RHEL8 Systemd

Share this link

Anniversary

Systemd is 10-year old: project started on Nov 18th 2009!

socket

Recent history

  • RHEL 7.0 -> v208
  • RHEL 7.2 -> v219
  • RHEL 8.0 -> v239

Project stats

  • 39776 Commits
  • 1129 Contributors
  • 181 Systemd releases
  • 20 Releases since RHEL 7

Highlights

  • Security
    • Improved sandboxing and isolation options for services
    • Unprivileged unit files (systemd –user)
    • Additional hardening of systemd services
  • Usability
    • Many improvements to systemctl, journalctl, etc.
    • Additional service & unit files settings
    • Resource management using cgroups v2 (tech preview, GA 8.1 or 8.2)
    • Better journal compression and performance
  • New technology previews
    • IP accounting and filtering
    • Portable system services

Security

Securing Units

Objectives: Reduce system attack surface per unit and provide container-style isolation for traditional services, simple to apply as another layer of security for systems.

  • Namespace isolation:
    • PrivateTmp=1
      • Creates a FS namespace and mount private /tmp & /var/tmp directories inside it
    • PrivateNetwork=1
      • Creates a network namespace with a single loopback device
  • Syscall filters:
    • SystemCallFilter=@system-service
      • Whitelist/blacklist individual or groups of syscalls
  • Linux capabilities:
    • CapabilityBoundingSet=~CAP_NET_ADMIN
      • Forbids any network-related operations

New Security Features

  • ProtectKernelTunables=1
    • Disable modification to /proc & /sys
  • ProtectKernelModules=1
    • Prohibit load/unload of modules
    • Mask /usr/lib/modules
  • ProtectControlGroups=1
    • Disable write access to /sys/fs/cgroup
  • RestrictNamespaces=1
    • Restrict all or a subset of namespaces cgroup ipc net mnt pid user uts
  • MemoryDenyWriteExecute=1
    • Disable memory mapping that is simultaneously writable & executable
  • DynamicUser=1
    • Dynamically allocated UID/GID (61184-65519)
    • /etc/[passwd, group] are not altered and   users are removed when the service stops
  • PrivateMounts=1
    • Service is run in a private mount namespace
  • RestrictRealtime=1
    • Prohibit real-time scheduling
  • RemoveIPC=1
    • Remove semaphores, shared memory &   messages queues when the service stops

Systemd-analyze

The systemd-analyze command will get some new feature with RHEL 8.1 to analyze risks.

systemd-analyze

Control Groups

CGroups V1: the default in RHEL 8

  • Well supported in the Linux   ecosystem for over a decade
  • Same basic behavior as RHEL 7
    • Systemd uses cgroups labels by default
    • Accounting is opt-in for CPU & BlockIO
  • Memory and Tasks accounting are now enabled by default (almost no overhead)
  • Same unit file options available: (*=deprecated)
    • CPUAccounting=, *CPUShares=, CPUQuota=
    • MemoryAccounting=, *MemoryLimit=
    • *BlockIOAccounting=, *BlockIOWeight=, *BlockIODeviceWeight=
    • TasksAccounting=, TasksMax=

CGroups V2: tech preview in RHEL 8

  • Unified hierarchy with vastly improved controllers
    • Delivers more coherent and holistic resource management
  • Perfectly integrated with systemd
    • Ecosystem in-progress (virt & containers work remains)
    • Support planned for 8.1 or 8.2
  • Append systemd.unified_cgroup_hierarchy to kernel
  • Best effort translation for relevant controllers:
    • CPUWeight= replaces CPUShares=
    • MemoryMax= replaces MemoryLimit=
    • IO*= replaces BlockIO*=

Reference: CGroup v2.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Upcoming Events (Local Time)

  1. Jan
    31
    Fri

    1. 9:00 am - View Details
      CentOS: Dojo, Brussels, Belgium.

RHCSA7: Task of the day

Allowed time: 5 minutes.
Set up time services pointing to default time servers.

RHCE7: Task of the day

Allowed time: 5 minutes.
Set up time synchronization with default configuration.

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...