github.com/containers/podman/v5@v5.1.0-rc1/docs/source/markdown/podmansh.1.md

% podmansh 1

## NAME
podmansh - Execute login shell within the Podman `podmansh` container

## SYNOPSIS
**podmansh**

## DESCRIPTION

Execute a user shell within a container when the user logs into the system. The container that the user's shell runs in is defined via a Podman Quadlet file. The user only has access to the volumes and capabilities configured in that Quadlet file.

Administrators can create a Quadlet in /etc/containers/systemd/users, which systemd will start for all users when they log in. The administrator can create a specific Quadlet with the container name `podmansh`, then enable users to use the login shell /usr/bin/podmansh. These user login shells are automatically executed inside the `podmansh` container via Podman.

Optionally, the administrator can place Quadlet files in the /etc/containers/systemd/users/${UID} directory for a single user. Only that UID will execute these Quadlet services when the user logs in.

The user is confined to the container environment by all of Podman's security mechanisms, including SELinux. The only host information available to the user is whatever is exposed through volumes mounted into the container.

Systemd will automatically create the container when the user session is started, and will take down the container when all connections to the user session are removed. This means users can log in to the system multiple times, with each session connected to the same container.

Administrators can use volumes to expose specific host data to the user without exposing other parts of the system.

The timeout for podmansh can be set using the `podmansh_timeout` option in containers.conf.

## Setup
While running as root, create the user with useradd, specifying /usr/bin/podmansh as the login shell.

```
# useradd -s /usr/bin/podmansh lockedu
# grep lockedu /etc/passwd
lockedu:x:4008:4008::/home/lockedu:/usr/bin/podmansh
```

Create a Podman Quadlet file that looks something like one of the following.

Fully locked down container, no access to host OS.

```
# USERID=$(id -u lockedu)
# mkdir -p /etc/containers/systemd/users/${USERID}
# cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
[Unit]
Description=The podmansh container
After=local-fs.target

[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
DropCapability=all
NoNewPrivileges=true

Exec=sleep infinity

[Install]
RequiredBy=default.target
_EOF
```

Alternatively, while running as root, create a Quadlet where the user is allowed to become root within the user namespace. The user can also persistently read and write content in their home directory, which is volume-mounted from the host user's account rather than living inside the container.

```
# useradd -s /usr/bin/podmansh confinedu
# grep confinedu /etc/passwd
confinedu:x:4009:4009::/home/confinedu:/usr/bin/podmansh
# USERID=$(id -u confinedu)
# mkdir -p /etc/containers/systemd/users/${USERID}
# cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
[Unit]
Description=The podmansh container
After=local-fs.target

[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes

Volume=%h/data:%h:Z
Exec=sleep infinity

[Service]
ExecStartPre=/usr/bin/mkdir -p %h/data

[Install]
RequiredBy=default.target
_EOF
```

As another example, while running as root, create a Quadlet where the user inside the container is allowed to run containers with SELinux separation and can read and write content in the $HOME/data directory.

```
# useradd -s /usr/bin/podmansh fullu
# grep fullu /etc/passwd
fullu:x:4010:4010::/home/fullu:/usr/bin/podmansh
# USERID=$(id -u fullu)
# mkdir -p /etc/containers/systemd/users/${USERID}
# cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
[Unit]
Description=The podmansh container
After=local-fs.target

[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
PodmanArgs=--security-opt=unmask=/sys/fs/selinux \
	--security-opt=label=nested \
	--security-opt=label=user:container_user_u \
	--security-opt=label=type:container_user_t \
	--security-opt=label=role:container_user_r \
	--security-opt=label=level:s0-s0:c0.c1023

Volume=%h/data:%h:Z
WorkingDir=%h
Volume=/sys/fs/selinux:/sys/fs/selinux
Exec=sleep infinity

[Service]
ExecStartPre=/usr/bin/mkdir -p %h/data

[Install]
RequiredBy=default.target
_EOF
```
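
The script below is an added example, not part of the Podman documentation or project: it parses a Quadlet unit with awk and checks that a `podmansh.container` carries the settings of the fully locked-down example above, and lists every `Volume=` line, since volumes are the only channel through which host data reaches the confined user. The `quadlet_get` and `audit_podmansh_quadlet` helpers and the sample unit they run against are constructed here.

```shell
#!/bin/sh
# Constructed sample modelled on the locked-down Quadlet above (not a file
# from the Podman project); one Volume= line is added to show the reporting.
sample_quadlet() {
    cat <<'EOF'
[Unit]
Description=The podmansh container

[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
DropCapability=all
NoNewPrivileges=true
Volume=%h/data:%h:Z
Exec=sleep infinity

[Install]
RequiredBy=default.target
EOF
}

# quadlet_get FILE SECTION KEY: print every value of KEY inside [SECTION].
quadlet_get() {
    awk -v sec="$2" -v key="$3" '
        /^\[.*\]$/ { insec = ($0 == "[" sec "]"); next }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2) }
    ' "$1"
}

# audit_podmansh_quadlet FILE: return 0 when the unit carries the hardening
# of the locked-down example; otherwise name each missing setting and return 1.
# Volume= lines are always listed because they are the only way host data
# becomes visible to the user confined in the container.
audit_podmansh_quadlet() {
    f=$1; rc=0
    [ "$(quadlet_get "$f" Container ContainerName)" = podmansh ] || { echo "ContainerName must be podmansh"; rc=1; }
    [ "$(quadlet_get "$f" Container DropCapability)" = all ]    || { echo "missing DropCapability=all"; rc=1; }
    [ "$(quadlet_get "$f" Container NoNewPrivileges)" = true ]  || { echo "missing NoNewPrivileges=true"; rc=1; }
    [ "$(quadlet_get "$f" Container RemapUsers)" = keep-id ]    || { echo "missing RemapUsers=keep-id"; rc=1; }
    quadlet_get "$f" Container Volume | sed 's/^/host volume exposed: /'
    return "$rc"
}

# Usage demo on the constructed sample.
demo=$(mktemp); sample_quadlet > "$demo"
audit_podmansh_quadlet "$demo" && echo "locked down: $demo"
rm -f "$demo"
```

Point `audit_podmansh_quadlet` at /etc/containers/systemd/users/${UID}/podmansh.container to check a deployed unit; a unit that omits any of the four settings is reported and the function returns 1.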

## SEE ALSO
**[containers.conf(5)](containers.conf.5.md)**, **[podman(1)](podman.1.md)**, **[podman-exec(1)](podman-exec.1.md)**, **quadlet(5)**

## HISTORY
May 2023, Originally compiled by Dan Walsh <dwalsh@redhat.com>