Provided by: open-infrastructure-compute-tools_20221223-3_all

NAME

       container-shell - Manage systemd-nspawn containers (shell)

SYNOPSIS

       container-shell ['OPTIONS']
       cntsh ['OPTIONS']

DESCRIPTION

       compute-tools   provides   the   system   integration   for   managing   containers  using
       systemd-nspawn.

   Usage
       Although the container-shell can be started from a running system like any other  program,
       the  main  intent  is  to use the container-shell via SSH. That way, otherwise unprivileged
       users have the possibility to manage containers without needing a regular shell  login  on
       the container server.

       For usage over SSH an unprivileged user should be created:

         sudo adduser --gecos "compute-tools,,," \
           --home /var/lib/open-infrastructure/container-shell \
           --shell /usr/bin/container-shell

       The    container-shell    can    then    be    allowed   for   specific   SSH   keys   via
       /var/lib/compute-tools/container-shell/.ssh/authorized_keys like so:

         command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\
           no-agent-forwarding,no-pty ssh-ed25519 [...]

   Restricted shell
       The container-shell by default allows any user that has access to it to use all  available
       container commands.

       Through  two corresponding environment variables users can be allowed or disallowed to use
       specific container commands.  In connection with SSH  this  makes  it  possible  to  grant
       certain  SSH  keys  (and  by  that, users) privileges to operate container servers without
       having to give them root access or a login shell at all, and prevents them from doing
       things they are not trusted to do.

   Example (blacklisting)
       In  order to allow all commands except for removing and stopping containers, the following
       variable can be used:

         command="CONTAINER_COMMANDS_DISABLE='remove stop' \
           /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\
           no-agent-forwarding,no-pty ssh-ed25519 [...]

   Example (whitelisting)
       The other way around works too. To disallow all commands except for listing containers and
       showing the compute-tools version, the following variable can be used:

         command="CONTAINER_COMMANDS_ENABLE='list version' \
           /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\
           no-agent-forwarding,no-pty ssh-ed25519 [...]
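
   Example (auditing authorized_keys)
       The following POSIX shell script is an added example, not part of compute-tools: it reads
       an authorized_keys file (a constructed sample written to a temporary file), reports each
       entry whose forced command is container-shell together with its CONTAINER_COMMANDS_ENABLE
       or CONTAINER_COMMANDS_DISABLE setting, and flags entries that lack the no-port-forwarding,
       no-X11-forwarding, no-agent-forwarding and no-pty options (OpenSSH's restrict option is
       accepted as equivalent). The function name and the sample file path are assumptions.

```sh
# Added example (not part of compute-tools; names are assumptions). Constructed sample key file; keys are placeholders.
SAMPLE_KEYS="${TMPDIR:-/tmp}/authorized_keys.constructed"
cat > "$SAMPLE_KEYS" <<'EOF'
# constructed sample, not a real key file
command="CONTAINER_COMMANDS_ENABLE='list version' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAconstructedkey1 operator@example
command="CONTAINER_COMMANDS_DISABLE='remove stop' /usr/bin/container-shell",no-port-forwarding ssh-ed25519 AAAAconstructedkey2 admin@example
restrict,command="/usr/bin/container-shell" ssh-ed25519 AAAAconstructedkey3 auditor@example
EOF
# Print one report line per container-shell entry; return 1 if any entry lacks
# the SSH options shown in the manpage (OpenSSH's "restrict" covers all of them).
audit_container_shell_keys() {
    file="$1"; lineno=0; weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;                 # blank line or comment
            *'command="'*container-shell*) ;;    # forced command is container-shell
            *) continue ;;                       # other keys are out of scope
        esac
        # Which command restriction, if any, is set in the forced command?
        case "$line" in
            *CONTAINER_COMMANDS_*)
                rest=${line#*CONTAINER_COMMANDS_}; kind=${rest%%=*}; val=${rest#*=}
                case "$val" in
                    "'"*) val=${val#\'}; val=${val%%\'*} ;;   # quoted value
                    *) val=${val%% *} ;;                      # bare value
                esac
                restriction="$kind='$val'" ;;
            *) restriction="none (all container commands allowed)" ;;
        esac
        missing=""
        case "$line" in
            "restrict,"*|*",restrict,"*|*",restrict "*) ;;
            *) for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
                   case "$line" in
                       *",$opt,"*|*",$opt "*) ;;
                       *) missing="$missing $opt" ;;
                   esac
               done ;;
        esac
        if [ -z "$missing" ]; then
            printf 'line %d: ok restriction=%s\n' "$lineno" "$restriction"
        else
            printf 'line %d: WEAK missing:%s restriction=%s\n' "$lineno" "$missing" "$restriction"
            weak=$((weak + 1))
        fi
    done < "$file"
    [ "$weak" -eq 0 ]
}
audit_container_shell_keys "$SAMPLE_KEYS" || echo "weak entries found (exit status $?)"
```

       Entries are reported by line number of the key file, so a WEAK line can be located and
       fixed directly; the script does not modify the file.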

COMMANDS

       All  container  commands  are  available,  see  container(1).  Additionally, the following
       commands are specific to container-shell:

       about: Shows introduction (manpage).

       help:  Shows available commands within the container-shell.

       help COMMAND:
              Shows help (manpage) for a specific container command.

       logout, exit:
              Exits container-shell.

SEE ALSO

       compute-tools(7),
       container(1).

HOMEPAGE

       More information about compute-tools and the Open Infrastructure project can be  found  on
       the homepage (https://open-infrastructure.net).

CONTACT

       Bug  reports,  feature requests, help, patches, support and everything else are welcome on
       the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>.

       Debian  specific  bugs  can  also  be  reported  in  the  Debian  Bug  Tracking  System
       (https://bugs.debian.org).

AUTHORS

       compute-tools  were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and
       others.