I ran into an issue when trying to get this to work with a NFS server which I did not have direct control over (EFS). As part of the PersistentVolumeClaim, there is no easy way to set the UID and GID of the created directory.on the networked FS.
My only concern with this chown is that some user out there might be running jupyterhub in an odd configuration where $NB_USER is not supposed to have these exact permissions on the storage. I think this is quite unlikely, but it is worth mentioning.
I chronicled my experiences with working around this issue and setting up z2jh on EFS in https://github.com/jupyterhub/zero-to-jupyterhub-k8s/issues/421 with @yuvipanda.
* Refactor to use sudo to become jovyna when the
container starts as root
* Retain all environment variables when becoming
jovyan
* Handle start.sh without additional commands when
launching a container as NB_USER too
Please refer to alias, in bottom of commit.
> dbn
Execute the command: jupyter notebook
> dbn bash
jovyan@eedcc93a837d:~$
> dbn start.sh
Execute the command:
exit
> dbnr
Set username to: jovyan
usermod: no changes
Set jovyan GID to: 100
Execute the command: jupyter notebook
Running as root is not recommended. Use --allow-root to bypass.
exit
> dbnr bash
root@893cb78b8c9c:~#
> dbnr start.sh
Set username to: jovyan
usermod: no changes
Set jovyan GID to: 100
Execute the command:
No arguments supplied
HOSTNAME=d45c52e788b7
TERM=xterm
SHELL=/bin/bash
NB_USER=jovyan
LC_ALL=en_US.UTF-8
PATH=/opt/conda/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
MINICONDA_VERSION=4.3.30
PWD=/home/jovyan
LANG=en_US.UTF-8
HOME=/home/jovyan
SHLVL=2
LANGUAGE=en_US.UTF-8
no_proxy=*.local, 169.254/16
DEBIAN_FRONTEND=noninteractive
CONDA_DIR=/opt/conda
NB_GID=100
NB_UID=1000
root@d45c52e788b7:~#
> dbnrs
Set username to: jovyan
usermod: no changes
Set jovyan GID to: 100
Granting jovyan sudo access
Execute the command: jupyter notebook
Copy/paste this URL into your browser when you connect for the first time, ....
> dbnrs bash
root@f293dce949db:~#
> dbnrs start.sh
Set username to: jovyan
usermod: no changes
Set jovyan GID to: 100
Granting jovyan sudo access
Execute the command:
No arguments supplied
HOSTNAME=d0cd57ea32e2
SHELL=/bin/bash
TERM=xterm
LC_ALL=en_US.UTF-8
USER=jovyan
SUDO_USER=root
SUDO_UID=0
USERNAME=jovyan
MAIL=/var/mail/jovyan
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
PWD=/home/jovyan
LANG=en_US.UTF-8
SHLVL=1
SUDO_COMMAND=/bin/bash -c env; PATH=$PATH; bash
HOME=/home/jovyan
LANGUAGE=en_US.UTF-8
LOGNAME=jovyan
SUDO_GID=0
_=/usr/bin/env
jovyan@d0cd57ea32e2:~$
> dbns
Container must be run as root to grant sudo permissions
Execute the command: jupyter notebook
Copy/paste this URL in..
> dbns bash
jovyan@ce5c2491fa32:~$
> dbns start.sh
Container must be run as root to grant sudo permissions
Execute the command:
exit
###### Build user setup
docker build -t $USER/base-notebook -f Dockerfile .
# Normal, dbn: docker-base-notebook
alias dbn='docker run -ti --rm -p 8888:8888 -v "$PWD":/home/jovyan/work --name base-notebook $USER/base-notebook'
# Root, dbnr: dbn with root
alias dbnr='docker run -ti --rm -p 8888:8888 --user root -v "$PWD":/home/jovyan/work --name base-notebook $USER/base-notebook'
# Jovyan SUDO, dbnr: dbn with SUDO for jovyan
alias dbnrs='docker run -ti --rm -p 8888:8888 --user root -e GRANT_SUDO=yes -v "$PWD":/home/jovyan/work --name base-notebook $USER/base-notebook'
# Root, fail to sudo for jovyan.
alias dbns='docker run -ti --rm -p 8888:8888 -e GRANT_SUDO=yes -v "$PWD":/home/jovyan/work --name base-notebook $USER/base-notebook'
ensures files have the right owner:group
unfortunately, not enough to get group-writable permissions (need acl or umask for that),
so we still need to run it after each install
- any files the user should be able to write should have group `user-permissions` with `g+rwX`
- remove `chown` from start.sh because it is no longer needed
- add `fix-permissions` script for setting the user-writable permissions on a path
- user-permissions group as GID 10000 (is there a reason for it to have a different value?)
- containers can set group with `--group-add user-writable` if they want to run with a different uid/gid
(without -u root -e NB_UID -e NB_GID, which make this unnecessary)
