github.com/blixtra/rkt@v0.8.1-0.20160204105720-ab0d1add1a43/Documentation/subcommands/metadata-service.md (about)

# rkt metadata-service

## Overview

The metadata service is designed to help running apps introspect their execution environment and assert their pod identity.
In particular, the metadata service exposes the contents of the pod and image manifests as well as a convenient method of looking up annotations.
Finally, the metadata service provides a pod with cryptographically verifiable identity.

## Running the metadata service

The metadata service is implemented by the `rkt metadata-service` command.
When started, it listens for registration events on the Unix socket `/run/rkt/metadata-svc.sock`.
For systemd-based distributions, it also supports [systemd socket activation](http://0pointer.de/blog/projects/socket-activation.html).

If using socket activation, ensure the socket is named `/run/rkt/metadata-svc.sock`, as `rkt run` uses this name during registration.
Please note that when started under socket activation, the metadata service will not remove the socket on exit.
Use the `RemoveOnStop` directive in the relevant `.socket` file to clean up.

Example systemd unit files for running the metadata service are available in [dist](https://github.com/coreos/rkt/tree/master/dist/init/systemd).
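
A socket-activation setup that meets the two requirements above (fixed socket path, cleanup via `RemoveOnStop`), given here as an added example and not the unit files shipped in the project's `dist` directory. The unit file names, the `ExecStart` path and the socket owner and mode are assumptions.

```ini
# /etc/systemd/system/rkt-metadata.socket  (file name is an assumption)
[Unit]
Description=rkt metadata service socket

[Socket]
# Must be exactly this path: `rkt run` uses it during registration.
ListenStream=/run/rkt/metadata-svc.sock
# Assumed hardening: restrict the registration socket to root so that
# unprivileged local users cannot connect to it.
SocketUser=root
SocketGroup=root
SocketMode=0600
# The service does not remove the socket on exit when socket-activated;
# have systemd unlink it when this socket unit is stopped.
RemoveOnStop=yes

[Install]
WantedBy=sockets.target

# /etc/systemd/system/rkt-metadata.service  (file name is an assumption)
# Activated by the socket unit of the same name.
[Unit]
Description=rkt metadata service
Requires=rkt-metadata.socket
After=rkt-metadata.socket

[Service]
# Binary path is an assumption; adjust to where rkt is installed.
ExecStart=/usr/bin/rkt metadata-service
```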

In addition to listening on a Unix socket, the metadata service also listens on TCP port 2375; the listen port is set with the `--listen-port` flag described under Options.
Apps use this port when contacting the metadata service.
The IP and port of the metadata service are passed by rkt to pods via the `AC_METADATA_URL` environment variable.

## Using the metadata service

See the [App Container specification](https://github.com/appc/spec/blob/master/spec/ace.md#app-container-metadata-service) for more information about the metadata service, including a list of supported endpoints and their usage.

## Options

| Flag | Default | Options | Description |
| --- | --- | --- | --- |
| `--listen-port` | `18112` | A port number | Listen port |

## Global options

| Flag | Default | Options | Description |
| --- | --- | --- | --- |
| `--debug` | `false` | `true` or `false` | Prints out more debug information to `stderr` |
| `--dir` | `/var/lib/rkt` | A directory path | Path to the `rkt` data directory |
| `--insecure-options` | none | <ul><li>**none**: All security features are enabled</li><li>**http**: Allow HTTP connections. Be warned that this will send any credentials as clear text.</li><li>**image**: Disables verifying image signatures</li><li>**tls**: Accept any certificate from the server and any host name in that certificate</li><li>**ondisk**: Disables verifying the integrity of the on-disk, rendered image before running. This significantly speeds up start time.</li><li>**all**: Disables all security checks</li></ul> | Comma-separated list of security features to disable |
| `--local-config` | `/etc/rkt` | A directory path | Path to the local configuration directory |
| `--system-config` | `/usr/lib/rkt` | A directory path | Path to the system configuration directory |
| `--trust-keys-from-https` | `false` | `true` or `false` | Automatically trust GPG keys fetched over HTTPS |
| `--user-config` | `` | A directory path | Path to the user configuration directory |