From bbfb25f4b923bde7bcff7ef69e6e83e90440e704 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Fri, 13 Jan 2023 16:22:46 +0100
Subject: creds: Add ImportCredential=

ImportCredential= takes a credential name and searches for a matching
credential in all the credential stores we know about. It supports
globs which are expanded so that all matching credentials are loaded.
---
 docs/CONTAINER_INTERFACE.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

(limited to 'docs/CONTAINER_INTERFACE.md')

diff --git a/docs/CONTAINER_INTERFACE.md b/docs/CONTAINER_INTERFACE.md
index ddeaf8ea4f..2435d4ae97 100644
--- a/docs/CONTAINER_INTERFACE.md
+++ b/docs/CONTAINER_INTERFACE.md
@@ -138,15 +138,16 @@ manager, please consider supporting the following interfaces. `$container_host_version_id=10` 5. systemd supports passing immutable binary data blobs with limited size and - restricted access to services via the `LoadCredential=` and `SetCredential=` - settings. The same protocol may be used to pass credentials from the - container manager to systemd itself. The credential data should be placed in - some location (ideally a read-only and non-swappable file system, like - 'ramfs'), and the absolute path to this directory exported in the + restricted access to services via the `ImportCredential=`, `LoadCredential=` + and `SetCredential=` settings. The same protocol may be used to pass credentials + from the container manager to systemd itself. The credential data should be + placed in some location (ideally a read-only and non-swappable file system, + like 'ramfs'), and the absolute path to this directory exported in the `$CREDENTIALS_DIRECTORY` environment variable. If the container managers does this, the credentials passed to the service manager can be propagated - to services via `LoadCredential=` (see ...). The container manager can - choose any path, but `/run/host/credentials` is recommended. + to services via `LoadCredential=` or `ImportCredential=` (see ...). The + container manager can choose any path, but `/run/host/credentials` is + recommended. ## Advanced Integration -- cgit v1.2.3
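
Review bot: The rewritten sentence "to services via `LoadCredential=` or `ImportCredential=` (see ...)" still leaves the "(see ...)" reference unresolved and does not tell container manager authors how `ImportCredential=` selects credentials. Per the commit message it matches by credential name and expands globs so that all matching credentials are loaded, which means the file names placed under `$CREDENTIALS_DIRECTORY` decide what a service receives. Consider adding a sentence that says so and advises placing only credentials intended for propagation in that directory. Since the whole paragraph is being reflowed anyway, the context line "If the container managers does this" could also be corrected to "If the container manager does this".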