credentials: document that their path is stable for system services

Joerg Behrmann 2023-10-20 11:35:04 +02:00 committed by Luca Boccassi
parent af7417ac7b
commit cf37171890
2 changed files with 12 additions and 2 deletions

@ -468,7 +468,12 @@ READY=1
## Relevant Paths
From *service* perspective the runtime path to find loaded credentials in is
provided in the `$CREDENTIALS_DIRECTORY` environment variable.
provided in the `$CREDENTIALS_DIRECTORY` environment variable. For *system
services* the credential directory will be `/run/credentials/<unit name>`, but
hardcoding this path is discouraged, because it does not work for *user
services*. Packagers and system administrators may hardcode the credential path
as a last resort for software that does not yet search for credentials relative
to `$CREDENTIALS_DIRECTORY`.
From *generator* perspective the runtime path to find credentials passed into
the system in plaintext form in is provided in `$CREDENTIALS_DIRECTORY`, and
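
Review bot: the placeholder in the added sentence, `/run/credentials/<unit name>`, does not say whether the unit name includes its type suffix, and it is spelled differently from the `UNITNAME` placeholder used for the same path in the man page hunk of this commit. Packagers who hardcode the path will copy it from this paragraph, so use one placeholder spelling in both files and add a single concrete example path for a named unit.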

@ -3430,7 +3430,12 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
<varname>ExecStart=</varname> command line use <literal>${CREDENTIALS_DIRECTORY}/mycred</literal>,
e.g. <literal>ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred</literal>. In order to reference the path
a credential may be read from within a <varname>Environment=</varname> line use
<literal>%d/mycred</literal>, e.g. <literal>Environment=MYCREDPATH=%d/mycred</literal>.</para>
<literal>%d/mycred</literal>, e.g. <literal>Environment=MYCREDPATH=%d/mycred</literal>. For system
services the path may also be referenced as
<literal>/run/credentials/<replaceable>UNITNAME</replaceable></literal> in cases where no
interpolation is possible, e.g. configuration files of software that does not yet support credentials
natively. <varname>$CREDENTIALS_DIRECTORY</varname> is considered the primary interface to look for
credentials, though, since it also works for user services.</para>
<para>Currently, an accumulated credential size limit of 1 MB per unit is enforced.</para>
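
Review bot: "the path" in the added sentence "For system services the path may also be referenced as" is ambiguous. The sentences before it talk about the path of a single credential (`%d/mycred`), while `/run/credentials/UNITNAME` is the credential directory. Suggest "the credential directory may also be referenced as", or show the full `/run/credentials/UNITNAME/mycred` form so it lines up with the `%d/mycred` example. The wording here is also softer than the Markdown hunk, which calls hardcoding "discouraged" and a "last resort"; aligning the two would keep readers of the man page from treating the fixed path as an equal alternative to `$CREDENTIALS_DIRECTORY`.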