man: shorten description of recursive credential passing in nspawn

The text suggested that either nspawn or systemd can make use of credentials themselves. In fact they only pass them to children.
2025-03-19 22:50:17 +03:00 · 2020-08-26 10:42:27 +02:00 · 2020-08-26 10:42:27 +02:00 · 508fa02d6f
commit 508fa02d6f
parent b6abc2acb4
1 changed files with 11 additions and 22 deletions
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@ -1412,33 +1412,22 @@
        <term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term>
        <term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term>

-        <para>Pass a credential to the container. These two options correspond to the
+        <listitem><para>Pass a credential to the container. These two options correspond to the
        <varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See
        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
        details about these concepts, as well as the syntax of the option's arguments.</para>

-        <para>Note:</para>
+        <para>Note: when <command>systemd-nspawn</command> runs as systemd system service it can propagate
+        the credentials it received via <varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
+        to the container payload. A systemd service manager running as PID 1 in the container can further
+        propagate them to the services it itself starts. It is thus possible to easily propagate credentials
+        from a parent service manager to a container manager service and from there into its payload. This
+        can even be done recursively.</para>

-        <orderedlist>
-          <listitem><para>When <command>systemd-nspawn</command> runs as systemd system service it can make
-          use and propagate credentials it received via
-          <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> to the container
-          payload.</para></listitem>
-
-          <listitem><para>A systemd service manager running as PID 1 in the container can make use of
-          credentials passed in this way, and propagate them further to services it itself
-          runs.</para></listitem>
-        </orderedlist>
-
-        <para>Thus it is possible to easily propagate credentials from a host service manager to a
-        <command>systemd-nspawn</command> service and from there into its payload and services running within
-        it.</para>
-
-        <para>In order to embed binary data into
-        the credential data for <option>--set-credential=</option> use C-style escaping
-        (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to embed a NUL byte. Note
-        that the invoking shell might already apply unescaping once, hence this might require double
-        escaping!).</para>
+        <para>In order to embed binary data into the credential data for <option>--set-credential=</option>
+        use C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to
+        embed a <constant>NUL</constant> byte. Note that the invoking shell might already apply unescaping
+        once, hence this might require double escaping!).</para></listitem>
        </varlistentry>

    </variablelist>