RFE: Support systemd credentials
Secrets sounds a lot like systemd "credentials". (Though we try a bit harder to lock them down via ramfs rather than tmpfs). Might be worth making them compatible by setting the CREDENTIALS_PATH env var implicitly in podman. By making podman secrets and systemd credentials compat you gain that you can pass them from podman to systemd running in the container further down the tree. - via twitter
freedesktop.org/software/systemd/man/systemd.exec.html#Credentials https://twitter.com/pid_eins/status/1381731529404071940
@vrothberg @giuseppe any idea what we should do with @poettering tweet?
@poettering do you think we should set the CREDENTIALS_PATH to the path to secrets if the user creates a container with a secret?
I find very little documentation googling CREDENTIALS_PATH?
Yes, if podman has a directory where it makes these secrets/credentials available as regular files, then it would be excellent if it would set the $CREDENTIALS_PATH env var to the path to this dir. That way program code could reference both podman secrets and systemd credentials the exact same way: if you look for some secret/credential "xyz" you'd open "$CREDENTIALS_PATH/xyz" and that's it.
The docs for the feature in systemd you find here:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Credentials
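The lookup described in the comment above, as an added example that is not part of the thread and is not podman or systemd code. It tries the variable name used in this thread (CREDENTIALS_PATH) and then the name the systemd.exec documentation uses (CREDENTIALS_DIRECTORY); the function name, the 1 MiB limit and the sample secret are assumptions made for the example.

```python
import os
import stat
import tempfile

# Variable names to try, in order. CREDENTIALS_PATH is the name used in this
# thread; CREDENTIALS_DIRECTORY is the name in the systemd.exec documentation.
ENV_VARS = ("CREDENTIALS_PATH", "CREDENTIALS_DIRECTORY")
MAX_SIZE = 1024 * 1024  # assumed limit: refuse anything larger than 1 MiB


def read_credential(name, environ=os.environ):
    """Return the bytes of credential `name` from the credentials directory."""
    # The name must be a single path component: no separators, no "." or "..".
    if not name or name in (".", "..") or "/" in name or "\0" in name:
        raise ValueError(f"invalid credential name: {name!r}")
    directory = next((environ[v] for v in ENV_VARS if environ.get(v)), None)
    if directory is None:
        raise LookupError("no credentials directory in the environment")
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        # O_NOFOLLOW: a symlink stored under the name is refused, not followed.
        # O_NONBLOCK: opening a FIFO stored under the name does not hang.
        flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
        fd = os.open(name, flags, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise ValueError(f"credential {name!r} is not a regular file")
        data = f.read(MAX_SIZE + 1)
    if len(data) > MAX_SIZE:
        raise ValueError(f"credential {name!r} exceeds {MAX_SIZE} bytes")
    return data


def demo():
    """Build a constructed credentials directory and read "xyz" from it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "xyz")
        with open(path, "wb") as f:
            f.write(b"constructed-sample-secret\n")
        os.chmod(path, 0o400)
        return read_credential("xyz", {"CREDENTIALS_PATH": d})


if __name__ == "__main__":
    print(demo())
```

Passing the environment as a parameter keeps the lookup testable and makes it explicit which variable supplied the directory.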
@ashley-cui Could you look at this? We need to make sure that CREDENTIALS_PATH environment is not saved in the image, if the image was saved.
@ashley-cui ping