@@ -2821,7 +2821,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
28212821 <variablelist class =' unit-directives' >
28222822
28232823 <varlistentry >
2824- <term ><varname >LoadCredential=</varname ><replaceable >ID</replaceable >:<replaceable >PATH</replaceable ></term >
2824+ <term ><varname >LoadCredential=</varname ><replaceable >ID</replaceable >< optional > :<replaceable >PATH</replaceable ></ optional ></term >
28252825
28262826 <listitem ><para >Pass a credential to the unit. Credentials are limited-size binary or textual objects
28272827 that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
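Review bot: The new <term> line puts the colon inside <optional>, so the synopsis admits only "ID" and "ID:PATH", but nothing in the visible text says what happens with a trailing colon and an empty path ("ID:"). Suggest stating in the description whether that form is rejected or treated like the short form, so unit authors do not have to guess how a half-written assignment is parsed.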
@@ -2834,19 +2834,21 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
28342834 environment variable to the unit's processes.</para >
28352835
28362836 <para >The <varname >LoadCredential=</varname > setting takes a textual ID to use as name for a
2837- credential plus a file system path. The ID must be a short ASCII string suitable as filename in the
2838- filesystem, and may be chosen freely by the user. If the specified path is absolute it is opened as
2839- regular file and the credential data is read from it. If the absolute path refers to an
2840- <constant >AF_UNIX</constant > stream socket in the file system a connection is made to it (only once
2841- at unit start-up) and the credential data read from the connection, providing an easy IPC integration
2842- point for dynamically providing credentials from other services. If the specified path is not
2843- absolute and itself qualifies as valid credential identifier it is understood to refer to a
2844- credential that the service manager itself received via the <varname >$CREDENTIALS_DIRECTORY</varname >
2845- environment variable, which may be used to propagate credentials from an invoking environment (e.g. a
2846- container manager that invoked the service manager) into a service. The contents of the file/socket
2847- may be arbitrary binary or textual data, including newline characters and <constant >NUL</constant >
2848- bytes. This option may be used multiple times, each time defining an additional credential to pass to
2849- the unit.</para >
2837+ credential plus a file system path, separated by a colon. The ID must be a short ASCII string
2838+ suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
2839+ is absolute it is opened as regular file and the credential data is read from it. If the absolute
2840+ path refers to an <constant >AF_UNIX</constant > stream socket in the file system a connection is made
2841+ to it (only once at unit start-up) and the credential data read from the connection, providing an
2842+ easy IPC integration point for dynamically providing credentials from other services. If the
2843+ specified path is not absolute and itself qualifies as valid credential identifier it is understood
2844+ to refer to a credential that the service manager itself received via the
2845+ <varname >$CREDENTIALS_DIRECTORY</varname > environment variable, which may be used to propagate
2846+ credentials from an invoking environment (e.g. a container manager that invoked the service manager)
2847+ into a service. The contents of the file/socket may be arbitrary binary or textual data, including
2848+ newline characters and <constant >NUL</constant > bytes. If the file system path is omitted it is
2849+ chosen identical to the credential name, i.e. this is a terse way do declare credentials to inherit
2850+ from the service manager into a service. This option may be used multiple times, each time defining
2851+ an additional credential to pass to the unit.</para >
28502852
28512853 <para >The credential files/IPC sockets must be accessible to the service manager, but don't have to
28522854 be directly accessible to the unit's processes: the credential data is read and copied into separate,
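Review bot: Typo in the added sentence at new line 2849: "a terse way do declare" should read "a terse way to declare". The same sentence also sits after the note about binary/NUL contents, away from the "not absolute and itself qualifies as valid credential identifier" case it depends on; moving it directly after that sentence would make it clear that the short form is always an inherit from the service manager's $CREDENTIALS_DIRECTORY and never a file system lookup. It would also help to say what happens when the service manager did not receive a credential of that name, since the short form makes that case easy to hit.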