Create jovyan in Dockerfile, reset UID at startup

* Create user jovyan with UID=1000 in the default users group in the Dockerfile
* Set group ownership of user home and conda to root to avoid 'users' group from host access when mounted
* Set stick bit on both paths so root owns subdirs too
* Change jovyan UID if NB_UID is specified and is not the default 1000

Contribution (c) Copyright IBM Corp. 2015

minimal-notebook/Dockerfile

@@ -29,11 +29,15 @@ RUN apt-get update && apt-get install -yq --no-install-recommends \
 # Configure environment
 ENV CONDA_DIR /opt/conda
 ENV PATH $CONDA_DIR/bin:$PATH
+ENV NB_USER jovyan
+ENV NB_UID 1000
 
 # Install conda
-RUN echo export PATH=$CONDA_DIR/bin:'$PATH' > /etc/profile.d/conda.sh && \
+RUN mkdir -p $CONDA_DIR && \
+    chmod g+s $CONDA_DIR && \
+    echo export PATH=$CONDA_DIR/bin:'$PATH' > /etc/profile.d/conda.sh && \
     wget --quiet https://repo.continuum.io/miniconda/Miniconda3-3.9.1-Linux-x86_64.sh && \
-    /bin/bash /Miniconda3-3.9.1-Linux-x86_64.sh -b -p $CONDA_DIR && \
+    /bin/bash /Miniconda3-3.9.1-Linux-x86_64.sh -f -b -p $CONDA_DIR && \
     rm Miniconda3-3.9.1-Linux-x86_64.sh && \
     $CONDA_DIR/bin/conda install --yes conda==3.14.1
 
@@ -43,6 +47,16 @@ RUN conda install --yes \
     terminado \
     && conda clean -yt
 
+# Create jovyan user with UID=1000 and in the 'users' group
+# Grant ownership over the conda dir and home dir, but stick the group as root.
+RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
+    chmod g+s /home/$NB_USER && \
+    mkdir /home/$NB_USER/work && \
+    mkdir /home/$NB_USER/.jupyter && \
+    mkdir /home/$NB_USER/.local && \
+    chown -R $NB_USER:root $CONDA_DIR && \
+    chown -R $NB_USER:root /home/$NB_USER
+
 # Configure container startup
 EXPOSE 8888
 CMD [ "start-notebook.sh" ]
@@ -50,4 +64,5 @@ CMD [ "start-notebook.sh" ]
 # Add local files as late as possible to avoid cache busting
 COPY start-notebook.sh /usr/local/bin/
 COPY notebook.conf /etc/supervisor/conf.d/
-COPY jupyter_notebook_config.py /etc/skel/.jupyter/
+COPY jupyter_notebook_config.py /home/$NB_USER/.jupyter/
+RUN chown -R $NB_USER:root /home/$NB_USER/.jupyter

minimal-notebook/start-notebook.sh

@@ -1,29 +1,9 @@
 #!/bin/bash
 
-# Constants
-NB_USER=jovyan
-NB_HOME=/home/$NB_USER
-NB_WORK=$NB_HOME/work
-
-# Create non-root NB_USER if one doesn't exist
-id -u $NB_USER && user_exists=true
-if [ -z "$user_exists" ] ; then
-    useradd -m -s /bin/bash -u ${NB_UID:-1000} $NB_USER
-
-    # Setup a work directory rooted in the NB_USER home
-    mkdir -p $NB_WORK
-    chown -R $NB_USER.$NB_USER $NB_HOME
-
-    # Allow NB_USER group to update conda root env
-    chown -R root.$NB_USER $CONDA_DIR
-    chmod g+w $CONDA_DIR
-fi
-
-# Copy skeleton files if useradd didn't do it (e.g., volume mounted dir
-# residing in NB_HOME prevented it)
-if [ ! -d $NB_HOME/.jupyter ]; then
-    cp -r /etc/skel/. $NB_HOME
-    chown -R $NB_USER.$NB_USER $NB_HOME
+# Change UID of jovyan to NB_UID if it does not match
+if [ "$NB_UID" != $(id -u jovyan) ] ; then
+    usermod -u $NB_UID $NB_USER
+    chown -R $NB_UID:$NB_UID $CONDA_DIR
 fi
 
 # Enable sudo if requested