compute-tools provides the system integration for managing containers using systemd-nspawn.
Usage
Although the container-shell can be started from a running system like any other program, the main intend
is to use the container-shell via SSH. That way otherwise unprivileged users have possibility to manage
containers without needing a regular shell login on the container server.
For usage over SSH a unprivileged user should be created:
sudo adduser --gecos "compute-tools,,," \
--home /var/lib/open-infrastructure/container-shell \
--shell /usr/bin/container-shell
The container-shell can then be allowed for specific SSH keys via
/var/lib/compute-tools/container-shell/.ssh/authorized_keys like so:
command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\
no-agent-forwarding,no-pty ssh-ed25519 [...]
Restrictedshell
The container-shell by default grants any user that has access to it to use all available container
commands.
Through two corresponding environment variables users can be allowed or disallowed to use specific
container commands. In connection with SSH this makes it possible to grant certain SSH keys (and by
that, users) privileges to operate container servers without having to give them root access, a login
shell at all and prevents them from doing things they are not trusted to do.
Example(blacklisting)
In order to allow all commands except for removing and stopping containers, the following variable can be
used:
command="CONTAINER_COMMANDS_DISABLE='remove stop' \
/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\
no-agent-forwarding,no-pty ssh-ed25519 [...]
Example(whitelisting)
The other way around works too. To disallow all commands except for listing containers and showing the
compute-tools version, the following variable can be used:
command="CONTAINER_COMMANDS_ENABLE='list version' \
/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,\
no-agent-forwarding,no-pty ssh-ed25519 [...]