From c4616560cf84481b51b959f6c9b67cb4577f6c85 Mon Sep 17 00:00:00 2001
From: Peter Parente
Date: Fri, 28 Aug 2015 22:38:13 -0400
Subject: [PATCH] Make subimages compatible with late user creation
* Always remain as root during install
* Put kernel specs in system path, not user home
* Create user work directory at startup
* Note this is in 4.0 and up images, not 3.2
Contribution (c) Copyright IBM Corp. 2015
---
 all-spark-notebook/Dockerfile | 14 +++-----------
 all-spark-notebook/README.md | 1 +
 datascience-notebook/Dockerfile | 7 +------
 datascience-notebook/README.md | 1 +
 minimal-notebook/Dockerfile | 11 +++--------
 minimal-notebook/README.md | 2 +-
 minimal-notebook/start-notebook.sh | 6 ++++++
 pyspark-notebook/Dockerfile | 9 +--------
 pyspark-notebook/README.md | 1 +
 r-notebook/Dockerfile | 5 -----
 r-notebook/README.md | 1 +
 scipy-notebook/Dockerfile | 7 +------
 scipy-notebook/README.md | 1 +
 13 files changed, 21 insertions(+), 45 deletions(-)
diff --git a/all-spark-notebook/Dockerfile b/all-spark-notebook/Dockerfile
index 93413d7a..f860be21 100644
--- a/all-spark-notebook/Dockerfile
+++ b/all-spark-notebook/Dockerfile
@@ -3,8 +3,6 @@ FROM jupyter/minimal-notebook
 MAINTAINER Jupyter Project
-USER root
-
 # Spark dependencies
 ENV APACHE_SPARK_VERSION 1.4.1
 RUN apt-get -y update && \
@@ -43,8 +41,6 @@ RUN cd /tmp && \
 apt-get remove -y sbt && \
 apt-get clean
-USER jovyan
-
 # Spark and Mesos pointers
 ENV SPARK_HOME /usr/local/spark
 ENV R_LIBS_USER $SPARK_HOME/R/lib
@@ -74,7 +70,7 @@ RUN conda create -p $CONDA_DIR/envs/python2 python=2.7 \
 && conda clean -yt
 RUN $CONDA_DIR/envs/python2/bin/python \
 $CONDA_DIR/envs/python2/bin/ipython \
- kernelspec install-self --user
+ kernelspec install-self
 # R packages
 RUN conda config --add channels r
@@ -85,9 +81,5 @@ RUN conda install --yes \
 'r-rcurl=1.95*' && conda clean -yt
 # Scala Spark kernel spec
-RUN mkdir -p $HOME/.ipython/kernels/scala
-COPY kernel.json $HOME/.ipython/kernels/scala/
-
-# Switch back to root so that supervisord runs under that user
-USER root
-RUN chown -R $NB_USER:$NB_USER $HOME/.ipython/kernels/scala/
\ No newline at end of file
+RUN mkdir -p /usr/local/share/jupyter/kernels/scala
+COPY kernel.json /usr/local/share/jupyter/kernels/scala/
diff --git a/all-spark-notebook/README.md b/all-spark-notebook/README.md
index 2ffc7f1f..ff31f1a0 100644
--- a/all-spark-notebook/README.md
+++ b/all-spark-notebook/README.md
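Review bot: The added `RUN mkdir -p /usr/local/share/jupyter/kernels/scala` in all-spark-notebook/Dockerfile is redundant, because `COPY` to a destination ending in `/` creates the missing directory itself; dropping the RUN saves a layer. Moving kernel.json out of `$HOME` also drops the old `chown` to `$NB_USER`, so as far as the visible lines show the spec is now root-owned and the notebook user cannot rewrite the command the kernel launches. That is a useful property and deserves a comment so it is not undone later, e.g. `# System-wide kernel spec: root-owned, not writable by $NB_USER`.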
@@ -203,6 +203,7 @@ You may customize the execution of the Docker container and the Notebook server
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not found in `/home/jovyan/.ipython/profile_default/security/notebook.pem`, the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.
diff --git a/datascience-notebook/Dockerfile b/datascience-notebook/Dockerfile
index f4971490..cae17b69 100644
--- a/datascience-notebook/Dockerfile
+++ b/datascience-notebook/Dockerfile
@@ -16,8 +16,6 @@ RUN apt-get update && \
 julia \
 libnettle4 && apt-get clean
-USER jovyan
-
 # Install Python 3 packages
 RUN conda install --yes \
 'ipywidgets=4.0*' \
@@ -59,7 +57,7 @@ RUN conda create -p $CONDA_DIR/envs/python2 python=2.7 \
 && conda clean -yt
 RUN $CONDA_DIR/envs/python2/bin/python \
 $CONDA_DIR/envs/python2/bin/ipython \
- kernelspec install-self --user
+ kernelspec
 # R packages
 RUN conda config --add channels r
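Review bot: In datascience-notebook/Dockerfile the Python 2 kernel step now ends in a bare `kernelspec`, while the same edit in the all-spark, pyspark and scipy Dockerfiles of this patch keeps the subcommand as `kernelspec install-self`. Without the subcommand the step presumably only prints usage or fails, so the python2 kernel spec is never registered in the system path for this image. The added line should read `kernelspec install-self`. The RUN instruction it belongs to starts two lines above inside the hunk; the rest of the file is outside it.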
@@ -85,6 +83,3 @@ RUN conda install --yes \
 # IJulia and Julia packages
 RUN julia -e 'Pkg.add("IJulia")'
 RUN julia -e 'Pkg.add("Gadfly")' && julia -e 'Pkg.add("RDatasets")'
-
-# Switch back to root so that supervisord runs under that user
-USER root
diff --git a/datascience-notebook/README.md b/datascience-notebook/README.md
index d700c4f5..3a099bf1 100644
--- a/datascience-notebook/README.md
+++ b/datascience-notebook/README.md
@@ -24,6 +24,7 @@ You may customize the execution of the Docker container and the Notebook server
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not found in `/home/jovyan/.ipython/profile_default/security/notebook.pem`, the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * `-v /some/host/folder/for/server.pem:/home/jovyan/.local/share/jupyter/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.
diff --git a/minimal-notebook/Dockerfile b/minimal-notebook/Dockerfile
index 5a3b6359..3f50f6b4 100644
--- a/minimal-notebook/Dockerfile
+++ b/minimal-notebook/Dockerfile
@@ -24,8 +24,11 @@ RUN apt-get update && apt-get install -yq --no-install-recommends \
 sudo \
 && apt-get clean
+# Configure docker environment
 ENV CONDA_DIR /opt/conda
 ENV NB_USER jovyan
+ENV WORK /home/$NB_USER/work
+ENV PATH $CONDA_DIR/bin:$PATH
 # Install conda
 RUN echo export PATH=$CONDA_DIR/bin:'$PATH' > /etc/profile.d/conda.sh && \
@@ -34,14 +37,6 @@ RUN echo export PATH=$CONDA_DIR/bin:'$PATH' > /etc/profile.d/conda.sh && \
 rm Miniconda3-3.9.1-Linux-x86_64.sh && \
 $CONDA_DIR/bin/conda install --yes conda==3.14.1
-# Configure docker environment
-ENV PATH $CONDA_DIR/bin:$PATH
-
-# Setup a work directory rooted in home for ease of volume mounting
-ENV WORK /notebooks
-RUN mkdir -p $WORK && chown root.users $WORK && chmod g+w $WORK
-WORKDIR $WORK
-
 # Install Jupyter notebook
 RUN conda install --yes \
 'notebook=4.0*' \
diff --git a/minimal-notebook/README.md b/minimal-notebook/README.md
index 2322512c..4fb2cb37 100644
--- a/minimal-notebook/README.md
+++ b/minimal-notebook/README.md
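Review bot: The added `ENV WORK /home/$NB_USER/work` in minimal-notebook/Dockerfile is expanded at build time, so WORK stays `/home/jovyan/work` even when a container is started with a different `NB_USER`, while start-notebook.sh creates the account and its home from the run-time value. If NB_USER is meant to be fixed, a comment such as `# NB_USER is fixed at build time; WORK is derived from it` would record that. Otherwise the path is better derived in the start script. The second hunk on this file also removes `WORKDIR $WORK`, so nothing visible here sets a working directory and later RUN steps in sub-images run in `/`. It is worth confirming that the notebook server is pointed at `$WORK` elsewhere.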
@@ -21,7 +21,7 @@ You may customize the execution of the Docker container and the Notebook server
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not provided (see below), the container will generate a self-signed certificate for you.
-* `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.
diff --git a/minimal-notebook/start-notebook.sh b/minimal-notebook/start-notebook.sh
index 2c5e5798..f2b0af06 100755
--- a/minimal-notebook/start-notebook.sh
+++ b/minimal-notebook/start-notebook.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 # Create non-root NB_USER, member of group "users"
 useradd -m -s /bin/bash -u ${NB_UID:-1000} -G users $NB_USER
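Review bot: With `set -e` added at the top of start-notebook.sh, the unguarded `useradd` on the last line of this hunk becomes fatal whenever the account already exists. That happens on a second start of the same container, assuming this script runs on every start, which the hunk does not show. The script would then exit before the server is launched. Guard the call and quote the expansions, e.g. `id -u "$NB_USER" >/dev/null 2>&1 || useradd -m -s /bin/bash -u "${NB_UID:-1000}" -G users "$NB_USER"`. The script continues outside the hunk.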
@@ -7,6 +8,11 @@ useradd -m -s /bin/bash -u ${NB_UID:-1000} -G users $NB_USER
 chown -R root.users $CONDA_DIR
 chmod -R g+w $CONDA_DIR
+# Setup a work directory rooted in the NB_USER home
+mkdir -p $WORK
+chown root.users $WORK
+chmod g+w $WORK
+
 # Enable sudo if requested
 if [ ! -z "$GRANT_SUDO" ]; then
 echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook
diff --git a/pyspark-notebook/Dockerfile b/pyspark-notebook/Dockerfile
index ac959262..dbf91131 100644
--- a/pyspark-notebook/Dockerfile
+++ b/pyspark-notebook/Dockerfile
@@ -3,8 +3,6 @@ FROM jupyter/minimal-notebook
 MAINTAINER Jupyter Project
-USER root
-
 # Spark dependencies
 ENV APACHE_SPARK_VERSION 1.4.1
 RUN apt-get -y update && \
@@ -22,8 +20,6 @@ RUN apt-key adv --keyserver keyserver.ubuntu.com --recv E56151BF && \
 apt-get --no-install-recommends -y --force-yes install mesos=0.22.1-1.0.debian78 && \
 apt-get clean
-USER jovyan
-
 # Spark and Mesos pointers
 ENV SPARK_HOME /usr/local/spark
 ENV PYTHONPATH $SPARK_HOME/python:$SPARK_HOME/python/lib/py4j-0.8.2.1-src.zip
@@ -52,7 +48,4 @@ RUN conda create -p $CONDA_DIR/envs/python2 python=2.7 \
 && conda clean -yt
 RUN $CONDA_DIR/envs/python2/bin/python \
 $CONDA_DIR/envs/python2/bin/ipython \
- kernelspec install-self --user
-
-# Switch back to root so that supervisord runs under that user
-USER root
\ No newline at end of file
+ kernelspec install-self
\ No newline at end of file
diff --git a/pyspark-notebook/README.md b/pyspark-notebook/README.md
index 17c37197..90298cff 100644
--- a/pyspark-notebook/README.md
+++ b/pyspark-notebook/README.md
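Review bot: The added `chown root.users $WORK` and `chmod g+w $WORK` in start-notebook.sh run on every start against whatever is mounted at `$WORK`. The READMEs in this patch document bind-mounting a host folder at `/home/jovyan/work`, so that host directory is re-owned to root and made group-writable for the container's `users` gid. Under the `set -e` this patch adds, a mount that refuses chown (read-only, or root-squashed NFS) now stops the container. Consider changing ownership only when the script created the directory, with the variable quoted and the `:` separator: `[ -d "$WORK" ] || { mkdir -p "$WORK" && chown root:users "$WORK" && chmod g+w "$WORK"; }`. The script continues outside the hunk.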
@@ -93,6 +93,7 @@ You may customize the execution of the Docker container and the Notebook server
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not found in `/home/jovyan/.ipython/profile_default/security/notebook.pem`, the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.
diff --git a/r-notebook/Dockerfile b/r-notebook/Dockerfile
index 37e1c720..d699ad33 100644
--- a/r-notebook/Dockerfile
+++ b/r-notebook/Dockerfile
@@ -11,8 +11,6 @@ RUN apt-get update && \
 gfortran \
 gcc && apt-get clean
-USER jovyan
-
 # R packages
 RUN conda config --add channels r
 RUN conda install --yes \
@@ -33,6 +31,3 @@ RUN conda install --yes \
 'r-caret=6.0*' \
 'r-rcurl=1.95*' \
 'r-randomforest=4.6*' && conda clean -yt
-
-# Switch back to root so that supervisord runs under that user
-USER root
\ No newline at end of file
diff --git a/r-notebook/README.md b/r-notebook/README.md
index ad3a9f7f..c7d1fbae 100644
--- a/r-notebook/README.md
+++ b/r-notebook/README.md
@@ -21,6 +21,7 @@ You may customize the execution of the Docker container and the Notebook server
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not found in `/home/jovyan/.ipython/profile_default/security/notebook.pem`, the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.
diff --git a/scipy-notebook/Dockerfile b/scipy-notebook/Dockerfile
index 82f899bf..ee02d592 100644
--- a/scipy-notebook/Dockerfile
+++ b/scipy-notebook/Dockerfile
@@ -3,8 +3,6 @@ FROM jupyter/minimal-notebook
 MAINTAINER Jupyter Project
-USER jovyan
-
 # Install Python 3 packages
 RUN conda install --yes \
 'ipywidgets=4.0*' \
@@ -46,7 +44,4 @@ RUN conda create -p $CONDA_DIR/envs/python2 python=2.7 \
 && conda clean -yt
 RUN $CONDA_DIR/envs/python2/bin/python \
 $CONDA_DIR/envs/python2/bin/ipython \
- kernelspec install-self --user
-
-# Switch back to root so that supervisord runs under that user
-USER root
\ No newline at end of file
+ kernelspec install-self
diff --git a/scipy-notebook/README.md b/scipy-notebook/README.md
index 20cc4dbf..128b747f 100644
--- a/scipy-notebook/README.md
+++ b/scipy-notebook/README.md
@@ -21,6 +21,7 @@ You may customize the execution of the Docker container and the Notebook server
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not found in `/home/jovyan/.ipython/profile_default/security/notebook.pem`, the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.