author | Frantisek Sumsal <frantisek@sumsal.cz> | 2023-06-19 16:41:16 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-06-19 16:41:16 +0200 |
commit | ed8f65c72960d92d61dbd99898e507a3adba3529 (patch) | |
tree | 9b485467c01ed9d7e05541f416dedb3ae36cddbf /man | |
parent | Merge pull request #28056 from dtardon/polkit-cleanup (diff) | |
parent | machinectl: fix message (diff) | |
download | systemd-ed8f65c72960d92d61dbd99898e507a3adba3529.tar.xz systemd-ed8f65c72960d92d61dbd99898e507a3adba3529.zip |
Merge pull request #28078 from keszybz/trivial-syntax-and-wording-fixes
Trivial syntax and wording fixes
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd-nspawn.xml | 103 |
-rw-r--r-- | man/systemd-stub.xml | 4 |
-rw-r--r-- | man/systemd.exec.xml | 2 |
3 files changed, 55 insertions, 54 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 847a11f0e0..e4537a5c13 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -1545,8 +1545,9 @@ After=sys-subsystem-net-devices-ens1.device</programlisting> with a focus on implementing stateless operating system images.</para></listitem> </varlistentry> </variablelist> + </refsect2> - </refsect2><refsect2> + <refsect2> <title>Input/Output Options</title> <variablelist> 
@@ -1592,57 +1593,57 @@ After=sys-subsystem-net-devices-ens1.device</programlisting> </varlistentry> </variablelist> - </refsect2><refsect2> - <title>Credentials</title> - - <variablelist> - <varlistentry> - <term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term> - <term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term> - - <listitem><para>Pass a credential to the container. These two options correspond to the - <varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See - <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for - details about these concepts, as well as the syntax of the option's arguments.</para> - - <para>Note: when <command>systemd-nspawn</command> runs as systemd system service it can propagate - the credentials it received via <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> - to the container payload. A systemd service manager running as PID 1 in the container can further - propagate them to the services it itself starts. It is thus possible to easily propagate credentials - from a parent service manager to a container manager service and from there into its payload. This - can even be done recursively.</para> - - <para>In order to embed binary data into the credential data for <option>--set-credential=</option> - use C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to - embed a <constant>NUL</constant> byte. 
Note that the invoking shell might already apply unescaping - once, hence this might require double escaping!).</para> - - <para>The - <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> - and - <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry> - services read credentials configured this way for the purpose of configuring the container's root - user's password and shell, as well as system locale, keymap and timezone during the first boot - process of the container. This is particularly useful in combination with - <option>--volatile=yes</option> where every single boot appears as first boot, since configuration - applied to <filename>/etc/</filename> is lost on container reboot cycles. See the respective man - pages for details. Example:</para> - - <programlisting># systemd-nspawn -i image.raw \ - --volatile=yes \ - --set-credential=firstboot.locale:de_DE.UTF-8 \ - --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' \ - -b</programlisting> - - <para>The above command line will invoke the specified image file <filename>image.raw</filename> in - volatile mode, i.e. with empty <filename>/etc/</filename> and <filename>/var/</filename>. The - container payload will recognize this as a first boot, and will invoke - <filename>systemd-firstboot.service</filename>, which then reads the two passed credentials to - configure the system's initial locale and root password.</para> - </listitem> + </refsect2> + <refsect2> + <title>Credentials</title> + + <variablelist> + <varlistentry> + <term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term> + <term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term> + + <listitem><para>Pass a credential to the container. 
These two options correspond to the + <varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for + details about these concepts, as well as the syntax of the option's arguments.</para> + + <para>Note: when <command>systemd-nspawn</command> runs as systemd system service it can propagate + the credentials it received via <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> + to the container payload. A systemd service manager running as PID 1 in the container can further + propagate them to the services it itself starts. It is thus possible to easily propagate credentials + from a parent service manager to a container manager service and from there into its payload. This + can even be done recursively.</para> + + <para>In order to embed binary data into the credential data for <option>--set-credential=</option>, + use C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to + embed a <constant>NUL</constant> byte). Note that the invoking shell might already apply unescaping + once, hence this might require double escaping!.</para> + + <para>The + <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + and + <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry> + services read credentials configured this way for the purpose of configuring the container's root + user's password and shell, as well as system locale, keymap and timezone during the first boot + process of the container. This is particularly useful in combination with + <option>--volatile=yes</option> where every single boot appears as first boot, since configuration + applied to <filename>/etc/</filename> is lost on container reboot cycles. See the respective man + pages for details. 
Example:</para> + + <programlisting># systemd-nspawn -i image.raw \ + --volatile=yes \ + --set-credential=firstboot.locale:de_DE.UTF-8 \ + --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' \ + -b</programlisting> + + <para>The above command line will invoke the specified image file <filename>image.raw</filename> in + volatile mode, i.e. with empty <filename>/etc/</filename> and <filename>/var/</filename>. The + container payload will recognize this as a first boot, and will invoke + <filename>systemd-firstboot.service</filename>, which then reads the two passed credentials to + configure the system's initial locale and root password.</para> + </listitem> </varlistentry> - - </variablelist> + </variablelist> </refsect2><refsect2> <title>Other</title> diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml index 497f51c4f9..f172de447c 100644 --- a/man/systemd-stub.xml +++ b/man/systemd-stub.xml @@ -160,7 +160,7 @@ revoked with a SBAT policy update, without requiring blocklisting via DBX/MOKX. The <citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool will add a SBAT policy by default if none is passed when building addons. For more information on SBAT see - <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation.</ulink> + <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation</ulink>. Addons are supposed to be used to pass additional kernel command line parameters, regardless of the kernel image being booted, for example to allow platform vendors to ship platform-specific configuration. The loaded command line addon files are sorted, loaded, measured into TPM PCR 12 (if a 
@@ -179,7 +179,7 @@ <command>cpio</command> archive and placed in the <filename>/.extra/global_credentials/</filename> directory of the initrd file hierarchy. This is supposed to be used to pass additional credentials to the initrd, regardless of the kernel being booted. The generated <command>cpio</command> archive is - measured into TPM PCR 12 (if a TPM is present)</para></listitem> + measured into TPM PCR 12 (if a TPM is present).</para></listitem> <listitem><para>Additionally, files <filename>/loader/addons/*.addon.efi</filename> are loaded and verified as PE binaries, and a <literal>.cmdline</literal> section is parsed from them. This is diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index b70b90d667..938a3c87a9 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -3302,7 +3302,7 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX <para>When multiple credentials of the same name are found, credentials found by <varname>LoadCredential=</varname> and <varname>LoadCredentialEncrypted=</varname> take priority over - credentials found by <varname>ImportCredential=</varname></para></listitem>. + credentials found by <varname>ImportCredential=</varname>.</para></listitem> </varlistentry> <varlistentry> |
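Review bot: in the man/systemd-nspawn.xml hunk at -1592, the rewritten escaping sentence now ends in `double escaping!.`; moving the closing parenthesis to after `<constant>NUL</constant> byte)` is right, but the leftover `!.` should be just `!`. In the same hunk, the unchanged context at its end still carries `</refsect2><refsect2>` on one line before `<title>Other</title>`, the exact pattern the -1545 hunk splits into two lines; splitting it here too would make the file consistent rather than leaving one instance behind.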
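Review bot: in the man/systemd.exec.xml hunk at -3302, the period that sat after `</listitem>` was character data directly inside `<varlistentry>`, which the DocBook content model does not allow there, so moving it inside the `<para>` is a validity fix rather than a wording one. That is worth stating in the commit message instead of folding it under "trivial syntax and wording fixes", and worth confirming the man page now passes XML validation in the build.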