From 0bbc5a5674eb9c99580388390f2a4b34776881aa Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 16 Sep 2022 15:58:00 +0100 Subject: [PATCH] man: add man page describing well known system credentials --- man/rules/meson.build | 1 + man/systemd.system-credentials.xml | 192 +++++++++++++++++++++++++++++ 2 files changed, 193 insertions(+) create mode 100644 man/systemd.system-credentials.xml diff --git a/man/rules/meson.build b/man/rules/meson.build index a250326a4d3..2925dadc1e1 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build @@ -1086,6 +1086,7 @@ manpages = [ ['systemd.special', '7', [], ''], ['systemd.swap', '5', [], ''], ['systemd.syntax', '7', [], ''], + ['systemd.system-credentials', '7', [], ''], ['systemd.target', '5', [], ''], ['systemd.time', '7', [], ''], ['systemd.timer', '5', [], ''], diff --git a/man/systemd.system-credentials.xml b/man/systemd.system-credentials.xml new file mode 100644 index 00000000000..3ec7ae8d4f4 --- /dev/null +++ b/man/systemd.system-credentials.xml 
@@ -0,0 +1,192 @@ + + + + + + + + systemd.system-credentials + systemd + + + + systemd.system-credentials + 7 + + + + systemd.system-credentials + System Credentials + + + + Description + + System and Service Credentials are data objects + that may be passed into booted systems or system services as they are invoked. They can be acquired from + various external sources, and propagated into the system and from there into system services. Credentials + may optionally be encrypted with a machine-specific key and/or locked to the local TPM2 device, and are + only decrypted when the consuming service is invoked. + + System credentials may be used to provision and configure various aspects of the system. Depending + on the consuming component credentials are only used on initial invocations or are needed for all + invocations. + + Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets, + certificates, cryptographic key material, identity information, configuration, and more. + + + + Well known system credentials + + + + firstboot.keymap + + The console key mapping to set (e.g. de). Read by + systemd-firstboot1, + and only honoured if no console keymap has been configured before. + + + + + firstboot.locale + firstboot.locale-message + + The system locale to set (e.g. de_DE.UTF-8). Read by + systemd-firstboot1, + and only honoured if no locale has been configured before. firstboot.locale sets + LANG, while firstboot.locale-message sets + LC_MESSAGES. + + + + + firstboot.timezone + + The system timezone to set (e.g. Europe/Berlin). Read by + systemd-firstboot1, + and only honoured if no system timezone has been configured before. + + + + + login.issue + + The data of this credential is written to + /etc/issue.d/50-provision.conf, if the file doesn't exist + yet. agetty8 + reads this file and shows its contents at the login prompt of terminal logins. See issue5 for + details. 
+ + Consumed by /usr/lib/tmpfiles.d/provision.conf, see + tmpfiles.d5. + + + + + login.motd + + The data of this credential is written to /etc/motd.d/50-provision.conf, + if the file doesn't exist + yet. pam_motd8 + reads this file and shows its contents as "message of the day" during terminal logins. See + motd5 for + details. + + Consumed by /usr/lib/tmpfiles.d/provision.conf, see + tmpfiles.d5. + + + + + network.hosts + + The data of this credential is written to /etc/hosts, if the file + doesn't exist yet. See hosts5 for + details. + + Consumed by /usr/lib/tmpfiles.d/provision.conf, see + tmpfiles.d5. + + + + + passwd.hashed-password.root + passwd.plaintext-password.root + + May contain the password (either in UNIX hashed format, or in plaintext) for the root users. + Read by both + systemd-firstboot1 + and + systemd-sysusers1, + and only honoured if no root password has been configured before. + + + + + passwd.shell.root + + The path to the shell program (e.g. /bin/bash) for the root user. Read by + both + systemd-firstboot1 + and + systemd-sysusers1, + and only honoured if no root shell has been configured before. + + + + + ssh.authorized_keys.root + + The data of this credential is written to /root/.ssh/authorized_keys, if + the file doesn't exist yet. This allows provisioning SSH access for the system's root user. + + Consumed by /usr/lib/tmpfiles.d/provision.conf, see + tmpfiles.d5. + + + + + sysusers.extra + + Additional + sysusers.d5 + lines to process during boot. + + + + + sysctl.extra + + Additional + sysctl.d5 lines + to process during boot. + + + + + tmpfiles.extra + + Additional + tmpfiles.d5 + lines to process during boot. + + + + + + + + See Also + + systemd1, + kernel-command-line7 + + + +
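Review bot: The sysusers.extra, sysctl.extra and tmpfiles.extra entries at the end of the list do not name the component that consumes them, while every other entry says "Read by ..." or "Consumed by ...". These three let whoever supplies credentials add sysusers.d, sysctl.d and tmpfiles.d lines, so each should state which service reads it and whether it applies on every invocation or only the initial one, the distinction the Description already draws. In the passwd.hashed-password.root entry, "for the root users" should read "for the root user", and the text should say which credential takes effect when both the hashed and the plaintext form are supplied. See Also could also list systemd-firstboot(1), systemd-sysusers(1) and tmpfiles.d(5), which the entries cite.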