Provided by: open-infrastructure-container-tools_20180218-2_all


       container-shell - Manage systemd-nspawn containers (shell)




       container-tools provides the system integration for managing containers using


       All container commands are available, see container(1). Additionally, the following
       commands are specific to container-shell:

           shows introduction (manpage).

           shows available commands within the container-shell.

       help COMMAND:
           shows help (manpage) for a specific container command.

       logout, exit:
           exits container-shell.


       Although the container-shell can be started from a running system like any other program,
       the main intent is to use the container-shell via SSH. That way, otherwise unprivileged
       users have the possibility to manage containers without needing a regular shell login on
       the container server.

       For usage over SSH, an unprivileged user should be created:

           sudo adduser --gecos "container-tools,,," \
                 --home /var/lib/container-tools/container-shell \
                 --shell /usr/bin/container-shell

       The container-shell can then be allowed for specific SSH keys via
       /var/lib/container-tools/container-shell/.ssh/authorized_keys like so:

           command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...]


       By default, the container-shell allows any user that has access to it to use all
       available container commands.

       Through two corresponding environment variables, users can be allowed or disallowed to
       use specific container commands. In connection with SSH, this makes it possible to grant
       certain SSH keys (and by that, users) privileges to operate container servers without
       having to give them root access or a login shell at all, and prevents them from doing
       things they are not trusted to do.

       Example (blacklisting): In order to allow all commands except for removing and stopping
       containers, the following variable can be used:

           command="CONTAINER_COMMANDS_DISABLE='remove stop' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...]

       Example (whitelisting): The other way around works too. To disallow all commands except
       for listing containers and showing the container-tools version, the following variable can
       be used:

           command="CONTAINER_COMMANDS_ENABLE='list version' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...]
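
       An added example, not part of container-tools: a shell audit for the authorized_keys
       entries described above. It checks that each key is pinned to the forced command and
       carries the four restricting options, and reports which CONTAINER_COMMANDS_ENABLE or
       CONTAINER_COMMANDS_DISABLE policy applies. The function names are hypothetical, and the
       parsing assumes the quoting style used in the examples above.

```shell
#!/bin/sh
# Added example, not part of container-tools: audit authorized_keys entries
# that are meant to be confined to container-shell.
SHELL_PATH=/usr/bin/container-shell    # forced command used in the manpage

# audit_line LINE: print findings for one key line, return 1 on any FAIL.
audit_line() {
    line=$1 rc=0 found=
    # Text inside command="..." (assumes no escaped double quotes in it).
    cmd=$(printf '%s\n' "$line" |
        sed -n 's/^\([^" ]*,\)\{0,1\}command="\([^"]*\)".*/\2/p')
    case $cmd in
        "$SHELL_PATH"|*" $SHELL_PATH") ;;
        *) echo "FAIL: no forced command ending in $SHELL_PATH"; rc=1 ;;
    esac
    # Options field with quoted values stripped, cut at the first blank.
    opts=$(printf '%s\n' "$line" | sed 's/"[^"]*"//g; s/[[:space:]].*//')
    for o in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
        case ",$opts," in
            *",$o,"*|*",restrict,"*) ;;   # OpenSSH "restrict" implies all four
            *) echo "FAIL: option $o missing"; rc=1 ;;
        esac
    done
    # Report the policy variables (assumes single-quoted values, as above).
    for v in ENABLE DISABLE; do
        list=$(printf '%s\n' "$cmd" |
            sed -n "s/.*CONTAINER_COMMANDS_$v='\([^']*\)'.*/\1/p")
        if [ -n "$list" ]; then
            echo "INFO: CONTAINER_COMMANDS_$v: $list"; found=1
        fi
    done
    [ -n "$found" ] || echo "WARN: no restriction, all container commands allowed"
    return $rc
}

# audit_file FILE: audit every key line, prefix findings with the line number.
audit_file() {
    status=0 n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        case $l in ''|'#'*) continue ;; esac
        out=$(audit_line "$l") || status=1
        printf '%s\n' "$out" | sed "s/^/line $n: /"
    done < "$1"
    return $status
}

if [ -f "${1:-}" ]; then audit_file "$1"; fi
```

       Run it as root against /var/lib/container-tools/container-shell/.ssh/authorized_keys; a
       non-zero exit status means at least one key is not confined as described.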


       machinectl(1), systemd-nspawn(1).


       More information about container-tools and the Open Infrastructure project can be found on
       the homepage at


       Bug reports, feature requests, help, patches, support and everything else are welcome on
       the Open Infrastructure Software Mailing List.

       Debian specific bugs can also be reported in the Debian Bug Tracking System at


       container-tools was written by Daniel Baumann.