diff options
| -rw-r--r-- | Dockerfile | 44 | ||||
| -rwxr-xr-x | build.sh | 23 | ||||
| -rwxr-xr-x | scripts/fix-permissions | 35 | ||||
| -rw-r--r-- | scripts/jupyter_notebook_config.py | 55 | ||||
| -rwxr-xr-x | scripts/start-notebook.sh | 14 | ||||
| -rwxr-xr-x | scripts/start-singleuser.sh | 43 | ||||
| -rwxr-xr-x | scripts/start.sh | 150 |
7 files changed, 346 insertions, 18 deletions
@@ -4,21 +4,61 @@ FROM ${HUB}/datb-tc-pipeline:${PIPELINE} LABEL maintainer="jhunk@stsci.edu" \ vendor="Space Telescope Science Institute" +ARG NB_USER="jovyan" +ARG NB_UID="1100" +ARG NB_GID="110" + +USER root WORKDIR "${TOOLCHAIN_BUILD}" COPY scripts/build.sh ${TOOLCHAIN_BUILD}/bin/ COPY etc/ ${TOOLCHAIN_BUILD}/etc +ENV NB_USER="${NB_USER}" \ + NB_UID="${NB_UID}" \ + NB_GID="${NB_GID}" \ + LC_ALL=en_US.UTF-8 \ + LANG=en_US.UTF-8 \ + LANGUAGE=en_US.UTF-8 +ENV NB_HOME="/home/${NB_USER}" + +ADD scripts/fix-permissions /usr/local/bin/fix-permissions +# Create jovyan user with UID=1100 and in the 'users' group +# and make sure these dirs are writable by the `users` group. +RUN echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su && \ + useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \ + chmod g+w /etc/passwd && \ + fix-permissions $NB_HOME && \ + echo "root ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/rewt + +# Begin toolchain image-specific steps USER "${USER_ACCT}" RUN sudo chown -R ${USER_ACCT}: ${TOOLCHAIN_BUILD} \ && bin/build.sh \ && sudo rm -rf "${TOOLCHAIN_BUILD}" +# Begin jupyterhub specific steps +ENV HOME="${NB_HOME}" +USER "${NB_UID}" + +# Setup work directory for backward-compatibility +RUN mkdir /home/$NB_USER/work && \ + fix-permissions /home/$NB_USER && \ + jupyter notebook --generate-config + USER root EXPOSE 8888 +WORKDIR "${HOME}" + ENTRYPOINT ["tini", "-g", "--"] -CMD ["start.sh"] +CMD ["start-notebook.sh"] + +COPY scripts/start.sh /usr/local/bin/ +COPY scripts/start-notebook.sh /usr/local/bin/ +COPY scripts/start-singleuser.sh /usr/local/bin/ +COPY scripts/jupyter_notebook_config.py /etc/jupyter/ +RUN fix-permissions /etc/jupyter/ -COPY scripts/start.sh /usr/local/bin +USER "${NB_UID}" @@ -53,15 +53,22 @@ fi max_retry=4 retry=0 set +e -while (( retry != max_retry )) +for tag in "${TAGS[@]}" do - echo "Push attempt #$(( retry + 1 ))" - docker push "${PROJECT}:${image_tag}" - rv=$? - if [[ ${rv} == 0 ]]; then - break - fi - (( retry++ )) + # strip argument prefix + tag=${tag#"-t"} + tag=${tag#" "} + + while (( retry != max_retry )) + do + echo "Push attempt #$(( retry + 1 ))" + docker push "${tag}" + rv=$? + if [[ ${rv} == 0 ]]; then + break + fi + (( retry++ )) + done done exit ${rv} diff --git a/scripts/fix-permissions b/scripts/fix-permissions new file mode 100755 index 0000000..7e27f51 --- /dev/null +++ b/scripts/fix-permissions @@ -0,0 +1,35 @@ +#!/bin/bash +# set permissions on a directory +# after any installation, if a directory needs to be (human) user-writable, +# run this script on it. +# It will make everything in the directory owned by the group $NB_GID +# and writable by that group. +# Deployments that want to set a specific user id can preserve permissions +# by adding the `--group-add users` line to `docker run`. + +# uses find to avoid touching files that already have the right permissions, +# which would cause massive image explosion + +# right permissions are: +# group=$NB_GID +# AND permissions include group rwX (directory-execute) +# AND directories have setuid,setgid bits set + +set -e + +for d in "$@"; do + find "$d" \ + ! \( \ + -group $NB_GID \ + -a -perm -g+rwX \ + \) \ + -exec chgrp $NB_GID {} \; \ + -exec chmod g+rwX {} \; + # setuid,setgid *on directories only* + find "$d" \ + \( \ + -type d \ + -a ! -perm -6000 \ + \) \ + -exec chmod u+s,g+s {} \; +done diff --git a/scripts/jupyter_notebook_config.py b/scripts/jupyter_notebook_config.py new file mode 100644 index 0000000..453943b --- /dev/null +++ b/scripts/jupyter_notebook_config.py @@ -0,0 +1,55 @@ +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +from jupyter_core.paths import jupyter_data_dir +import subprocess +import os +import errno +import stat + +c = get_config() +c.NotebookApp.ip = '0.0.0.0' +c.NotebookApp.port = 8888 +c.NotebookApp.open_browser = False + +# https://github.com/jupyter/notebook/issues/3130 +c.FileContentsManager.delete_to_trash = False + +# Generate a self-signed certificate +if 'GEN_CERT' in os.environ: + dir_name = jupyter_data_dir() + pem_file = os.path.join(dir_name, 'notebook.pem') + try: + os.makedirs(dir_name) + except OSError as exc: # Python >2.5 + if exc.errno == errno.EEXIST and os.path.isdir(dir_name): + pass + else: + raise + + # Generate an openssl.cnf file to set the distinguished name + cnf_file = os.path.join(os.getenv('TOOLCHAIN_LIB', '/usr/lib'), 'ssl', 'openssl.cnf') + if not os.path.isfile(cnf_file): + with open(cnf_file, 'w') as fh: + fh.write('''\ +[req] +distinguished_name = req_distinguished_name +[req_distinguished_name] +''') + + # Generate a certificate if one doesn't exist on disk + subprocess.check_call(['openssl', 'req', '-new', + '-newkey', 'rsa:2048', + '-days', '365', + '-nodes', '-x509', + '-subj', '/C=XX/ST=XX/L=XX/O=generated/CN=generated', + '-keyout', pem_file, + '-out', pem_file]) + # Restrict access to the file + os.chmod(pem_file, stat.S_IRUSR | stat.S_IWUSR) + c.NotebookApp.certfile = pem_file + +# Change default umask for all subprocesses of the notebook server if set in +# the environment +if 'NB_UMASK' in os.environ: + os.umask(int(os.environ['NB_UMASK'], 8)) diff --git a/scripts/start-notebook.sh b/scripts/start-notebook.sh new file mode 100755 index 0000000..b38c738 --- /dev/null +++ b/scripts/start-notebook.sh @@ -0,0 +1,14 @@ +#!/bin/bash +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +set -e + +if [[ ! -z "${JUPYTERHUB_API_TOKEN}" ]]; then + # launched by JupyterHub, use single-user entrypoint + exec /usr/local/bin/start-singleuser.sh "$@" +elif [[ ! -z "${JUPYTER_ENABLE_LAB}" ]]; then + . /usr/local/bin/start.sh jupyter lab "$@" +else + . /usr/local/bin/start.sh jupyter notebook "$@" +fi diff --git a/scripts/start-singleuser.sh b/scripts/start-singleuser.sh new file mode 100755 index 0000000..8cb8cae --- /dev/null +++ b/scripts/start-singleuser.sh @@ -0,0 +1,43 @@ +#!/bin/bash +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +set -e + +# set default ip to 0.0.0.0 +if [[ "$NOTEBOOK_ARGS $@" != *"--ip="* ]]; then + NOTEBOOK_ARGS="--ip=0.0.0.0 $NOTEBOOK_ARGS" +fi + +# handle some deprecated environment variables +# from DockerSpawner < 0.8. +# These won't be passed from DockerSpawner 0.9, +# so avoid specifying --arg=empty-string +if [ ! -z "$NOTEBOOK_DIR" ]; then + NOTEBOOK_ARGS="--notebook-dir='$NOTEBOOK_DIR' $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_PORT" ]; then + NOTEBOOK_ARGS="--port=$JPY_PORT $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_USER" ]; then + NOTEBOOK_ARGS="--user=$JPY_USER $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_COOKIE_NAME" ]; then + NOTEBOOK_ARGS="--cookie-name=$JPY_COOKIE_NAME $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_BASE_URL" ]; then + NOTEBOOK_ARGS="--base-url=$JPY_BASE_URL $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_HUB_PREFIX" ]; then + NOTEBOOK_ARGS="--hub-prefix=$JPY_HUB_PREFIX $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_HUB_API_URL" ]; then + NOTEBOOK_ARGS="--hub-api-url=$JPY_HUB_API_URL $NOTEBOOK_ARGS" +fi +if [ ! -z "$JUPYTER_ENABLE_LAB" ]; then + NOTEBOOK_BIN="jupyter labhub" +else + NOTEBOOK_BIN="jupyterhub-singleuser" +fi + +. /usr/local/bin/start.sh $NOTEBOOK_BIN $NOTEBOOK_ARGS "$@" diff --git a/scripts/start.sh b/scripts/start.sh index c773303..deab4a2 100755 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -1,13 +1,147 @@ #!/bin/bash -set -vxe -if [[ "${@}" == bash* ]]; then - exec "${@}" +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +set -e + +# Exec the specified command or fall back on bash +if [ $# -eq 0 ]; then + cmd=( "bash" ) +else + cmd=( "$@" ) fi -if [[ -n ${JUPYTER_API_TOKEN} ]]; then - exec jupyterhub-singleuser --ip=0.0.0.0 "${@}" -elif [[ -n ${JUPYTER_ENABLE_LAB} ]]; then - exec jupyter labhub --ip=0.0.0.0 "${@}" +run-hooks () { + # Source scripts or run executable files in a directory + if [[ ! -d "$1" ]] ; then + return + fi + echo "$0: running hooks in $1" + for f in "$1/"*; do + case "$f" in + *.sh) + echo "$0: running $f" + source "$f" + ;; + *) + if [[ -x "$f" ]] ; then + echo "$0: running $f" + "$f" + else + echo "$0: ignoring $f" + fi + ;; + esac + done + echo "$0: done running hooks in $1" +} + +run-hooks /usr/local/bin/start-notebook.d + +# Handle special flags if we're root +if [ $(id -u) == 0 ] ; then + + # Only attempt to change the jovyan username if it exists + if id jovyan &> /dev/null ; then + echo "Set username to: $NB_USER" + usermod -d /home/$NB_USER -l $NB_USER jovyan + fi + + # Handle case where provisioned storage does not have the correct permissions by default + # Ex: default NFS/EFS (no auto-uid/gid) + if [[ "$CHOWN_HOME" == "1" || "$CHOWN_HOME" == 'yes' ]]; then + echo "Changing ownership of /home/$NB_USER to $NB_UID:$NB_GID" + chown $CHOWN_HOME_OPTS $NB_UID:$NB_GID /home/$NB_USER + fi + if [ ! -z "$CHOWN_EXTRA" ]; then + for extra_dir in $(echo $CHOWN_EXTRA | tr ',' ' '); do + chown $CHOWN_EXTRA_OPTS $NB_UID:$NB_GID $extra_dir + done + fi + + # handle home and working directory if the username changed + if [[ "$NB_USER" != "jovyan" ]]; then + # changing username, make sure homedir exists + # (it could be mounted, and we shouldn't create it if it already exists) + if [[ ! -e "/home/$NB_USER" ]]; then + echo "Relocating home dir to /home/$NB_USER" + mv /home/jovyan "/home/$NB_USER" + fi + # if workdir is in /home/jovyan, cd to /home/$NB_USER + if [[ "$PWD/" == "/home/jovyan/"* ]]; then + newcwd="/home/$NB_USER/${PWD:13}" + echo "Setting CWD to $newcwd" + cd "$newcwd" + fi + fi + + # Change UID of NB_USER to NB_UID if it does not match + if [ "$NB_UID" != $(id -u $NB_USER) ] ; then + echo "Set $NB_USER UID to: $NB_UID" + usermod -u $NB_UID $NB_USER + fi + + # Set NB_USER primary gid to NB_GID (after making the group). Set + # supplementary gids to NB_GID and 100. + if [ "$NB_GID" != $(id -g $NB_USER) ] ; then + echo "Add $NB_USER to group: $NB_GID" + groupadd -g $NB_GID -o ${NB_GROUP:-${NB_USER}} + usermod -g $NB_GID -aG 100 $NB_USER + fi + + # Enable sudo if requested + if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == 'yes' ]]; then + echo "Granting $NB_USER sudo access" + echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook + fi + + # Exec the command as NB_USER with the PATH and the rest of + # the environment preserved + run-hooks /usr/local/bin/before-notebook.d + echo "Executing the command: ${cmd[@]}" + exec sudo -E -H -u $NB_USER PATH=$PATH XDG_CACHE_HOME=/home/$NB_USER/.cache PYTHONPATH=$PYTHONPATH "${cmd[@]}" else - exec jupyter notebook --ip=0.0.0.0 "${@}" + if [[ "$NB_UID" == "$(id -u jovyan)" && "$NB_GID" == "$(id -g jovyan)" ]]; then + # User is not attempting to override user/group via environment + # variables, but they could still have overridden the uid/gid that + # container runs as. Check that the user has an entry in the passwd + # file and if not add an entry. + STATUS=0 && whoami &> /dev/null || STATUS=$? && true + if [[ "$STATUS" != "0" ]]; then + if [[ -w /etc/passwd ]]; then + echo "Adding passwd file entry for $(id -u)" + cat /etc/passwd | sed -e "s/^jovyan:/nayvoj:/" > /tmp/passwd + echo "jovyan:x:$(id -u):$(id -g):,,,:/home/jovyan:/bin/bash" >> /tmp/passwd + cat /tmp/passwd > /etc/passwd + rm /tmp/passwd + else + echo 'Container must be run with group "root" to update passwd file' + fi + fi + + # Warn if the user isn't going to be able to write files to $HOME. + if [[ ! -w /home/jovyan ]]; then + echo 'Container must be run with group "users" to update files' + fi + else + # Warn if looks like user want to override uid/gid but hasn't + # run the container as root. + if [[ ! -z "$NB_UID" && "$NB_UID" != "$(id -u)" ]]; then + echo 'Container must be run as root to set $NB_UID' + fi + if [[ ! -z "$NB_GID" && "$NB_GID" != "$(id -g)" ]]; then + echo 'Container must be run as root to set $NB_GID' + fi + fi + + # Warn if looks like user want to run in sudo mode but hasn't run + # the container as root. + if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == 'yes' ]]; then + echo 'Container must be run as root to grant sudo permissions' + fi + + # Execute the command + run-hooks /usr/local/bin/before-notebook.d + echo "Executing the command: ${cmd[@]}" + exec "${cmd[@]}" fi |