Merge pull request #1270 from maresb/patch-1

Prepend $CONDA_DIR/bin instead of appending
Erik Sundell
2022-01-30 02:04:43 +01:00
committed by GitHub
2 changed files with 29 additions and 2 deletions


@@ -150,8 +150,8 @@ if [ "$(id -u)" == 0 ] ; then
# Update potentially outdated environment variables since image build
export XDG_CACHE_HOME="/home/${NB_USER}/.cache"
# Add ${CONDA_DIR}/bin to sudo secure_path
sed -r "s#Defaults\s+secure_path\s*=\s*\"?([^\"]+)\"?#Defaults secure_path=\"\1:${CONDA_DIR}/bin\"#" /etc/sudoers | grep secure_path > /etc/sudoers.d/path
# Prepend ${CONDA_DIR}/bin to sudo secure_path
sed -r "s#Defaults\s+secure_path\s*=\s*\"?([^\"]+)\"?#Defaults secure_path=\"${CONDA_DIR}/bin:\1\"#" /etc/sudoers | grep secure_path > /etc/sudoers.d/path
# Optionally grant passwordless sudo rights for the desired user
if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == "yes" ]]; then
@@ -168,6 +168,12 @@ if [ "$(id -u)" == 0 ] ; then
PATH="${PATH}" \
PYTHONPATH="${PYTHONPATH:-}" \
"${cmd[@]}"
# Note on the purpose of "PATH=${PATH}":
# In case "${cmd[@]}" is "bash", then PATH will be used by this bash shell.
# However, PATH is irrelevant to how the above sudo command resolves the
# path of "${cmd[@]}". Sudo's path resolution is done via the "secure_path"
# variable set above in /etc/sudoers.d/path.
# The container didn't start as the root user, so we will have to act as the
# user we started as.
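Review bot: Putting `${CONDA_DIR}/bin` first in `secure_path` (the rewritten `sed` line) means every command run through sudo is resolved there before the system directories, so the protection `secure_path` offers now depends on who can write to that directory. The diff does not show its ownership, so if the unprivileged notebook user can write to it, that trade-off should be stated next to the code. I would extend the comment above the `sed` line with `# NOTE: ${CONDA_DIR}/bin now takes precedence over system directories for every sudo invocation; treat it as a trusted directory.` Separately, `${CONDA_DIR}` is interpolated unescaped into the sed replacement and the result is written to `/etc/sudoers.d/path` without a syntax check; running `visudo -cf /etc/sudoers.d/path` after the write would catch a malformed file. The enclosing `if [ "$(id -u)" == 0 ]` block starts and ends outside the hunks shown.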


@@ -306,3 +306,24 @@ def test_jupyter_env_vars_to_unset_as_root(
**root_args, # type: ignore
)
assert "I like bananas and stuff, and love to keep secrets!" in logs
def test_secure_path(container: TrackedContainer, tmp_path: pathlib.Path) -> None:
"""Make sure that the sudo command has conda's python (not system's) on path.
See <https://github.com/jupyter/docker-stacks/issues/1053>.
"""
d = tmp_path / "data"
d.mkdir()
p = d / "wrong_python.sh"
p.write_text('#!/bin/bash\necho "Wrong python executable invoked!"')
p.chmod(0o755)
logs = container.run_and_wait(
timeout=5,
tty=True,
user="root",
volumes={p: {"bind": "/usr/bin/python", "mode": "ro"}},
command=["start.sh", "python", "--version"],
)
assert "Wrong python" not in logs
assert "Python" in logs
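Review bot: The final `assert "Python" in logs` in test_secure_path is a loose positive check, because it passes on any log line containing that word rather than on the interpreter's version banner. Matching the version line instead, e.g. `assert re.search(r"Python \d+\.\d+", logs)` (with `import re` if the module does not already have it), would pin that the intended interpreter actually ran. The docstring could also say in one sentence that a decoy script is bind-mounted read-only over `/usr/bin/python`, since that is what makes the `"Wrong python" not in logs` assertion meaningful.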