From: Zbigniew Jędrzejewski-Szmek Date: Thu, 26 Mar 2026 16:32:43 +0000 (+0100) Subject: meson: unlock imds network by default X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F41359%2Fhead;p=thirdparty%2Fsystemd.git meson: unlock imds network by default Enabling locking by default would constitute a major footgun and compatibility break on upgrades. This functionality is useful, but it requires the rest of the system to be "ported" to use systemd-imds first. The user or distro should opt in to "locked" mode only after doing the integration work. --- diff --git a/NEWS b/NEWS index c34c55603e4..c717a355ecd 100644 --- a/NEWS +++ b/NEWS @@ -13,13 +13,13 @@ CHANGES WITH 261 in spe: attestation environments which use hardware CC registers and not the TPM quote. - * By default networking to cloud IMDS services is now locked down, for - recognized clouds. This is recommended for secure installations, but - typically conflicts with traditional IMDS clients such as cloud-init, - which require direct IMDS access currently. The new meson option - "imds-network" can be used to change the default networking mode to - "unlocked" at build-time, for compatibility. This is probably what - general purpose distributions should set for now. + New features: + + * Networking to cloud IMDS services may be locked down for recognized + clouds. This is recommended for secure installations, but typically + conflicts with traditional IMDS clients such as cloud-init, which + require direct IMDS access. The new meson option "-Dimds-network=" + can be used to change the default mode to "locked" at build-time. CHANGES WITH 260: diff --git a/meson_options.txt b/meson_options.txt index 30c5fd3ab67..d61afac519d 100644 --- a/meson_options.txt +++ b/meson_options.txt 
@@ -144,7 +144,7 @@ option('timesyncd', type : 'boolean', description : 'install the systemd-timesyncd daemon') option('imds', type : 'feature', description : 'install the systemd-imds stack') -option('imds-network', type : 'combo', choices : [ 'locked', 'unlocked' ], +option('imds-network', type : 'combo', choices : ['unlocked', 'locked'], description : 'whether to default to locked/unlocked IMDS network mode') option('journal-storage-default', type : 'combo', choices : ['persistent', 'auto', 'volatile', 'none'], description : 'default storage mode for journald (main namespace)')
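Review bot: In the NEWS hunk, the rewritten entry never states which mode is the default. Its last added sentence only says that "-Dimds-network=" can change the default mode to "locked", so a reader has to infer that a stock build leaves IMDS networking unlocked. Suggest saying it outright, for example 'The default is "unlocked"; build with -Dimds-network=locked to opt in', and naming both accepted values instead of the bare trailing "=". The entry still calls locking "recommended for secure installations", so a clause carrying the commit message's reason for not enabling it by default (the rest of the system has to be ported to systemd-imds first) would keep the two statements from reading as contradictory.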
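Review bot: On the changed option('imds-network', ...) line in meson_options.txt, the default is flipped only by reordering choices, which relies on meson using the first combo entry when no value is given. Adding an explicit value : 'unlocked' would make this security-relevant default visible in the option itself and keep a later reorder or cleanup of the list from silently switching it back to 'locked'. The unchanged description line, 'whether to default to locked/unlocked IMDS network mode', could also say which of the two is the default.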