i-systemd 259: Ukusekela kwe-Musl, ukunika amandla i-run0, kanye nokuvalelisa kuSistimu V

Amaphuzu abalulekile:
  • Usekelo oluyingxenye lwe-Musl libc (ludinga ukucushwa ngesandla ku-Meson).
  • run0 --empower ivumela izenzo ezinelungelo ngaphandle kokushintsha i-UID yomsebenzisi.
  • Ukuqinisekiswa kokuhoxiswa kwezikripthi zeSistimu V kanye nezidingo ezengeziwe (i-Kernel 5.10+).
  • i-libsystemd manje ilayisha amalabhulali angaphandle isebenzisa i-dlopen() ukunciphisa ukuncika.
  • Isitoreji sejenali manje 'siyaqhubeka' ngokuzenzakalelayo.
David Y. NaranjoKubuyekezwe ngomhla ka-

Imizuzu ye-4

i-systemd

Ngemva kwezinyanga ezingaphezu kwezintathu zokuthuthukiswa, ukwethulwa kwe- inguqulo entsha ye uhlelo 259. Lokhu kubuyekezwa kwethula izinguquko ekwakhiweni kwesistimu, kugqamisa ukuvuleleka kweminye imitapo yolwazi ejwayelekile, ukuphathwa kwamalungelo okusebenza okuqinile, kanye nezidingo zobuchwepheshe eziqinile zezinguqulo zesikhathi esizayo.

Enye yezinyathelo okukhulunywa ngazo kakhulu kulo mjikelezo ukushintshela ekuguqukeni okukhulu kanye nokususwa kokuxhomekeka kwefa, okuvula indlela ye-ecosystem ye-Linux eshintsha ngokuphelele ezindinganisweni zamashumi eminyaka adlule.

Izici ezintsha eziyinhloko ze-systemd 259

Inguqulo entsha ye-systemd 259 ivelele ngokuba yi- inguqulo yokuqala yokwengeza ukuhambisana okungaphelele ne-Musl, umtapo wolwazi ojwayelekile we-C odumile ekusakazweni okulula nasezindaweni ezifakiwe. Lokhu kuhlanganiswa Iphathwa ngenketho ye-libc ohlelweni lokwakha lwe-Meson. Kodwa-ke, ngenxa yokuthi i-Musl ayisebenzisi ukusebenza kwe-NSS (Name Service Switch), izingxenye eziningana ze-systemd zihlala zikhutshaziwe kulokhu kulungiselelwa.

Phakathi kwe-aukungabikho okuphawulekayo lapho kuhlanganiswa ne-Musl kunjalo i-nss-systemd, i-nss-resolve, i-systemd-homed, i-systemd-userdbd kanye nepharamitha ye-DynamicUserNgaphezu kwalokho, akunakwenzeka ukusebenzisa i-systemd-nspawn ngaphandle kwamalungelo ngaphansi kwale layibrari. Abathuthukisi baxwayise ngokuthi ukugcina lokhu kusekelwa ezinguqulweni zesikhathi esizayo kuzoncika ekufunweni komphakathi kanye nokuzinza kwanoma yiziphi izendlalelo ezengeziwe zokuhambisana ezithuthukisiwe.

Esinye isici esisha sale nguqulo entsha ukuthi kuhlelo lokusebenza lwe-run0, eklanyelwe njengendlela yesimanje nephephile esikhundleni se-sudo, ethole inketho entsha – amandla. Lo msebenzi Ikuvumela ukuthi ungene ngemvume ngamalungelo aphezulu. ngaphandle kwesidingo sokushintsha isihlonzi somsebenzisi (i-UID) sibe yimpande.

Ngaphandle kwalokho, esikhundleni sokunikeza amandla okulawula okuphelele ngokushintsha komsebenzisi, i- –empower isebenzisa izinkomba zamandla e-kernel, njenge-CAP_SYS_ADMIN, ukunikeza izimvume ezidingekayo ngokuphelele ukwenza izingcingo zesistimu ezinelungelo. Ngaphezu kwalokho, izinqubo ezitholakalayo zihlanganiswe eqenjini elithile elibanika ukufinyelela ezenzweni ze-Polkit, okugcina ukuhlukaniswa kwamalungelo okuqinile kunemodeli ye-sudo yendabuko.

Ukuphela kwesikhathi: Sala kahle ohlelweni V kanye nezidingo ezintsha

uhlelo 259 luphawula ukuqala kokuphela kwe- ukuhambisana ne- Izikripthi zesevisi yesistimu VKumenyezelwe ukuthi enguqulweni elandelayo, izingxenye ezindala ezifana ne-systemd-sysv-generator, i-systemd-rc-local-generator, kanye ne-systemd-sysv-install zizosuswa unomphela.

Kanye nalokhu kuhlanzwa kwekhodi endala, izidingo zesofthiwe ezincane kakhulu zesistimu ye-systemd ziphakanyiswe kakhulu:

  • I-Linux Kernel: Inguqulo encane engu-5.10.
  • I-Glibc: 2.34.
  • I-OpenSSL: 3.0.0.
  • I-Utilit-linux: 2.37.
  • Okunye: I-Python 3.9.0, i-cryptsetup 2.4.0 kanye ne-libseccomp 2.4.0.

Ukuguquguquka kanye nokulayisha okunamandla ku-libsystemd

Como ingxenye yesinyathelo sokunciphisa ukuncika ngqo ekuqaleni, i-libsystemd manje isebenzisa ukulayisha okunamandla nge-dlopen() Kumalabhulali afana ne-libacl, i-liblblkid, i-libseccomp, i-libselinux, kanye ne-libmount, uhlelo luzolayisha lawa malabhulali kwimemori kuphela uma imisebenzi yawo ethile idingeka ngenqubo ethile, okwenza ngcono ukusetshenziswa kwezinsizakusebenza. Ngaphezu kwalokho, ukusebenza kwe-libcap kuhlanganiswe ngqo ku-libsystemd, okwenza kube lula uchungechunge lokuncika.

El Ukuphathwa kwelogi kushintshe ukucushwa kwayo okuzenzakalelayo: imodi yokugcina ijenali (Journal) izinguquko kusukela ku-"othomathikhi" kuya ku-"persistent", kungakhathaliseki ukuthi isiqondisi se-/var/log/journal sasikhona yini ngaphambilini.

Emkhakheni wamanethiwekhi kanye nokwenza izinto zibe yi-virtualization:

  • i-systemd-networkd kanye ne-systemd-nspawn: Ukusekelwa kwemithetho ye-NAT esebenzisa ama-iptables kuyasuswa, okushiya ama-nftables njengokuphela kwenketho ehambisanayo.
  • i-systemd-resolved: Manje ivumela ukusetshenziswa kwama-hook endawo (ama-hook) ku-/run/systemd/resolve.hook/ ukungenelela ezicelweni zokuxazulula amagama.
  • i-systemd-importd: I-logic yokusebenza ngamafayela e-TAR ihlanganiswe ngokomdabu. Ngaphezu kwalokho, kokubili i-`importd` kanye ne-`machined` manje ingasebenza ezingeni lomsebenzisi, okuvumela ukuphathwa kwesithombe kufolda yendawo yomsebenzisi (`~/.local/state/machines/`).

Okunye okusha

I-API esekelwe kuphrothokholi I-Varlink ithole izithuthukisi ukuze ivumele ukufinyelela kuzilungiselelo zesevisi kanye nokwenza izingcingo ze-IPC njenge-Reload() kanye ne-Reexecute(). Kubaphathi besistimu, ukufakwa kwempahla ye-OOMKills kumasevisi kuzoba usizo kakhulu, njengoba kuzobavumela ukuthi balandelele ukuthi inqubo iqedwe kangaki ngenxa yokuntuleka kwememori ngqo kusuka kumathuluzi e-systemd.

Ekugcineni, inqubo yokuqalisa uhlelo iba yesimanje ngokususwa kokusekelwa kwe-TPM 1.2 ku-systemd-boot, kugxilwe yonke imizamo yokuphepha ku-TPM 2.0 standard.

Uma ungathanda ukwazi okwengeziwe ngayo, ungathintana ne- imininingwane kusixhumanisi esilandelayo.