diff options
Diffstat (limited to '')
-rw-r--r-- | share/man/container-shell.1.rst | 141 |
1 files changed, 141 insertions, 0 deletions
diff --git a/share/man/container-shell.1.rst b/share/man/container-shell.1.rst new file mode 100644 index 0000000..b12958f --- /dev/null +++ b/share/man/container-shell.1.rst @@ -0,0 +1,141 @@ +.. Open Infrastructure: compute-tools + +.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +.. +.. SPDX-License-Identifier: GPL-3.0+ +.. +.. This program is free software: you can redistribute it and/or modify +.. it under the terms of the GNU General Public License as published by +.. the Free Software Foundation, either version 3 of the License, or +.. (at your option) any later version. +.. +.. This program is distributed in the hope that it will be useful, +.. but WITHOUT ANY WARRANTY; without even the implied warranty of +.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.. GNU General Public License for more details. +.. +.. You should have received a copy of the GNU General Public License +.. along with this program. If not, see <https://www.gnu.org/licenses/>. + +=============== +container-shell +=============== + +---------------------------------------- +Manage systemd-nspawn containers (shell) +---------------------------------------- + +:manual section: 1 +:manual group: Open Infrastructure + +Synopsis +======== + +| **container-shell** ['OPTIONS'] +| **cntsh** ['OPTIONS'] + +Description +=========== + +compute-tools provides the system integration for managing containers using +systemd-nspawn. + +Usage +----- + +Although the **container-shell** can be started from a running system like any +other program, the main intend is to use the **container-shell** via SSH. That +way otherwise unprivileged users have possibility to manage containers without +needing a regular shell login on the container server. + +For usage over SSH a unprivileged user should be created: + +| +| sudo adduser --gecos "compute-tools,,," \\ +| --home /var/lib/open-infrastructure/container-shell \\ +| --shell /usr/bin/container-shell + +The container-shell can then be allowed for specific SSH keys via +/var/lib/compute-tools/container-shell/.ssh/authorized_keys like so: + +| +| command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\\ +| no-agent-forwarding,no-pty ssh-ed25519 [...] + +Restricted shell +---------------- + +The container-shell by default grants any user that has access to it to use all available container commands. + +Through two corresponding environment variables users can be allowed or disallowed to use specific container commands. +In connection with SSH this makes it possible to grant certain SSH keys (and by that, users) privileges to operate container +servers without having to give them root access, a login shell at all and prevents them from doing things they are not trusted to do. + +Example (blacklisting) +^^^^^^^^^^^^^^^^^^^^^^ + +In order to allow all commands except for removing and stopping containers, the +following variable can be used: + +| +| command="CONTAINER_COMMANDS_DISABLE='remove stop' \\ +| /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\\ +| no-agent-forwarding,no-pty ssh-ed25519 [...] + +Example (whitelisting) +^^^^^^^^^^^^^^^^^^^^^^ + +The other way around works too. To disallow all commands except for listing +containers and showing the compute-tools version, the following variable can be +used: + +| +| command="CONTAINER_COMMANDS_ENABLE='list version' \\ +| /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\\ +| no-agent-forwarding,no-pty ssh-ed25519 [...] + +Commands +======== + +All container commands are available, see container(1). Additionally, the +following commands are specific to container-shell: + +about: + Shows introduction (manpage). + +help: + Shows available commands within the container-shell. + +help COMMAND: + Shows help (manpage) for a specific container command. + +logout, exit: + Exits container-shell. + +See also +======== + +| compute-tools(7), +| container(1). + +Homepage +======== + +More information about compute-tools and the Open Infrastructure project can be +found on the homepage (https://open-infrastructure.net). + +Contact +======= + +Bug reports, feature requests, help, patches, support and everything else are +welcome on the Open Infrastructure Software Mailing List +<software@lists.open-infrastructure.net>. + +Debian specific bugs can also be reported in the Debian Bug Tracking System +(https://bugs.debian.org). + +Authors +======= + +compute-tools were written by Daniel Baumann +<daniel.baumann@open-infrastructure.net> and others. |