diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-08-26 10:42:27 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-08-26 10:42:27 +0200 |
commit | 508fa02d6f112c323b0ed595da85cc5bcdd2d122 (patch) | |
tree | 074b9a81d91d537f85a995c45de425cbfc1287cc /man/systemd-nspawn.xml | |
parent | b6abc2acb4a56344db90eefa36a989e6b7ded34d (diff) | |
download | systemd-508fa02d6f112c323b0ed595da85cc5bcdd2d122.tar.gz |
man: shorten description of recursive credential passing in nspawn
The text suggested that either nspawn or systemd can make use of credentials
themselves. In fact they only pass them to children.
Diffstat (limited to 'man/systemd-nspawn.xml')
-rw-r--r-- | man/systemd-nspawn.xml | 35 |
1 files changed, 12 insertions, 23 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index e1fec3d7a8..1e7e6a82d5 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -1412,33 +1412,22 @@ <term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term> <term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term> - <para>Pass a credential to the container. These two options correspond to the + <listitem><para>Pass a credential to the container. These two options correspond to the <varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details about these concepts, as well as the syntax of the option's arguments.</para> - <para>Note:</para> - - <orderedlist> - <listitem><para>When <command>systemd-nspawn</command> runs as systemd system service it can make - use and propagate credentials it received via - <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> to the container - payload.</para></listitem> - - <listitem><para>A systemd service manager running as PID 1 in the container can make use of - credentials passed in this way, and propagate them further to services it itself - runs.</para></listitem> - </orderedlist> - - <para>Thus it is possible to easily propagate credentials from a host service manager to a - <command>systemd-nspawn</command> service and from there into its payload and services running within - it.</para> - - <para>In order to embed binary data into - the credential data for <option>--set-credential=</option> use C-style escaping - (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to embed a NUL byte. Note - that the invoking shell might already apply unescaping once, hence this might require double - escaping!).</para> + <para>Note: when <command>systemd-nspawn</command> runs as systemd system service it can propagate + the credentials it received via <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> + to the container payload. A systemd service manager running as PID 1 in the container can further + propagate them to the services it itself starts. It is thus possible to easily propagate credentials + from a parent service manager to a container manager service and from there into its payload. This + can even be done recursively.</para> + + <para>In order to embed binary data into the credential data for <option>--set-credential=</option> + use C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to + embed a <constant>NUL</constant> byte. Note that the invoking shell might already apply unescaping + once, hence this might require double escaping!).</para></listitem> </varlistentry> </variablelist> |