Release of the systemd 249 system manager

After three months of development, the systemd 249 system manager has been released. The new release offers the ability to define users and groups in JSON format, stabilises the Journal protocol, simplifies booting from alternating (A/B) disk partitions, adds the ability to bind BPF programs to services, uses user namespaces to map IDs on mounted partitions, and brings a large set of new network settings and extended options for launching containers.

Main changes:

  • The Journal protocol has been documented and can be used by clients instead of the syslog protocol for local delivery of log records. The Journal protocol has been in use for a long time and is already used by some client libraries; however, official support for it has only now been announced.
  • Userdb and nss-systemd provide support for reading additional user definitions, defined in JSON format, from the directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and /usr/lib/userdb/. It is noted that this feature provides an additional way of creating users on the system, with full integration with NSS and /etc/shadow. JSON support for user/group records will also allow various resource controls and other settings to be attached to users seen by pam_systemd and systemd-logind.
  • nss-systemd provides integration of user/group records with /etc/shadow using transient passwords from systemd-homed.
  • A method has been implemented that simplifies organising updates using alternating disk partitions (one partition is active while the second is inactive; the update is copied to the spare partition, after which it becomes the active one). If a disk image contains two root or /usr partitions and udev has not detected the presence of the 'root=' parameter, or when processing disk images specified with the "--image" option in systemd-nspawn and systemd-dissect, the partition to boot from can be determined by comparing GPT labels (it is assumed that the GPT label carries the version number of the partition contents, and systemd will select the partition with the most recent version).
  • A BPFProgram setting has been added to service files, with which you can arrange loading of BPF programs into the kernel and manage them by binding them to specific system services.
  • systemd-fstab-generator and systemd-repart add the ability to boot from disks that have only a /usr partition and no root partition (the root partition will be created by systemd-repart during the first boot).
  • In systemd-nspawn, the "--private-user-chown" option has been replaced by the more general "--private-users-ownership" option, which accepts the values "chown" (equivalent to "--private-user-chown"), "off" to disable the old setting, "map" to map user IDs in mounted file systems, and "auto" to select "map" if the required functionality is present in the kernel (5.12+) or otherwise fall back to a recursive "chown". Using mapping, you can map the files of one user on an external mounted partition to another user on the current system, which simplifies sharing files between different users. For home directories managed by systemd-homed, mapping lets users move their home directories to external media and use them on different computers that do not share the same user ID structure.
  • In systemd-nspawn, the "--private-users" option can now take the value "identity" to map user IDs directly when setting up the user namespace, i.e. UID 0 and UID 1 in the container are mapped to UID 0 and UID 1 on the host side, in order to reduce attack vectors (the container only receives the capabilities of processes within its own namespace).
  • The “--bind-user” option has been added to systemd-nspawn to forward an existing user account from the host environment into the container (the home directory is mounted into the container, the user/group is added, and UID mapping is done between the container and the host).
  • Added support for requesting pre-set passwords in systemd-ask-password and systemd-sysusers (passwd.hashed-password. and passwd.plaintext-password. ) using the mechanism introduced in systemd 247 for securely passing sensitive data via intermediate files in a separate directory. By default, credentials are accepted from the PID 1 process, which receives them, for example, from the container manager, allowing the user password to be set up at first boot.
  • systemd-firstboot adds support for using the secure sensitive-data transfer mechanism to query various system parameters, which can be used to initialise system settings on the first boot of a container image that lacks the required settings in the /etc directory.
  • The PID 1 process now ensures that both the unit name and its description are shown during boot. You can change the output using the “StatusUnitFormat=combined” parameter in system.conf or the kernel command line option “systemd.status-unit-format=combined”.
  • The "--image" option has been added to the systemd-machine-id-setup and systemd-repart utilities to place a machine-id file into a disk image or to enlarge the size of a disk image.
  • A MakeDirectories parameter has been added to the partition configuration file used by the systemd-repart utility, which can be used to create directories in the newly created file system before the partition is registered in the partition table (for example, to create mount point directories on the root partition so that it can immediately be mounted in read-only mode). To manage GPT flags on created partitions, the corresponding Flags, ReadOnly and NoAuto parameters have been added. The CopyBlocks parameter accepts the value "auto" to automatically select the partition the system currently booted from as the source when copying blocks (for example, if you need to transfer your root partition to new media).
  • GPT gains a “grow-file-system” flag, which is similar to the x-systemd.growfs mount option and provides automatic expansion of the file system to the limits of the block device if the file system is smaller than the partition. The flag works for Ext3, XFS and Btrfs file systems and can be used on automatically discovered partitions. The flag is enabled by default on writable partitions created automatically by systemd-repart. A GrowFileSystem option has been added to set the flag in systemd-repart.
  • The /etc/os-release file supports the new IMAGE_VERSION and IMAGE_ID variables to determine the version and ID of atomically updated images. The %M and %A specifiers are provided to substitute these values in various settings.
  • The “--extension” parameter has been added to the portablectl utility to enable portable system extension images (for example, with it you can distribute images with additional services that are combined with the root partition).
  • The systemd-coredump utility outputs ELF build-id information when generating a core dump of a process, which can help determine which package the failing process belonged to if the name and version of the deb or rpm package are built into the ELF files.
  • A new hardware database for FireWire (IEEE 1394) devices has been added to udev.
  • In udev, three changes that break backward compatibility have been made to the “net_id” network name selection scheme: invalid characters in the names used are now replaced with “_”; PCI hotplug names on s390 systems are parsed in hexadecimal form; built-in PCI devices numbered up to 65535 are allowed (previously numbers above 16383 were rejected).
  • systemd-resolved adds the “home.arpa” domain to the NTA (Negative Trust Anchors) list; the domain is recommended for local home networks but cannot be used with DNSSEC.
  • The CPUAffinity parameter now parses “%” specifiers.
  • A ManageForeignRoutingPolicyRules parameter has been added to .network files, which can be used to exclude systemd-networkd from processing routing policy rules created by third parties.
  • A RequiredFamilyForOnline parameter has been added to ".network" files to specify the presence of an IPv4 or IPv6 address as the sign that the network is in the "online" state. networkctl shows an "online" state indicator for each link.
  • An OutgoingInterface parameter has been added to network files to define outgoing interfaces when configuring network bridges.
  • A Group parameter has been added to “.network” files, which allows you to configure a Multipath group to be set in the “[NextHop]” section.
  • Added "-4" and "-6" options to systemd-network-wait-online to limit waiting for connectivity to IPv4 or IPv6 only.
  • A RelayTarget parameter has been added to the DHCP server settings, which switches the server into DHCP Relay mode. For additional configuration of relayed DHCP, the RelayAgentCircuitId and RelayAgentRemoteId options are provided.
  • A ServerAddress parameter has been added to the DHCP server, which allows you to explicitly set the server's IP address (otherwise the address is selected automatically).
  • The DHCP server implements a [DHCPServerStaticLease] section, which allows you to configure static address bindings (DHCP leases), specifying fixed IP-to-MAC address bindings and vice versa.
  • The RestrictAddressFamilies setting supports the value "none", meaning the service has no access to sockets of any address family.
  • In “.network” files, the [Address], [DHCPv6PrefixDelegation] and [IPv6Prefix] sections gain support for the RouteMetric setting, which allows you to specify the metric of the prefix route created for the specified address.
  • nss-myhostname and systemd-resolved provide DNS resolution of host addresses for the special name “_outbound”, which always resolves to the local IP selected according to the default routes used for outgoing connections.
  • In .network files, the "[DHCPv4]" section gains a RoutesToNTP setting, enabled by default, which requests a separate route via the current network link to reach the NTP server address obtained on that link via DHCP (like the corresponding DNS setting, it lets you ensure that traffic to the NTP server is routed via the interface on which the address was received).
  • SocketBindAllow and SocketBindDeny settings have been added to control which addresses sockets of the current service may be bound to.
  • In unit files, a conditional setting called ConditionFirmware has been implemented, which lets you create checks that test firmware features, such as running on UEFI or device-tree systems, as well as checking compatibility with certain device-tree capabilities.
  • A ConditionOSRelease option has been implemented to check fields in the /etc/os-release file. When defining conditions on field values, the operators “=”, “!=”, “<”, “<=”, “>=”, “>” are accepted.
  • In the hostnamectl utility, commands of the form “get-xyz” and “set-xyz” have been freed of the “get” and “set” prefixes; for example, instead of “hostnamectl get-hostname” and “hostnamectl set-hostname” you can use the command “hostnamectl hostname”, and assignment of a value is determined by specifying an additional argument (“hostnamectl hostname value”). Support for the old commands has been retained for compatibility.
  • The systemd-detect-virt utility and the ConditionVirtualization setting now correctly detect Amazon EC2 environments.
  • The LogLevelMax setting in unit files now applies not only to log messages generated by the service, but also to messages from the PID 1 process about that service.
  • The ability to embed SBAT (UEFI Secure Boot Advanced Targeting) data into systemd-boot EFI PE files has been provided.
  • /etc/crypttab gains the new “headless” and “password-echo” options: the first skips all operations related to interactively asking the user for passwords and PINs, while the second configures how password input is displayed (show nothing, show character by character, or show asterisks). The “--echo” option has been added to systemd-ask-password for the same purpose.
  • systemd-cryptenroll, systemd-cryptsetup and systemd-homed have extended support for unlocking LUKS2-encrypted partitions using FIDO2 tokens. New options “--fido2-with-user-presence”, “--fido2-with-user-verification” and “--fido2-with-client-pin” have been added to control the requirements for user presence confirmation, user verification and PIN entry.
  • The “--user”, “--system”, “--merge” and “--file” options, similar to the journalctl options, have been added to systemd-journal-gatewayd.
  • In addition to the direct dependencies between units defined by the OnFailure and Slice parameters, support for the explicit reverse dependencies OnFailureOf and SliceOf has been added, which can be useful, for example, for determining all the units included in a slice.
  • New types of dependencies between units have been added: OnSuccess and OnSuccessOf (the opposite of OnFailure, invoked on successful completion); PropagatesStopTo and StopPropagatedFrom (propagate a unit's stop event to another unit); Upholds and UpheldBy (an alternative to Restart).
  • The systemd-ask-password utility now has an “--emoji” option to control the display of the lock symbol (🔐) in the password prompt line.
  • Documentation on the structure of the systemd source tree has been added.
  • For units, a MemoryAvailable property has been added, showing how much memory the unit has left before reaching the limit set by the MemoryMax, MemoryHigh or MemoryAvailable parameters.
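A systemd-repart configuration illustrating the MakeDirectories, ReadOnly, NoAuto, CopyBlocks=auto and GrowFileSystem settings described above, as an added example that is not taken from the article or from the systemd project; the file names, labels and directory list are assumptions.

```ini
# /etc/repart.d/10-root.conf (assumed file name)
# Root partition created at first boot on a disk that ships only /usr.
[Partition]
Type=root
Label=root
Format=ext4
# Mount points are created inside the fresh file system before the partition
# is registered in the GPT, so the root FS can be mounted read-only at once.
MakeDirectories=/home /srv /var /usr
# GPT partition flags: read-only contents, and not auto-mounted by the
# discoverable-partitions logic until a boot loader or repart activates it.
ReadOnly=yes
NoAuto=yes
# Alternative for cloning the partition the running system booted from into
# the spare slot of an A/B layout (cannot be combined with Format=):
# CopyBlocks=auto

# /etc/repart.d/20-var.conf (assumed file name)
# Writable state partition; the grow-file-system GPT flag makes systemd
# expand the FS to the block device size whenever the partition is larger.
[Partition]
Type=var
Label=var
Format=ext4
GrowFileSystem=yes
```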
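A service unit combining the sandboxing and conditional settings introduced in this release (BPFProgram, SocketBindAllow/SocketBindDeny, RestrictAddressFamilies=none, ConditionFirmware, ConditionOSRelease and the %M/%A specifiers), as an added example and not code from the article or the systemd project; the unit name, binary, os-release values and pinned BPF path are assumptions.

```ini
# /etc/systemd/system/metrics-exporter.service (assumed unit name)
[Unit]
Description=Example exporter restricted to one listening port
# Skip the unit unless the firmware is UEFI and /etc/os-release matches;
# ConditionOSRelease= accepts =, !=, <, <=, >= and > on field values.
ConditionFirmware=uefi
ConditionOSRelease=ID=exampleos
ConditionOSRelease=IMAGE_VERSION>=20

[Service]
# %M expands to IMAGE_ID and %A to IMAGE_VERSION from /etc/os-release.
ExecStart=/usr/bin/metrics-exporter --instance=%M-%A
# Attach a BPF program pinned at an assumed path as the cgroup egress hook;
# the format is <attach-point>:<path-to-pinned-program>.
BPFProgram=egress:/sys/fs/bpf/metrics-exporter-egress
# bind() is allowed only on port 9100 for IPv4 and IPv6. Allow rules are
# evaluated before deny rules, and an unmatched bind() is permitted, so the
# final "any" deny is what turns this into a real allow-list.
SocketBindAllow=ipv4:9100
SocketBindAllow=ipv6:9100
SocketBindDeny=any
# The exporter needs IP sockets, so restrict by family rather than removing
# socket access entirely.
RestrictAddressFamilies=AF_INET AF_INET6
NoNewPrivileges=yes

# For a worker that never opens a socket, the new value removes every family:
# RestrictAddressFamilies=none
```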
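A systemd-networkd DHCP server configuration showing ServerAddress, the [DHCPServerStaticLease] section and the RelayTarget/RelayAgent* relay-mode options from the items above, as an added example rather than configuration from the article or the systemd project; the interface names, addresses and MAC addresses are constructed for illustration.

```ini
# /etc/systemd/network/10-lan.network (assumed file name)
[Match]
Name=lan0

[Network]
Address=192.0.2.1/24
DHCPServer=yes

[DHCPServer]
# Set the server identity explicitly instead of letting networkd pick one.
ServerAddress=192.0.2.1/24
PoolOffset=100
PoolSize=50
EmitDNS=yes
DNS=192.0.2.1

# Fixed MAC-to-IP bindings: these clients always receive the same lease, so
# firewall rules and logs stay tied to known hosts. One section per lease.
[DHCPServerStaticLease]
MACAddress=02:00:5e:00:53:01
Address=192.0.2.10

[DHCPServerStaticLease]
MACAddress=02:00:5e:00:53:02
Address=192.0.2.11

# /etc/systemd/network/20-branch.network (assumed file name)
# Setting RelayTarget= switches the same section into DHCP relay mode:
# requests on branch0 are forwarded to the server above with agent options.
[Match]
Name=branch0

[Network]
Address=198.51.100.1/24
DHCPServer=yes

[DHCPServer]
RelayTarget=192.0.2.1
RelayAgentCircuitId=string:branch0
RelayAgentRemoteId=string:site-b
```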

Source: opennet.ru
