mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-08 21:17:47 +03:00

credentials: document that their path is stable for system services

(cherry picked from commit cf37171890)
(cherry picked from commit 823216d61f)
Joerg Behrmann 2023-10-20 11:35:04 +02:00 committed by Luca Boccassi
parent b5e10fd566
commit e31805d26a
2 changed files with 12 additions and 2 deletions

@ -422,7 +422,12 @@ READY=1
## Relevant Paths
From *service* perspective the runtime path to find loaded credentials in is
provided in the `$CREDENTIALS_DIRECTORY` environment variable.
provided in the `$CREDENTIALS_DIRECTORY` environment variable. For *system
services* the credential directory will be `/run/credentials/<unit name>`, but
hardcoding this path is discouraged, because it does not work for *user
services*. Packagers and system administrators may hardcode the credential path
as a last resort for software that does not yet search for credentials relative
to `$CREDENTIALS_DIRECTORY`.
At runtime, credentials passed to the *system* are placed in
`/run/credentials/@system/` (for regular credentials, such as those passed from
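
Review bot: The added sentence gives the path as `/run/credentials/<unit name>` without saying that the unit name is the full name including its type suffix (for example `foo.service`), which is exactly the detail a packager hardcoding the path as a last resort needs. Suggest adding a concrete example, and using the same placeholder as the man page hunk (`UNITNAME`) so the two documents agree. The commit subject calls the path "stable", but the text only says the directory "will be" this path; if stability is the guarantee being made, state it explicitly.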

@ -3183,7 +3183,12 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
<varname>ExecStart=</varname> command line use <literal>${CREDENTIALS_DIRECTORY}/mycred</literal>,
e.g. <literal>ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred</literal>. In order to reference the path
a credential may be read from within a <varname>Environment=</varname> line use
<literal>%d/mycred</literal>, e.g. <literal>Environment=MYCREDPATH=%d/mycred</literal>.</para>
<literal>%d/mycred</literal>, e.g. <literal>Environment=MYCREDPATH=%d/mycred</literal>. For system
services the path may also be referenced as
<literal>/run/credentials/<replaceable>UNITNAME</replaceable></literal> in cases where no
interpolation is possible, e.g. configuration files of software that does not yet support credentials
natively. <varname>$CREDENTIALS_DIRECTORY</varname> is considered the primary interface to look for
credentials, though, since it also works for user services.</para>
<para>Currently, an accumulated credential size limit of 1 MB per unit is enforced.</para>
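
Review bot: The new sentence after the `%d/mycred` example says the path "may also be referenced" as `/run/credentials/UNITNAME`, but it drops the caveat the Markdown hunk carries, that hardcoding is discouraged and meant as a last resort. Suggest repeating that wording here and stating outright that the hardcoded form does not work for user services, rather than leaving it implied by "since it also works for user services". It would also help to note that `UNITNAME` includes the unit type suffix, since this text targets people writing the path into third-party configuration files.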