RHEL8 Systemd

Anniversary

Systemd is 10-year old: project started on Nov 18th 2009!

Recent history

• RHEL 7.0 -> v208
• RHEL 7.2 -> v219
• RHEL 8.0 -> v239

Project stats

• 39776 Commits
• 1129 Contributors
• 181 Systemd releases
• 20 Releases since RHEL 7

Highlights

• Security
  • Improved sandboxing and isolation options for services
  • Unprivileged unit files (systemd –user)
  • Additional hardening of systemd services
• Usability
  • Many improvements to systemctl, journalctl, etc.
  • Additional service & unit files settings
  • Resource management using cgroups v2 (tech preview, GA 8.1 or 8.2)
  • Better journal compression and performance
• New technology previews
  • IP accounting and filtering
  • Portable system services

Security

Securing Units

Objectives: Reduce system attack surface per unit and provide container-style isolation for traditional services, simple to apply as another layer of security for systems.

• Namespace isolation:
  • PrivateTmp=1
    • Creates a FS namespace and mount private /tmp & /var/tmp directories inside it
  • PrivateNetwork=1
    • Creates a network namespace with a single loopback device
• Syscall filters:
  • SystemCallFilter=@system-service
    • Whitelist/blacklist individual or groups of syscalls
• Linux capabilities:
  • CapabilityBoundingSet=~CAP_NET_ADMIN
    • Forbids any network-related operations

New Security Features

• ProtectKernelTunables=1
  • Disable modification to /proc & /sys
• ProtectKernelModules=1
  • Prohibit load/unload of modules
  • Mask /usr/lib/modules
• ProtectControlGroups=1
  • Disable write access to /sys/fs/cgroup
• RestrictNamespaces=1
  • Restrict all or a subset of namespaces cgroup ipc net mnt pid user uts
• MemoryDenyWriteExecute=1
  • Disable memory mapping that is simultaneously writable & executable
• DynamicUser=1
  • Dynamically allocated UID/GID (61184-65519)
  • /etc/[passwd, group] are not altered and   users are removed when the service stops
• PrivateMounts=1
  • Service is run in a private mount namespace
• RestrictRealtime=1
  • Prohibit real-time scheduling
• RemoveIPC=1
  • Remove semaphores, shared memory &   messages queues when the service stops

Systemd-analyze

The systemd-analyze command will get some new feature with RHEL 8.1 to analyze risks.

Control Groups

CGroups V1: the default in RHEL 8

• Well supported in the Linux   ecosystem for over a decade
• Same basic behavior as RHEL 7
  • Systemd uses cgroups labels by default
  • Accounting is opt-in for CPU & BlockIO
• Memory and Tasks accounting are now enabled by default (almost no overhead)
• Same unit file options available: (*=deprecated)
  • CPUAccounting=, *CPUShares=, CPUQuota=
  • MemoryAccounting=, *MemoryLimit=
  • *BlockIOAccounting=, *BlockIOWeight=, *BlockIODeviceWeight=
  • TasksAccounting=, TasksMax=

CGroups V2: tech preview in RHEL 8

• Unified hierarchy with vastly improved controllers
  • Delivers more coherent and holistic resource management
• Perfectly integrated with systemd
  • Ecosystem in-progress (virt & containers work remains)
  • Support planned for 8.1 or 8.2
• Append systemd.unified_cgroup_hierarchy to kernel
• Best effort translation for relevant controllers:
  • CPUWeight= replaces CPUShares=
  • MemoryMax= replaces MemoryLimit=
  • IO*= replaces BlockIO*=

Reference: CGroup v2.