mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
docs/CREDENTIALS: format text
This commit is contained in:
parent
77d47e6db4
commit
f00b3a995f
@ -284,8 +284,8 @@ services where they are ultimately consumed.
|
|||||||
|
|
||||||
1. A container manager may set the `$CREDENTIALS_DIRECTORY` environment
|
1. A container manager may set the `$CREDENTIALS_DIRECTORY` environment
|
||||||
variable for systemd running as PID 1 in the container, the same way as
|
variable for systemd running as PID 1 in the container, the same way as
|
||||||
systemd would set it for a service it
|
systemd would set it for a service it invokes.
|
||||||
invokes. [`systemd-nspawn(1)`](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#Credentials)'s
|
[`systemd-nspawn(1)`](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#Credentials)'s
|
||||||
`--set-credential=` and `--load-credential=` switches implement this, in
|
`--set-credential=` and `--load-credential=` switches implement this, in
|
||||||
order to pass arbitrary credentials from host to container payload. Also see
|
order to pass arbitrary credentials from host to container payload. Also see
|
||||||
the [Container Interface](CONTAINER_INTERFACE) documentation.
|
the [Container Interface](CONTAINER_INTERFACE) documentation.
|
||||||
@ -300,31 +300,27 @@ services where they are ultimately consumed.
|
|||||||
host through the hypervisor into the VM via qemu's `fw_cfg` mechanism. (All
|
host through the hypervisor into the VM via qemu's `fw_cfg` mechanism. (All
|
||||||
three of these specific switches would set credential `foo` to `bar`.)
|
three of these specific switches would set credential `foo` to `bar`.)
|
||||||
Passing credentials via the SMBIOS mechanism is typically preferable over
|
Passing credentials via the SMBIOS mechanism is typically preferable over
|
||||||
`fw_cfg` since it is faster and less specific to the chosen VMM
|
`fw_cfg` since it is faster and less specific to the chosen VMM implementation.
|
||||||
implementation. Moreover, `fw_cfg` has a 55 character limitation on names
|
Moreover, `fw_cfg` has a 55 character limitation on names passed that way. So some settings may not fit.
|
||||||
passed that way. So some settings may not fit.
|
|
||||||
|
|
||||||
3. Credentials may be passed from the initrd to the host during the initrd →
|
3. Credentials may be passed from the initrd to the host during the initrd → host transition.
|
||||||
host transition. Provisioning systems that run in the initrd may use this to
|
Provisioning systems that run in the initrd may use this to install credentials on the system.
|
||||||
install credentials on the system. All files placed in
|
All files placed in `/run/credentials/@initrd/` are imported into the set of file system credentials during the transition.
|
||||||
`/run/credentials/@initrd/` are imported into the set of file system
|
The files (and their directory) are removed once this is completed.
|
||||||
credentials during the transition. The files (and their directory) are
|
|
||||||
removed once this is completed.
|
|
||||||
|
|
||||||
4. Credentials may also be passed from the UEFI environment to userspace, if
|
4. Credentials may also be passed from the UEFI environment to userspace, if
|
||||||
the
|
the
|
||||||
[`systemd-stub`](https://www.freedesktop.org/software/systemd/man/systemd-stub.html)
|
[`systemd-stub`](https://www.freedesktop.org/software/systemd/man/systemd-stub.html)
|
||||||
UEFI kernel stub is used. This allows placing encrypted credentials in the
|
UEFI kernel stub is used.
|
||||||
EFI System Partition, which are then picked up by `systemd-stub` and passed
|
This allows placing encrypted credentials in the EFI System Partition, which are then picked up by `systemd-stub` and passed to the kernel and ultimately userspace where systemd receives them.
|
||||||
to the kernel and ultimately userspace where systemd receives them. This is
|
This is useful to implement secure parameterization of vendor-built and signed
|
||||||
useful to implement secure parameterization of vendor-built and signed
|
|
||||||
initrds, as userspace can place credentials next to these EFI kernels, and
|
initrds, as userspace can place credentials next to these EFI kernels, and
|
||||||
be sure they can be accessed securely from initrd context.
|
be sure they can be accessed securely from initrd context.
|
||||||
|
|
||||||
5. Credentials can also be passed into a system via the kernel command line,
|
5. Credentials can also be passed into a system via the kernel command line,
|
||||||
via the `systemd.set_credential=` and `systemd.set_credential_binary=`
|
via the `systemd.set_credential=` and `systemd.set_credential_binary=`
|
||||||
kernel command line options (the latter takes Base64 encoded binary
|
kernel command line options (the latter takes Base64 encoded binary data).
|
||||||
data). Note though that any data specified here is visible to all userspace
|
Note though that any data specified here is visible to all userspace
|
||||||
applications (even unprivileged ones) via `/proc/cmdline`. Typically, this
|
applications (even unprivileged ones) via `/proc/cmdline`. Typically, this
|
||||||
is hence not useful to pass sensitive information, and should be avoided.
|
is hence not useful to pass sensitive information, and should be avoided.
|
||||||
|
|
||||||
@ -376,20 +372,19 @@ Various services shipped with `systemd` consume credentials for tweaking behavio
|
|||||||
* [`systemd(1)`](https://www.freedesktop.org/software/systemd/man/systemd.html)
|
* [`systemd(1)`](https://www.freedesktop.org/software/systemd/man/systemd.html)
|
||||||
(I.E.: PID1, the system manager) will look for the credential `vmm.notify_socket`
|
(I.E.: PID1, the system manager) will look for the credential `vmm.notify_socket`
|
||||||
and will use it to send a `READY=1` datagram when the system has finished
|
and will use it to send a `READY=1` datagram when the system has finished
|
||||||
booting. This is useful for hypervisors/VMMs or other processes on the host
|
booting.
|
||||||
to receive a notification via VSOCK when a virtual machine has finished booting.
|
This is useful for hypervisors/VMMs or other processes on the host to receive a notification via VSOCK when a virtual machine has finished booting.
|
||||||
Note that in case the hypervisor does not support `SOCK_DGRAM` over `AF_VSOCK`,
|
Note that in case the hypervisor does not support `SOCK_DGRAM` over `AF_VSOCK`,
|
||||||
`SOCK_SEQPACKET` will be tried instead. The credential payload should be in the
|
`SOCK_SEQPACKET` will be tried instead.
|
||||||
form: `vsock:<CID>:<PORT>`. `vsock` may be replaced with `vsock-stream`, `vsock-dgram` or `vsock-seqpacket`
|
The credential payload should be in the form: `vsock:<CID>:<PORT>`.
|
||||||
to force usage of the corresponding socket type. Also note that this requires support for VHOST to be
|
Also note that this requires support for VHOST to be built-in both the guest and the host kernels, and the kernel modules to be loaded.
|
||||||
built-in both the guest and the host kernels, and the kernel modules to be loaded.
|
|
||||||
|
|
||||||
* [`systemd-sysusers(8)`](https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html)
|
* [`systemd-sysusers(8)`](https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html)
|
||||||
will look for the credentials `passwd.hashed-password.<username>`,
|
will look for the credentials `passwd.hashed-password.<username>`,
|
||||||
`passwd.plaintext-password.<username>` and `passwd.shell.<username>` to
|
`passwd.plaintext-password.<username>` and `passwd.shell.<username>` to
|
||||||
configure the password (either in UNIX hashed form, or plaintext) or shell of
|
configure the password (either in UNIX hashed form, or plaintext) or shell of
|
||||||
system users created. Replace `<username>` with the system user of your
|
system users created.
|
||||||
choice, for example, `root`.
|
Replace `<username>` with the system user of your choice, for example, `root`.
|
||||||
|
|
||||||
* [`systemd-firstboot(1)`](https://www.freedesktop.org/software/systemd/man/systemd-firstboot.html)
|
* [`systemd-firstboot(1)`](https://www.freedesktop.org/software/systemd/man/systemd-firstboot.html)
|
||||||
will look for the credentials `firstboot.locale`, `firstboot.locale-messages`,
|
will look for the credentials `firstboot.locale`, `firstboot.locale-messages`,
|
||||||
@ -489,17 +484,14 @@ credentials that must be decrypted/validated before use, such as those from
|
|||||||
|
|
||||||
The `ImportCredential=` setting (and the `LoadCredential=` and
|
The `ImportCredential=` setting (and the `LoadCredential=` and
|
||||||
`LoadCredentialEncrypted=` settings when configured with a relative source
|
`LoadCredentialEncrypted=` settings when configured with a relative source
|
||||||
path) will search for the source file to read the credential from
|
path) will search for the source file to read the credential from automatically.
|
||||||
automatically. Primarily, these credentials are searched among the credentials
|
Primarily, these credentials are searched among the credentials passed into the system. If not found there, they are searched in `/etc/credstore/`, `/run/credstore/`, `/usr/lib/credstore/`. `LoadCredentialEncrypted=` will also search
|
||||||
passed into the system. If not found there, they are searched in
|
`/etc/credstore.encrypted/` and similar directories.
|
||||||
`/etc/credstore/`, `/run/credstore/`,
|
`ImportCredential=` will search both the non-encrypted and encrypted directories.
|
||||||
`/usr/lib/credstore/`. `LoadCredentialEncrypted=` will also search
|
These directories are hence a great place to store credentials to load on the system.
|
||||||
`/etc/credstore.encrypted/` and similar directories. `ImportCredential=` will
|
|
||||||
search both the non-encrypted and encrypted directories. These directories are
|
|
||||||
hence a great place to store credentials to load on the system.
|
|
||||||
|
|
||||||
## Conditionalizing Services
|
## Conditionalizing Services
|
||||||
|
|
||||||
Sometimes it makes sense to conditionalize system services and invoke them only
|
Sometimes it makes sense to conditionalize system services and invoke them only
|
||||||
if the right system credential is passed to the system. Use the
|
if the right system credential is passed to the system.
|
||||||
`ConditionCredential=` and `AssertCredential=` unit file settings for that.
|
Use the `ConditionCredential=` and `AssertCredential=` unit file settings for that.
|
||||||
|
Loading…
Reference in New Issue
Block a user