by default (to build the full documentation, use the "-Dman=true" option, or "-Dhtml=true" for manuals in HTML format). To simplify viewing the documentation, two scripts have been added, build/man/man and build/man/html, to generate and preview the manuals of interest;
  • For processing domain names containing characters from national alphabets, the libidn2 library is now used by default (to return to libidn, use the "-Dlibidn=true" option);
  • Support for the executable /usr/sbin/halt.local, which provided functionality that never became widespread across distributions, has been discontinued. To run commands at shutdown, it is recommended to use scripts in /usr/lib/systemd/system-shutdown/ or to define a new unit that depends on final.target;
  • At the final stage of shutdown, systemd now automatically raises the log level in the "kernel.printk" sysctl, which solves the problem of displaying log events that occur in the last stages of shutdown, when the usual logging daemons have already exited;
  • In journalctl and other utilities that display logs, warnings are highlighted in yellow and audit records in blue so that they stand out from the rest;
  • In the $PATH environment variable, the path to bin/ now comes before the path to sbin/, i.e. if identically named executables exist in both directories, the file from bin/ will be used;
  • systemd-logind provides a SetBrightness() call for safely changing screen brightness on a per-session basis;
  • A "--wait-for-initialization" flag has been added to the "udevadm info" command to wait for a device to be initialized;
  • During system startup, the PID 1 handler now shows unit names instead of a line with their description. To return to the previous behaviour, use the StatusUnitFormat option in /etc/systemd/system.conf or the systemd.status_unit_format kernel option;
  • A KExecWatchdogSec option has been added to /etc/systemd/system.conf for the PID 1 watchdog, specifying the timeout for a reboot via kexec. The old ShutdownWatchdogSec setting has been renamed to RebootWatchdogSec and defines the timeout for operations during shutdown or a normal reboot;

  • A new ExecCondition option has been added for services, which allows specifying commands to run before ExecStartPre. Based on the exit code returned by the command, a decision is made on whether to continue the unit: if code 0 is returned, unit startup continues; with codes 1 to 254 the unit terminates silently without the failure flag; with 255 it terminates with the failure flag;
  • A new systemd-pstore.service has been added to extract data from /sys/fs/pstore/ and save it to /var/lib/pstore for further analysis;
  • New commands have been added to the timedatectl utility for configuring the NTP parameters of systemd-timesyncd on a per-network-interface basis;
  • The "localectl list-locales" command no longer shows non-UTF-8 locales;
  • Errors in variable assignments in sysctl.d/ files are now ignored if the variable name starts with the "-" character;
  • The systemd-random-seed service is now fully responsible for initializing the entropy pool of the Linux kernel pseudorandom number generator. Services that require /dev/urandom to be properly initialized should be started after systemd-random-seed.service;
  • The systemd-boot boot loader provides optional support for a random seed file in the EFI System Partition (ESP);
  • New commands have been added to the bootctl utility: "bootctl random-seed" to generate a seed file in the ESP and "bootctl is-installed" to check whether the systemd-boot boot loader is installed. bootctl has also been adapted to show warnings about incorrect boot entry configuration (for example, when a kernel image has been removed but its boot loader entry remains);
  • Automatic selection of the swap partition when the system enters sleep mode is provided. The partition is chosen according to the priority configured for it and, where priorities are equal, by the amount of free space;
  • A keyfile-timeout option has been added to /etc/crypttab to set how long to wait for the device holding the encryption key before prompting for the password to access the encrypted partition;
  • An IOWeight option has been added for setting the I/O weight for the BFQ scheduler;
  • systemd-resolved gained a 'strict' mode for DNS-over-TLS and the ability to cache only positive DNS responses ("Cache=no-negative" in resolved.conf);
  • For VXLAN, systemd-networkd added the GenericProtocolExtension option to enable VXLAN protocol extensions. For VXLAN and GENEVE, the IPDoNotFragment option has been added to set the do-not-fragment flag on outgoing packets;
  • In systemd-networkd, the "[Route]" section gained the FastOpenNoCookie option to enable the TCP Fast Open connection mode (TFO, RFC 7413) on a per-route basis, as well as the TTLPropagate option for configuring the TTL of an LSP (Label Switched Path). The "Type" option provides support for the local, broadcast, anycast, multicast, any and xresolve route types;
  • systemd-networkd offers the DefaultRouteOnDevice option in the "[Network]" section to automatically configure the default route for a given network device;
  • systemd-networkd added ProxyARP and ProxyARPWiFi for configuring proxy ARP behaviour, MulticastRouter for configuring router parameters in multicast mode, and MulticastIGMPVersion for changing the IGMP (Internet Group Management Protocol) version used for multicast;

  • systemd-networkd added the Local, Peer and PeerPort options for FooOverUDP tunnels to configure the local and remote IP addresses and the network port number. For TUN devices, the VnetHeader option has been added to configure support for GSO (Generic Segmentation Offload);
  • In systemd-networkd, the [Match] section of .network and .link files gained the Property option, which allows identifying devices by specific udev properties;
  • In systemd-networkd, the AssignToLoopback option has been added for tunnels, controlling whether the tunnel endpoint is assigned to the "lo" loopback device;
  • systemd-networkd automatically enables the IPv6 stack if it is blocked via the disable_ipv6 sysctl: IPv6 is enabled if IPv6 settings (static or DHCPv6) are defined for the network interface; otherwise the already set sysctl value is left unchanged;
  • In .network files, the CriticalConnection setting has been replaced by the KeepConfiguration option, which provides additional ways to define the conditions ("yes", "static", "dhcp-on-stop", "dhcp") under which systemd-networkd should not touch the existing connection at startup;
  • Fixed the vulnerability CVE-2019-15718, caused by a lack of access control on the D-Bus interface of systemd-resolved. The issue allowed an unprivileged user to perform operations available only to administrators, such as changing DNS settings and redirecting DNS queries to a malicious server;
  • Fixed the vulnerability CVE-2019-9619, related to pam_systemd not being activated in non-interactive sessions, which allowed an active session to be spoofed.
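The following service unit, an added example rather than anything from the article or the systemd project, combines the ExecCondition, named exit-status, IP filter path, SystemCallFilter and IOWeight options described above; the script, daemon and pinned BPF program paths are hypothetical.

```ini
# Added example (not from the article or the systemd project).
[Unit]
Description=Example service using systemd 243 features

[Service]
# ExecCondition runs before ExecStartPre. Exit 0 continues startup,
# 1-254 skips the unit quietly (no failure flag), 255 marks it failed.
# The pre-check script is a hypothetical path.
ExecCondition=/usr/local/bin/example-precheck.sh
ExecStart=/usr/local/bin/example-daemon
# Exit statuses may be given by name (sysexits names) as well as by number.
SuccessExitStatus=DATAERR 75
RestartPreventExitStatus=CONFIG
Restart=on-failure
# Pinned BPF programs (hypothetical paths) filter this unit's IP traffic,
# acting as a per-service firewall.
IPIngressFilterPath=/sys/fs/bpf/example-ingress
IPEgressFilterPath=/sys/fs/bpf/example-egress
# With kernel 4.14+ and libseccomp 2.4.0+, a blocked system call now
# terminates the whole process, not just the calling thread.
SystemCallFilter=@system-service
# Relative I/O weight for the BFQ scheduler (1-10000).
IOWeight=50

[Install]
WantedBy=multi-user.target
```

Check the effective exit-status names with "systemd-analyze exit-status" before relying on them in SuccessExitStatus or RestartPreventExitStatus.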
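The .network file below is an added example, not from the article or the systemd project, showing the new [DHCPv4] section, KeepConfiguration, DefaultRouteOnDevice, the [Match] Property option and the per-route FastOpenNoCookie and Type settings together; the interface name, udev property value and addresses are constructed.

```ini
# Added example (not from the article or the systemd project).
[Match]
Name=eth0
# Match on a udev property as well (constructed value).
Property=ID_NET_DRIVER=virtio_net

[Network]
DHCP=ipv4
# Leave an existing DHCP lease alone when systemd-networkd stops.
KeepConfiguration=dhcp-on-stop
# Do not add an automatic default route on this device.
DefaultRouteOnDevice=no

[DHCPv4]
# Route DNS traffic through the same interface as the DHCP default route.
RoutesToDNS=yes
# Give up after five acquisition attempts.
MaxAttempts=5
# Refuse leases offered by these servers (constructed addresses).
BlackList=192.0.2.10 192.0.2.11
# Send DHCP RELEASE when the client stops.
SendRelease=yes

[Route]
# Per-route TCP Fast Open without a cookie (RFC 7413); constructed subnet.
Destination=198.51.100.0/24
Gateway=192.0.2.1
Type=unicast
FastOpenNoCookie=yes
```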

Source: opennet.ru
