
FreeBSD Manual Pages

podmansh(1)                 General Commands Manual                podmansh(1)

NAME
       podmansh - Execute login shell within the Podman podmansh container

SYNOPSIS
       podmansh

DESCRIPTION
       Execute a user shell within a container when the user logs into the
       system. The container that the user is placed in is defined by a
       Podman Quadlet file. The user has access only to the volumes and
       capabilities configured in that Quadlet file.

       Administrators can create a Quadlet in /etc/containers/systemd/users,
       which systemd will start for all users when they log in. The
       administrator creates a Quadlet whose container name is podmansh, then
       gives users the login shell /usr/bin/podmansh. Those users' login
       shells are automatically executed inside the podmansh container via
       Podman.

       Optionally, the administrator can place Quadlet files in the
       /etc/containers/systemd/users/${UID} directory for a user. Only this
       UID will execute these Quadlet services when that user logs in.

       The user is confined to the container environment by all of the
       security mechanisms Podman applies, including SELinux. The only host
       data available to the user is what the administrator mounts into the
       container as volumes.

       Systemd will automatically create the container when the user session
       is started. Systemd will take down the container when all connections
       to the user session are removed. This means users can log in to the
       system multiple times, with each session connected to the same
       container.

       Administrators can use volumes to expose specific host data from the
       host system to the user, without the user being exposed to other parts
       of the system.

       Timeout for podmansh can be set using the podmansh_timeout option in
       containers.conf.

Setup
       Create a user whose login shell is /usr/bin/podmansh using useradd
       while running as root.

       # useradd -s /usr/bin/podmansh lockedu
       # grep lockedu /etc/passwd
       lockedu:x:4008:4008::/home/lockedu:/usr/bin/podmansh

       Create a Podman Quadlet file that looks something like one of the
       following.

       Fully locked down container, no access to host OS.

       # USERID=$(id -u lockedu)
       # mkdir -p /etc/containers/systemd/users/${USERID}
       # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
       [Unit]
       Description=The podmansh container
       After=local-fs.target

       [Container]
       Image=registry.fedoraproject.org/fedora
       ContainerName=podmansh
       RemapUsers=keep-id
       RunInit=yes
       DropCapability=all
       NoNewPrivileges=true

       Exec=sleep infinity

       [Install]
       RequiredBy=default.target
       _EOF

       Alternatively, while running as root, create a Quadlet where the user
       is allowed to become root within the user namespace (capabilities are
       not dropped and NoNewPrivileges is not set). The user can also
       persistently read and write content under their home directory: the
       $HOME/data directory of the real host account is volume mounted as the
       container's home directory, rather than the home directory living
       inside the container.

       # useradd -s /usr/bin/podmansh confinedu
       # grep confinedu /etc/passwd
       confinedu:x:4009:4009::/home/confinedu:/usr/bin/podmansh
       # USERID=$(id -u confinedu)
       # mkdir -p /etc/containers/systemd/users/${USERID}
       # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
       [Unit]
       Description=The podmansh container
       After=local-fs.target

       [Container]
       Image=registry.fedoraproject.org/fedora
       ContainerName=podmansh
       RemapUsers=keep-id
       RunInit=yes

       Volume=%h/data:%h:Z
       Exec=sleep infinity

       [Service]
       ExecStartPre=/usr/bin/mkdir -p %h/data

       [Install]
       RequiredBy=default.target
       _EOF

       Another example, while running as root: create a Quadlet where the
       users inside this container are allowed to execute containers with
       SELinux separation and can read and write content in the $HOME/data
       directory.

       # useradd -s /usr/bin/podmansh fullu
       # grep fullu /etc/passwd
       fullu:x:4010:4010::/home/fullu:/usr/bin/podmansh
       # USERID=$(id -u fullu)
       # mkdir -p /etc/containers/systemd/users/${USERID}
       # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
       [Unit]
       Description=The podmansh container
       After=local-fs.target

       [Container]
       Image=registry.fedoraproject.org/fedora
       ContainerName=podmansh
       RemapUsers=keep-id
       RunInit=yes
       PodmanArgs=--security-opt=unmask=/sys/fs/selinux \
           --security-opt=label=nested \
           --security-opt=label=user:container_user_u \
           --security-opt=label=type:container_user_t \
           --security-opt=label=role:container_user_r \
           --security-opt=label=level:s0-s0:c0.c1023

       Volume=%h/data:%h:Z
       WorkingDir=%h
       Volume=/sys/fs/selinux:/sys/fs/selinux
       Exec=sleep infinity

       [Service]
       ExecStartPre=/usr/bin/mkdir -p %h/data

       [Install]
       RequiredBy=default.target
       _EOF
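       As an added example (not part of podman or of this manual page), the
       following POSIX shell script audits the setup above. For every
       account whose login shell is /usr/bin/podmansh it locates the Quadlet
       that will back the session (the per-UID file, and any file shared by
       all users), checks that the container is named podmansh, reports
       whether the container is locked down (DropCapability=all and
       NoNewPrivileges=true, as in the first example) or not (as in the other
       two), and lists the host paths the Quadlet exposes through Volume=
       lines, since those volumes are the only host data the user can reach.
       The script name and the passwd-file and Quadlet-root arguments are
       assumptions made here so that it can be run against a test tree; the
       live locations are /etc/passwd and /etc/containers/systemd/users.

```shell
#!/bin/sh
# podmansh_audit.sh
# Added example; not part of podman or of the podmansh(1) page.
#
# For every account whose login shell is /usr/bin/podmansh, find the
# Quadlet(s) that will back its session and report:
#   - whether the Quadlet names the container "podmansh" (podmansh needs that),
#   - whether it is locked down (DropCapability=all and NoNewPrivileges=true),
#   - which host paths it exposes through Volume= lines.
# Assumption: the passwd file and the Quadlet root are passed as arguments so
# the script can run against a test tree; the live locations are
# /etc/passwd and /etc/containers/systemd/users.

PODMANSH=/usr/bin/podmansh

# podmansh_users PASSWD_FILE -> "name uid" for each account using podmansh
podmansh_users() {
    awk -F: -v sh="$PODMANSH" '$7 == sh { print $1, $3 }' "$1"
}

# quadlet_for_uid ROOT UID -> every podmansh.container that applies to UID:
# the per-UID file under ROOT/UID and the file shared by all users under ROOT
quadlet_for_uid() {
    for f in "$1/$2/podmansh.container" "$1/podmansh.container"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# quadlet_value FILE KEY -> value of the first "KEY=value" line, or ""
quadlet_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# host_volumes FILE -> host side of every "Volume=host:container[:opts]" line
# (%h is left unexpanded: systemd replaces it with the user's home at runtime)
host_volumes() {
    sed -n 's/^[[:space:]]*Volume=\([^:]*\):.*/\1/p' "$1"
}

# is_locked_down FILE -> true when all capabilities are dropped and
# no_new_privs is set, i.e. the user cannot gain privilege inside the container
is_locked_down() {
    [ "$(quadlet_value "$1" DropCapability)" = all ] &&
    [ "$(quadlet_value "$1" NoNewPrivileges)" = true ]
}

# audit_all PASSWD_FILE ROOT -> one line per account and Quadlet:
#   name uid STATUS path host-volumes
# STATUS is locked, OPEN, BADNAME (ContainerName is not podmansh) or MISSING
audit_all() {
    passwd=$1; root=$2
    podmansh_users "$passwd" | while read -r name uid; do
        found=0
        for q in $(quadlet_for_uid "$root" "$uid"); do
            found=1
            if [ "$(quadlet_value "$q" ContainerName)" != podmansh ]; then
                status=BADNAME
            elif is_locked_down "$q"; then
                status=locked
            else
                status=OPEN
            fi
            vols=$(host_volumes "$q" | tr '\n' ',' | sed 's/,$//')
            printf '%s %s %s %s %s\n' "$name" "$uid" "$status" "$q" "${vols:-none}"
        done
        [ "$found" = 1 ] || printf '%s %s MISSING - none\n' "$name" "$uid"
    done
}

# Usage: sh podmansh_audit.sh /etc/passwd /etc/containers/systemd/users
if [ $# -gt 0 ]; then
    audit_all "$1" "${2:-/etc/containers/systemd/users}"
fi
```

       Run it as root. A MISSING result means the account will log in to
       a shell that has no container to attach to; a BADNAME result means
       the Quadlet starts a container that podmansh will not find; an OPEN
       result is expected for the second and third examples above, which
       intentionally do not drop capabilities. The host-volume column is the
       complete list of host paths that user can read or write.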

SEE ALSO
       containers.conf(5), podman(1), podman-exec(1), quadlet(5)

HISTORY
       May 2023, Originally compiled by Dan Walsh <dwalsh@redhat.com>


Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=podmansh&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>
