1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
.. Open Infrastructure: compute-tools
.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
..
.. SPDX-License-Identifier: GPL-3.0+
..
.. This program is free software: you can redistribute it and/or modify
.. it under the terms of the GNU General Public License as published by
.. the Free Software Foundation, either version 3 of the License, or
.. (at your option) any later version.
..
.. This program is distributed in the hope that it will be useful,
.. but WITHOUT ANY WARRANTY; without even the implied warranty of
.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.. GNU General Public License for more details.
..
.. You should have received a copy of the GNU General Public License
.. along with this program. If not, see <https://www.gnu.org/licenses/>.
===============
container-shell
===============
----------------------------------------
Manage systemd-nspawn containers (shell)
----------------------------------------
:manual section: 1
:manual group: Open Infrastructure
Synopsis
========
| **container-shell** ['OPTIONS']
| **cntsh** ['OPTIONS']
Description
===========
compute-tools provides the system integration for managing containers using
systemd-nspawn.
Usage
-----
Although the **container-shell** can be started from a running system like any
other program, the main intend is to use the **container-shell** via SSH. That
way otherwise unprivileged users have possibility to manage containers without
needing a regular shell login on the container server.
For usage over SSH a unprivileged user should be created:
|
| sudo adduser --gecos "compute-tools,,," \\
| --home /var/lib/open-infrastructure/container-shell \\
| --shell /usr/bin/container-shell
The container-shell can then be allowed for specific SSH keys via
/var/lib/compute-tools/container-shell/.ssh/authorized_keys like so:
|
| command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\\
| no-agent-forwarding,no-pty ssh-ed25519 [...]
Restricted shell
----------------
The container-shell by default grants any user that has access to it to use all available container commands.
Through two corresponding environment variables users can be allowed or disallowed to use specific container commands.
In connection with SSH this makes it possible to grant certain SSH keys (and by that, users) privileges to operate container
servers without having to give them root access, a login shell at all and prevents them from doing things they are not trusted to do.
Example (blacklisting)
^^^^^^^^^^^^^^^^^^^^^^
In order to allow all commands except for removing and stopping containers, the
following variable can be used:
|
| command="CONTAINER_COMMANDS_DISABLE='remove stop' \\
| /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\\
| no-agent-forwarding,no-pty ssh-ed25519 [...]
Example (whitelisting)
^^^^^^^^^^^^^^^^^^^^^^
The other way around works too. To disallow all commands except for listing
containers and showing the compute-tools version, the following variable can be
used:
|
| command="CONTAINER_COMMANDS_ENABLE='list version' \\
| /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\\
| no-agent-forwarding,no-pty ssh-ed25519 [...]
Commands
========
All container commands are available, see container(1). Additionally, the
following commands are specific to container-shell:
about:
Shows introduction (manpage).
help:
Shows available commands within the container-shell.
help COMMAND:
Shows help (manpage) for a specific container command.
logout, exit:
Exits container-shell.
See also
========
| compute-tools(7),
| container(1).
Homepage
========
More information about compute-tools and the Open Infrastructure project can be
found on the homepage (https://open-infrastructure.net).
Contact
=======
Bug reports, feature requests, help, patches, support and everything else are
welcome on the Open Infrastructure Software Mailing List
<software@lists.open-infrastructure.net>.
Debian specific bugs can also be reported in the Debian Bug Tracking System
(https://bugs.debian.org).
Authors
=======
compute-tools were written by Daniel Baumann
<daniel.baumann@open-infrastructure.net> and others.
|