diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2017-06-29 09:14:46 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2017-06-29 09:20:38 +0000 |
commit | 13f1aa11bd770faf8e66a72a7ac34fc1f7e2305a (patch) | |
tree | 1cdf704c14e208bc35e4ea25569ff14086ae4ed7 /share/man/container-shell.1.txt | |
parent | Adding upstream version 20170522. (diff) | |
download | open-infrastructure-compute-tools-13f1aa11bd770faf8e66a72a7ac34fc1f7e2305a.tar.xz open-infrastructure-compute-tools-13f1aa11bd770faf8e66a72a7ac34fc1f7e2305a.zip |
Adding upstream version 20170629.upstream/20170629
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'share/man/container-shell.1.txt')
-rw-r--r-- | share/man/container-shell.1.txt | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/share/man/container-shell.1.txt b/share/man/container-shell.1.txt index 6d792b8..760e0c5 100644 --- a/share/man/container-shell.1.txt +++ b/share/man/container-shell.1.txt @@ -53,6 +53,39 @@ All container commands are available, see container(1). Additionally, the follow *logout*, *exit:*:: exits container-shell. +USAGE +----- +Although the container-shell can be started from a running system like any other program, the main intend is to use the +container-shell via SSH. That way otherwise unprivileged users have possibility to manage containers without +needing a regular shell login on the container server. + +For usage over SSH a unprivileged user should be created: + + sudo adduser --gecos "container-tools,,," \ + --home /var/lib/container-tools/container-shell \ + --shell /usr/bin/container-shell + +The container-shell can then be allowed for specific SSH keys via /var/ib/container-tools/container-shell/.ssh/authorized_keys like so: + + command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...] + + +RESTRICTED SHELL +---------------- +The container-shell by default grants any user that has access to it to use all available container commands. + +Through two corresponding environment variables users can be allowed or disallowed to use specific container commands. +In connection with SSH this makes it possible to grant certain SSH keys (and by that, users) privileges to operate container +servers without having to give them root access, a login shell at all and prevents them from doing things they are not trusted to do. + +Example (blacklisting): In order to allow all commands except for removing and stopping containers, the following variable can be used: + + command="CONTAINER_COMMANDS_DISABLE='remove stop' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...] + +Example (whitelisting): The other way around works too. To disallow all commands except for listing containers and showing the container-tools version, the following variable can be used: + + command="CONTAINER_COMMANDS_ENABLE='list version' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...] + SEE ALSO -------- |