summaryrefslogtreecommitdiffstats
path: root/share/man/container-shell.1.txt
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@open-infrastructure.net>2017-06-29 06:02:41 +0000
committerDaniel Baumann <daniel.baumann@open-infrastructure.net>2017-06-29 08:46:22 +0000
commit070d0458378b0a01179a61a06cb402b9037bee81 (patch)
treeababf7080eb6588a836d9dd037c2c4442c4dda06 /share/man/container-shell.1.txt
parentAdding CONTAINER_COMMANDS_DISABLE variable for container-shell to add support... (diff)
downloadcompute-tools-070d0458378b0a01179a61a06cb402b9037bee81.tar.xz
compute-tools-070d0458378b0a01179a61a06cb402b9037bee81.zip
Documenting usage of container-shell command restrictions in container-shell manpage.
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
Diffstat (limited to '')
-rw-r--r--share/man/container-shell.1.txt33
1 files changed, 33 insertions, 0 deletions
diff --git a/share/man/container-shell.1.txt b/share/man/container-shell.1.txt
index 6d792b8..760e0c5 100644
--- a/share/man/container-shell.1.txt
+++ b/share/man/container-shell.1.txt
@@ -53,6 +53,39 @@ All container commands are available, see container(1). Additionally, the follow
*logout*, *exit:*::
exits container-shell.
+USAGE
+-----
+Although the container-shell can be started from a running system like any other program, the main intend is to use the
+container-shell via SSH. That way otherwise unprivileged users have possibility to manage containers without
+needing a regular shell login on the container server.
+
+For usage over SSH a unprivileged user should be created:
+
+ sudo adduser --gecos "container-tools,,," \
+ --home /var/lib/container-tools/container-shell \
+ --shell /usr/bin/container-shell
+
+The container-shell can then be allowed for specific SSH keys via /var/ib/container-tools/container-shell/.ssh/authorized_keys like so:
+
+ command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...]
+
+
+RESTRICTED SHELL
+----------------
+The container-shell by default grants any user that has access to it to use all available container commands.
+
+Through two corresponding environment variables users can be allowed or disallowed to use specific container commands.
+In connection with SSH this makes it possible to grant certain SSH keys (and by that, users) privileges to operate container
+servers without having to give them root access, a login shell at all and prevents them from doing things they are not trusted to do.
+
+Example (blacklisting): In order to allow all commands except for removing and stopping containers, the following variable can be used:
+
+ command="CONTAINER_COMMANDS_DISABLE='remove stop' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...]
+
+Example (whitelisting): The other way around works too. To disallow all commands except for listing containers and showing the container-tools version, the following variable can be used:
+
+ command="CONTAINER_COMMANDS_ENABLE='list version' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...]
+
SEE ALSO
--------