Anniversary
Systemd is 10-year old: project started on Nov 18th 2009!
Recent history
- RHEL 7.0 -> v208
- RHEL 7.2 -> v219
- RHEL 8.0 -> v239
Project stats
- 39776 Commits
- 1129 Contributors
- 181 Systemd releases
- 20 Releases since RHEL 7
Highlights
- Security
- Improved sandboxing and isolation options for services
- Unprivileged unit files (systemd –user)
- Additional hardening of systemd services
- Usability
- Many improvements to systemctl, journalctl, etc.
- Additional service & unit files settings
- Resource management using cgroups v2 (tech preview, GA 8.1 or 8.2)
- Better journal compression and performance
- New technology previews
- IP accounting and filtering
- Portable system services
Security
Securing Units
Objectives: Reduce system attack surface per unit and provide container-style isolation for traditional services, simple to apply as another layer of security for systems.
- Namespace isolation:
- PrivateTmp=1
- Creates a FS namespace and mount private /tmp & /var/tmp directories inside it
- PrivateNetwork=1
- Creates a network namespace with a single loopback device
- PrivateTmp=1
- Syscall filters:
- SystemCallFilter=@system-service
- Whitelist/blacklist individual or groups of syscalls
- SystemCallFilter=@system-service
- Linux capabilities:
- CapabilityBoundingSet=~CAP_NET_ADMIN
- Forbids any network-related operations
- CapabilityBoundingSet=~CAP_NET_ADMIN
New Security Features
- ProtectKernelTunables=1
- Disable modification to /proc & /sys
- ProtectKernelModules=1
- Prohibit load/unload of modules
- Mask /usr/lib/modules
- ProtectControlGroups=1
- Disable write access to /sys/fs/cgroup
- RestrictNamespaces=1
- Restrict all or a subset of namespaces cgroup ipc net mnt pid user uts
- MemoryDenyWriteExecute=1
- Disable memory mapping that is simultaneously writable & executable
- DynamicUser=1
- Dynamically allocated UID/GID (61184-65519)
- /etc/[passwd, group] are not altered and users are removed when the service stops
- PrivateMounts=1
- Service is run in a private mount namespace
- RestrictRealtime=1
- Prohibit real-time scheduling
- RemoveIPC=1
- Remove semaphores, shared memory & messages queues when the service stops
Systemd-analyze
The systemd-analyze command will get some new feature with RHEL 8.1 to analyze risks.
Control Groups
CGroups V1: the default in RHEL 8
- Well supported in the Linux ecosystem for over a decade
- Same basic behavior as RHEL 7
- Systemd uses cgroups labels by default
- Accounting is opt-in for CPU & BlockIO
- Memory and Tasks accounting are now enabled by default (almost no overhead)
- Same unit file options available: (*=deprecated)
- CPUAccounting=, *CPUShares=, CPUQuota=
- MemoryAccounting=, *MemoryLimit=
- *BlockIOAccounting=, *BlockIOWeight=, *BlockIODeviceWeight=
- TasksAccounting=, TasksMax=
CGroups V2: tech preview in RHEL 8
- Unified hierarchy with vastly improved controllers
- Delivers more coherent and holistic resource management
- Perfectly integrated with systemd
- Ecosystem in-progress (virt & containers work remains)
- Support planned for 8.1 or 8.2
- Append systemd.unified_cgroup_hierarchy to kernel
- Best effort translation for relevant controllers:
- CPUWeight= replaces CPUShares=
- MemoryMax= replaces MemoryLimit=
- IO*= replaces BlockIO*=
Reference: CGroup v2.
Recent Comments