summaryrefslogtreecommitdiffstats
path: root/man
diff options
context:
space:
mode:
authorFrantisek Sumsal <frantisek@sumsal.cz>2023-06-19 16:41:16 +0200
committerGitHub <noreply@github.com>2023-06-19 16:41:16 +0200
commited8f65c72960d92d61dbd99898e507a3adba3529 (patch)
tree9b485467c01ed9d7e05541f416dedb3ae36cddbf /man
parentMerge pull request #28056 from dtardon/polkit-cleanup (diff)
parentmachinectl: fix message (diff)
downloadsystemd-ed8f65c72960d92d61dbd99898e507a3adba3529.tar.xz
systemd-ed8f65c72960d92d61dbd99898e507a3adba3529.zip
Merge pull request #28078 from keszybz/trivial-syntax-and-wording-fixes
Trivial syntax and wording fixes
Diffstat (limited to 'man')
-rw-r--r--man/systemd-nspawn.xml103
-rw-r--r--man/systemd-stub.xml4
-rw-r--r--man/systemd.exec.xml2
3 files changed, 55 insertions, 54 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 847a11f0e0..e4537a5c13 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -1545,8 +1545,9 @@ After=sys-subsystem-net-devices-ens1.device</programlisting>
with a focus on implementing stateless operating system images.</para></listitem>
</varlistentry>
</variablelist>
+ </refsect2>
- </refsect2><refsect2>
+ <refsect2>
<title>Input/Output Options</title>
<variablelist>
@@ -1592,57 +1593,57 @@ After=sys-subsystem-net-devices-ens1.device</programlisting>
</varlistentry>
</variablelist>
- </refsect2><refsect2>
- <title>Credentials</title>
-
- <variablelist>
- <varlistentry>
- <term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term>
- <term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term>
-
- <listitem><para>Pass a credential to the container. These two options correspond to the
- <varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See
- <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
- details about these concepts, as well as the syntax of the option's arguments.</para>
-
- <para>Note: when <command>systemd-nspawn</command> runs as systemd system service it can propagate
- the credentials it received via <varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
- to the container payload. A systemd service manager running as PID 1 in the container can further
- propagate them to the services it itself starts. It is thus possible to easily propagate credentials
- from a parent service manager to a container manager service and from there into its payload. This
- can even be done recursively.</para>
-
- <para>In order to embed binary data into the credential data for <option>--set-credential=</option>
- use C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to
- embed a <constant>NUL</constant> byte. Note that the invoking shell might already apply unescaping
- once, hence this might require double escaping!).</para>
-
- <para>The
- <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- and
- <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- services read credentials configured this way for the purpose of configuring the container's root
- user's password and shell, as well as system locale, keymap and timezone during the first boot
- process of the container. This is particularly useful in combination with
- <option>--volatile=yes</option> where every single boot appears as first boot, since configuration
- applied to <filename>/etc/</filename> is lost on container reboot cycles. See the respective man
- pages for details. Example:</para>
-
- <programlisting># systemd-nspawn -i image.raw \
- --volatile=yes \
- --set-credential=firstboot.locale:de_DE.UTF-8 \
- --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' \
- -b</programlisting>
-
- <para>The above command line will invoke the specified image file <filename>image.raw</filename> in
- volatile mode, i.e. with empty <filename>/etc/</filename> and <filename>/var/</filename>. The
- container payload will recognize this as a first boot, and will invoke
- <filename>systemd-firstboot.service</filename>, which then reads the two passed credentials to
- configure the system's initial locale and root password.</para>
- </listitem>
+ </refsect2>
+ <refsect2>
+ <title>Credentials</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term>
+ <term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term>
+
+ <listitem><para>Pass a credential to the container. These two options correspond to the
+ <varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+ details about these concepts, as well as the syntax of the option's arguments.</para>
+
+ <para>Note: when <command>systemd-nspawn</command> runs as systemd system service it can propagate
+ the credentials it received via <varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
+ to the container payload. A systemd service manager running as PID 1 in the container can further
+ propagate them to the services it itself starts. It is thus possible to easily propagate credentials
+ from a parent service manager to a container manager service and from there into its payload. This
+ can even be done recursively.</para>
+
+ <para>In order to embed binary data into the credential data for <option>--set-credential=</option>,
+ use C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to
+ embed a <constant>NUL</constant> byte). Note that the invoking shell might already apply unescaping
+ once, hence this might require double escaping!.</para>
+
+ <para>The
+ <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ and
+ <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ services read credentials configured this way for the purpose of configuring the container's root
+ user's password and shell, as well as system locale, keymap and timezone during the first boot
+ process of the container. This is particularly useful in combination with
+ <option>--volatile=yes</option> where every single boot appears as first boot, since configuration
+ applied to <filename>/etc/</filename> is lost on container reboot cycles. See the respective man
+ pages for details. Example:</para>
+
+ <programlisting># systemd-nspawn -i image.raw \
+ --volatile=yes \
+ --set-credential=firstboot.locale:de_DE.UTF-8 \
+ --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' \
+ -b</programlisting>
+
+ <para>The above command line will invoke the specified image file <filename>image.raw</filename> in
+ volatile mode, i.e. with empty <filename>/etc/</filename> and <filename>/var/</filename>. The
+ container payload will recognize this as a first boot, and will invoke
+ <filename>systemd-firstboot.service</filename>, which then reads the two passed credentials to
+ configure the system's initial locale and root password.</para>
+ </listitem>
</varlistentry>
-
- </variablelist>
+ </variablelist>
</refsect2><refsect2>
<title>Other</title>
diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml
index 497f51c4f9..f172de447c 100644
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@@ -160,7 +160,7 @@
revoked with a SBAT policy update, without requiring blocklisting via DBX/MOKX. The
<citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool will
add a SBAT policy by default if none is passed when building addons. For more information on SBAT see
- <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation.</ulink>
+ <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation</ulink>.
Addons are supposed to be used to pass additional kernel command line parameters, regardless of the
kernel image being booted, for example to allow platform vendors to ship platform-specific
configuration. The loaded command line addon files are sorted, loaded, measured into TPM PCR 12 (if a
@@ -179,7 +179,7 @@
<command>cpio</command> archive and placed in the <filename>/.extra/global_credentials/</filename>
directory of the initrd file hierarchy. This is supposed to be used to pass additional credentials to
the initrd, regardless of the kernel being booted. The generated <command>cpio</command> archive is
- measured into TPM PCR 12 (if a TPM is present)</para></listitem>
+ measured into TPM PCR 12 (if a TPM is present).</para></listitem>
<listitem><para>Additionally, files <filename>/loader/addons/*.addon.efi</filename> are loaded and
verified as PE binaries, and a <literal>.cmdline</literal> section is parsed from them. This is
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index b70b90d667..938a3c87a9 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -3302,7 +3302,7 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
<para>When multiple credentials of the same name are found, credentials found by
<varname>LoadCredential=</varname> and <varname>LoadCredentialEncrypted=</varname> take priority over
- credentials found by <varname>ImportCredential=</varname></para></listitem>.
+ credentials found by <varname>ImportCredential=</varname>.</para></listitem>
</varlistentry>
<varlistentry>