Add --credential option to set systemd credentials

diff --git a/mkosi.md b/mkosi.md
index e7c7c4b265aa773e08b15e992b14a91d49c5d69a..8370571876ef93546952bf69a1e53d106e3de4c9 100644 (file)
--- a/mkosi.md
+++ b/mkosi.md
@@ -1043,6 +1043,12 @@ a machine ID.
   in scripted environments where the `qemu` and `ssh` verbs are used in a quick
   succession and the virtual device might not get enough time to configure itself.
 
+`Credential=`, `--credential`
+
+: Set credentials to be passed to systemd-nspawn or qemu respectively when
+  `mkosi shell/boot` or `mkosi qemu` are used. This option takes a space separated
+  list of key=value assignments.
+
 ### Commandline-only Options
 
 Those settings cannot be configured in the configuration files.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 6856d68135da184ff188b9fe2d51c881253dbad9..10bb15db15af9a3d3a9102f699816d4045e31491 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2355,6 +2355,14 @@ def create_parser() -> ArgumentParserMkosi:
         metavar="PORT",
         help="If specified, 'mkosi ssh' will use this port to connect",
     )
+    group.add_argument(
+        "--credential",
+        dest="credentials",
+        action=SpaceDelimitedListAction,
+        default=[],
+        help="Pass a systemd credential to systemd-nspawn or qemu",
+        metavar="NAME=VALUE",
+    )
 
     group = parser.add_argument_group("Additional configuration options")
     group.add_argument(
@@ -3000,6 +3008,15 @@ def load_args(args: argparse.Namespace) -> MkosiConfig:
     else:
         args.environment = {}
 
+    if args.credentials:
+        credentials = {}
+        for s in args.credentials:
+            key, _, value = s.partition("=")
+            credentials[key] = value
+        args.credentials = credentials
+    else:
+        args.credentials = {}
+
     if args.cache_path is not None:
         args.cache_path = args.cache_path.absolute()
 
@@ -3813,7 +3830,7 @@ def build_stuff(config: MkosiConfig) -> None:
                 shutil.move(str(state.staging / p.name), str(p))
                 if p in (state.config.output, state.config.output_split_kernel):
                     compress_output(state.config, p)
-            if state.config.chown and p.exists(): 
+            if state.config.chown and p.exists():
                 chown_to_running_user(p)
 
         for p in state.staging.iterdir():
@@ -3937,6 +3954,9 @@ def run_shell(config: MkosiConfig) -> None:
     if config.source_file_transfer_final == SourceFileTransfer.mount:
         cmdline += [f"--bind={config.build_sources}:/root/src", "--chdir=/root/src"]
 
+    for k, v in config.credentials.items():
+        cmdline += [f"--set-credential={k}:{v}"]
+
     if config.verb == Verb.boot:
         # Add nspawn options first since systemd-nspawn ignores all options after the first argument.
         cmdline += config.cmdline
@@ -4146,6 +4166,9 @@ def run_qemu(config: MkosiConfig) -> None:
             "-append", config.output_split_cmdline.read_text().strip(),
         ]
 
+    for k, v in config.credentials.items():
+        cmdline += ["-smbios", f"type=11,value=io.systemd.credential:{k}={v}"]
+
     with contextlib.ExitStack() as stack:
         if config.qemu_boot == "uefi" and fw_supports_sb:
             ovmf_vars = stack.enter_context(copy_file_temporary(src=find_ovmf_vars(config), dir=tmp_dir()))

diff --git a/mkosi/backend.py b/mkosi/backend.py
index 0cd428b24c835579261994a16730d2e7d27c320f..43b1b7650f66c432527f2c9fc2ae6bb4a31185e4 100644 (file)
--- a/mkosi/backend.py
+++ b/mkosi/backend.py
@@ -420,6 +420,7 @@ class MkosiConfig:
     ssh_agent: Optional[Path]
     ssh_timeout: int
     ssh_port: int
+    credentials: Dict[str, str]
     directory: Optional[Path]
     config_path: Optional[Path]
     all: bool

diff --git a/tests/test_config_parser.py b/tests/test_config_parser.py
index 1d5691a023062a6003903b20e88ea12029d344eb..e32f1440fe72f34e1c19a6822502f74675bd00c7 100644 (file)
--- a/tests/test_config_parser.py
+++ b/tests/test_config_parser.py
@@ -142,6 +142,7 @@ class MkosiConfig:
             "ssh_timeout": 0,
             "ssh_agent": None,
             "ssh_port": 22,
+            "credentials": [],
             "split_artifacts": False,
             "image_id": None,
             "image_version": None,