author | Luca Boccassi <bluca@debian.org> | 2022-09-08 16:33:24 +0100 |
---|---|---|
committer | Luca Boccassi <bluca@debian.org> | 2022-09-08 16:33:24 +0100 |
commit | b60d3016ebe9c0391064fbd903354418ba8e1453 (patch) | |
tree | a9af580052977eafb344670470ebf5b473db06a0 /docs | |
parent | 87d1886346ab0bc57fae6f1e6e10646f088cc3f6 (diff) | |
download | systemd-b60d3016ebe9c0391064fbd903354418ba8e1453.tar.gz |
docs: mention tmpfiles.d in CREDENTIALS.md and add example
Diffstat (limited to 'docs')
-rw-r--r-- | docs/CREDENTIALS.md | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/docs/CREDENTIALS.md b/docs/CREDENTIALS.md index 52741082f2..70e2ea36d5 100644 --- a/docs/CREDENTIALS.md +++ b/docs/CREDENTIALS.md @@ -342,6 +342,10 @@ Various services shipped with `systemd` consume credentials for tweaking behavio `firstboot.keymap`, `firstboot.timezone`, that configure locale, keymap or timezone settings in case the data is not yet set in `/etc/`. +* [`tmpfiles.d(5)`](https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html) + will look for the credentials `tmpfiles.extra` with arbitrary tmpfiles.d lines. + Can be encoded in base64 to allow easily passing it on the command line. + In future more services are likely to gain support for consuming credentials. Example: @@ -377,6 +381,23 @@ qemu-system-x86_64 \ -smbios type=11,value=io.systemd.credential:firstboot.locale=C.UTF-8 ``` +This boots the specified disk image via qemu, provisioning public key SSH access +for the root user from the caller's key: + +``` +qemu-system-x86_64 \ + -machine type=q35,accel=kvm,smm=on \ + -smp 2 \ + -m 1G \ + -cpu host \ + -nographic \ + -nodefaults \ + -serial mon:stdio \ + -drive if=none,id=hd,file=test.raw,format=raw \ + -device virtio-scsi-pci,id=scsi \ + -device scsi-hd,drive=hd,bootindex=1 \ + -smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=$(echo "f~ /root/.ssh/authorized_keys 700 root root - $(ssh-add -L | base64 -w 0)" | base64 -w 0) +``` ## Relevant Paths From *service* perspective the runtime path to find loaded credentials in is |
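Review bot: in the new `tmpfiles.d(5)` bullet (first hunk), "Can be encoded in base64" does not say how the consumer is told that the value is encoded. The example added further down uses the `io.systemd.credential.binary:` prefix for that, so the bullet should name it or point to the example. Because the credential carries "arbitrary tmpfiles.d lines", the bullet should also state that whoever can set `tmpfiles.extra` can create or write files on the system (the example below writes `/root/.ssh/authorized_keys`), so it must only come from a trusted source. Minor wording: "the credentials `tmpfiles.extra`" should be singular, and the last sentence has no subject.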
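Review bot: in the new qemu example (second hunk), the line `f~ /root/.ssh/authorized_keys 700 root root - ...` gives a regular file mode 700, which sets the execute bit on `authorized_keys`; 600 is the usual mode for that file and is the better value to show in documentation that will be copied. The introductory sentence says "from the caller's key", but `ssh-add -L` prints every key currently loaded in the agent, so either say "keys" or select a single key. The two layers of `base64 -w 0` (the inner one for the `~` modifier in `f~`, the outer one for `io.systemd.credential.binary:`) deserve one sentence of explanation next to the command.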