podmansh(1)                 General Commands Manual                podmansh(1)

NAME
       podmansh - Execute login shell within the Podman podmansh container

SYNOPSIS
       podmansh

DESCRIPTION
       Execute a user shell within a container when the user logs into the
       system. The container that the user is placed in is defined by a
       Podman Quadlet file. The user only has access to the volumes and
       capabilities configured in that Quadlet file.

       Administrators can create a Quadlet in /etc/containers/systemd/users,
       which systemd will start for all users when they log in. The
       administrator can create a specific Quadlet with the container name
       podmansh, then enable users to use the login shell /usr/bin/podmansh.
       These user login shells are automatically executed inside the
       podmansh container via Podman.

       Optionally, the administrator can place Quadlet files in the
       /etc/containers/systemd/users/${UID} directory for a single user.
       Only that UID will execute these Quadlet services when the user logs
       in.

       The user is confined to the container environment by all of the
       container security mechanisms, including SELinux. The only host
       information available to the user is whatever the administrator
       exposes through volumes mounted into the container.

       Systemd automatically creates the container when the user session
       starts and takes it down when all connections to the user session
       are closed. This means users can log in to the system multiple
       times, with each session connected to the same container.

       Administrators can use volumes to expose specific host data to the
       user without exposing other parts of the system.

       The timeout for podmansh can be set using the podmansh_timeout
       option in containers.conf.

   Setup
       Create a user account whose login shell is podmansh, using useradd
       while running as root.

              # useradd -s /usr/bin/podmansh lockedu
              # grep lockedu /etc/passwd
              lockedu:x:4008:4008::/home/lockedu:/usr/bin/podmansh

       Create a Podman Quadlet file that looks something like one of the
       following.

       Fully locked down container, no access to the host OS.

              # USERID=$(id -u lockedu)
              # mkdir -p /etc/containers/systemd/users/${USERID}
              # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
              [Unit]
              Description=The podmansh container
              After=local-fs.target

              [Container]
              Image=registry.fedoraproject.org/fedora
              ContainerName=podmansh
              RemapUsers=keep-id
              RunInit=yes
              DropCapability=all
              NoNewPrivileges=true

              Exec=sleep infinity

              [Install]
              RequiredBy=default.target
              _EOF

       Alternatively, while running as root, create a Quadlet where the user
       is allowed to become root within the user namespace. The user can
       also permanently read and write content in their home directory,
       which is volume mounted from the host user's account ($HOME/data on
       the host) rather than living only inside the container.

              # useradd -s /usr/bin/podmansh confinedu
              # grep confinedu /etc/passwd
              confinedu:x:4009:4009::/home/confinedu:/usr/bin/podmansh
              # USERID=$(id -u confinedu)
              # mkdir -p /etc/containers/systemd/users/${USERID}
              # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
              [Unit]
              Description=The podmansh container
              After=local-fs.target

              [Container]
              Image=registry.fedoraproject.org/fedora
              ContainerName=podmansh
              RemapUsers=keep-id
              RunInit=yes

              Volume=%h/data:%h:Z
              Exec=sleep infinity

              [Service]
              ExecStartPre=/usr/bin/mkdir -p %h/data

              [Install]
              RequiredBy=default.target
              _EOF

       Another example, while running as root: create a Quadlet where users
       inside this container are allowed to run containers of their own
       with SELinux separation, and can read and write content in the
       $HOME/data directory.

              # useradd -s /usr/bin/podmansh fullu
              # grep fullu /etc/passwd
              fullu:x:4010:4010::/home/fullu:/usr/bin/podmansh
              # USERID=$(id -u fullu)
              # mkdir -p /etc/containers/systemd/users/${USERID}
              # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
              [Unit]
              Description=The podmansh container
              After=local-fs.target

              [Container]
              Image=registry.fedoraproject.org/fedora
              ContainerName=podmansh
              RemapUsers=keep-id
              RunInit=yes
              PodmanArgs=--security-opt=unmask=/sys/fs/selinux --security-opt=label=nested --security-opt=label=user:container_user_u --security-opt=label=type:container_user_t --security-opt=label=role:container_user_r --security-opt=label=level:s0-s0:c0.c1023

              Volume=%h/data:%h:Z
              WorkingDir=%h
              Volume=/sys/fs/selinux:/sys/fs/selinux
              Exec=sleep infinity

              [Service]
              ExecStartPre=/usr/bin/mkdir -p %h/data

              [Install]
              RequiredBy=default.target
              _EOF

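       The following script is an added example; it is not part of this man
       page or of Podman. It audits a podmansh deployment the way an
       administrator might after following the steps above: it checks a
       Quadlet against the "fully locked down" profile (ContainerName=podmansh,
       DropCapability=all, NoNewPrivileges=true, no Volume= lines exposing
       host data), lists accounts whose login shell is /usr/bin/podmansh, and
       reports any such account that has neither a per-UID
       podmansh.container under the users directory nor a shared one. The key
       names and directory layout come from this page; the function names are
       the example's own, and the passwd file and Quadlets it builds in a
       temporary directory are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the podmansh man page or of Podman.
# Quadlet keys and the users/${UID} layout follow the page; the sample
# files written by make_sample_deployment are constructed for the demo.

# Print the value(s) of KEY= lines in a Quadlet unit file, one per line.
quadlet_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1"
}

# Check a podmansh Quadlet against the "fully locked down" profile.
# Prints one finding per line; returns 0 when locked down, 1 otherwise.
audit_podmansh_quadlet() {
    f=$1 rc=0
    [ "$(quadlet_value "$f" ContainerName)" = podmansh ] ||
        { echo "ContainerName is not podmansh; the login shell will not find it"; rc=1; }
    [ "$(quadlet_value "$f" DropCapability)" = all ] ||
        { echo "DropCapability=all missing"; rc=1; }
    case "$(quadlet_value "$f" NoNewPrivileges)" in
        true|yes|1) ;;
        *) echo "NoNewPrivileges=true missing"; rc=1 ;;
    esac
    # Every Volume= line is host data the confined user can reach.
    quadlet_value "$f" Volume | while IFS= read -r v; do
        echo "host data exposed via Volume=$v"
    done
    [ -z "$(quadlet_value "$f" Volume)" ] || rc=1
    return "$rc"
}

# List "name:uid" for accounts whose login shell is /usr/bin/podmansh.
# Takes a passwd-format file (use /etc/passwd on a real host).
podmansh_users() {
    awk -F: '$7 == "/usr/bin/podmansh" { print $1 ":" $3 }' "$1"
}

# Report podmansh users with no Quadlet to log in to: neither
# USERS_DIR/<uid>/podmansh.container nor a shared USERS_DIR/podmansh.container
# (on a real host USERS_DIR is /etc/containers/systemd/users).
missing_quadlet_users() {
    passwd=$1 users_dir=$2
    if [ -f "$users_dir/podmansh.container" ]; then return 0; fi
    podmansh_users "$passwd" | while IFS=: read -r name uid; do
        [ -f "$users_dir/$uid/podmansh.container" ] || echo "$name"
    done
}

# Build a constructed deployment in a temp dir: the three accounts from
# the page, a locked-down Quadlet for uid 4008, a home-volume Quadlet
# for uid 4009, and nothing for uid 4010. Prints the directory.
make_sample_deployment() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lockedu:x:4008:4008::/home/lockedu:/usr/bin/podmansh
confinedu:x:4009:4009::/home/confinedu:/usr/bin/podmansh
fullu:x:4010:4010::/home/fullu:/usr/bin/podmansh
EOF
    mkdir -p "$d/users/4008" "$d/users/4009"
    cat > "$d/users/4008/podmansh.container" <<'EOF'
[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
DropCapability=all
NoNewPrivileges=true
Exec=sleep infinity
EOF
    cat > "$d/users/4009/podmansh.container" <<'EOF'
[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
Volume=%h/data:%h:Z
Exec=sleep infinity
EOF
    echo "$d"
}

# Demo on the constructed sample: list users, audit the home-volume
# Quadlet (three findings), and report the account with no Quadlet.
demo=$(make_sample_deployment)
podmansh_users "$demo/passwd"
audit_podmansh_quadlet "$demo/users/4009/podmansh.container" || true
missing_quadlet_users "$demo/passwd" "$demo/users"
rm -rf "$demo"
```

       Point the helpers at /etc/passwd and /etc/containers/systemd/users to
       run the same checks on a real host; a user reported by
       missing_quadlet_users has a login shell that resolves to a container
       systemd will never start for them.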
SEE ALSO
       containers.conf(5), podman(1), podman-exec(1), quadlet(5)

HISTORY
       May 2023, Originally compiled by Dan Walsh dwalsh@redhat.com