Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

start jupyterhub-singleuser within docker spawer #95

Merged
merged 5 commits into from
Sep 24, 2024
Merged

Conversation

Tianhao-Gu
Copy link
Collaborator

No description provided.

self._ensure_system_user()
self._ensure_workspace_permission()

def start_single_user_server(self):
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

copied from customer_spawner.py

self.log.info(f'Executing command: {" ".join(cmd)}')
subprocess.run(cmd, check=True)

def _ensure_system_user(self):
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mostly copied from customer_spawner.py. But using pwd and grp to check existing user and group.

finally:
fcntl.flock(lock, fcntl.LOCK_UN)

def _ensure_workspace_permission(self):
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

copied from custom_spawner.py

Copy link

codecov bot commented Sep 23, 2024

Codecov Report

Attention: Patch coverage is 21.25000% with 63 lines in your changes missing coverage. Please review.

Project coverage is 47.75%. Comparing base (d48c16f) to head (16a4ffc).
Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
src/jupyterhub_config/hub_singleuser.py 21.25% 63 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main      #95      +/-   ##
==========================================
- Coverage   54.37%   47.75%   -6.63%     
==========================================
  Files           6        7       +1     
  Lines         320      400      +80     
==========================================
+ Hits          174      191      +17     
- Misses        146      209      +63     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

self.groupname = groupname # OS system group

# Inherit the current environment variables
self.environment = dict(os.environ)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still makes me nervous...

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will get a whitelist later once system is up and running.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

:param username: The name of the user for whom the environment is set up.
:param groupname: The name of the OS system group to which the user belongs.
"""
self.username = username # OS system username
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand why the juipyterhub username and the linux username need to be the same

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

somewhere down the line (I think it's auth) will need to check that system user exist with the same jupyterhub username.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't quite get that - why would the linux username need to match the auth username?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe for some spawner it's not required. But I don't see it concerns us.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yarn is working fine with different users.

Not if it's bypassing fair share it isn't

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will explore some yarn setting (spark.yarn.queue) on the client's side.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you just use the same user for the containers you don't have to worry about this

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created another issue for this. #97

It's really not how Jupyterhub works as far as I understand.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you're saying that JH requires the linux username to match the JH username then yeah, that won't work and we'll have to look into modifying yarn or how the submit works


self.log.info(f'Configuring workspace permissions for {self.username}')
subprocess.run(['sudo', 'chown', '-R', f'{self.username}:{group_name}', self.user_dir], check=True)
subprocess.run(['sudo', 'chmod', '-R', '777', self.user_dir], check=True)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this still needed or is 700 or 770 ok?

Also this is going to make all files executable, which I assume you don't want

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 changed to 770.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making all the files executable?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 changed to 750. I am really still trying to make it work first, before considering security, etc.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

750 still makes the files executable for the owner but doesn't let the group traverse the directories. You'd probably need to do it in 2 steps, one handling directories and one handling files, unless there's some build in way in chmod to do that.

That said if you want to make an issue and move on that's fine

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But it also doesn't hurt. And really not our concerns now.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But it also doesn't hurt.

It does hurt for the reasons in the link and general security principles. But as I said

That said if you want to make an issue and move on that's fine

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really don't know what to put on the issue. Do you think you can make one? I just don't see any security concerns or principles being violated by assigning users 750 permissions on their own workspace within their isolated container.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The security concerns are listed above in the SO post

For the ticket, just something like "Don't chmod non-executable files to executable" and link this PR, I'd say

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 #96

@Tianhao-Gu Tianhao-Gu merged commit f9d00f7 into main Sep 24, 2024
7 of 10 checks passed
@Tianhao-Gu Tianhao-Gu deleted the dev_jupyterhub branch September 24, 2024 00:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants