git.ipfire.org Git - thirdparty/systemd.git/commitdiff
credentials: document that their path is stable for system services
author Joerg Behrmann <behrmann@physik.fu-berlin.de>
Fri, 20 Oct 2023 09:35:04 +0000 (11:35 +0200)
committer Luca Boccassi <luca.boccassi@gmail.com>
Fri, 20 Oct 2023 10:44:46 +0000 (11:44 +0100)
docs/CREDENTIALS.md
man/systemd.exec.xml

index 0ae04690648a915f72dc3774cecd4e9298aae5a4..f508c84f4c6a41c597026bcf69f97ec457e2db17 100644 (file)
@@ -468,7 +468,12 @@ READY=1
 ## Relevant Paths
 
 From *service* perspective the runtime path to find loaded credentials in is
-provided in the `$CREDENTIALS_DIRECTORY` environment variable.
+provided in the `$CREDENTIALS_DIRECTORY` environment variable. For *system
+services* the credential directory will be `/run/credentials/<unit name>`, but
+hardcoding this path is discouraged, because it does not work for *user
+services*. Packagers and system administrators may hardcode the credential path
+as a last resort for software that does not yet search for credentials relative
+to `$CREDENTIALS_DIRECTORY`.
 
 From *generator* perspective the runtime path to find credentials passed into
 the system in plaintext form in is provided in `$CREDENTIALS_DIRECTORY`, and
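Review bot: in the added lines `/run/credentials/<unit name>` leaves it ambiguous whether `<unit name>` is the full unit name including its type suffix; give one concrete instance, e.g. `/run/credentials/foo.service`, so packagers who take the "last resort" route do not guess wrong. "does not work for *user services*" would be more useful if it said where user-service credentials are found instead, rather than only that the system path is wrong there, since that is the actual reason `$CREDENTIALS_DIRECTORY` must remain the primary lookup. Finally, the commit title says the path is "stable", but the text here only says what the path is; state explicitly that it is a supported, stable interface (not an implementation detail), because the advice to hardcode it as a last resort only makes sense if that is guaranteed.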
index 79d56a5d0f1f7f9f96879bb70dc9530f5f166db2..a82868aeb123da1df8719b037afe5438c538b743 100644 (file)
@@ -3430,7 +3430,12 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
         <varname>ExecStart=</varname> command line use <literal>${CREDENTIALS_DIRECTORY}/mycred</literal>,
         e.g. <literal>ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred</literal>. In order to reference the path
         a credential may be read from within a <varname>Environment=</varname> line use
-        <literal>%d/mycred</literal>, e.g. <literal>Environment=MYCREDPATH=%d/mycred</literal>.</para>
+        <literal>%d/mycred</literal>, e.g. <literal>Environment=MYCREDPATH=%d/mycred</literal>. For system
+        services the path may also be referenced as
+        <literal>/run/credentials/<replaceable>UNITNAME</replaceable></literal> in cases where no
+        interpolation is possible, e.g. configuration files of software that does not yet support credentials
+        natively. <varname>$CREDENTIALS_DIRECTORY</varname> is considered the primary interface to look for
+        credentials, though, since it also works for user services.</para>
 
         <para>Currently, an accumulated credential size limit of 1 MB per unit is enforced.</para>
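Review bot: the wording of the added sentence is weaker than the matching text in docs/CREDENTIALS.md, which calls hardcoding "discouraged" and a "last resort"; the man page only says `$CREDENTIALS_DIRECTORY` is "considered the primary interface", so the two documents should use the same strength of recommendation, and a cross-reference between them would keep them from drifting. As in the docs hunk, `/run/credentials/<replaceable>UNITNAME</replaceable>` should be accompanied by a `<literal>` example with the unit suffix (e.g. `/run/credentials/foo.service`) so readers know UNITNAME is the full unit name. Since the docs describe this as a "runtime path", it is also worth stating here that the directory is only meaningful while the service runs, so a configuration file that hardcodes it must be consumed by the service itself and not by tooling run outside the unit.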