Merge pull request #16373 from JackFangXN/master
[thirdparty/systemd.git] / man / systemd-journal-upload.service.xml
index 141e595400d86897f45b7e6aebda2997eeb259e6..174bef803f45401f3d231f5df968abea3b9d262d 100644 (file)
@@ -1,17 +1,10 @@
-<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
 <!ENTITY % entities SYSTEM "custom-entities.ent" >
 %entities;
 ]>
-
-<!--
-  SPDX-License-Identifier: LGPL-2.1+
-
-  This file is part of systemd.
-
-  Copyright 2014 Zbigniew JÄ™drzejewski-Szmek
--->
+<!-- SPDX-License-Identifier: LGPL-2.1+ -->
 
 <refentry id="systemd-journal-upload" conditional='HAVE_MICROHTTPD'
           xmlns:xi="http://www.w3.org/2001/XInclude">
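Review bot: The new DOCTYPE pairs the public identifier `-//OASIS//DTD DocBook XML V4.5//EN` with a system identifier that still names the 4.2 DTD, so the two halves of the declaration disagree about which DocBook version the page is validated against. If 4.5 is intended, the second line should read `"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [`. The system identifier is also a plain-http URL; presumably the build resolves it through a local catalog rather than over the network, which is worth confirming because a fetched DTD is parsed as trusted input.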
   <refentryinfo>
     <title>systemd-journal-upload.service</title>
     <productname>systemd</productname>
-
-    <authorgroup>
-      <author>
-        <contrib>Developer</contrib>
-        <firstname>Zbigniew</firstname>
-        <surname>JÄ™drzejewski-Szmek</surname>
-        <email>zbyszek@in.waw.pl</email>
-      </author>
-    </authorgroup>
   </refentryinfo>
 
   <refmeta>
     Unless limited by one of the options specified below, all journal entries accessible to the user
     the program is running as will be uploaded, and then the program will wait and send new entries
     as they become available.</para>
+
+    <para><filename>systemd-journal-upload.service</filename> is a system service that uses
+    <command>systemd-journal-upload</command> to upload journal entries to a server. It uses the
+    configuration in
+    <citerefentry><refentrytitle>journal-upload.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+    At least the <varname>URL=</varname> option must be specified.</para>
   </refsect1>
 
   <refsect1>
         <term><option>--key=</option></term>
 
         <listitem><para>
-          Takes a path to a SSL key file in PEM format.
+          Takes a path to a SSL key file in PEM format, or <option>-</option>.
+          If <option>-</option> is set, then client certificate authentication checking
+          will be disabled.
           Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-upload.pem</filename>.
         </para></listitem>
       </varlistentry>
         <term><option>--cert=</option></term>
 
         <listitem><para>
-          Takes a path to a SSL certificate file in PEM format.
+          Takes a path to a SSL certificate file in PEM format, or <option>-</option>.
+          If <option>-</option> is set, then client certificate authentication checking
+          will be disabled.
           Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem</filename>.
         </para></listitem>
       </varlistentry>
         <term><option>--trust=</option></term>
 
         <listitem><para>
-          Takes a path to a SSL CA certificate file in PEM format,
-          or <option>all</option>. If <option>all</option> is set,
-          then certificate checking will be disabled.
+          Takes a path to a SSL CA certificate file in PEM format, or <option>-</option>/<option>all</option>.
+          If <option>-</option>/<option>all</option> is set, then certificate checking will be disabled.
           Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
         </para></listitem>
       </varlistentry>
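Review bot: The new `--trust=` text says that `-`/`all` disables certificate checking but does not say what that costs: without verifying the server certificate the client cannot tell the intended journal server from an impostor, so log data may end up with a third party. I would add a sentence after the one about `-`/`all`, for example `This leaves the connection open to interception and should only be used for testing.` The `--key=` and `--cert=` paragraphs in the same change describe `-` as disabling `client certificate authentication checking`, which reads as if the client checks something. Presumably it means the client presents no certificate, and the wording could say so.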
       legitimate, and vice versa, that the client is trusted.</para>
 
       <para>A suitable set of certificates can be generated with
-      <command>openssl</command>:</para>
+      <command>openssl</command>. Note, 2048 bits of key length
+      is minimally recommended to use for security reasons:</para>
 
       <programlisting>openssl req -newkey rsa:2048 -days 3650 -x509 -nodes \
       -out ca.pem -keyout ca.key -subj '/CN=Certificate authority/'
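Review bot: The added sentence `Note, 2048 bits of key length is minimally recommended to use for security reasons` is hard to read; `Note that a key length of at least 2048 bits is recommended:` says the same thing. Since the paragraph now gives security advice, it could also mention that the listing's `-nodes` writes the private keys unencrypted, so `ca.key` and the other key files should be readable only by their owner. The programlisting continues past the end of this hunk.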
@@ -257,10 +251,10 @@ echo 0001 &gt;serial
 SERVER=server
 CLIENT=client
 
-openssl req -newkey rsa:1024 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"
+openssl req -newkey rsa:2048 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"
 openssl ca -batch -config ca.conf -notext -in $SERVER.csr -out $SERVER.pem
 
-openssl req -newkey rsa:1024 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj "/CN=$CLIENT/"
+openssl req -newkey rsa:2048 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj "/CN=$CLIENT/"
 openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
 </programlisting>
 
@@ -273,7 +267,7 @@ openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
       those files can be specified using
       <varname>TrustedCertificateFile=</varname>,
       <varname>ServerCertificateFile=</varname>,
-      <varname>ServerKeyFile=</varname>, in
+      and <varname>ServerKeyFile=</varname> in
       <filename>/etc/systemd/journal-remote.conf</filename> and
       <filename>/etc/systemd/journal-upload.conf</filename>,
       respectively. The default locations can be queried by using
@@ -285,6 +279,7 @@ openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
   <refsect1>
     <title>See Also</title>
     <para>
+      <citerefentry><refentrytitle>journal-upload.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>systemd-journal-remote.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,