mirror of https://github.com/systemd/systemd.git synced 2024-10-29 21:55:36 +03:00

Merge pull request #24608 from bluca/example

docs: mention tmpfiles.d in CREDENTIALS.md and add example for ssh provisioning (to manpage too)
Luca Boccassi 2022-09-08 17:42:07 +01:00 committed by GitHub
commit 90235a3df2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 34 additions and 0 deletions


@ -342,6 +342,10 @@ Various services shipped with `systemd` consume credentials for tweaking behavio
`firstboot.keymap`, `firstboot.timezone`, that configure locale, keymap or
timezone settings in case the data is not yet set in `/etc/`.
* [`tmpfiles.d(5)`](https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html)
will look for the credentials `tmpfiles.extra` with arbitrary tmpfiles.d lines.
Can be encoded in base64 to allow easily passing it on the command line.
In future more services are likely to gain support for consuming credentials.
Example:
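Review bot: the second sentence of the new bullet, "Can be encoded in base64 to allow easily passing it on the command line.", has no subject, and "the credentials `tmpfiles.extra`" should be singular. Suggest: "will look for the credential `tmpfiles.extra`, containing arbitrary tmpfiles.d lines. The credential content may be passed base64-encoded to make it easy to supply on the command line." It would also help to name here which mechanism undoes that encoding (the `io.systemd.credential.binary:` SMBIOS prefix used in the qemu example added further down), since otherwise the reader has to infer it from the example.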
@ -377,6 +381,23 @@ qemu-system-x86_64 \
-smbios type=11,value=io.systemd.credential:firstboot.locale=C.UTF-8
```
This boots the specified disk image via qemu, provisioning public key SSH access
for the root user from the caller's key:
```
qemu-system-x86_64 \
-machine type=q35,accel=kvm,smm=on \
-smp 2 \
-m 1G \
-cpu host \
-nographic \
-nodefaults \
-serial mon:stdio \
-drive if=none,id=hd,file=test.raw,format=raw \
-device virtio-scsi-pci,id=scsi \
-device scsi-hd,drive=hd,bootindex=1 \
-smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=$(echo "f~ /root/.ssh/authorized_keys 700 root root - $(ssh-add -L | base64 -w 0)" | base64 -w 0)
```
## Relevant Paths
From *service* perspective the runtime path to find loaded credentials in is
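Review bot: the tmpfiles line embedded in the new qemu example, `f~ /root/.ssh/authorized_keys 700 root root - $(ssh-add -L | base64 -w 0)`, uses `f` without `+`, so on an image that already ships `/root/.ssh/authorized_keys` the key is silently not written; if replacing the file is intended, use `f+~` and say so, otherwise state that the example assumes a fresh image. Two smaller points on the same line: `700` is an odd mode for a regular file (the execute bit has no meaning on `authorized_keys`; `0600` is the usual choice), and the inner `$(ssh-add -L | base64 -w 0)` is expanded by the caller's shell, so if `ssh-add -L` prints nothing the line is still emitted, just with an empty argument. The prose ("provisioning public key SSH access for the root user from the caller's key") should also explain the two nested base64 layers: the outer one is decoded by systemd because of the `io.systemd.credential.binary:` prefix, the inner one by systemd-tmpfiles because of the `~` modifier.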


@ -826,6 +826,19 @@ e! /var/cache/krb5rcache - - - 0
will be removed on boot. The directory will not be created.
</para>
</example>
<example>
<title>Provision SSH public key access for root user via Credentials in QEMU</title>
<programlisting>-smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=$(echo "f~ /root/.ssh/authorized_keys 700 root root - $(ssh-add -L | base64 -w 0)" | base64 -w 0)
</programlisting>
<para>By passing this line to QEMU, the public key of the current user will be encoded in
base64, added to a tmpfiles.d line that tells systemd-tmpfiles to decode it into
<filename>/root/.ssh/authorized_keys</filename>, encode that line itself in base64 and
pass it as a Credential that will be picked up by systemd from SMBIOS on boot.
</para>
</example>
</refsect1>
<refsect1>
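Review bot: the new `<para>` describes the two base64 encodings but not what undoes them, so the reader cannot tell why both are needed; suggest stating that the `~` in `f~` makes systemd-tmpfiles base64-decode the argument before writing it, and that the `io.systemd.credential.binary:` prefix makes systemd decode the credential itself when importing it from SMBIOS. The `<programlisting>` shows only a single `-smbios` option, so a short sentence that this is one argument of a complete QEMU command line would keep it from being copied as a standalone command. On the line itself: `f` without `+` does not touch an existing `authorized_keys`, so the example only provisions a fresh image unless `f+~` is used, and `700` is an unusual mode for a regular file (`0600` is conventional). Minor markup: `tmpfiles.d` and `systemd-tmpfiles` in the paragraph would conventionally carry markup like the `<filename>` already used for the path (e.g. `<command>systemd-tmpfiles</command>`), and "Credentials"/"Credential" need not be capitalised.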