NAME

       podmansh - Execute login shell within the Podman podmansh container

SYNOPSIS

       podmansh

DESCRIPTION

       Execute  a user shell within a container when the user logs into the system. The container
       that the users get added to can be defined via a Podman Quadlet file. This user  only  has
       access to volumes and capabilities configured into the Quadlet file.

       Administrators  can  create a Quadlet in /etc/containers/systemd/users, which systemd will
       start for all users when they log in. The administrator can create a specific Quadlet with
       the  container  name podmansh, then enable users to use the login shell /usr/bin/podmansh.
       These user login shells are automatically executed  inside   the  podmansh  container  via
       Podman.

       Optionally,     the     administrator     can     place     Quadlet     files    in    the
       /etc/containers/systemd/users/${UID} directory for a user.  Only  this  UID  will  execute
       these Quadlet services when that user logs in.

       The  user  is  confined  to  the container environment via all of the security mechanisms,
       including SELinux. The only information that will be available from the system comes  from
       volumes leaked into the container.

       Systemd  will automatically create the container when the user session is started. Systemd
       will take down the container when all connections to the user session  are  removed.  This
       means  users  can  log in to the system multiple times, with each session connected to the
       same container.

       Administrators can use volumes to expose specific host data from the host  system  to  the
       user, without the user being exposed to other parts of the system.

       Timeout for podmansh can be set using the podmansh_timeout option in containers.conf.

Setup

       Create user login session using useradd while running as root.

       # useradd -s /usr/bin/podmansh lockedu
       # grep lockedu /etc/passwd
       lockedu:x:4008:4008::/home/lockedu:/usr/bin/podmansh

       Create a Podman Quadlet file that looks something like one of the following.

       Fully locked down container, no access to host OS.

       # USERID=$(id -u lockedu)
       # mkdir -p /etc/containers/systemd/users/${USERID}
       # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
       [Unit]
       Description=The podmansh container
       After=local-fs.target

       [Container]
       Image=registry.fedoraproject.org/fedora
       ContainerName=podmansh
       RemapUsers=keep-id
       RunInit=yes
       DropCapability=all
       NoNewPrivileges=true

       Exec=sleep infinity

       [Install]
       RequiredBy=default.target
       _EOF

       Alternatively, while running as root, create a Quadlet where the user is allowed to become
       root within the user namespace. They can also permanently read/write  content  from  their
       home  directory  which is volume mounted from the actual host's users account, rather than
       being inside of the container.

       # useradd -s /usr/bin/podmansh confinedu
       # grep confinedu /etc/passwd
       confinedu:x:4009:4009::/home/confinedu:/usr/bin/podmansh
       # USERID=$(id -u confinedu)
       # mkdir -p /etc/containers/systemd/users/${USERID}
       # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
       [Unit]
       Description=The podmansh container
       After=local-fs.target

       [Container]
       Image=registry.fedoraproject.org/fedora
       ContainerName=podmansh
       RemapUsers=keep-id
       RunInit=yes

       Volume=%h/data:%h:Z
       Exec=sleep infinity

       [Service]
       ExecStartPre=/usr/bin/mkdir -p %h/data

       [Install]
       RequiredBy=default.target
       _EOF

       Another example, while running as root, create a  Quadlet  where  the  users  inside  this
       container  are  allowed to execute containers with SELinux separation and able to read and
       write content in the $HOME/data directory.

       # useradd -s /usr/bin/podmansh fullu
       # grep fullu /etc/passwd
       fullu:x:4010:4010::/home/fullu:/usr/bin/podmansh
       # USERID=$(id -u fullu)
       # mkdir -p /etc/containers/systemd/users/${USERID}
       # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
       [Unit]
       Description=The podmansh container
       After=local-fs.target

       [Container]
       Image=registry.fedoraproject.org/fedora
       ContainerName=podmansh
       RemapUsers=keep-id
       RunInit=yes
       PodmanArgs=--security-opt=unmask=/sys/fs/selinux
            --security-opt=label=nested
            --security-opt=label=user:container_user_u
            --security-opt=label=type:container_user_t
            --security-opt=label=role:container_user_r
            --security-opt=label=level:s0-s0:c0.c1023

       Volume=%h/data:%h:Z
       WorkingDir=%h
       Volume=/sys/fs/selinux:/sys/fs/selinux
       Exec=sleep infinity

       [Service]
       ExecStartPre=/usr/bin/mkdir -p %h/data

       [Install]
       RequiredBy=default.target
       _EOF

SEE ALSO

       containers.conf(5) ⟨containers.conf.5.md⟩, podman(1), podman-exec(1), quadlet(5)

HISTORY

       May 2023, Originally compiled by Dan Walsh dwalsh@redhat.com ⟨mailto:dwalsh@redhat.com⟩

                                                                                      podmansh(1)