Release of the systemd 252 system manager with UKI (Unified Kernel Image) support.

After five months of development, the systemd 252 system manager has been released. The key change in the new version is integrated support for a modern boot process in which digital signatures are used to verify not only the kernel and the bootloader, but also components of the base system environment.

The proposed approach relies on a Unified Kernel Image (UKI) that bundles the UEFI boot stub (the handler that loads the kernel from UEFI), the Linux kernel image, and the initrd system environment that is loaded into memory and used for early-stage initialization before the root FS is mounted. The UKI is packaged as a single executable file in PE format, which can be loaded by traditional bootloaders or invoked directly from the UEFI firmware. When invoked from UEFI, the digital signature can be used to verify the integrity and authenticity not only of the kernel but also of the initrd contents.

To compute the TPM PCR (Platform Configuration Register) values used for integrity monitoring, and to produce a digital signature for the UKI image, a new systemd-measure utility has been added. The public key and the PCR information used in the signature can be embedded directly in the UKI image (the signature and the key are stored in the PE file's '.pcrsig' and '.pcrkey' sections) and later extracted from it by systemd's own tools.

In particular, the systemd-cryptsetup, systemd-cryptenroll and systemd-creds utilities have been adapted to use this information, which makes it possible to bind encrypted disk partitions to a digitally signed kernel (in this case access to an encrypted partition is granted only if the UKI image passed digital signature verification, as reflected in the PCR state of the TPM).

In addition, a systemd-pcrphase utility has been added, which controls how the individual boot phases are bound to the values held by cryptoprocessors implementing the TPM 2.0 specification (for example, a LUKS2 partition key can be made available only while the initrd image is running and blocked from access in later boot stages).
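As an added illustration of the mechanism described above (this is not systemd's code and not part of the original article), the following stand-alone Python replays what ends up in PCR 11 and derives the TPM 2.0 PCR policy digest that a LUKS2 key is bound to. It assumes that systemd-stub measures each present UKI section as its NUL-terminated name followed by its payload, in the section order documented for systemd-measure, and that systemd-pcrphase extends each word of a colon-separated phase path such as "enter-initrd:leave-initrd" as that phase is reached; the section payloads are constructed stand-ins. Check the predicted values against `systemd-measure calculate` on a real image before relying on them.

```python
"""Predict a UKI's PCR 11 value and the TPM 2.0 PCR policy a LUKS2 key gets bound to.

Stand-alone illustration using only the standard library; not systemd's own code.
"""
import hashlib
import struct

SHA256_ZERO = bytes(32)            # PCRs and policy sessions both start all-zero
TPM2_ALG_SHA256 = 0x000B           # TPM_ALG_SHA256
TPM_CC_POLICY_PCR = 0x0000017F     # command code of TPM2_PolicyPCR

# Order in which UKI sections are measured into PCR 11.
# Assumption: taken from the section list documented for systemd-measure.
UKI_SECTIONS = (".linux", ".osrel", ".cmdline", ".initrd", ".splash",
                ".dtb", ".uname", ".sbat", ".pcrpkey")


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new_pcr = H(old_pcr || digest)."""
    return sha256(pcr, digest)


def predict_pcr11(sections: dict, phase: str = "") -> bytes:
    """Replay what systemd-stub and systemd-pcrphase extend into PCR 11.

    Assumptions: the stub measures each present section's name (NUL-terminated)
    and then its payload; systemd-pcrphase later extends each word of a
    colon-separated phase path ("enter-initrd:leave-initrd") as it is reached.
    """
    pcr = SHA256_ZERO
    for name in UKI_SECTIONS:
        data = sections.get(name)
        if data is None:
            continue
        pcr = pcr_extend(pcr, sha256(name.encode(), b"\0"))
        pcr = pcr_extend(pcr, sha256(data))
    for word in filter(None, phase.split(":")):
        pcr = pcr_extend(pcr, sha256(word.encode()))
    return pcr


def pcr_selection(pcrs) -> bytes:
    """Marshal a TPML_PCR_SELECTION naming the given PCRs in the SHA-256 bank."""
    select = bytearray(3)                      # sizeofSelect = 3 covers PCRs 0..23
    for i in pcrs:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM2_ALG_SHA256, 3) + bytes(select)


def policy_pcr(pcr_values: dict) -> bytes:
    """Policy digest of TPM2_PolicyPCR run on a fresh (all-zero) trial session.

    new = H(old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(PCR values in order)).
    systemd-measure signs this digest and stores it in .pcrsig; systemd-cryptsetup
    can only unseal the volume key while the live PCRs reproduce it.
    """
    pcrs = sorted(pcr_values)
    digest_tpm = sha256(*(pcr_values[i] for i in pcrs))
    return sha256(SHA256_ZERO, struct.pack(">I", TPM_CC_POLICY_PCR),
                  pcr_selection(pcrs), digest_tpm)


def demo() -> dict:
    # Constructed stand-in payloads; a real UKI carries a kernel, initrd, cmdline, os-release.
    uki = {
        ".linux": b"constructed kernel image",
        ".osrel": b"ID=demo\nVERSION_ID=1\n",
        ".cmdline": b"root=LABEL=root rw",
        ".initrd": b"constructed initrd",
    }
    # Policy that holds while the initrd runs: this is what the LUKS2 key is bound to.
    initrd_policy = policy_pcr({11: predict_pcr11(uki, "enter-initrd")})
    # Once systemd-pcrphase records "leave-initrd", PCR 11 moves on and the policy stops matching.
    later_policy = policy_pcr({11: predict_pcr11(uki, "enter-initrd:leave-initrd")})
    # A single changed byte in the initrd also yields a different policy.
    tampered = {**uki, ".initrd": b"constructed initrd!"}
    tampered_policy = policy_pcr({11: predict_pcr11(tampered, "enter-initrd")})
    return {
        "enter-initrd": initrd_policy.hex(),
        "leave-initrd": later_policy.hex(),
        "tampered-initrd": tampered_policy.hex(),
    }


if __name__ == "__main__":
    for phase, pol in demo().items():
        print(f"{phase:16s} pol={pol}")
```

The three policy digests differ, which is the whole point: systemd-measure signs one digest per boot phase, and a volume enrolled against the "enter-initrd" digest can be unlocked by the initrd but not after systemd-pcrphase has extended PCR 11 again, nor by an image whose initrd was modified. The signing step itself (an RSA signature over the digest with the key whose public half sits in .pcrkey) is left out here because it needs a crypto library beyond the standard library.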

Other changes:

  • The default locale is now C.UTF-8 unless a different locale is specified in the configuration.
  • It is now possible to run a full service preset ("systemctl preset") during first boot. Enabling the preset at first boot currently requires building with the "-Dfirst-boot-full-preset" option, but it is planned to enable it by default in a future release.
  • The CPU controller is now enabled for per-user units, which makes it possible to honour CPUWeight= settings on the slice units that split a user session into parts (app.slice, background.slice, session.slice), so that CPU time is divided between user services competing for it. CPUWeight= also accepts the value "idle" for idle scheduling.
  • For transient units and for systemd-repart, settings can now be overridden with drop-in files placed in a name.d/ directory (for units, /etc/systemd/system/name.d/).
  • A flag marking an OS image as having reached end of support is now set, based on the value of the new "SUPPORT_END=" field in /etc/os-release.
  • Added "ConditionCredential=" and "AssertCredential=" settings, which can be used to skip or fail units if specific credentials are not present on the system.
  • Added "DefaultSmackProcessLabel=" and "DefaultDeviceTimeoutSec=" settings in system.conf and user.conf to define the default SMACK security label and the default timeout for device units.
  • The "ConditionFirmware=" and "AssertFirmware=" settings can now match SMBIOS fields; for example, to start a unit only if /sys/class/dmi/id/board_name contains the value "Custom Board", specify ConditionFirmware=smbios-field(board_name = "Custom Board").
  • The init process (PID 1) can now import credentials from SMBIOS fields (Type 11, "OEM vendor strings") in addition to receiving them via qemu_fwcfg, which simplifies passing data into virtual machines and removes the need for third-party tools such as cloud-init and ignition.
  • During shutdown, the logic for unmounting virtual file systems (proc, sys) has been changed, and information about processes that block unmounting is written to the log.
  • The system call filter (SystemCallFilter) now allows the riscv_flush_icache system call by default.
  • The sd-boot bootloader can now boot in mixed mode, where a 64-bit Linux kernel is started from 32-bit UEFI firmware. Experimental support was added for automatically enrolling SecureBoot keys from files found on the ESP (EFI system partition).
  • New options were added to the bootctl utility: "--all-architectures" to install binaries for all supported EFI architectures, "--root=" and "--image=" to operate on a directory or disk image, "--install-source=" to specify the installation source, and "--efi-boot-option-description=" to control the names of boot entries.
  • A 'list-automounts' command was added to systemctl to show the list of automount points, along with an "--image=" option to run commands against a given disk image. "--state=" and "--type=" options were added to the 'show' and 'status' commands.
  • systemd-networkd gained the options "TCPCongestionControlAlgorithm=" to select the TCP congestion control algorithm, "KeepFileDescriptor=" to keep the file descriptor of a TUN/TAP interface open, "NetLabel=" to set NetLabels, and "RapidCommit=" to speed up DHCPv6 configuration (RFC 3315). The "RouteTable=" parameter now allows specifying names for routing tables.
  • systemd-nspawn accepts relative file paths in the "--bind=" and "--overlay=" options. Support for the 'rootidmap' parameter was added to "--bind=" to map the root user ID inside the container to the owner of the directory mounted from the host side.
  • systemd-resolved uses OpenSSL as its default cryptographic backend (gnutls support is kept as an option). Unsupported DNSSEC algorithms are now treated as insecure instead of producing an error (SERVFAIL).
  • systemd-sysusers, systemd-tmpfiles and systemd-sysctl can now receive their configuration via credentials.
  • A 'compare-versions' command was added to systemd-analyze to compare version strings (similar to 'rpmdev-vercmp' and 'dpkg --compare-versions'). The 'systemd-analyze dump' command can now filter units by glob pattern.
  • In the multi-stage sleep mode (suspend-then-hibernate), the time spent in suspend is now chosen based on the predicted remaining battery life. The switch to hibernation happens immediately if the battery charge is below 5%.
  • A new output mode "-o short-delta" was added to 'journalctl', showing the time difference between successive log messages.
  • systemd-repart gained support for creating partitions with a Squashfs file system and dm-verity partitions, including their digital signatures.
  • A "StopIdleSessionSec=" setting was added to systemd-logind to terminate an idle session after the specified timeout.
  • systemd-cryptenroll gained an "--unlock-key-file=" option to read the existing unlock key from a file instead of prompting the user.
  • The systemd-growfs utility can now be used in environments without udev.
  • systemd-backlight improved support for systems with multiple graphics cards.
  • The license of the code examples shipped in the documentation was changed from CC0 to MIT-0.

Compatibility-breaking changes:

  • When checking the kernel version with the ConditionKernelVersion directive, a plain string comparison is now used for the '=' and '!=' operators, and when no comparison operator is given at all, glob matching with the characters '*', '?', '[' and ']' can be used. For strverscmp()-style version comparison, use the '<', '>', '<=' and '>=' operators.
  • The SELinux label used to check access to a unit file is now read when the file is loaded, rather than at the time of the access check.
  • The "ConditionFirstBoot" condition is now true on the system's first boot only during the startup phase itself and evaluates to "false" when units are started after boot has completed.
  • In 2024, systemd plans to drop support for the cgroup v1 resource limiting mechanism, which was deprecated in systemd 248. Administrators are advised to take care in advance of migrating services that rely on cgroup v1 to cgroup v2. The main difference between cgroups v2 and v1 is the use of a single unified hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory control and I/O. Separate hierarchies made it hard to coordinate the interaction between controllers and added kernel overhead when applying rules to a process referenced from several hierarchies.
  • In the second half of 2023, support is planned to end for split directory hierarchies, where /usr is mounted separately from the root, or /bin and /usr/bin, /lib and /usr/lib are kept separate.

Source: opennet.ru
