Make subimages compatible with late user creation

* Always remain as root during install
* Put kernel specs in system path, not user home
* Create user work directory at startup
* Note this is in 4.0 and up images, not 3.2

Contribution (c) Copyright IBM Corp. 2015
Peter Parente
2015-08-28 22:38:13 -04:00
parent 30932a3b12
commit c4616560cf
13 changed files with 21 additions and 45 deletions

@@ -24,8 +24,11 @@ RUN apt-get update && apt-get install -yq --no-install-recommends \
sudo \
&& apt-get clean
# Configure docker environment
ENV CONDA_DIR /opt/conda
ENV NB_USER jovyan
ENV WORK /home/$NB_USER/work
ENV PATH $CONDA_DIR/bin:$PATH
# Install conda
RUN echo export PATH=$CONDA_DIR/bin:'$PATH' > /etc/profile.d/conda.sh && \
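Review bot: `ENV WORK /home/$NB_USER/work` is expanded once at build time, so the path stays `/home/jovyan/work` even if a different `NB_USER` is passed at run time, while the start script's `useradd -m` would create the home directory under the new name. Either state in the README that `NB_USER` is fixed and only `NB_UID` is configurable, or derive `WORK` in the start script after the user has been created.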
@@ -34,14 +37,6 @@ RUN echo export PATH=$CONDA_DIR/bin:'$PATH' > /etc/profile.d/conda.sh && \
rm Miniconda3-3.9.1-Linux-x86_64.sh && \
$CONDA_DIR/bin/conda install --yes conda==3.14.1
# Configure docker environment
ENV PATH $CONDA_DIR/bin:$PATH
# Setup a work directory rooted in home for ease of volume mounting
ENV WORK /notebooks
RUN mkdir -p $WORK && chown root.users $WORK && chmod g+w $WORK
WORKDIR $WORK
# Install Jupyter notebook
RUN conda install --yes \
'notebook=4.0*' \
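Review bot: with `WORKDIR $WORK` removed here, none of the visible hunks sets a working directory again, so the container and any sub-image `RUN` steps now start in the image default directory. Confirm that the start script changes into `$WORK` (or passes it to the server as the notebook directory) before launching, otherwise the `-v ...:/home/jovyan/work` mount described in the README may not be where notebooks end up.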

@@ -21,7 +21,7 @@ You may customize the execution of the Docker container and the Notebook server
* `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
* `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not provided (see below), the container will generate a self-signed certificate for you.
* `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
* `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
* `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
* **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.
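Review bot: the `NB_UID` bullet gains a `(v4.0.x)` tag, but the `-v /some/host/folder/for/work:/home/jovyan/work` bullet below it stays untagged even though the commit message says the startup-created work directory applies to 4.0 images and not 3.2. If the mount path or its ownership behaves differently between the two image lines, tag that bullet as well and say so. While this list is being edited, the `PASSWORD` bullet still reads "conbined" and should be "combined".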

@@ -1,4 +1,5 @@
#!/bin/bash
set -e
# Create non-root NB_USER, member of group "users"
useradd -m -s /bin/bash -u ${NB_UID:-1000} -G users $NB_USER
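Review bot: with `set -e` at the top, the `useradd` line aborts the whole script when the container is restarted, because the user created on first start still exists in the container filesystem and `useradd` exits non-zero for an existing name. Guard the call, for example `id -u "$NB_USER" >/dev/null 2>&1 || useradd ...`, and quote `"$NB_USER"` and `"${NB_UID:-1000}"` so an empty or malformed value fails clearly instead of shifting arguments.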
@@ -7,6 +8,11 @@ useradd -m -s /bin/bash -u ${NB_UID:-1000} -G users $NB_USER
chown -R root.users $CONDA_DIR
chmod -R g+w $CONDA_DIR
# Setup a work directory rooted in the NB_USER home
mkdir -p $WORK
chown root.users $WORK
chmod g+w $WORK
# Enable sudo if requested
if [ ! -z "$GRANT_SUDO" ]; then
echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook
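Review bot: `chown root.users $WORK` runs on every start, and when a host folder is mounted at `$WORK` as the README suggests, it rewrites the owner of that host folder to root, which works against the stated purpose of `NB_UID` (matching host file ownership) and leaves the user with access only through the `users` group. Consider `chown "$NB_USER":users "$WORK"`, or skipping the chown when the directory already exists, and prefer the `user:group` separator over the dot form. Separately, the context line `[ ! -z "$GRANT_SUDO" ]` grants passwordless sudo for any non-empty value, including `GRANT_SUDO=no`; comparing against `yes` would match what the README documents.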