mirror of
https://github.com/systemd/systemd.git
synced 2024-10-29 21:55:36 +03:00
Merge pull request #24608 from bluca/example
docs: mention tmpfiles.d in CREDENTIALS.md and add example for ssh provisioning (to manpage too)
commit
90235a3df2
@ -342,6 +342,10 @@ Various services shipped with `systemd` consume credentials for tweaking behavio
|
||||
`firstboot.keymap`, `firstboot.timezone`, that configure locale, keymap or
|
||||
timezone settings in case the data is not yet set in `/etc/`.
|
||||
|
||||
* [`tmpfiles.d(5)`](https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html)
|
||||
will look for the credentials `tmpfiles.extra` with arbitrary tmpfiles.d lines.
|
||||
Can be encoded in base64 to allow easily passing it on the command line.
|
||||
|
||||
In future more services are likely to gain support for consuming credentials.
|
||||
|
||||
Example:
|
||||
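Review bot: The added sentence "Can be encoded in base64 to allow easily passing it on the command line." in the `tmpfiles.d(5)` bullet does not say how the value is marked as base64. The example added later in this patch uses the `io.systemd.credential.binary:` prefix for that, so name it here. "the credentials `tmpfiles.extra`" should be singular ("the credential"). Because the credential carries arbitrary tmpfiles.d lines, the text should also state that whoever can set it can create or modify files on the booted system, so it must only be accepted from a trusted source.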
@ -377,6 +381,23 @@ qemu-system-x86_64 \
|
||||
-smbios type=11,value=io.systemd.credential:firstboot.locale=C.UTF-8
|
||||
```
|
||||
|
||||
This boots the specified disk image via qemu, provisioning public key SSH access
|
||||
for the root user from the caller's key:
|
||||
|
||||
```
|
||||
qemu-system-x86_64 \
|
||||
-machine type=q35,accel=kvm,smm=on \
|
||||
-smp 2 \
|
||||
-m 1G \
|
||||
-cpu host \
|
||||
-nographic \
|
||||
-nodefaults \
|
||||
-serial mon:stdio \
|
||||
-drive if=none,id=hd,file=test.raw,format=raw \
|
||||
-device virtio-scsi-pci,id=scsi \
|
||||
-device scsi-hd,drive=hd,bootindex=1 \
|
||||
-smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=$(echo "f~ /root/.ssh/authorized_keys 700 root root - $(ssh-add -L | base64 -w 0)" | base64 -w 0)
|
||||
```
|
||||
## Relevant Paths
|
||||
|
||||
From *service* perspective the runtime path to find loaded credentials in is
|
||||
|
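Review bot: The tmpfiles.d line in the final `-smbios` argument creates `/root/.ssh/authorized_keys` with mode `700`, which sets the execute bit on a regular file. `600` is the conventional mode for an authorized_keys file, and an example that readers will copy should use it. It would also help to say in the lead-in sentence that the `~` in `f~` is what makes systemd-tmpfiles base64-decode the argument, since the command applies base64 twice and the reason is not visible from the command alone.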
@ -826,6 +826,19 @@ e! /var/cache/krb5rcache - - - 0
|
||||
will be removed on boot. The directory will not be created.
|
||||
</para>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
<title>Provision SSH public key access for root user via Credentials in QEMU</title>
|
||||
|
||||
<programlisting>-smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=$(echo "f~ /root/.ssh/authorized_keys 700 root root - $(ssh-add -L | base64 -w 0)" | base64 -w 0)
|
||||
</programlisting>
|
||||
|
||||
<para>By passing this line to QEMU, the public key of the current user will be encoded in
|
||||
base64, added to a tmpfiles.d line that tells systemd-tmpfiles to decode it into
|
||||
<filename>/root/.ssh/authorized_keys</filename>, encode that line itself in base64 and
|
||||
pass it as a Credential that will be picked up by systemd from SMBIOS on boot.
|
||||
</para>
|
||||
</example>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
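Review bot: The `<para>` after the `<programlisting>` says "the public key of the current user", but `ssh-add -L` outputs every public key currently loaded in the agent, which may be several or none. The text should say so, so a reader knows exactly which keys are granted root access. The same sentence switches from passive ("will be encoded", "added") to imperative ("encode that line itself in base64 and pass it"). Keeping one voice would make the two base64 layers easier to follow. The line break before `</programlisting>` also leaves a trailing empty line in the rendered listing.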