diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2021-07-25 06:01:23 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2021-07-25 06:01:23 +0000 |
commit | 7fe748eb374e1529c5e65143da4940d56af14696 (patch) | |
tree | 3b2b6a32daf4049f02b7c959b6fe0054560995be /share/man/container-shell.1.txt | |
parent | Releasing debian version 20210724-1. (diff) | |
download | open-infrastructure-compute-tools-7fe748eb374e1529c5e65143da4940d56af14696.tar.xz open-infrastructure-compute-tools-7fe748eb374e1529c5e65143da4940d56af14696.zip |
Merging upstream version 20210725.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'share/man/container-shell.1.txt')
-rw-r--r-- | share/man/container-shell.1.txt | 112 |
1 files changed, 0 insertions, 112 deletions
diff --git a/share/man/container-shell.1.txt b/share/man/container-shell.1.txt deleted file mode 100644 index ce5c13c..0000000 --- a/share/man/container-shell.1.txt +++ /dev/null @@ -1,112 +0,0 @@ -// Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net> -// -// SPDX-License-Identifier: GPL-3.0+ -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation, either version 3 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License -// along with this program. If not, see <https://www.gnu.org/licenses/>. - -CONTAINER(1) -============ -:doctype: manpage -:man manual: Open Infrastructure -:man source: compute-tools -:man version: {revnumber} - - -NAME ----- -container-shell - Manage systemd-nspawn containers (shell) - - -SYNOPSIS --------- -*container-shell* - - -DESCRIPTION ------------ -compute-tools provides the system integration for managing containers using systemd-nspawn. - - -COMMANDS --------- -All container commands are available, see container(1). Additionally, the following commands are specific to container-shell: - -*about:*:: - shows introduction (manpage). - -*help:*:: - shows available commands within the container-shell. - -*help COMMAND:*:: - shows help (manpage) for a specific container command. - -*logout*, *exit:*:: - exits container-shell. - -USAGE ------ -Although the container-shell can be started from a running system like any other program, the main intend is to use the -container-shell via SSH. That way otherwise unprivileged users have possibility to manage containers without -needing a regular shell login on the container server. - -For usage over SSH a unprivileged user should be created: - - sudo adduser --gecos "compute-tools,,," \ - --home /var/lib/open-infrastructure/container-shell \ - --shell /usr/bin/container-shell - -The container-shell can then be allowed for specific SSH keys via /var/lib/open-infrastructure/container-shell/.ssh/authorized_keys like so: - - command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 [...] - - -RESTRICTED SHELL ----------------- -The container-shell by default grants any user that has access to it to use all available container commands. - -Through two corresponding environment variables users can be allowed or disallowed to use specific container commands. -In connection with SSH this makes it possible to grant certain SSH keys (and by that, users) privileges to operate container -servers without having to give them root access, a login shell at all and prevents them from doing things they are not trusted to do. - -Example (blacklisting): In order to allow all commands except for removing and stopping containers, the following variable can be used: - - command="CONTAINER_COMMANDS_DISABLE='remove stop' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...] - -Example (whitelisting): The other way around works too. To disallow all commands except for listing containers and showing the compute-tools version, the following variable can be used: - - command="CONTAINER_COMMANDS_ENABLE='list version' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...] - - -SEE ALSO --------- -machinectl(1), -systemd-nspawn(1). - - -HOMEPAGE --------- -More information about compute-tools and the Open Infrastructure project can be found on the homepage at https://open-infrastructure.net. - - -CONTACT -------- -Bug reports, feature requests, help, patches, support and everything else -are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>. - -Debian specific bugs can also be reported in the Debian Bug Tracking System at https://bugs.debian.org. - - -AUTHORS -------- -compute-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others. |