Create jovyan in Dockerfile, reset UID at startup #31
Conversation
parente
force-pushed
the
early-user-late-uid
branch
from
a596a07 to
fa8d7b5
Compare
|
Argh, docker fun: So after installing ijulia, the I tried various workarounds to no avail. Might be at a dead end. |
|
Found slight workarounds for the docker permission weirdness for both ijulia and bash kernel. Will kick off builds of all the other subimages tonight and see if anything else breaks with this change. |
* Create user jovyan with UID=1000 in the default users group in the Dockerfile * Set group ownership of user home and conda to root to avoid 'users' group from host access when mounted * Set stick bit on both paths so root owns subdirs too * Change jovyan UID if NB_UID is specified and is not the default 1000 Contribution (c) Copyright IBM Corp. 2015
parente
force-pushed
the
early-user-late-uid
branch
2 times, most recently
from
fdd348a to
0276cb5
Compare
Contribution (c) Copyright IBM Corp. 2015
parente
force-pushed
the
early-user-late-uid
branch
from
0276cb5 to
f13a494
Compare
… but install kernel specs global to avoid problems when switching NB_UID Contribution (c) Copyright IBM Corp. 2015
parente
force-pushed
the
early-user-late-uid
branch
from
f13a494 to
69c5c35
Compare
|
I've locally rebuilt every stack using the new minimal-notebook image defined by the Dockerfile changes in this PR. I've confirmed the changes fix #30 and make #25 possible without any serious hoop-jumping. I've run each image in the following two ways (i.e., with and without a UID change for jovyan): In every case, I've confirmed the containers to be working properly, meaning:
Remaining problem: I don't know what I don't know. For instance, does setting the default group for jovyan to I'm just looking to be a bit more careful up front this time to avoid having to come back to updating the base again and again with slight tweaks for different user / mount scenarios. @rgbkrk Can I get a quick sanity check? |
|
Looking really good. Only thing I'm wondering is what the reasoning is for ending as root user in the final user bound images. |
|
Turns out that if you don't switch back to root, the CMD from the base image launches as the last USER. 👀 |
|
I agree; this has great promise. Simpler is better! |
| mkdir /home/$NB_USER/.jupyter && \ | ||
| mkdir /home/$NB_USER/.local && \ | ||
| chown -R $NB_USER:root $CONDA_DIR && \ | ||
| chown -R $NB_USER:root /home/$NB_USER |
There was a problem hiding this comment.
Why set the group ownership to root?
There was a problem hiding this comment.
Exactly what I wanted to ask you. :) The -N on useradd puts the jovyan user in the default users group (GID=100). Anything that user touches in a host mount home or work dir will be accessible by GID=100 on the host unless the root of the mount has proper permissions. To head off any "Oops, I didn't think to protect against a container / host group overlap as well as UID overlap", I figured root was a safe bet.
But I agree it's quirky. I'm open to suggestions here.
There was a problem hiding this comment.
I didn't notice the -N switch but I like the effect. Coincidentally, I am using the users group on my host CentOS system where the GID is also 100 so I'd prefer that over root but I respect that it may not satisfy all applications.
This must be a common Docker problem... Some research may be required for a sensible suggestion.
There was a problem hiding this comment.
Long running issue with lots of solutions but no clear best practice:
moby/moby#7198
The real solution probably lies in docker + kernel support for user namespace mapping: moby/moby#12648
My gut tells me we should treat whatever we do as a patch for the time being and so simpler is better. We can state the limitations and exactly what's going to happen in host mounts in the READMEs. My vote is for calling out user=jovyan (fixed), primary group = users (fixed), UID=configurable via env var NB_UID (default: 1000) and GID=100 (fixed).
I guess I assumed that was the opinionated behavior we wanted to provide people, so they don't run as root by default. |
|
supervisord runs as root and changes to the jovyan user. If / when we switch away from that (issue #24), it'll need to change, yes. |
|
Oh durr. I totally forgot about that. So sorry. |
|
👍 |
|
Last set of pushes now has:
Going to put this into master and trigger the DH builds. datascience-notebook will fail to rebuild because IJulia has a regression at the moment and I can't find a way to point at a specific commit in Julia. |
Create jovyan in Dockerfile, reset UID at startup
Enable requesting a specific OAuth scope in subclasses
@costerwi Can you give this a shot and see if it retains what you're looking for via the NB_UID runtime env var plus fixes the problems you were correcting in your latest PRs? Meanwhile, I'm going to see if it fixes both the bash and julia kernel install problems people have reported with the current setup.