diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index e1fec3d7a8..1e7e6a82d5 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml 
@@ -1412,33 +1412,22 @@ ID:PATH ID:VALUE - Pass a credential to the container. These two options correspond to the + Pass a credential to the container. These two options correspond to the LoadCredential= and SetCredential= settings in unit files. See systemd.exec5 for details about these concepts, as well as the syntax of the option's arguments. - Note: + Note: when systemd-nspawn runs as systemd system service it can propagate + the credentials it received via LoadCredential=/SetCredential= + to the container payload. A systemd service manager running as PID 1 in the container can further + propagate them to the services it itself starts. It is thus possible to easily propagate credentials + from a parent service manager to a container manager service and from there into its payload. This + can even be done recursively. - - When systemd-nspawn runs as systemd system service it can make - use and propagate credentials it received via - LoadCredential=/SetCredential= to the container - payload. - - A systemd service manager running as PID 1 in the container can make use of - credentials passed in this way, and propagate them further to services it itself - runs. - - - Thus it is possible to easily propagate credentials from a host service manager to a - systemd-nspawn service and from there into its payload and services running within - it. - - In order to embed binary data into - the credential data for use C-style escaping - (i.e. \n to embed a newline, or \x00 to embed a NUL byte. Note - that the invoking shell might already apply unescaping once, hence this might require double - escaping!). + In order to embed binary data into the credential data for + use C-style escaping (i.e. \n to embed a newline, or \x00 to + embed a NUL byte. Note that the invoking shell might already apply unescaping + once, hence this might require double escaping!).
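Review bot: the rewritten Note paragraph in this hunk is less precise than the three paragraphs it replaces on one security-relevant detail, and the final sentence "This can even be done recursively." is ambiguous. The removed text stated explicitly that the container's PID 1 "can make use of credentials passed in this way" before propagating them further; the new text only says it "can further propagate them", which drops the point that every hop in the chain (host service manager, the systemd-nspawn service, the container's service manager) itself has access to the credential data it forwards. Suggest keeping that statement, and replacing "recursively" with what is actually meant, e.g. "This also works for nested containers, since the container's service manager is just another systemd-nspawn service from the point of view of the next level." In the escaping paragraph, the parenthesis opened at "(i.e. \n to embed a newline" now encloses two full sentences and the first one ends with a period inside it; since these are examples rather than a definition, "i.e." should be "e.g.", and the "Note that the invoking shell might already apply unescaping once" sentence reads better as its own sentence after the closing parenthesis.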