Commit b0d29bf

man: document credentials passing in the container interface
1 parent 60cc90b commit b0d29bf

1 file changed

+15
-1
lines changed

docs/CONTAINER_INTERFACE.md

Lines changed: 15 additions & 1 deletion
@@ -131,6 +131,17 @@ manager, please consider supporting the following interfaces.
131131
`$container_host_variant_id=server`
132132
`$container_host_version_id=10`
133133

134+
5. systemd supports passing immutable binary data blobs with limited size and
135+
restricted access to services via the `LoadCredential=` and `SetCredential=`
136+
settings. The same protocol may be used to pass credentials from the
137+
container manager to systemd itself. The credential data should be placed in
138+
some location (ideally a read-only and non-swappable file system, like
139+
'ramfs'), and the absolute path to this directory exported in the
140+
`$CREDENTIALS_DIRECTORY` environment variable. If the container managers
141+
does this, the credentials passed to the service manager can be propagated
142+
to services via `LoadCredential=` (see ...). The container manager can
143+
choose any path, but `/run/host/credentials` is recommended."
144+
134145
## Advanced Integration
135146

136147
1. Consider syncing `/etc/localtime` from the host file system into the
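Review bot: the new paragraph 5 ends with a stray closing quotation mark after `/run/host/credentials` is recommended` and has a grammar slip in "If the container managers does this" (should be "manager does"); the `(see ...)` after `LoadCredential=` is also a dangling placeholder that should point at the actual reference, for example systemd.exec(5). It would also help to state what ownership and mode the container manager should give the directory and the files in it, since the paragraph describes the blobs as having restricted access but only specifies the file system type (read-only, non-swappable, such as 'ramfs').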
@@ -228,7 +239,7 @@ care should be taken to avoid naming conflicts. `systemd` (and in particular
228239
inaccessible. Note that systemd when run as PID 1 in the container payload
229240
will create these nodes on its own if not passed in by the container
230241
manager. However, in that case it likely lacks the privileges to create the
231-
character and block devices nodes (there all fallbacks for this case).
242+
character and block devices nodes (there are fallbacks for this case).
232243

233244
3. The `/run/host/notify` path is a good choice to place the `sd_notify()`
234245
socket in, that may be used for the container's PID 1 to report to the
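Review bot: the replacement line fixes "there all fallbacks" but keeps "character and block devices nodes"; suggest "character and block device nodes" in the same `+` line so this sentence does not need a second pass.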
@@ -252,6 +263,9 @@ care should be taken to avoid naming conflicts. `systemd` (and in particular
252263
as the `$container_uuid` environment variable (see above). This file should
253264
be newline terminated.
254265

266+
7. The `/run/host/credentials/` directory is a good place to pass credentials
267+
into the container, using the `$CREDENTIALS_DIRECTORY` protocol, see above.
268+
255269
## What You Shouldn't Do
256270

257271
1. Do not drop `CAP_MKNOD` from the container. `PrivateDevices=` is a commonly
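Review bot: item 7 writes the path as `/run/host/credentials/` with a trailing slash while item 5 in the first hunk recommends `/run/host/credentials` without it; use one spelling so both mentions are found together. Since this item only says "see above", consider repeating the key constraint from item 5 (a read-only, non-swappable file system) here, because the Advanced Integration list is where container manager authors will look for mount details.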
