podmansh(1)                 General Commands Manual                podmansh(1)


NAME

       podmansh - Execute login shell within the Podman podmansh container


SYNOPSIS

       podmansh


DESCRIPTION

       Execute a user shell within a container when the user logs into the
       system. The container that the users get added to can be defined via
       a Podman Quadlet file. The user only has access to the volumes and
       capabilities configured in that Quadlet file.

       Administrators can create a Quadlet in /etc/containers/systemd/users,
       which systemd will start for all users when they log in. The
       administrator can create a specific Quadlet with the container name
       podmansh, then enable users to use the login shell /usr/bin/podmansh.
       These user login shells are automatically executed inside the
       podmansh container via Podman.

       Optionally, the administrator can place Quadlet files in the
       /etc/containers/systemd/users/${UID} directory for a user. Only this
       UID will execute these Quadlet services when that user logs in.

       The user is confined to the container environment via all of the
       security mechanisms, including SELinux. The only host information
       available inside the container is what the administrator mounts into
       it as volumes.

       Systemd will automatically create the container when the user session
       is started. Systemd will take down the container when all connections
       to the user session are removed. This means users can log in to the
       system multiple times, with each session connected to the same
       container.

       Administrators can use volumes to expose specific host data from the
       host system to the user, without the user being exposed to other
       parts of the system.

       The timeout for podmansh can be set using the podmansh_timeout option
       in containers.conf.


Setup

       Create the user, with podmansh as the login shell, using useradd
       while running as root.

       # useradd -s /usr/bin/podmansh lockedu
       # grep lockedu /etc/passwd
       lockedu:x:4008:4008::/home/lockedu:/usr/bin/podmansh

       Create a Podman Quadlet file that looks something like one of the
       following.

       Fully locked down container, no access to the host OS.

       # USERID=$(id -u lockedu)
       # mkdir -p /etc/containers/systemd/users/${USERID}
       # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
       [Unit]
       Description=The podmansh container
       After=local-fs.target

       [Container]
       Image=registry.fedoraproject.org/fedora
       ContainerName=podmansh
       RemapUsers=keep-id
       RunInit=yes
       DropCapability=all
       NoNewPrivileges=true

       Exec=sleep infinity

       [Install]
       RequiredBy=default.target
       _EOF

       Alternatively, while running as root, create a Quadlet where the user
       is allowed to become root within the user namespace. The user can
       also persistently read and write content in their home directory,
       which is volume mounted from the user's actual account on the host
       rather than living inside the container.

       # useradd -s /usr/bin/podmansh confinedu
       # grep confinedu /etc/passwd
       confinedu:x:4009:4009::/home/confinedu:/usr/bin/podmansh
       # USERID=$(id -u confinedu)
       # mkdir -p /etc/containers/systemd/users/${USERID}
       # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
       [Unit]
       Description=The podmansh container
       After=local-fs.target

       [Container]
       Image=registry.fedoraproject.org/fedora
       ContainerName=podmansh
       RemapUsers=keep-id
       RunInit=yes

       Volume=%h/data:%h:Z
       Exec=sleep infinity

       [Service]
       ExecStartPre=/usr/bin/mkdir -p %h/data

       [Install]
       RequiredBy=default.target
       _EOF

       Another example: while running as root, create a Quadlet where the
       users inside this container are allowed to run containers with
       SELinux separation and can read and write content in the $HOME/data
       directory.

       # useradd -s /usr/bin/podmansh fullu
       # grep fullu /etc/passwd
       fullu:x:4010:4010::/home/fullu:/usr/bin/podmansh
       # USERID=$(id -u fullu)
       # mkdir -p /etc/containers/systemd/users/${USERID}
       # cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
       [Unit]
       Description=The podmansh container
       After=local-fs.target

       [Container]
       Image=registry.fedoraproject.org/fedora
       ContainerName=podmansh
       RemapUsers=keep-id
       RunInit=yes
       PodmanArgs=--security-opt=unmask=/sys/fs/selinux
            --security-opt=label=nested
            --security-opt=label=user:container_user_u
            --security-opt=label=type:container_user_t
            --security-opt=label=role:container_user_r
            --security-opt=label=level:s0-s0:c0.c1023

       Volume=%h/data:%h:Z
       WorkingDir=%h
       Volume=/sys/fs/selinux:/sys/fs/selinux
       Exec=sleep infinity

       [Service]
       ExecStartPre=/usr/bin/mkdir -p %h/data

       [Install]
       RequiredBy=default.target
       _EOF

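       The following Python script is an added example; it is not part of
       Podman, podmansh or this man page. Since everything the confined user
       can reach is whatever the Quadlet grants, it parses a .container file
       like the ones above and reports that grant: whether DropCapability=all
       and NoNewPrivileges=true are set, which host paths the Volume= lines
       mount in (flagging system prefixes such as /sys), whether the user's
       home is mounted, and which options PodmanArgs= passes. An
       administrator can run it against a Quadlet before enabling the login
       shell. The embedded samples are constructed from the Quadlets above;
       treating indented lines as continuations of the previous key (the
       layout of the multi-line PodmanArgs= above) and the list of sensitive
       host prefixes are assumptions of the example.

```python
"""Audit what a podmansh Quadlet grants the confined user.

Added example for the podmansh(1) man page; not part of Podman or podmansh.
It reads the [Container] keys the man page uses (Volume=, DropCapability=,
NoNewPrivileges=, PodmanArgs=) and reports the host exposure they imply.
Assumption: an indented line continues the previous key's value, which is how
the multi-line PodmanArgs= in the third Quadlet of the man page is laid out.
"""

# Constructed sample: a shortened copy of the third ("fullu") Quadlet.
SAMPLE_SELINUX = """\
[Unit]
Description=The podmansh container
After=local-fs.target

[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
PodmanArgs=--security-opt=unmask=/sys/fs/selinux
     --security-opt=label=nested
     --security-opt=label=type:container_user_t

Volume=%h/data:%h:Z
WorkingDir=%h
Volume=/sys/fs/selinux:/sys/fs/selinux
Exec=sleep infinity

[Install]
RequiredBy=default.target
"""

# Constructed sample: the [Container] section of the "fully locked down" Quadlet.
SAMPLE_LOCKED = """\
[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
DropCapability=all
NoNewPrivileges=true
Exec=sleep infinity
"""

# Assumed list of host prefixes whose exposure into the shell container deserves review.
SENSITIVE_PREFIXES = ("/sys", "/proc", "/etc", "/run", "/var/run", "/dev", "/root")


def parse_quadlet(text):
    """Parse unit-file text into {section: [(key, value), ...]}.

    Repeated keys (for example several Volume= lines) are kept in order
    rather than collapsed, which is why configparser is not used.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        if raw.startswith("["):
            current = raw.strip()[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("key/value line before any [Section] header")
        if raw[0] in " \t" and sections[current]:
            # Assumed convention: an indented line continues the previous value.
            key, value = sections[current][-1]
            sections[current][-1] = (key, value + " " + raw.strip())
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit(text):
    """Summarise the host access a podmansh Quadlet grants the login user."""
    values = {}
    for key, value in parse_quadlet(text).get("Container", []):
        values.setdefault(key, []).append(value)

    drops_all = any(v.lower() == "all" for v in values.get("DropCapability", []))
    nnp = values.get("NoNewPrivileges", ["false"])[-1].lower() in ("true", "yes", "on", "1")

    volumes = []  # (host_source, container_destination, options)
    for spec in values.get("Volume", []):
        parts = spec.split(":")
        src = parts[0]
        dst = parts[1] if len(parts) > 1 else src
        volumes.append((src, dst, parts[2] if len(parts) > 2 else ""))

    sensitive = [src for src, _, _ in volumes
                 if src == "/" or any(src == p or src.startswith(p + "/")
                                      for p in SENSITIVE_PREFIXES)]
    return {
        "drops_all_caps": drops_all,
        "no_new_privileges": nnp,
        "host_volumes": volumes,
        "sensitive_volumes": sensitive,
        "home_mounted": any(src.startswith("%h") for src, _, _ in volumes),
        "podman_args": " ".join(values.get("PodmanArgs", [])).split(),
    }


if __name__ == "__main__":
    for name, text in (("locked", SAMPLE_LOCKED), ("selinux", SAMPLE_SELINUX)):
        print(name, audit(text))
```

       Point audit() at the contents of a real
       /etc/containers/systemd/users/${UID}/podmansh.container to get the
       same summary; a Quadlet with no Volume= lines, DropCapability=all and
       NoNewPrivileges=true is the fully locked down case shown first above.
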

SEE ALSO

       containers.conf(5) ⟨containers.conf.5.md⟩, podman(1), podman-exec(1),
       quadlet(5)


HISTORY

       May 2023, Originally compiled by Dan Walsh dwalsh@redhat.com
       ⟨mailto:dwalsh@redhat.com⟩


                                                                   podmansh(1)