Release of the systemd 246 system manager

After five months of development, systemd 246 has been released. The new release adds support for freezing units, verification of the root disk image with a digital signature, ZSTD compression of journals and core dumps, unlocking of portable home directories with FIDO2 tokens, unlocking of Microsoft BitLocker volumes via /etc/crypttab, and renames the BlackList settings to DenyList.

Main changes:

  • Added support for the cgroup v2 freezer controller, which suspends processes and frees some of their resources (CPU, I/O and possibly memory) for other tasks. Freezing and thawing of units is controlled with the new "systemctl freeze" and "systemctl thaw" commands or over D-Bus.
  • Added support for verifying the root disk image with a digital signature. Verification is configured with two new service unit settings: RootHash (the dm-verity root hash of the disk image given with RootImage) and RootHashSignature (a PKCS#7 digital signature over that root hash).
  • PID 1 now automatically loads a precompiled AppArmor policy (/etc/apparmor/earlypolicy) during early boot.
  • New unit file settings: ConditionPathIsEncrypted and AssertPathIsEncrypted check whether the given path resides on a block device that uses encryption (dm-crypt/LUKS); ConditionEnvironment and AssertEnvironment check environment variables (for example those set by PAM or when configuring containers).
  • Mount units (*.mount) gain the ReadWriteOnly setting, which forbids falling back to a read-only mount when the partition cannot be mounted read-write. In /etc/fstab the same behaviour is requested with the "x-systemd.rw-only" option.
  • Socket units (*.socket) gain the PassPacketInfo setting, which lets the kernel attach extra metadata to every packet read from the socket (enables IP_PKTINFO, IPV6_RECVPKTINFO and NETLINK_PKTINFO on the socket).
  • Service units (*.service) gain the CoredumpFilter setting (defines which memory segments are included in a core dump) and TimeoutStartFailureMode/TimeoutStopFailureMode (define what is done when a timeout occurs while starting or stopping the service: SIGTERM, SIGABRT or SIGKILL).
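As an added example (not part of the release notes or of the systemd project), a service unit and a mount unit that combine several of the settings above: RootImage/RootHash/RootHashSignature for a signed dm-verity image, ConditionPathIsEncrypted, CoredumpFilter and TimeoutStopFailureMode, and ReadWriteOnly on the mount. Unit names, paths, the root hash and the signature file are hypothetical placeholders.

```ini
# /etc/systemd/system/verity-app.service  -- hypothetical unit, added example
[Unit]
Description=Service that runs from a signed dm-verity image
# Refuse to start if the state directory is not on a dm-crypt/LUKS block device
ConditionPathIsEncrypted=/var/lib/verity-app

[Service]
# Disk image carrying the root file system and its verity hash tree (hypothetical path)
RootImage=/var/lib/images/verity-app.raw
# Root hash the kernel recomputes for every block it reads; a mismatch fails the read.
# Placeholder value: the real one is printed by 'veritysetup format' when the image is built.
RootHash=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# PKCS#7 (DER) signature over the root hash. Without it the hash only proves the image
# is internally consistent, not that a trusted party built it.
RootHashSignature=/var/lib/images/verity-app.roothash.p7s
# Only private anonymous memory goes into a core dump: file-backed and shared
# mappings (which may include other processes' data) are left out
CoredumpFilter=private-anonymous
# If the service ignores SIGTERM for 30 s, abort it (SIGABRT, so a core dump is taken)
# instead of the default SIGKILL
TimeoutStopSec=30s
TimeoutStopFailureMode=abort
StateDirectory=verity-app
ExecStart=/usr/bin/verity-app

# /etc/systemd/system/srv-data.mount  -- hypothetical unit, added example
[Mount]
What=/dev/disk/by-label/data
Where=/srv/data
Type=ext4
Options=nosuid,nodev
# Fail the unit rather than silently ending up with a read-only mount
# (same effect as the x-systemd.rw-only option in /etc/fstab)
ReadWriteOnly=yes
```

The signature is not checked by systemd itself but by dm-verity in the kernel, so the kernel must be built with CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG and the signer's certificate must be present in its trusted keyring; a kernel without either refuses the device setup, which is the desired fail-closed behaviour. ReadWriteOnly matters for the same reason: a mount that quietly degrades to read-only can leave a service running without the audit or state writes it assumes.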

  • Many options now accept hexadecimal values written with a "0x" prefix.
  • For various command-line parameters and configuration settings that take keys or certificates, a path to a Unix socket (AF_UNIX) can now be given; the keys and certificates are then obtained by calling an IPC service, for cases where keeping certificates on unencrypted storage is undesirable.
  • Added six new specifiers usable in units, tmpfiles.d/, sysusers.d/ and other configuration files: %a expands to the current architecture, %o/%w/%B/%W to the ID, VERSION_ID, BUILD_ID and VARIANT_ID fields of /etc/os-release, and %l to the short hostname.
  • Unit files no longer support the ".include" syntax, which was deprecated 6 years ago.
  • The StandardError and StandardOutput settings no longer accept the values "syslog" and "syslog-console"; they are automatically converted to "journal" and "journal+console".
  • Automatically created tmpfs mount points (/tmp, /run, /dev/shm, etc.) now get limits on size and inode count: 50% of RAM for /tmp and /dev/shm, and 10% of RAM for all others.
  • New kernel command-line options: systemd.hostname to set the hostname during early boot; udev.blockdev_read_only to put all block devices belonging to removable drives into read-only mode (the "blockdev --setrw" command can be used to undo this selectively); systemd.swap to disable automatic activation of swap partitions; systemd.clock-usec to set the system clock in microseconds; systemd.condition-needs-update and systemd.condition-first-boot to override the ConditionNeedsUpdate and ConditionFirstBoot checks.
  • By default the fs.suid_dumpable sysctl is now set to 2 ("suidsafe"), which allows core dumps to be saved for processes running with the suid bit. Note that the kernel honours this mode only when core_pattern points at a pipe handler or an absolute path, which is the case with systemd-coredump.
  • The file /usr/lib/udev/hwdb.d/60-autosuspend.hwdb has been imported from the ChromiumOS hardware database; it lists PCI and USB devices that support autosuspend.
  • Added the ManageForeignRoutes setting to networkd.conf; when enabled, systemd-networkd takes over management of all routes, including those configured by other tools.
  • Added an [SR-IOV] section to .network files for configuring network devices that support SR-IOV (Single Root I/O Virtualization).
  • In systemd-networkd, the IPv4AcceptLocal setting was added to the [Network] section to allow packets arriving with a local source address to be accepted on the network interface.
  • systemd-networkd can now configure traffic-scheduling disciplines: HTB via [HierarchyTokenBucket] and [HierarchyTokenBucketClass], pfifo via [PFIFO], GRED via [GenericRandomEarlyDetection], SFB via [StochasticFairBlue], cake via [CAKE], PIE via [PIE], DRR via [DeficitRoundRobinScheduler] and [DeficitRoundRobinSchedulerClass], BFIFO via [BFIFO], PFIFOHeadDrop via [PFIFOHeadDrop], PFIFOFast via [PFIFOFast], HHF via [HeavyHitterFilter], ETS via [EnhancedTransmissionSelection], and QFQ via [QuickFairQueueing] and [QuickFairQueueingClass].

  • In systemd-networkd, the UseGateway setting was added to the [DHCPv4] section to disable use of the gateway information received via DHCP.
  • In systemd-networkd, the SendVendorOption setting was added to the [DHCPv4] and [DHCPServer] sections to send and process additional vendor options.
  • systemd-networkd gains a new set of options, EmitPOP3/POP3, EmitSMTP/SMTP and EmitLPR/LPR, in the [DHCPServer] section to advertise POP3, SMTP and LPR servers.
  • In systemd-networkd, the VLANProtocol setting was added to the [Bridge] section of .netdev files to select the VLAN protocol to use.
  • In systemd-networkd, the Group setting was added to the [Link] section of .network files to manage the link group.
  • The BlackList settings were renamed to DenyList (the old name is still accepted for backward compatibility).
  • systemd-networkd gained a large number of settings related to IPv6 and DHCPv6.
  • Added the "forcerenew" command to networkctl to force renewal of all address bindings (leases).
  • In systemd-resolved, the DNS server configuration can now specify a port number and the hostname used to validate the DNS-over-TLS certificate. The DNS-over-TLS implementation gained SNI checking.
  • systemd-resolved can now be configured to resolve single-label DNS names (names consisting of a single label, i.e. a bare hostname without a domain).
  • systemd-journald supports the zstd algorithm for compressing large fields in journal files. Work was done to protect the hash tables used in journal files against collisions.
  • journalctl now renders clickable URLs linking to documentation when displaying log messages.
  • Added the Audit setting to journald.conf to control whether auditing is enabled when systemd-journald starts.
  • systemd-coredump can now compress core dumps with the zstd algorithm.
  • Added the UUID setting to systemd-repart to assign a UUID to a created partition.
  • The systemd-homed service, which manages portable home directories, can now unlock home directories with FIDO2 tokens. The LUKS partition encryption backend now automatically discards empty file system blocks at logout. Added protection against double encryption of data when it is detected that the system's /home partition is already encrypted.
  • New options in /etc/crypttab: "keyfile-erase" removes the key file after it has been used, and "try-empty-password" attempts to unlock the partition with an empty password before prompting the user for one (useful for installing encrypted images whose password is assigned after the first boot rather than during installation).
  • systemd-cryptsetup gained support for unlocking Microsoft BitLocker volumes at boot via /etc/crypttab. It can also read keys for unlocking partitions automatically from /etc/cryptsetup-keys.d/*.key and /run/cryptsetup-keys.d/*.key files.
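An added example of the crypttab options described above (not from the release notes or from the systemd project); volume names, UUIDs and key paths are hypothetical. It shows a one-shot key erased after use, the automatic key file lookup combined with "try-empty-password", and a BitLocker volume selected with the "bitlk" option.

```text
# /etc/crypttab  -- added example with hypothetical names and UUIDs
# name     device                                      key file                              options

# One-shot key placed in tmpfs by an earlier boot stage and erased right after the unlock,
# so it does not outlive the boot. Never use keyfile-erase on a persistent key under /etc:
# the volume would be unlockable only by passphrase on the next boot.
secrets    UUID=11111111-2222-3333-4444-555555555555  /run/cryptsetup-keys.d/secrets.key   luks,keyfile-erase

# No key file given: systemd-cryptsetup first tries /etc/cryptsetup-keys.d/data.key and
# /run/cryptsetup-keys.d/data.key. try-empty-password then tries an empty passphrase before
# prompting, for images shipped with an empty password that is replaced on first boot.
data       UUID=66666666-7777-8888-9999-aaaaaaaaaaaa  none                                  luks,try-empty-password

# Microsoft BitLocker volume; 'bitlk' selects the BitLocker format (requires a cryptsetup
# build with BitLocker support) and the user is prompted for the BitLocker password
winvol     /dev/disk/by-partuuid/bbbbbbbb-cccc-dddd-eeee-ffffffffffff  none                 bitlk
```

For the "data" line, make sure the first-boot provisioning that sets the real password also removes "try-empty-password" (or the empty-password keyslot); otherwise the option documents, in a world-readable file, that the volume may still open with no secret at all.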

  • Added systemd-xdg-autostart-generator, which creates unit files from .desktop autostart files.
  • Added the "reboot-to-firmware" command to "bootctl".
  • New options in systemd-firstboot: "--image" to specify a disk image to initialize, "--kernel-command-line" to initialize the /etc/kernel/cmdline file, "--root-password-hashed" to specify the root password as a hash, and "--delete-root-password" to remove the root password.
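An added example for the systemd-networkd items above (UseGateway in [DHCPv4], IPv4AcceptLocal in [Network], Group in [Link]); it is not from the release notes or from the systemd project, and the interface name, group number and gateway address are hypothetical. The point it makes is that on an untrusted segment the address can still come from DHCP while routing is pinned locally, so a rogue DHCP server cannot redirect traffic.

```ini
# /etc/systemd/network/20-lab.network  -- hypothetical, added example
[Match]
Name=enp1s0

[Link]
# Place the interface in link group 10 (Group= in [Link] of .network files is new in 246)
Group=10

[Network]
DHCP=ipv4
# Keep the kernel default: packets whose source address is one of our own are dropped
IPv4AcceptLocal=no

[DHCPv4]
# Accept address and lease, but never install routes or resolvers the DHCP server hands out
UseGateway=no
UseRoutes=no
UseDNS=no

[Route]
# Default route pinned to a known gateway instead of whatever option 3 advertised
Gateway=192.0.2.1
```

UseRoutes=no covers classless static routes (DHCP option 121), which a rogue server can use to the same effect as a forged gateway; UseGateway=no alone only blocks option 3. After editing, "networkctl reload" picks up the file and "networkctl forcerenew" refreshes the lease under the new policy.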
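An added example for the systemd-resolved items above (not from the release notes or from the systemd project): a resolved.conf drop-in that uses the new address:port#servername syntax so that DNS-over-TLS validates the server certificate against a name and sends it as SNI. The public Quad9 resolver addresses are used for illustration; the drop-in path is hypothetical.

```ini
# /etc/systemd/resolved.conf.d/dot.conf  -- added example
[Resolve]
# address[:port]#servername: the name after '#' is sent as SNI and the presented
# certificate must be valid for it (IPv6 addresses go in brackets)
DNS=9.9.9.9:853#dns.quad9.net [2620:fe::fe]:853#dns.quad9.net
# 'yes' is strict and fails closed; 'opportunistic' silently falls back to plaintext
# and therefore gives no protection against an active attacker
DNSOverTLS=yes
# Keep single-label names local (LLMNR, /etc/hosts); enabling this forwards bare
# hostnames to the upstream server
ResolveUnicastSingleLabel=no
```

Without the "#servername" part the TLS session is still encrypted but the certificate is not tied to any name, so an on-path attacker holding any valid certificate could terminate the connection; the hostname is what turns DNS-over-TLS from encryption into authentication.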

Source: opennet.ru
