The SudoSpawner enables JupyterHub
to spawn single-user servers without being root, by spawning an intermediate
sudo, which takes actions on behalf of the user.
sudospawner mediator, the intermediate process, can only do two things:
- send a signal to another process using the os.kill() call
- spawn single-user servers
sudospawner script is the only action that requires a
JupyterHub administrator to have
sudo access to execute.
Installation and setup
pip install -e .
To configure JupyterHub to use SudoSpawner, add the following to your
Custom singleuser launch command
In order to limit what permissions the use of sudospawner grants the Hub,
when a single-user server is launched
the executable spawned is hardcoded as
This requires the
sudospawner executable to be in the same directory as the
It is very important that users cannot modify the
bin/ directory containing
otherwise they can modify what
sudospawner actually enables JupyterHub to do.
You may want to initialize user environment variables before launching the server, or do other initialization.
If you install a script called
sudospawner-singleuser next to
this will be used instead of the direct
For example, you might want to spawn notebook servers from conda environments that are revised and deployed separately from your hub instance.
#!/bin/bash -l set -e # Activate the notebook environment source /opt/miniconda/bin/activate /opt/envs/notebook-latest # Show environment info in the log to aid debugging conda info # Delegate the notebook server launch to the jupyterhub-singleuser script. # this is how most sudospawner-singleuser scripts should end. exec "$(dirname "$0")/jupyterhub-singleuser" $@
SudoSpawner with JupyterLab-Hub singleuser launch command
In order to have SudoSpawner work with JupyterLab-Hub you will need to create a custom singleuser launch command.
Create the script
sudospawner-singleuser containing the below code in the same directory as
sudospawner and grant it the same permissions.
#!/bin/bash -l # Delegate the notebook server launch to the jupyter-labhub script. exec "jupyter-labhub" $@
The Dockerfile in this repo contains an example configuration for setting up a JupyterHub system, without any need to run anything as root.