Provided by: open-infrastructure-compute-tools_20221223-3_all

NAME

       container-shell - Manage systemd-nspawn containers (shell)

SYNOPSIS

       container-shell ['OPTIONS']
       cntsh ['OPTIONS']

DESCRIPTION

       compute-tools provides the system integration for managing containers using systemd-nspawn.

   Usage
       Although the container-shell can be started from a running system like any other program, the main intent
       is to use the container-shell via SSH. That way otherwise unprivileged users have the possibility to manage
       containers without needing a regular shell login on the container server.

       For usage over SSH an unprivileged user should be created:

         sudo adduser --gecos "compute-tools,,," \
           --home /var/lib/open-infrastructure/container-shell \
           --shell /usr/bin/container-shell

       The container-shell can then be allowed for specific SSH keys via
       /var/lib/compute-tools/container-shell/.ssh/authorized_keys like so:

         command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\
           no-agent-forwarding,no-pty ssh-ed25519 [...]

   Restricted shell
       The container-shell by default allows any user that has access to it to use all available container
       commands.

       Through two corresponding environment variables, users can be allowed or disallowed to use specific
       container commands. In connection with SSH this makes it possible to grant certain SSH keys (and by
       that, users) the privilege to operate container servers without having to give them root access or a
       login shell at all, and prevents them from doing things they are not trusted to do.

   Example (blacklisting)
       In order to allow all commands except for removing and stopping containers, the following variable can be
       used:

         command="CONTAINER_COMMANDS_DISABLE='remove stop' \
           /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\
           no-agent-forwarding,no-pty ssh-ed25519 [...]

   Example (whitelisting)
       The other way around works too. To disallow all commands except for listing containers and showing the
       compute-tools version, the following variable can be used:

         command="CONTAINER_COMMANDS_ENABLE='list version' \
           /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\
           no-agent-forwarding,no-pty ssh-ed25519 [...]
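       The following POSIX shell script is an added example and is not part of compute-tools or this manpage.
       It audits authorized_keys entries for the container-shell account in the shape shown above: every key
       should carry a forced command pointing at /usr/bin/container-shell plus the no-port-forwarding,
       no-X11-forwarding, no-agent-forwarding and no-pty restrictions, and the script reads back which
       CONTAINER_COMMANDS_ENABLE or CONTAINER_COMMANDS_DISABLE policy a key was given. The key lines are
       constructed samples with placeholder key material; the options parsing (everything before the key
       type is treated as the options field) and the allow/deny semantics modelled in command_allowed (an
       enable list admits only the listed commands, a disable list admits everything else, and no variable
       admits all) are this example's own assumptions, not a description of how container-shell itself
       evaluates the variables.

```shell
#!/bin/sh
# Audit authorized_keys entries for a container-shell account (added example, not compute-tools code).

# Constructed sample authorized_keys content; key blobs are placeholders, not real keys.
sample_keys() {
	cat <<'EOF'
command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAexample1 ops@example
command="CONTAINER_COMMANDS_DISABLE='remove stop' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAexample2 junior@example
command="CONTAINER_COMMANDS_ENABLE='list version' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAexample3 monitor@example
ssh-ed25519 AAAAexample4 no-options@example
command="/usr/bin/container-shell" ssh-ed25519 AAAAexample5 forwarding-allowed@example
EOF
}

# Return the options field of one authorized_keys line (assumption: key type is ssh-* or ecdsa-*).
key_options() {
	o=$1
	case "$o" in
		ssh-*|ecdsa-*) return 0 ;;   # no options field at all
	esac
	o=${o%% ssh-*}
	o=${o%% ecdsa-*}
	printf '%s' "$o"
}

# Print "ok" or "missing:" followed by every restriction the line lacks.
audit_key_line() {
	opts=$(key_options "$1")
	missing=""
	case "$opts" in
		*command=\"*/usr/bin/container-shell\"*) ;;
		*) missing="$missing forced-command" ;;
	esac
	for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
		case ",$opts," in
			*,"$opt",*) ;;
			*) missing="$missing $opt" ;;
		esac
	done
	if [ -z "$missing" ]; then
		printf 'ok\n'
	else
		printf 'missing:%s\n' "$missing"
	fi
}

# Extract the command policy given in the forced command: "all", "enable:<list>" or "disable:<list>".
key_policy() {
	opts=$(key_options "$1")
	q="'"
	case "$opts" in
		*CONTAINER_COMMANDS_ENABLE=$q*)
			p=${opts#*CONTAINER_COMMANDS_ENABLE=$q}
			printf 'enable:%s\n' "${p%%$q*}" ;;
		*CONTAINER_COMMANDS_DISABLE=$q*)
			p=${opts#*CONTAINER_COMMANDS_DISABLE=$q}
			printf 'disable:%s\n' "${p%%$q*}" ;;
		*) printf 'all\n' ;;
	esac
}

# Model the allow/deny decision for a command under a policy (assumed semantics, see lead-in).
command_allowed() {
	policy=$1
	cmd=$2
	case "$policy" in
		all) return 0 ;;
		enable:*)
			for c in ${policy#enable:}; do [ "$c" = "$cmd" ] && return 0; done
			return 1 ;;
		disable:*)
			for c in ${policy#disable:}; do [ "$c" = "$cmd" ] && return 1; done
			return 0 ;;
	esac
	return 1
}

# Count sample keys that lack the forced command or any restriction option.
insecure_key_count() {
	n=0
	while IFS= read -r line; do
		[ -z "$line" ] && continue
		case "$(audit_key_line "$line")" in
			ok) ;;
			*) n=$((n + 1)) ;;
		esac
	done <<EOF
$(sample_keys)
EOF
	printf '%s\n' "$n"
}

# Human-readable report over the sample, one line per key.
audit_report() {
	while IFS= read -r line; do
		[ -z "$line" ] && continue
		printf '%s | policy=%s | %s\n' "${line##* }" "$(key_policy "$line")" "$(audit_key_line "$line")"
	done <<EOF
$(sample_keys)
EOF
}

audit_report
```

       Run against a real file by replacing sample_keys with cat of the account's authorized_keys; any line
       reported as missing a restriction gives that key more than the restricted shell intends (a bare key with
       no forced command still lands in container-shell via the login shell, but keeps port, agent and X11
       forwarding).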

COMMANDS

       All container commands are available, see container(1). Additionally, the following commands are specific
       to container-shell:

       about: Shows introduction (manpage).

       help:  Shows available commands within the container-shell.

       help COMMAND:
              Shows help (manpage) for a specific container command.

       logout, exit:
              Exits container-shell.

SEE ALSO

       compute-tools(7),
       container(1).

HOMEPAGE

       More information about compute-tools and the Open Infrastructure project can be found on the homepage
       (https://open-infrastructure.net).

CONTACT

       Bug reports, feature requests, help, patches, support and everything else are welcome on the Open
       Infrastructure Software Mailing List <software@lists.open-infrastructure.net>.

       Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org).

AUTHORS

       compute-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others.

Open Infrastructure                               compute-tools                               CONTAINER-SHELL(1)