podmansh(1)                 General Commands Manual                 podmansh(1)

NAME
podmansh - Execute login shell within the Podman podmansh container

SYNOPSIS
podmansh

DESCRIPTION
Execute a user shell within a container when the user logs into the
system. The container that the users get added to can be defined via a
Podman Quadlet file. This user only has access to volumes and capabilities
configured into the Quadlet file.

Administrators can create a Quadlet in /etc/containers/systemd/users,
which systemd will start for all users when they log in. The administrator
can create a specific Quadlet with the container name podmansh, then
enable users to use the login shell /usr/bin/podmansh. These user login
shells are automatically executed inside the podmansh container via
Podman.

Optionally, the administrator can place Quadlet files in the
/etc/containers/systemd/users/${UID} directory for a user. Only this UID
will execute these Quadlet services when that user logs in.

The user is confined to the container environment via all of the security
mechanisms, including SELinux. The only information that will be available
from the system comes from volumes leaked into the container.

Systemd will automatically create the container when the user session is
started. Systemd will take down the container when all connections to the
user session are removed. This means users can log in to the system
multiple times, with each session connected to the same container.

Administrators can use volumes to expose specific host data from the host
system to the user, without the user being exposed to other parts of the
system.

The timeout for podmansh can be set using the podmansh_timeout option in
containers.conf.


SETUP
Create the user login session using useradd while running as root.

# useradd -s /usr/bin/podmansh lockedu
# grep lockedu /etc/passwd
lockedu:x:4008:4008::/home/lockedu:/usr/bin/podmansh


Create a Podman Quadlet file that looks something like one of the
following.

Fully locked down container, no access to the host OS.

# USERID=$(id -u lockedu)
# mkdir -p /etc/containers/systemd/users/${USERID}
# cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
[Unit]
Description=The podmansh container
After=local-fs.target

[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
DropCapability=all
NoNewPrivileges=true

Exec=sleep infinity

[Install]
RequiredBy=default.target
_EOF


Alternatively, while running as root, create a Quadlet where the user is
allowed to become root within the user namespace. The user can also
permanently read and write content in their home directory, which is
volume-mounted from the host user's account rather than living inside the
container.

# useradd -s /usr/bin/podmansh confinedu
# grep confinedu /etc/passwd
confinedu:x:4009:4009::/home/confinedu:/usr/bin/podmansh
# USERID=$(id -u confinedu)
# mkdir -p /etc/containers/systemd/users/${USERID}
# cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
[Unit]
Description=The podmansh container
After=local-fs.target

[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes

Volume=%h/data:%h:Z
Exec=sleep infinity

[Service]
ExecStartPre=/usr/bin/mkdir -p %h/data

[Install]
RequiredBy=default.target
_EOF


In another example, while running as root, create a Quadlet where users
inside the container are allowed to run containers with SELinux
separation and can read and write content in the $HOME/data directory.

# useradd -s /usr/bin/podmansh fullu
# grep fullu /etc/passwd
fullu:x:4010:4010::/home/fullu:/usr/bin/podmansh
# USERID=$(id -u fullu)
# mkdir -p /etc/containers/systemd/users/${USERID}
# cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
[Unit]
Description=The podmansh container
After=local-fs.target

[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
PodmanArgs=--security-opt=unmask=/sys/fs/selinux \
        --security-opt=label=nested \
        --security-opt=label=user:container_user_u \
        --security-opt=label=type:container_user_t \
        --security-opt=label=role:container_user_r \
        --security-opt=label=level:s0-s0:c0.c1023

Volume=%h/data:%h:Z
WorkingDir=%h
Volume=/sys/fs/selinux:/sys/fs/selinux
Exec=sleep infinity

[Service]
ExecStartPre=/usr/bin/mkdir -p %h/data

[Install]
RequiredBy=default.target
_EOF
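As an added example that is not part of this man page or of the Podman project, the following POSIX shell audit reads a Quadlet .container file and reports the settings that widen what a podmansh login can reach: a ContainerName other than podmansh, a missing DropCapability=all or NoNewPrivileges=true, and every Volume= line that exposes host data. The function names quadlet_get and podmansh_audit are hypothetical, and the two sample units it checks are constructed inline rather than read from the host's /etc/containers/systemd/users tree.

```shell
#!/bin/sh
# Added audit helper (not from the podmansh man page or Podman). It runs only
# against constructed sample Quadlet files written to a temporary directory.

# quadlet_get FILE KEY: print the first value of KEY in the [Container] section.
quadlet_get() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[Container]"); next }
        insec && substr($0, 1, length(key) + 1) == key "=" {
            print substr($0, length(key) + 2); exit
        }' "$1"
}

# podmansh_audit FILE: return 0 for a fully locked-down unit, 1 if there is
# anything an administrator should review.
podmansh_audit() {
    f=$1; rc=0
    [ "$(quadlet_get "$f" ContainerName)" = podmansh ] ||
        { echo "$f: ContainerName must be podmansh for the login shell to find it"; rc=1; }
    [ "$(quadlet_get "$f" DropCapability)" = all ] ||
        { echo "$f: no DropCapability=all, the user keeps the default capability set"; rc=1; }
    [ "$(quadlet_get "$f" NoNewPrivileges)" = true ] ||
        { echo "$f: no NoNewPrivileges=true"; rc=1; }
    # Every Volume= line is host data reachable from inside the container.
    for v in $(grep '^Volume=' "$f" | cut -d= -f2-); do
        echo "$f: host path exposed through Volume=$v"; rc=1
    done
    return "$rc"
}

# Constructed samples: a locked-down unit and one that shares the user's home.
tmp=$(mktemp -d)
cat > "$tmp/locked.container" <<'EOF'
[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
DropCapability=all
NoNewPrivileges=true
Exec=sleep infinity
EOF
cat > "$tmp/shared.container" <<'EOF'
[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
Volume=%h/data:%h:Z
Exec=sleep infinity
EOF
podmansh_audit "$tmp/locked.container" && echo "locked.container: fully locked down"
podmansh_audit "$tmp/shared.container" || echo "shared.container: review the findings above"
```

Point podmansh_audit at /etc/containers/systemd/users/${UID}/podmansh.container to check a real deployment, and remove "$tmp" when done.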


SEE ALSO
containers.conf(5), podman(1), podman-exec(1), quadlet(5)

HISTORY
May 2023, Originally compiled by Dan Walsh dwalsh@redhat.com


podmansh(1)