systemd-imds-generator — Generator to automatically enable IMDS on supporting environments
/usr/lib/systemd/system-generators/systemd-imds-generator
systemd-imds-generator is a generator that enables IMDS (Instance Metadata Service) functionality at boot on systems that support it. Specifically, it does three things:

• It pulls the systemd-imdsd.socket unit (which activates systemd-imdsd@.service(8)) into the initial transaction, which provides IMDS access to local applications via Varlink IPC.

• It pulls the systemd-imds-early-network.service unit into the initial transaction, which generates a suitable systemd.network(5) network configuration file that allows early-boot network access to the IMDS functionality.

• It pulls the systemd-imds-import.service unit into the initial transaction, which automatically imports various credentials from IMDS into the local system, storing them in /run/credstore/.
By default, whether to pull in these services is decided based on hwdb(7) information that detects various IMDS environments automatically. However, this logic may be overridden via systemd.imds=, see below.
systemd-imds-generator implements systemd.generator(7).
systemd-imds-generator understands the following kernel command line parameters:
systemd.imds=
    Takes a boolean argument or the special value "auto", and may be used to enable or disable the IMDS logic. Note that this controls only whether the relevant services (as listed above) are automatically pulled into the initial transaction; it has no effect if some other unit or the user explicitly activates the relevant units. If this option is not used (or set to "auto"), automatic detection of IMDS is used, see above.

systemd.imds.network=
    Takes one of "off", "locked", "unlocked". Controls whether and how to set up networking for IMDS endpoint access. Unless set to "off", early-boot networking is enabled, ensuring that the IMDS endpoint can be reached. If set to "locked" (the default), direct access to the IMDS endpoint by regular unprivileged processes is disabled via a "prohibit" route, so that any access must go through systemd-imdsd@.service or its associated tools. If set to "unlocked", this "prohibit" route is not created, and regular unprivileged processes can directly contact IMDS.

systemd.imds.import=
    Takes a boolean argument. If false, the systemd-imds-import.service (see above) is not pulled into the initial transaction, i.e. no credentials are imported from IMDS. Defaults to true.
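As an added illustration of the decision logic the three parameters above describe (this is not the generator's own code, which is not shown on this page), the POSIX shell function below reads a kernel command line and prints which units would be pulled into the initial transaction. It assumes the hwdb(7) detection result is supplied by the caller as a "yes"/"no" argument, and that a key given more than once takes its last value.

```shell
#!/bin/sh
# Added model of the decision logic documented for systemd-imds-generator.
# It is NOT the generator's own code; only the documented semantics are modelled.
#
# imds_plan CMDLINE DETECTED
#   CMDLINE   kernel command line (normally the contents of /proc/cmdline)
#   DETECTED  "yes" or "no": whether hwdb(7) detected an IMDS environment
#             (assumed input supplied by the caller; detection itself is not modelled)
# Prints, one per line, the units that would be pulled into the initial transaction,
# followed by "prohibit-route" when the locked network mode would add that route.

# Boolean spellings accepted by systemd (1/yes/true/on and 0/no/false/off).
parse_bool() {
    case "$1" in
        1|yes|y|true|t|on)  echo yes ;;
        0|no|n|false|f|off) echo no ;;
        *)                  echo invalid ;;
    esac
}

imds_plan() {
    cmdline=$1 detected=$2
    imds=auto network=locked import=true   # documented defaults
    for word in $cmdline; do               # assumption: a later key overrides an earlier one
        case "$word" in
            systemd.imds=*)         imds=${word#*=} ;;
            systemd.imds.network=*) network=${word#*=} ;;
            systemd.imds.import=*)  import=${word#*=} ;;
        esac
    done
    # systemd.imds=: an explicit boolean wins; "auto" (or absent) defers to hwdb detection
    case "$imds" in
        auto) enabled=$detected ;;
        *)    enabled=$(parse_bool "$imds") ;;
    esac
    [ "$enabled" = yes ] || return 0       # disabled: nothing is pulled in
    echo systemd-imdsd.socket              # Varlink IPC access via systemd-imdsd@.service
    case "$network" in
        off)      ;;                       # no early-boot networking for IMDS
        unlocked) echo systemd-imds-early-network.service ;;
        *)        echo systemd-imds-early-network.service   # "locked" (default; unknown values
                  echo prohibit-route ;;                    # treated the same here, an assumption)
    esac
    # systemd.imds.import= defaults to true; only an explicit false skips the import unit
    [ "$(parse_bool "$import")" = no ] || echo systemd-imds-import.service
}
```

Run it against the live command line with `imds_plan "$(cat /proc/cmdline)" yes` to see which units a detected environment would get; an empty result means nothing is pulled in automatically.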