podmansh(1) General Commands Manual podmansh(1)
NAME
podmansh - Execute login shell within the Podman podmansh container
SYNOPSIS
podmansh
DESCRIPTION
Execute a user shell within a container when the user logs into the system. The container that the users get added to can be defined via a Podman Quadlet file. This user only has access to volumes and capabilities configured into the Quadlet file.
Administrators can create a Quadlet in /etc/containers/systemd/users, which systemd will start for all users when they log in. The administrator can create a specific Quadlet with the container name podmansh, then enable users to use the login shell /usr/bin/podmansh. These user login shells are automatically executed inside the podmansh container via Podman.
Optionally, the administrator can place Quadlet files in the /etc/containers/systemd/users/${UID} directory for a user. Only this UID will execute these Quadlet services when that user logs in.
The user is confined to the container environment via all of the security mechanisms, including SELinux. The only information that will be available from the system comes from volumes leaked into the container.
Systemd will automatically create the container when the user session is
started. Systemd will take down the container when all connections to
the user session are removed. This means users can log in to the system
multiple times, with each session connected to the same container.
Administrators can use volumes to expose specific host data from the
host system to the user, without the user being exposed to other parts
of the system.
Timeout for podmansh can be set using the podmansh_timeout option in
containers.conf.
Setup
Create a user account whose login shell is podmansh using useradd while running as root.
# useradd -s /usr/bin/podmansh lockedu
# grep lockedu /etc/passwd
lockedu:x:4008:4008::/home/lockedu:/usr/bin/podmansh
Create a Podman Quadlet file that looks something like one of the following.
Fully locked down container, no access to host OS.
# USERID=$(id -u lockedu)
# mkdir -p /etc/containers/systemd/users/${USERID}
# cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
[Unit]
Description=The podmansh container
After=local-fs.target
[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
DropCapability=all
NoNewPrivileges=true
Exec=sleep infinity
[Install]
RequiredBy=default.target
_EOF
Alternatively, while running as root, create a Quadlet where the user is allowed to become root within the user namespace. They can also permanently read/write content in their home directory, which is volume mounted from the host user's account rather than living inside the container.
# useradd -s /usr/bin/podmansh confinedu
# grep confinedu /etc/passwd
confinedu:x:4009:4009::/home/confinedu:/usr/bin/podmansh
# USERID=$(id -u confinedu)
# mkdir -p /etc/containers/systemd/users/${USERID}
# cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
[Unit]
Description=The podmansh container
After=local-fs.target
[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
Volume=%h/data:%h:Z
Exec=sleep infinity
[Service]
ExecStartPre=/usr/bin/mkdir -p %h/data
[Install]
RequiredBy=default.target
_EOF
As another example, while running as root, create a Quadlet where the users inside this container are allowed to execute containers with SELinux separation and are able to read and write content in the $HOME/data directory.
# useradd -s /usr/bin/podmansh fullu
# grep fullu /etc/passwd
fullu:x:4010:4010::/home/fullu:/usr/bin/podmansh
# USERID=$(id -u fullu)
# mkdir -p /etc/containers/systemd/users/${USERID}
# cat > /etc/containers/systemd/users/${USERID}/podmansh.container << _EOF
[Unit]
Description=The podmansh container
After=local-fs.target
[Container]
Image=registry.fedoraproject.org/fedora
ContainerName=podmansh
RemapUsers=keep-id
RunInit=yes
PodmanArgs=--security-opt=unmask=/sys/fs/selinux \
  --security-opt=label=nested \
  --security-opt=label=user:container_user_u \
  --security-opt=label=type:container_user_t \
  --security-opt=label=role:container_user_r \
  --security-opt=label=level:s0-s0:c0.c1023
Volume=%h/data:%h:Z
WorkingDir=%h
Volume=/sys/fs/selinux:/sys/fs/selinux
Exec=sleep infinity
[Service]
ExecStartPre=/usr/bin/mkdir -p %h/data
[Install]
RequiredBy=default.target
_EOF
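The three Quadlets above differ mainly in which hardening keys they keep and which host paths they expose. The following audit script is an added example, not part of the podmansh man page: it checks that an account's login shell is /usr/bin/podmansh and that its per-UID Quadlet still carries the keys from the fully locked down example, listing any Volume= lines as deliberately exposed host data. QUADLET_ROOT is an assumed override for /etc/containers/systemd/users so the demo runs on constructed sample files without root.

```shell
# Added audit helper (not from the podmansh man page). QUADLET_ROOT is an
# assumed override for /etc/containers/systemd/users so this runs offline.

# login_shell_ok PASSWD_LINE -> succeeds if the shell field is /usr/bin/podmansh
login_shell_ok() {
    [ "${1##*:}" = "/usr/bin/podmansh" ]
}

# podmansh_quadlet_path UID -> per-UID Quadlet path, the layout the man page describes
podmansh_quadlet_path() {
    printf '%s/%s/podmansh.container\n' "${QUADLET_ROOT:-/etc/containers/systemd/users}" "$1"
}

# Keys the "fully locked down" example relies on (exact KEY=VALUE lines)
LOCKDOWN_KEYS='ContainerName=podmansh RemapUsers=keep-id DropCapability=all NoNewPrivileges=true'

# count_missing FILE -> prints how many lockdown keys the Quadlet lacks
count_missing() {
    n=0
    for kv in $LOCKDOWN_KEYS; do
        grep -qxF "$kv" "$1" || n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# audit_quadlet FILE -> prints findings; fails if any lockdown key is missing
audit_quadlet() {
    for kv in $LOCKDOWN_KEYS; do
        grep -qxF "$kv" "$1" || echo "$1: missing $kv"
    done
    # Each Volume= line is host data deliberately exposed to the user: list it
    grep '^Volume=' "$1" | sed "s|^|$1: exposes |"
    [ "$(count_missing "$1")" -eq 0 ]
}

# Constructed sample Quadlets: 4008 mirrors the locked-down example, 4009 mirrors
# the home-directory example, which has no DropCapability/NoNewPrivileges lines.
QUADLET_ROOT=$(mktemp -d)
mkdir -p "$QUADLET_ROOT/4008" "$QUADLET_ROOT/4009"
printf '%s\n' '[Container]' 'Image=registry.fedoraproject.org/fedora' \
    'ContainerName=podmansh' 'RemapUsers=keep-id' 'DropCapability=all' \
    'NoNewPrivileges=true' 'Exec=sleep infinity' > "$QUADLET_ROOT/4008/podmansh.container"
printf '%s\n' '[Container]' 'Image=registry.fedoraproject.org/fedora' \
    'ContainerName=podmansh' 'RemapUsers=keep-id' 'Volume=%h/data:%h:Z' \
    'Exec=sleep infinity' > "$QUADLET_ROOT/4009/podmansh.container"

login_shell_ok 'lockedu:x:4008:4008::/home/lockedu:/usr/bin/podmansh' && echo 'lockedu: shell ok'
audit_quadlet "$(podmansh_quadlet_path 4008)" && echo 'lockedu: locked down'
audit_quadlet "$(podmansh_quadlet_path 4009)" || echo 'confinedu: not fully locked down'
```

Against real accounts, feed `grep "$user" /etc/passwd` to login_shell_ok and leave QUADLET_ROOT unset so the default /etc/containers/systemd/users path is audited.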
SEE ALSO
containers.conf(5), podman(1), podman-exec(1), podman-systemd.unit(5)
HISTORY
May 2023, Originally compiled by Dan Walsh dwalsh@redhat.com