author: Daniel Baumann <daniel.baumann@progress-linux.org> 2022-06-04 05:23:14 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2022-06-04 05:23:14 +0000
commit: dceff5dd1d47962fa716c2d212aa65099e4f5669
tree: 5f9569a8f9238bb05b105e46300a6b423d4f8b35 /share/man/container-shell.1
parent: Releasing debian version 20220522-1.
Merging upstream version 20220604.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'share/man/container-shell.1')
-rw-r--r-- share/man/container-shell.1 171
1 files changed, 171 insertions, 0 deletions
diff --git a/share/man/container-shell.1 b/share/man/container-shell.1
new file mode 100644
index 0000000..926d837
--- /dev/null
+++ b/share/man/container-shell.1
@@ -0,0 +1,171 @@
+.\" Open Infrastructure: compute-tools
+.\"
+.\" Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+.\"
+.\" SPDX-License-Identifier: GPL-3.0+
+.\"
+.\" This program is free software: you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <https://www.gnu.org/licenses/>.
+.\"
+.
+.TH CONTAINER-SHELL 1 compute-tools "Open Infrastructure"
+.SH NAME
+container-shell \- Manage systemd-nspawn containers (shell)
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.nf
+\fBcontainer\-shell\fP [\(aqOPTIONS\(aq]
+\fBcntsh\fP [\(aqOPTIONS\(aq]
+.fi
+.sp
+.SH DESCRIPTION
+.sp
+compute\-tools provides the system integration for managing containers using
+systemd\-nspawn.
+.SS Usage
+.sp
+Although the \fBcontainer\-shell\fP can be started from a running system like any
+other program, the main intend is to use the \fBcontainer\-shell\fP via SSH. That
+way otherwise unprivileged users have possibility to manage containers without
+needing a regular shell login on the container server.
+.sp
+For usage over SSH a unprivileged user should be created:
+.nf
+
+.in +2
+sudo adduser \-\-gecos "compute\-tools,,," \e
+.in +2
+\-\-home /var/lib/open\-infrastructure/container\-shell \e
+\-\-shell /usr/bin/container\-shell
+.in -2
+.in -2
+.fi
+.sp
+.sp
+The container\-shell can then be allowed for specific SSH keys via
+/var/lib/compute\-tools/container\-shell/.ssh/authorized_keys like so:
+.nf
+
+.in +2
+command="/usr/bin/container\-shell",no\-port\-forwarding,no\-X11\-forwarding,\e
+.in +2
+no\-agent\-forwarding,no\-pty ssh\-ed25519 [...]
+.in -2
+.in -2
+.fi
+.sp
+.SS Restricted shell
+.sp
+The container\-shell by default grants any user that has access to it to use all available container commands.
+.sp
+Through two corresponding environment variables users can be allowed or disallowed to use specific container commands.
+In connection with SSH this makes it possible to grant certain SSH keys (and by that, users) privileges to operate container
+servers without having to give them root access, a login shell at all and prevents them from doing things they are not trusted to do.
+.SS Example (blacklisting)
+.sp
+In order to allow all commands except for removing and stopping containers, the
+following variable can be used:
+.nf
+
+.in +2
+command="CONTAINER_COMMANDS_DISABLE=\(aqremove stop\(aq \e
+.in +2
+/usr/bin/container\-shell",no\-port\-forwarding,no\-X11\-forwarding,\e
+no\-agent\-forwarding,no\-pty ssh\-ed25519 [...]
+.in -2
+.in -2
+.fi
+.sp
+.SS Example (whitelisting)
+.sp
+The other way around works too. To disallow all commands except for listing
+containers and showing the compute\-tools version, the following variable can be
+used:
+.nf
+
+.in +2
+command="CONTAINER_COMMANDS_ENABLE=\(aqlist version\(aq \e
+.in +2
+/usr/bin/container\-shell",no\-port\-forwarding,no\-X11\-forwarding,\e
+no\-agent\-forwarding,no\-pty ssh\-ed25519 [...]
+.in -2
+.in -2
+.fi
+.sp
+.SH COMMANDS
+.sp
+All container commands are available, see container(1). Additionally, the
+following commands are specific to container\-shell:
+.INDENT 0.0
+.TP
+.B about:
+Shows introduction (manpage).
+.TP
+.B help:
+Shows available commands within the container\-shell.
+.TP
+.B help COMMAND:
+Shows help (manpage) for a specific container command.
+.TP
+.B logout, exit:
+Exits container\-shell.
+.UNINDENT
+.SH SEE ALSO
+.nf
+compute\-tools(7),
+container(1).
+.fi
+.sp
+.SH HOMEPAGE
+.sp
+More information about compute\-tools and the Open Infrastructure project can be
+found on the homepage (\fI\%https://open\-infrastructure.net\fP).
+.SH CONTACT
+.sp
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<\fI\%software@lists.open\-infrastructure.net\fP>.
+.sp
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(\fI\%https://bugs.debian.org\fP).
+.SH AUTHORS
+.sp
+compute\-tools were written by Daniel Baumann
+<\fI\%daniel.baumann@open\-infrastructure.net\fP> and others.
+.
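Review bot: the two paths in the Usage section disagree. The adduser example sets --home /var/lib/open\-infrastructure/container\-shell, but the next paragraph tells the reader to put keys in /var/lib/compute\-tools/container\-shell/.ssh/authorized_keys. With sshd's default key file location under the account's home directory, a reader who follows both ends up with an authorized_keys file that is never consulted, or is tempted to loosen the sshd configuration to make it work. Use one path in both places. The same adduser example also ends after --shell /usr/bin/container\-shell with no user name, so it cannot be run as written. In the Restricted shell section, the sentence "by default grants any user that has access to it to use all available container commands" means a key line without either variable has full control, and the blacklisting example leaves every command it does not name enabled; it would help to say that CONTAINER_COMMANDS_ENABLE is the safer form for limited keys and to state what happens when both variables are set. Since the account's login shell is itself /usr/bin/container\-shell, the page should also say what interprets the VAR=\(aq...\(aq prefix inside command="...", because the restriction depends on that assignment actually reaching the program. Minor wording: "main intend" should be "main intent", "a unprivileged" should be "an unprivileged", and "have possibility" should be "have the possibility".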