After five months of development, the system manager systemd 250 has been released. The new release adds the ability to store encrypted credentials, applies digital signature verification to automatically discovered GPT partitions, improves reporting of service startup delays, adds options to restrict a service's access to specific file systems and network interfaces, supports integrity monitoring using the dm-integrity module, and adds support for automatic updates of sd-boot.
Main changes:
- Added support for encrypted and authenticated credentials, which can be useful for securely storing sensitive material such as SSL keys, access tokens and passwords. Credentials are decrypted only when needed, and decryption is bound to the local installation or hardware. Data is encrypted automatically using symmetric encryption algorithms with a key stored on the file system, in a TPM2 chip, or using a combined scheme. When a service starts, the credentials are decrypted automatically and made available to the service in plaintext. The 'systemd-creds' utility has been added for working with encrypted credentials, and the LoadCredentialEncrypted and SetCredentialEncrypted settings are available for services.
- In sd-stub, the EFI executable through which the EFI firmware loads the Linux kernel, support has been added for passing the initrd to the kernel using the LINUX_EFI_INITRD_MEDIA_GUID EFI protocol. sd-stub has also gained the ability to pack credentials and sysext files into a cpio archive and pass that archive to the kernel together with the initrd (the added files are placed in the /.extra/ directory). This feature makes it possible to use a signed, immutable initrd that is extended with sysexts and encrypted credential data.
- The Discoverable Partitions specification has been significantly extended; it provides the means to identify, mount and activate system partitions using GPT (GUID Partition Tables). Compared with the previous release, the specification now supports separate root and /usr partitions for many architectures, including platforms that do not use UEFI.
Discoverable Partitions also gains support for partitions whose integrity is verified by the dm-verity module using PKCS#7 digital signatures, which simplifies the creation of fully authenticated disk images. Verification support is integrated into the various utilities that dissect disk images, including systemd-nspawn, systemd-sysext, systemd-dissect, services using RootImage, systemd-tmpfiles and systemd-sysusers.
- For units that take a long time to start or stop, in addition to the animated progress bar, status information can now be displayed, which lets you see what is actually happening with the service at the moment and which service the system manager is currently waiting on to complete.
- The DefaultOOMScoreAdjust parameter has been added to /etc/systemd/system.conf and /etc/systemd/user.conf. This parameter adjusts the OOM-killer threshold for low-memory situations and applies to processes started by the system and user systemd instances. By default, system services are given a higher weight than user services, meaning that user services are more likely to be killed under low-memory conditions than system services.
- The RestrictFileSystems setting has been added, allowing you to restrict a service's access to specific file system types. The "systemd-analyze filesystems" command can be used to view the available file system types. Similarly, the RestrictNetworkInterfaces option has been implemented, allowing you to restrict access to specific network interfaces. The implementation is based on the BPF LSM module, which restricts access to kernel objects for a group of processes.
- A new configuration file, /etc/integritytab, and the systemd-integritysetup service have been added. They configure the dm-integrity module for sector-level data integrity monitoring, for example to verify the immutability of encrypted data (authenticated encryption ensures that a data block has not been modified, in a tamper-evident way). The format of /etc/integritytab is the same as that of /etc/crypttab and /etc/veritytab, except that dm-integrity is used instead of dm-crypt and dm-verity.
- A new unit file, systemd-boot-update.service, has been added. When it is enabled and the sd-boot bootloader is installed, systemd will automatically update the installed sd-boot bootloader, keeping the bootloader code up to date. sd-boot itself is now built by default with support for the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, which addresses the problems of UEFI Secure Boot certificate revocation. In addition, sd-boot now supports parsing the Microsoft Windows boot configuration in order to correctly form the names of Windows boot entries and display the Windows version.
sd-boot also makes it possible to specify a colour scheme at build time. Support for changing the screen resolution by pressing the "r" key during boot is now available. A hotkey, "f", has been added for entering the firmware setup interface. An automatic default boot mode has been added that matches the menu entry selected at the previous boot. The ability to automatically load EFI drivers found in the /EFI/systemd/drivers/ directory on the ESP (EFI System Partition) has been added.
- A new unit file, factory-reset.target, has been added. It is handled by systemd-logind in the same way as the reboot, poweroff, suspend and sleep operations, and is used to create hooks for performing a factory reset.
- systemd-resolved now creates an additional listening socket on 127.0.0.54 in addition to 127.0.0.53. Requests sent to 127.0.0.54 are always forwarded to the upstream DNS server and are not processed locally.
- The ability to build systemd-importd and systemd-resolved with the OpenSSL library instead of libgcrypt has been introduced.
- Initial support for the LoongArch architecture used in Loongson processors has been added.
- systemd-gpt-auto-generator has gained the ability to automatically set up swap partitions that are encrypted with the LUKS2 subsystem.
- The GPT image dissection code used in systemd-nspawn, systemd-dissect and similar utilities has gained the ability to dissect images built for other architectures, allowing systemd-nspawn to be used to run such images in emulators for those architectures.
- When inspecting disk images, systemd-dissect now shows information about the purpose of each partition, such as whether it is suitable for UEFI boot or for running in a container.
- A "SYSEXT_SCOPE" field has been added to system-extension.d/ files, allowing you to specify the scope of a system extension image: "initrd", "system" or "portable".
- A "PORTABLE_PREFIXES" field has been added to the os-release file; it can be used in portable images to define the supported unit file prefixes.
- systemd-logind has gained new settings, HandlePowerKeyLongPress, HandleRebootKeyLongPress, HandleSuspendKeyLongPress and HandleHibernateKeyLongPress, which can be used to define the actions taken when the corresponding keys are held down for more than 5 seconds (for example, a short press of the suspend key could suspend the system while holding the suspend key down could be configured to hibernate it).
- For units, the StartupAllowedCPUs and StartupAllowedMemoryNodes settings have been implemented. They differ from the similarly named settings without the Startup prefix in that they apply only during the startup and shutdown phases, allowing you to set different resource limits during boot.
- [Condition|Assert][Memory|CPU|IO]Pressure checks have been added, allowing a unit's activation to be skipped or failed with an error when high memory, CPU or I/O load on the system is detected via the PSI mechanism.
- The default inode limit for the /dev partition has been raised from 64k to 1M, and for /tmp from 400k to 1M.
- For services, the ExecSearchPath setting has been introduced, allowing you to change the search path for executables launched via settings such as ExecStart.
- The RuntimeRandomizedExtraSec setting has been added, allowing you to introduce random variation into the RuntimeMaxSec timeout, which limits a unit's execution time.
- The syntax of the RuntimeDirectory, StateDirectory, CacheDirectory and LogsDirectory settings has been extended. By specifying an additional colon-separated value, you can now create a symbolic link to the specified directory, making it accessible via several paths.
- For services, the TTYRows and TTYColumns settings are provided to specify the number of rows and columns of the TTY device.
- The ExitType setting has been added, allowing you to change the logic used to decide that a service has terminated. By default, systemd only watches for the exit of the main process, but if ExitType=cgroup is set, the system manager waits for the last process in the control group to exit.
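To show how the new service settings described above (LoadCredentialEncrypted, RestrictFileSystems, RestrictNetworkInterfaces, ExecSearchPath, the RuntimeDirectory symlink syntax, RuntimeRandomizedExtraSec, ExitType and the pressure conditions) fit together, here is a constructed unit file. It is an added example, not a unit shipped with systemd; the service name, binary path, credential file and interface name are assumptions.

```ini
# /etc/systemd/system/example-app.service
# Constructed example, not part of systemd: service name, paths,
# credential file and interface name are assumed.
[Unit]
Description=Example service using systemd 250 credentials and sandboxing
# Skip activation while memory pressure (PSI) on the host is high
ConditionMemoryPressure=80%

[Service]
# Non-absolute ExecStart= commands are looked up here
ExecSearchPath=/opt/example-app/bin
ExecStart=example-app --config /etc/example-app/app.conf
# Encrypted at rest (key on disk, in TPM2, or both); the manager decrypts it
# at start and exposes it as $CREDENTIALS_DIRECTORY/db-password in plaintext.
# The encrypted file is produced with systemd-creds, e.g.:
#   systemd-creds encrypt --name=db-password plaintext.txt /etc/example-app/db-password.cred
LoadCredentialEncrypted=db-password:/etc/example-app/db-password.cred
# Only these file system types may be accessed (enforced via the BPF LSM);
# "systemd-analyze filesystems" lists the known types and @groups.
RestrictFileSystems=@basic-api ext4 tmpfs ramfs
# Only the loopback and the primary NIC are reachable
RestrictNetworkInterfaces=lo eth0
# /run/example-app is created, plus the symlink /run/app -> /run/example-app
RuntimeDirectory=example-app:app
# Treat the service as stopped only when the last process in its cgroup
# exits, not when the main process exits
ExitType=cgroup
# Cap runtime at one hour, jittered by up to 5 minutes so that many
# instances do not all hit the timeout at the same moment
RuntimeMaxSec=1h
RuntimeRandomizedExtraSec=5min
# Pin to CPU 0 only during boot/shutdown; AllowedCPUs= applies afterwards
StartupAllowedCPUs=0
AllowedCPUs=0-3

[Install]
WantedBy=multi-user.target
```

A service sandboxed this way that later tries to read from an NFS mount or bind to a second interface is denied by the kernel rather than by application logic, which makes such restrictions worth verifying with `systemd-analyze security` after a change.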
- The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built as a cryptsetup plugin, allowing the regular cryptsetup command to be used to unlock encrypted partitions.
- The TPM2 handler in systemd-cryptsetup/systemd-cryptenroll has been updated to support RSA primary keys in addition to ECC keys, to improve interoperability with chips that do not support ECC.
- A token-timeout option has been added to /etc/crypttab, allowing you to specify the maximum time to wait for a PKCS#11/FIDO2 token to be connected, after which you are prompted for a password or recovery key.
- systemd-timesyncd has gained the SaveIntervalSec setting, which periodically saves the current system time to disk, for example to use the monotonic clock on systems without an RTC.
- The systemd-analyze utility has been updated with the following options: "--image" and "--root" to check unit files inside a given image or root directory, "--recursive-errors" to take dependent units into account when an error is found, "--offline" to check unit files stored separately, "--json" for JSON output, and "--profile" to bind to a portable profile. An inspect-elf command has been added for dissecting ELF core files, along with the ability to check unit files by a given unit name regardless of whether that name matches the file name.
- systemd-networkd now supports the Controller Area Network (CAN) bus. Configuration options for managing CAN modes have been added: Loopback, OneShot, PresumeAck and ClassicDataLengthCode. The following options have been added to the [CAN] section of network files: TimeQuantaNSec, PropagationSegment, PhaseBufferSegment1, PhaseBufferSegment2, SyncJumpWidth, DataTimeQuantaNSec, DataPropagationSegment, DataPhaseBufferSegment1, DataPhaseBufferSegment2 and DataSyncJumpWidth.
- The systemd-networkd DHCPv4 client now has a Label option that lets you configure the address label used when configuring IPv4 addresses.
- systemd-udevd has gained support for the special "max" value in "ethtool" settings, which sets a buffer size to the maximum value supported by the hardware.
- In systemd-udevd .link files, you can now configure various interrupt coalescing parameters for network adapters.
- systemd-networkd ships new default network files: 80-container-vb.network, describing the network bridges created when systemd-nspawn is started with the "--network-bridge" or "--network-zone" options, and 80-6rd-tunnel.network, describing the tunnels created automatically when a DHCP response with the 6RD option is received.
- Support for IP forwarding over InfiniBand interfaces has been added to systemd-networkd and systemd-udevd: an "[IPoIB]" section has been added to systemd.netdev files, and the "ipoib" value is handled in the Kind setting.
- systemd-networkd automatically configures routes for the addresses defined in the AllowedIPs parameter; this can be tuned with the RouteTable and RouteMetric parameters in the [WireGuard] and [WireGuardPeer] sections.
- systemd-networkd automatically generates persistent MAC addresses for batadv and bridge interfaces. To disable this behaviour, specify MACAddress=none in .netdev files.
- The WakeOnLanPassword setting has been added to the "[Link]" section of .link files to define the password used when WoL operates in "SecureOn" mode.
- The "[CAKE]" section of network files has been updated with the AutoRateIngress, CompensationMode, FlowIsolationMode, NAT, MPUBytes, PriorityQueueingPreset, FirewallMark, Wash, SplitGSO and UseRawPacketSize settings, to define parameters of the CAKE (Common Applications Kept Enhanced) queueing discipline.
- The IgnoreCarrierLoss setting has been added to the "[Network]" section of network files, allowing you to specify how long to wait before reacting to the loss of the network carrier signal.
- In systemd-nspawn, homectl, machinectl and systemd-run, the syntax of the "--setenv" parameter has been extended: if only a variable name is given (without "="), the value is taken from the corresponding environment variable (for example, if you specify "--setenv=FOO", the value is taken from $FOO in the local environment and a variable of the same name is set).
- A "--suppress-sync" option has been added to systemd-nspawn to disable the sync()/fsync()/fdatasync() system calls when creating a container (useful when speed matters and preserving build artifacts in case of failure is unimportant, since they can be recreated at any time).
- A new hwdb database has been added covering various kinds of signal analysers (multimeters, protocol analysers, oscilloscopes, etc.). Camera information in hwdb has been extended with a camera type field (regular or infrared) and lens placement (front or back).
- Persistent network interface names are generated for netfront devices used under Xen.
- Analysis of core files by systemd-coredump, based on the libdw/libelf libraries, is now performed in a separate process isolated in a sandbox.
- systemd-importd now supports the $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA and $SYSTEMD_IMPORT_SYNC environment variables, which can be used to disable the creation of Btrfs subvolumes, the setting of quotas and syncing to disk.
- In systemd-journald, on file systems that support copy-on-write, COW mode is re-enabled for archived journals, allowing them to be compressed by Btrfs.
- systemd-journald now deduplicates identical fields within a single message before the message is written to the journal.
- The shutdown command now has a "--show" option to display the scheduled shutdown.
Source: opennet.ru
