]> git.ipfire.org Git - thirdparty/systemd.git/commit
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f3eac27) | patch
imds: add new systemd-imdsd.service that makes IMDS data accessible locally
authorLennart Poettering <lennart@amutable.com>
Wed, 4 Mar 2026 14:10:37 +0000 (15:10 +0100)
committerLennart Poettering <lennart@amutable.com>
Thu, 26 Mar 2026 09:54:15 +0000 (10:54 +0100)
commiteb6e5b07f13cefddf1f49e1f7bda4af22f5aba17
tree2d412e25c7c1513f831a1377c3fdc53fe1342e33tree | snapshot
parentf3eac272e6ce8671bb6ab71b46a89d5afb916628commit | diff
imds: add new systemd-imdsd.service that makes IMDS data accessible locally

This service's job is to talk to a VM associated IMDS service provided
by the local Cloud. It tries to abstract the protocol differences
various IMDS implementations implement, but does *not* really try to
abstract more than a few basic fields of the actual IMDS metadata.

IMDS access is wrapped in a Varlink API that local clients can talk to.

If possible this makes use of the IMDS endpoint information that has
been added to hwdb in the preceeding commit. However, endpoint info can
also be provided via kernel command line and credentials. For debugging
purposes we also accept them via environment variables and command line
arguments.

This adds a concept of early-boot networking, just enough to be able to
talk to the IMDS service. It is minimally configurable via a kernel
cmdline option (and a build-time option): the user may choose between
"locked" and "unlocked" mode. In the former mode direct access to IMDS via
HTTPS is blocked via a prohibit route (and thus all IMDS communication
has to be done via systemd-imdsd@.service). In the latter case no such
lockdown takes place, and IMDS may be acquired both via this new service
and directly. The latter is typically a good idea for compatibility with
current systems, the former is preferable for secure installations.

Access to IMDS fields is controlled via PK.
22 files changed:
man/kernel-command-line.xml diff | blob | blame | history
man/rules/meson.build diff | blob | blame | history
man/systemd-imdsd@.service.xml [new file with mode: 0644] blob
man/systemd.system-credentials.xml diff | blob | blame | history
meson.build diff | blob | blame | history
meson_options.txt diff | blob | blame | history
src/imds/imds-util.c [new file with mode: 0644] blob
src/imds/imds-util.h [new file with mode: 0644] blob
src/imds/imdsd.c [new file with mode: 0644] blob
src/imds/io.systemd.imds.policy [new file with mode: 0644] blob
src/imds/meson.build [new file with mode: 0644] blob
src/import/meson.build diff | blob | blame | history
src/shared/meson.build diff | blob | blame | history
src/shared/varlink-io.systemd.InstanceMetadata.c [new file with mode: 0644] blob
src/shared/varlink-io.systemd.InstanceMetadata.h [new file with mode: 0644] blob
src/test/test-varlink-idl.c diff | blob | blame | history
sysusers.d/meson.build diff | blob | blame | history
sysusers.d/systemd-imds.conf.in [new file with mode: 0644] blob
units/meson.build diff | blob | blame | history
units/systemd-imds-early-network.service.in [new file with mode: 0644] blob
units/systemd-imdsd.socket [new file with mode: 0644] blob
units/systemd-imdsd@.service.in [new file with mode: 0644] blob
Unnamed repository; edit this file 'description' to name the repository.