New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GRANT_SUDO on started servers #562
Comments
so, it does not work because jupyterhub starts the user server using the user id and not root (see base-notebook/start.sh#L57. My current mitigation is to overload the docker image with my own docker layer:
|
Thanks for bringing this up! We should document how to do this! You can grant sudo by: singleuser:
extraEnv:
GRANT_SUDO: "yes"
uid: 0 The uid:0 will start the notebook as root, and you won't need extra entries. |
ok, and after it will still start the notebook server as joyvan as usual, right? |
It should, yeah - at least with the default image / docker-stacks images.
The user id switching is done in the scripts in the image.
…On Thu, Mar 15, 2018 at 12:51 PM, Gaetan Semet ***@***.***> wrote:
ok, and after it will start the notebook server as joyvan as usual, right?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#562 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAB23hg2-SqV7-Yu-5Ep75tZ9OUT06khks5tesYxgaJpZM4ScF3K>
.
--
Yuvi Panda T
http://yuvi.in/blog
|
I get an error "Running as root is not recommended" when using |
ah I forgot about that, @gsemet! Would be awesome if you can open a docs PR :) |
I don't have a proper solution yet, for the moment I hardcode the sudoers hack in a customized derived notebook docker image.... |
@manics got an idea for something to make us actionable in general about this issue? |
@consideRatio Sorry, been away for a few days. Looks like it should just work: |
@manics, @gsemet: I was able to get this working with: singleuser:
extraEnv:
GRANT_SUDO: "yes"
uid: 0
cmd: null By default, the chart's values.yaml hard-codes running |
Sadly this is not an option when wanting to use jupyterlab, as one normally should set Is there currently a different option than to set the NEW UPDATE: Seems a bit hacky to me altogether, but it works. |
@dkipping Does setting |
@manics Just a quick detail plug without reading the discussion up to this point. The |
Yes that works. Thanks guys! Maybe it would make the configuration work a bit more fluent, if instead of specifying On the other hand, that would make it less consistent with other usecases of |
singleuser.uid=0 seems to throw "Running as root is not recommended. Use --allow-root to bypass." for me which prevents the container from coming up properly. My use case is:
I still can't get sudo working for jovyan despite the comments above in this thread. @dkipping Am I missing something obvious? All the envs are set for singleuser, and none for hub - right? I can get jupyterlab working nicely but again without sudo. Very grateful for any and all help - many thanks |
@jtlz2 can you paste or link to your configuration and Dockerfile? There are several suggestions in this thread, so please give us more detail on your current setup. |
@manics Many thanks. Here you go:
config.yaml -
Thanks! |
extraConfig:
jupyterlab: |
c.Spawner.cmd = ['jupyter-labhub']
c.InteractiveShellApp.exec_lines = ['!pip install --upgrade pip'] This sets the startup command to |
I also cannot get this approach to work. I'm not trying to default to JupyterLab, so I just inserted the singleuser code. Do I need to do something else? My config file is as follows:
|
@manics Extremely belatedly - just tested - your scheme works! Thank you so so much :) JUPYTER_ENABLE_LAB not needed |
Note, starting Also, the I understand it as we need to start jupyterhub-singleuser in order to let the notebook server itself be Hub aware though, and to start within jupyterlab, we need to have a defaultUrl set. My best current understanding, on how to get JupyterLab running by default, with SUDO access for users, in z2jh, is like this: singleuser:
defaultUrl: /lab
extraEnv:
GRANT_SUDO: "yes"
NOTEBOOK_ARGS: "--allow-root"
uid: 0
cmd: start-singleuser.sh Note that GRANT_SUDO will be ignored by the start scripts unless it is started as the root user (uid=0). UPDATEI'm working to resolve this for myself currently, the configuration above isn't enough I think. |
Based on comments above and this comment, the following config enabled JupyterLab with singleuser:
extraEnv:
GRANT_SUDO: "yes"
NOTEBOOK_ARGS: "--allow-root"
uid: 0
cmd: start-singleuser.sh
defaultUrl: "/lab"
hub:
extraConfig:
jupyterlab: |
c.Spawner.default_url = "/lab" |
@ilhaan these parts are doing the same thing, only one is needed.
|
@consideRatio Thanks! I think I had that left over from an older config and didn't remove it since things were in working condition. |
I'm closing this as it seems to be resolved. |
I would love to see this re-opened. This GRANT_SUDO variable is goofy. If you set the pod to run as root, what is the point of granting sudo? I want the pod to run as the jovyan user, but give the user the ability to run sudo. At this point it makes more sense to add a sudoers file in the docker file. That's the simplest and likley best option. That way I can actually put the list of commands I want to be able to have the jovyan user run. |
The GRANT_SUDO variable only has meaning based on specific docker images and I want to decouple this repo's (jupyterhub helm chart repo) issues from jupyter/docker-stacks issues. To my knowledge, this is what would be required for the The example below is relying on start-singleuser.sh - a script out of control of this repo, and GRANT_SUDO, an environment variable with meaning by this script, and NOTEBOOK_ARGS as well. Due to this, I find that the only thing in scope of this project could be to have a configuration example like below.
@cocampbe for any issue, I'd like there to be a concrete action point to the code base in the github repository. What kind of change do you suggest we include? This repo contains the documentation on how to use the JupyterHub Helm chart, and it could be in scope to document something for example. If we do document something like above, it is strictly for use with against jupyter/docker-stacks based images though. Related in jupyter/docker-stacks
|
This makes sense. I wasn't thinking of them as separate. I think the issue for me is that the projects are related and trying to figure out how to reconcile the two can be difficult. After reading your reply, I am in agreement. For my case, I am going to have to add a sudoer file to the docker image. |
Hello
I don't seem to be able to grant SUDO permission on the started instance. The container should have the
GRANT_SUDO
environment variable and be started as root, and the later condition does not seem to be met.I have put this env in extraEnv and does see in the started container:
The text was updated successfully, but these errors were encountered: