<term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term>
<term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term>
- <para>Pass a credential to the container. These two options correspond to the
+ <listitem><para>Pass a credential to the container. These two options correspond to the
<varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details about these concepts, as well as the syntax of the option's arguments.</para>
- <para>Note:</para>
-
- <orderedlist>
- <listitem><para>When <command>systemd-nspawn</command> runs as systemd system service it can make
- use and propagate credentials it received via
- <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> to the container
- payload.</para></listitem>
-
- <listitem><para>A systemd service manager running as PID 1 in the container can make use of
- credentials passed in this way, and propagate them further to services it itself
- runs.</para></listitem>
- </orderedlist>
-
- <para>Thus it is possible to easily propagate credentials from a host service manager to a
- <command>systemd-nspawn</command> service and from there into its payload and services running within
- it.</para>
-
- <para>In order to embed binary data into
- the credential data for <option>--set-credential=</option> use C-style escaping
- (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to embed a NUL byte. Note
- that the invoking shell might already apply unescaping once, hence this might require double
- escaping!).</para>
+ <para>Note: when <command>systemd-nspawn</command> runs as systemd system service it can propagate
+ the credentials it received via <varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
+ to the container payload. A systemd service manager running as PID 1 in the container can further
+ propagate them to the services it itself starts. It is thus possible to easily propagate credentials
+ from a parent service manager to a container manager service and from there into its payload. This
+ can even be done recursively.</para>
+
+ <para>In order to embed binary data into the credential data for <option>--set-credential=</option>
+ use C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to
+ embed a <constant>NUL</constant> byte. Note that the invoking shell might already apply unescaping
+ once, hence this might require double escaping!).</para></listitem>
</varlistentry>
</variablelist>
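Review bot: the merged "Note:" paragraph in the added lines keeps only "propagate" and drops the removed wording that systemd-nspawn and the container's PID 1 service manager "can make use of" the credentials themselves. If consumption by the manager is still meant to be documented, keep "make use of and propagate" in both sentences. In the added --set-credential= paragraph, the parenthesis opened at "(i.e." still closes only after "double escaping!", so it spans a sentence break. Close it after the NUL byte and make the shell unescaping remark its own sentence. "e.g." also fits better than "i.e." there, since \n and \x00 are examples rather than the full set of escapes.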