SudoSpawner: Spawner for JupyterHub using sudo
Project description
SudoSpawner
The SudoSpawner enables JupyterHub
to spawn single-user servers without being root, by spawning an intermediate
process via sudo
, which takes actions on behalf of the user.
The sudospawner
mediator, the intermediate process, can only do two things:
- send a signal to another process using the os.kill() call
- spawn single-user servers
Launching the sudospawner
script is the only action that requires a
JupyterHub administrator to have sudo
access to execute.
Installation and setup
-
Install:
pip install -e .
-
To configure JupyterHub to use SudoSpawner, add the following to your
jupyterhub_config.py
:c.JupyterHub.spawner_class='sudospawner.SudoSpawner'
The JupyterHub documentation has additional information about creating a configuration file, if needed, and recommended file locations for configuration files.
Custom singleuser launch command
In order to limit what permissions the use of sudospawner grants the Hub,
when a single-user server is launched
the executable spawned is hardcoded as dirname(sudospawner)/jupyterhub-singleuser
.
This requires the sudospawner
executable to be in the same directory as the jupyterhub-singleuser
command.
It is very important that users cannot modify the bin/
directory containing sudospawner
,
otherwise they can modify what sudospawner
actually enables JupyterHub to do.
You may want to initialize user environment variables before launching the server, or do other initialization.
If you install a script called sudospawner-singleuser
next to sudospawner
,
this will be used instead of the direct jupyterhub-singleuser
command.
For example, you might want to spawn notebook servers from conda environments that are revised and deployed separately from your hub instance.
#!/bin/bash -l
set -e
# Activate the notebook environment
source /opt/miniconda/bin/activate /opt/envs/notebook-latest
# Show environment info in the log to aid debugging
conda info
# Delegate the notebook server launch to the jupyterhub-singleuser script.
# this is how most sudospawner-singleuser scripts should end.
exec "$(dirname "$0")/jupyterhub-singleuser" $@
SudoSpawner with JupyterLab-Hub singleuser launch command
In order to have SudoSpawner work with JupyterLab-Hub you will need to create a custom singleuser launch command.
Create the script sudospawner-singleuser
containing the below code in the same directory as sudospawner
and grant it the same permissions.
#!/bin/bash -l
# Delegate the notebook server launch to the jupyter-labhub script.
exec "jupyter-labhub" $@
Example
The Dockerfile in this repo contains an example configuration for setting up a JupyterHub system, without any need to run anything as root.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for sudospawner-0.5.2-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 662e5513a8c78cc654f7e997449ad36532a7f04051d459b39a423e4171cc8495 |
|
MD5 | 4de2a1488543b087ccdc1f724ae70196 |
|
BLAKE2b-256 | 55a8ff1a55a19f3d9b6927282e78e147e6c093a529d2c99a4a5d4d1d9a46a437 |