systemd-imds-generator - Man Page

/usr/lib/systemd/system-generators/systemd-imds-generator

systemd-imds-generator is a generator that enables IMDS (Instance Metadata Service) functionality at boot on systems that support it. Specifically it does three things:

• It pulls the systemd-imdsd.socket unit (which activates systemd-imdsd@.service(8)) into the initial transaction, which provides IMDS access to local applications via Varlink IPC.
• It pulls the systemd-imds-early-network.service unit into the initial transaction, which generates a suitable systemd.network(5) network configuration file that allows early-boot network access to the IMDS functionality.
• It pulls the systemd-imds-import.service unit into the initial transaction, which automatically imports various credentials from IMDS into the local system, storing them in /run/credstore/.

By default, whether to pull in these services or not is decided based on hwdb(7) information, that detects various IMDS environments automatically. However, this logic may be overridden via systemd.imds=, see below.

systemd-imds-generator implements systemd.generator(7).

systemd-imds-generator understands the following kernel command line parameters:

systemd.imds=

Takes a boolean argument or the special value "auto", and may be used to enable or disable the IMDS logic. Note that this controls only whether the relevant services (as listed above) are automatically pulled into the initial transaction, it has no effect if some other unit or the user explicitly activates the relevant units. If this option is not used (or set to "auto") automatic detection of IMDS is used, see above.

Added in version 261.

systemd.imds.network=

Takes one of "off", "locked", "unlocked". Controls whether and how to set up networking for IMDS endpoint access. Unless set to "off" early boot networking is enabled, ensuring that the IMDS endpoint can be reached. If set to "locked" (the default) direct access to the IMDS endpoint by regular unprivileged processes is disabled via a "prohibit" route, so that any access must be done through systemd-imdsd@.service or its associated tools. If set to "unlocked" this "prohibit" route is not created, and regular unprivileged processes can directly contact IMDS.

Added in version 261.

systemd.imds.import=

Takes a boolean argument. If false the systemd-imds-import.service (see above) is not pulled into the initial transaction, i.e. no credentials are imported from IMDS. Defaults to true.

Added in version 261.

systemd(1), systemd-imds(1), systemd-imdsd@.service(8), systemd.system-credentials(7)

kernel-command-line(7), systemd.directives(7), systemd-imds(1), systemd-imdsd@.service(8), systemd.index(7).