| | | |
|---|---|---|
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-08-26 10:32:30 +0200 |
| committer | GitHub <noreply@github.com> | 2020-08-26 10:32:30 +0200 |
| commit | b6abc2acb4a56344db90eefa36a989e6b7ded34d (patch) | |
| tree | 06886aa661c18d7acfdd0b1d95a8b9ec9a449997 /docs | |
| parent | 8b5cb69bc8b70d1dcc39ed2165907723099bd9d8 (diff) | |
| parent | fabece9ccb77e773bd5e9ac91edfa841e2d78f38 (diff) | |
| download | systemd-b6abc2acb4a56344db90eefa36a989e6b7ded34d.tar.gz | |
Merge pull request #16568 from poettering/creds-store
credentials logic to pass privileged data to services
Diffstat (limited to 'docs')

| | | |
|---|---|---|
| -rw-r--r-- | docs/CONTAINER_INTERFACE.md | 16 |

1 files changed, 15 insertions, 1 deletions
diff --git a/docs/CONTAINER_INTERFACE.md b/docs/CONTAINER_INTERFACE.md index c7c57c7c06..40b1533595 100644 --- a/docs/CONTAINER_INTERFACE.md +++ b/docs/CONTAINER_INTERFACE.md @@ -131,6 +131,17 @@ manager, please consider supporting the following interfaces. `$container_host_variant_id=server` `$container_host_version_id=10` +5. systemd supports passing immutable binary data blobs with limited size and + restricted access to services via the `LoadCredential=` and `SetCredential=` + settings. The same protocol may be used to pass credentials from the + container manager to systemd itself. The credential data should be placed in + some location (ideally a read-only and non-swappable file system, like + 'ramfs'), and the absolute path to this directory exported in the + `$CREDENTIALS_DIRECTORY` environment variable. If the container managers + does this, the credentials passed to the service manager can be propagated + to services via `LoadCredential=` (see ...). The container manager can + choose any path, but `/run/host/credentials` is recommended." + ## Advanced Integration 1. Consider syncing `/etc/localtime` from the host file system into the @@ -228,7 +239,7 @@ care should be taken to avoid naming conflicts. `systemd` (and in particular inaccessible. Note that systemd when run as PID 1 in the container payload will create these nodes on its own if not passed in by the container manager. However, in that case it likely lacks the privileges to create the - character and block devices nodes (there all fallbacks for this case). + character and block devices nodes (there are fallbacks for this case). 3. The `/run/host/notify` path is a good choice to place the `sd_notify()` socket in, that may be used for the container's PID 1 to report to the 
@@ -252,6 +263,9 @@ care should be taken to avoid naming conflicts. `systemd` (and in particular as the `$container_uuid` environment variable (see above). This file should be newline terminated. +7. The `/run/host/credentials/` directory is a good place to pass credentials + into the container, using the `$CREDENTIALS_DIRECTORY` protocol, see above. + ## What You Shouldn't Do 1. Do not drop `CAP_MKNOD` from the container. `PrivateDevices=` is a commonly |
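Review bot: the new item 5 in hunk `@@ -131,6 +131,17 @@` has text defects that should be fixed before merge: "If the container managers does this" should read "If the container manager does this", the stray double quote after "is recommended." should be dropped, and "(see ...)" is an unfinished placeholder that should either name the documentation for `LoadCredential=` or be removed. Beyond the typos, the paragraph tells a container manager where to put the credential directory (read-only, non-swappable, `ramfs` suggested, path exported in `$CREDENTIALS_DIRECTORY`) but not how that directory is laid out or which access restrictions are expected on it, even though the first sentence advertises "restricted access"; since this directory carries privileged data, one sentence stating the expected ownership and permissions of the directory and its files, and whether each credential is one file named after the credential, would make the interface implementable from the document alone.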
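Review bot: the change from "there all fallbacks" to "there are fallbacks" in hunk `@@ -228,7 +239,7 @@` is a correct typo fix, but it is unrelated to the credentials feature this PR introduces; it would be cleaner as its own commit so that `git blame` on that paragraph does not point at the credentials work.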
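Review bot: new item 7 in hunk `@@ -252,6 +263,9 @@` spells the path as `/run/host/credentials/` with a trailing slash while item 5 in the first hunk recommends `/run/host/credentials` without one; use one form in both places. The bare "see above" would also be more useful as a reference to the numbered item that describes the `$CREDENTIALS_DIRECTORY` protocol, so a reader who lands on the `/run/host/` listing first knows where the protocol is specified.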