Setting Up Hrida Terminal for a Team
When multiple people on your team need terminal access through HridaAI, you have two options.
| | Single Container | Per-User Containers |
|---|---|---|
| How | One container, separate accounts inside | Each user gets their own container |
| Isolation | Files are separate, but they share the same system | Fully isolated: separate everything |
| Setup | One extra setting | Additional orchestration service |
| Best for | Small teams you trust | Production, larger teams, untrusted users |
| Included in | Hrida Terminal (free) | Terminals (enterprise) |
If your HridaAI instance has more than one user account and the same terminal-server connection is shared across users, you must use one of the two isolation modes below. A single Hrida Terminal container without HRIDA_TERMINAL_MULTI_USER=true (or without per-user containers via Terminals) places every user inside the same shell, the same filesystem, and the same network namespace, which means any user can read, modify, or replace any other user's files, run commands as the shared user, and bind shared ports. This is not a supported configuration for multi-user HridaAI.
For deployments with untrusted users (open signup, public-facing portals, mixed-tenant setups), Option 1 is also insufficient on its own: file isolation does not extend to network namespace, so users can still reach each other through bound ports on the shared container. Use Option 2 (per-user containers via Terminals) for these deployments, or layer TERMINAL_PROXY_HEADERS on top of Option 1 to restrict what proxied responses can do in the user's browser.
Option 1: Built-in multi-user mode
The simplest approach. Add one setting and each person automatically gets a separate workspace.
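```bash
# Replace your-secret-key with a strong, unique value before deploying.
# HRIDA_TERMINAL_MULTI_USER=true enables the per-user accounts described below.
docker run -d --name hrida-terminal -p 8000:8000 \
  -v hrida-terminal:/home \
  -e HRIDA_TERMINAL_MULTI_USER=true \
  -e HRIDA_TERMINAL_API_KEY=your-secret-key \
  ghcr.io/hrida-ai/hrida-terminal
```
What happens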
When someone uses the terminal through HridaAI, Hrida Terminal automatically:
- Creates a personal account for that user (based on their HridaAI user ID)
- Sets up a private home folder at /home/{user-id}
- Runs all their commands under their own account
- Restricts their file access to their own folder
Each user sees only their own files in the file browser.
What's shared vs. separate
| | Separate per user | Shared |
|---|---|---|
| Home folder and files | ✓ | |
| Running commands | ✓ | |
| System packages | | ✓ |
| CPU and memory | | ✓ |
| Network access | | ✓ |
This mode gives everyone their own workspace, but they're all running inside the same container. Resource pressure (memory, CPU) is shared, and so is the network namespace: a user who binds a port (e.g. python -m http.server 8080) is reachable from any other user's terminal-server proxy URL on that port. Per-user file isolation does not extend to per-user network isolation in this mode.
Use this for small, trusted groups, not for wide-open deployments. For untrusted multi-user deployments, use Option 2 (per-user containers) below, or layer the TERMINAL_PROXY_HEADERS configuration on top to lock proxied responses into a sandbox CSP.
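To see the shared network namespace from the operator's side, the following added example (not Hrida Terminal code) parses the Linux /proc/net/tcp table and lists listening sockets owned by per-user accounts. The UID threshold of 1000, the little-endian host, and the embedded sample table are assumptions made for illustration; port 8000 is the service port from the docker run command above.

```python
# Added example (not Hrida Terminal code): list TCP listeners inside a shared
# multi-user container, grouped by owning UID, by parsing /proc/net/tcp.
import socket
import struct

LISTEN = "0A"          # TCP state code for LISTEN in /proc/net/tcp
SERVICE_PORT = 8000    # port published by the docker run command on this page
MIN_USER_UID = 1000    # assumption: per-user accounts get regular UIDs

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 1002 1 0 100 0 0 10 0
   2: 0100007F:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 1003 1 0 100 0 0 10 0
   3: 0100007F:1F40 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 100 0 0 10 0
"""

def parse_listeners(text):
    """Return [(uid, ip, port)] for every socket in LISTEN state."""
    out = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 8 or f[3] != LISTEN:
            continue
        hex_ip, hex_port = f[1].split(":")
        # The kernel prints the IPv4 address as a native-endian 32-bit word;
        # little-endian is assumed here (x86-64 / arm64 hosts).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        out.append((int(f[7]), ip, int(hex_port, 16)))
    return out

def user_listeners(text):
    """Listeners owned by per-user accounts, excluding the service port."""
    return [(uid, ip, port) for uid, ip, port in parse_listeners(text)
            if uid >= MIN_USER_UID and port != SERVICE_PORT]

if __name__ == "__main__":
    # Inside the container, read the live table instead of SAMPLE:
    #   text = open("/proc/net/tcp").read()
    for uid, ip, port in user_listeners(SAMPLE):
        # Loopback-only listeners are still inside the shared namespace.
        scope = "all interfaces" if ip == "0.0.0.0" else ip
        print(f"uid {uid} listens on port {port} ({scope})")
```

IPv6 and dual-stack listeners appear in /proc/net/tcp6, which uses wider address fields and is not parsed by this example.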
Option 2: Per-user containers with Terminals
For larger deployments or when you need real isolation, Terminals gives each user their own container, completely separate from everyone else.
- Full isolation: each user's container is independent with its own files, processes, and resources
- On-demand provisioning: containers are created when users start a session and cleaned up when idle
- Resource controls: set CPU, memory, and storage limits per user or per environment
- Multiple environments: different setups for different teams (e.g., data science, development)
- Kubernetes support: works with Docker, Kubernetes, and k3s
Two deployment backends are available:
- Docker Backend: runs on a single Docker host. Best for small-to-medium teams or environments without Kubernetes.
- Kubernetes Operator: production-grade deployment using a CRD-based operator. Deploys alongside HridaAI via the Helm chart.
Terminals requires an HridaAI Enterprise License. See the Terminals repository for license details.