-rw-r--r--share/man/container-shell.1.rst141
1 files changed, 141 insertions, 0 deletions
diff --git a/share/man/container-shell.1.rst b/share/man/container-shell.1.rst
new file mode 100644
index 0000000..b838344
--- /dev/null
+++ b/share/man/container-shell.1.rst
@@ -0,0 +1,141 @@
+.. Open Infrastructure: compute-tools
+
+.. Copyright (C) 2014-2021 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===============
+container-shell
+===============
+
+----------------------------------------
+Manage systemd-nspawn containers (shell)
+----------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **container-shell** ['OPTIONS']
+| **cntsh** ['OPTIONS']
+
+Description
+===========
+
+compute-tools provides the system integration for managing containers using
+systemd-nspawn.
+
+Usage
+-----
+
+Although the **container-shell** can be started from a running system like any
+other program, the main intend is to use the **container-shell** via SSH. That
+way otherwise unprivileged users have possibility to manage containers without
+needing a regular shell login on the container server.
+
+For usage over SSH a unprivileged user should be created:
+
+|
+| sudo adduser --gecos "compute-tools,,," \\
+| --home /var/lib/open-infrastructure/container-shell \\
+| --shell /usr/bin/container-shell
+
+The container-shell can then be allowed for specific SSH keys via
+/var/lib/compute-tools/container-shell/.ssh/authorized_keys like so:
+
+|
+| command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\\
+| no-agent-forwarding,no-pty ssh-ed25519 [...]
+
+Restricted shell
+----------------
+
+The container-shell by default grants any user that has access to it to use all available container commands.
+
+Through two corresponding environment variables users can be allowed or disallowed to use specific container commands.
+In connection with SSH this makes it possible to grant certain SSH keys (and by that, users) privileges to operate container
+servers without having to give them root access, a login shell at all and prevents them from doing things they are not trusted to do.
+
+Example (blacklisting)
+^^^^^^^^^^^^^^^^^^^^^^
+
+In order to allow all commands except for removing and stopping containers, the
+following variable can be used:
+
+|
+| command="CONTAINER_COMMANDS_DISABLE='remove stop' \\
+| /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\\
+| no-agent-forwarding,no-pty ssh-rsa [...]
+
+Example (whitelisting)
+^^^^^^^^^^^^^^^^^^^^^^
+
+The other way around works too. To disallow all commands except for listing
+containers and showing the compute-tools version, the following variable can be
+used:
+
+|
+| command="CONTAINER_COMMANDS_ENABLE='list version' \\
+| /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\\
+| no-agent-forwarding,no-pty ssh-rsa [...]
+
+Commands
+========
+
+All container commands are available, see container(1). Additionally, the
+following commands are specific to container-shell:
+
+about:
+ Shows introduction (manpage).
+
+help:
+ Shows available commands within the container-shell.
+
+help COMMAND:
+ Shows help (manpage) for a specific container command.
+
+logout, exit:
+ Exits container-shell.
+
+See also
+========
+
+| compute-tools(7),
+| container(1).
+
+Homepage
+========
+
+More information about compute-tools and the Open Infrastructure project can be
+found on the homepage at https://open-infrastructure.net.
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+compute-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.