NAME
       systemd-imds-generator - Generator to automatically enable IMDS on supporting environments

SYNOPSIS
       /usr/lib/systemd/system-generators/systemd-imds-generator
DESCRIPTION
       systemd-imds-generator is a generator that enables IMDS (Instance Metadata Service) functionality at boot on systems that support it. Specifically, it does three things:

       • It pulls the systemd-imdsd.socket unit (which activates systemd-imdsd@.service(8)) into the initial transaction, which provides IMDS access to local applications via Varlink IPC.

       • It pulls the systemd-imds-early-network.service unit into the initial transaction, which generates a suitable systemd.network(5) network configuration file that allows early-boot network access to the IMDS functionality.

       • It pulls the systemd-imds-import.service unit into the initial transaction, which automatically imports various credentials from IMDS into the local system, storing them in /run/credstore/.

       By default, whether to pull in these services is decided based on hwdb(7) information, which detects various IMDS environments automatically. However, this logic may be overridden via systemd.imds=, see below.

       systemd-imds-generator implements systemd.generator(7).
KERNEL COMMAND LINE
       systemd-imds-generator understands the following kernel command line parameters:

       systemd.imds=
           Takes a boolean argument or the special value "auto", and may be used to enable or disable the IMDS logic. Note that this controls only whether the relevant services (as listed above) are automatically pulled into the initial transaction; it has no effect if some other unit, or the user, explicitly activates them. If this option is not used (or is set to "auto"), automatic detection of IMDS is used, see above.

           Added in version 261.

       systemd.imds.network=
           Takes one of "off", "locked", "unlocked". Controls whether and how to set up networking for IMDS endpoint access. Unless set to "off", early boot networking is enabled, ensuring that the IMDS endpoint can be reached. If set to "locked" (the default), direct access to the IMDS endpoint by regular unprivileged processes is disabled via a "prohibit" route, so that any access must go through systemd-imdsd@.service or its associated tools. If set to "unlocked", this "prohibit" route is not created, and regular unprivileged processes can directly contact IMDS.

           Added in version 261.

       systemd.imds.import=
           Takes a boolean argument. If false, systemd-imds-import.service (see above) is not pulled into the initial transaction, i.e. no credentials are imported from IMDS. Defaults to true.

           Added in version 261.
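The following POSIX shell script is an added example and is not part of systemd or of this manual page. It models the decision described above: it parses the three systemd.imds* kernel command line parameters out of a command line string, applies the documented defaults ("auto", "locked", true), and reports which of the three units the generator would pull into the initial transaction for a given hwdb detection result. Two details are assumptions rather than statements of the page: that the last occurrence of a parameter on the command line wins, and that "off" for systemd.imds.network= means systemd-imds-early-network.service is simply not pulled in. The function names (imds_bool, imds_effective, imds_units) are invented for this example.

```shell
#!/bin/sh
# Added example, not systemd code: model systemd-imds-generator's reading of
# the kernel command line. Defaults follow the man page: systemd.imds=auto,
# systemd.imds.network=locked, systemd.imds.import=yes.
# Assumption: the last occurrence of a parameter on the command line wins.

# Normalize a boolean word to "yes"/"no"; fails on unknown input.
imds_bool() {
    case "$1" in
        1|yes|y|true|t|on)   echo yes ;;
        0|no|n|false|f|off)  echo no ;;
        *)                   return 1 ;;
    esac
}

# imds_effective "<cmdline>"
#   prints: imds=<auto|yes|no> network=<off|locked|unlocked> import=<yes|no>
#   fails on an invalid value, as a strict parser should.
imds_effective() {
    imds=auto; network=locked; import=yes
    for arg in $1; do
        case "$arg" in
            systemd.imds=*)
                v=${arg#systemd.imds=}
                if [ "$v" = auto ]; then
                    imds=auto
                else
                    imds=$(imds_bool "$v") || { echo "invalid systemd.imds=$v" >&2; return 1; }
                fi ;;
            systemd.imds.network=*)
                v=${arg#systemd.imds.network=}
                case "$v" in
                    off|locked|unlocked) network=$v ;;
                    *) echo "invalid systemd.imds.network=$v" >&2; return 1 ;;
                esac ;;
            systemd.imds.import=*)
                v=${arg#systemd.imds.import=}
                import=$(imds_bool "$v") || { echo "invalid systemd.imds.import=$v" >&2; return 1; }
                ;;
        esac
    done
    echo "imds=$imds network=$network import=$import"
}

# imds_units <detected|not-detected> "<cmdline>"
#   $1 stands in for the hwdb(7) detection result; prints the units the
#   generator would pull into the initial transaction, or "(none)".
imds_units() {
    settings=$(imds_effective "$2") || return 1
    set -- "$1" $settings          # $2=imds=.. $3=network=.. $4=import=..
    enable=no
    case "${2#imds=}" in
        yes)  enable=yes ;;
        no)   enable=no ;;
        auto) [ "$1" = detected ] && enable=yes ;;
    esac
    [ "$enable" = yes ] || { echo "(none)"; return 0; }
    units="systemd-imdsd.socket"
    # Assumption: network=off means the early-network unit is not pulled in.
    [ "${3#network=}" = off ] || units="$units systemd-imds-early-network.service"
    [ "${4#import=}" = yes ] && units="$units systemd-imds-import.service"
    echo "$units"
}

# Stand-alone use: report the effective settings of the running system.
if [ -r /proc/cmdline ]; then
    imds_effective "$(cat /proc/cmdline)" || true
fi
```

On a system where you expect the "locked" default, the reported network=locked setting is the one to cross-check against the actual routing table, since it is the "prohibit" route, not the generator itself, that keeps unprivileged processes from reaching the endpoint directly.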