Granting users admin permissions on their container

[kjschiroo]

How do you give users permission to install packages on their server?

Specifically I am trying to connect to mssql, as part of this I need to install freetds

Here are the two paths I go down:

$ apt-get install freetds
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

So I try it with sudo

$ sudo apt-get install freetds

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jovyan:

and I don't know the password for jovyan.

[yuanzhou]

I have the same issue here. I tried to find the start-singleuser.sh but can't find it.

[minrk]

If you are using docker-stacks and set the environment GRANT_SUDO=1, you should be able to allow this:

c.DockerSpawner.environment = {
    'GRANT_SUDO': '1',
}

@yuanzhou that's unlikely to be related. start-singleuser.sh is in /usr/local/bin/ in the existing docker-stacks

[tovmeod]

I'm using docker-stacks as base image, but GRANT_SUDO doesn't seems to work:

c.DockerSpawner.container_image = 'jupyter/datascience-notebook'
c.DockerSpawner.environment = {
'GRANT_SUDO': '1',
}

but it still asks for a password when running !sudo ls

Running !ls /etc/sudoers.d just returns README, no /etc/sudoers.d/notebook

[minrk]

@parente I think you know the sudo stuff on docker-stacks better than I do.

[minrk]

@tovmeod I was just looking into this, and I think there's more work needed to get the root-level permissions using docker-stacks, which are required to grant sudo permissions. Try this:

c.DockerSpawner.container_image = 'jupyter/datascience-notebook'
# must start container as root in order to grant sudo permissions
c.DockerSpawner.extra_create_kwargs = {'user': 'root'}
c.DockerSpawner.environment = {
  'GRANT_SUDO': '1',
  'UID': '0', # workaround https://github.com/jupyter/docker-stacks/pull/420
}

[kjschiroo]

The way that I got around this was creating a new container image with a docker file like this:

FROM jupyter/datascience-notebook
USER root

Then I would set c.DockerSpawner.container_image to the name of the new container.

I think this introduces security concerns in some situations. In my case I was using it with only trusted users and within a private networks so the risks were acceptable.

[nazeels]

On Mac, i was trying to run datascience notebook, using following command
docker run -ti --rm -p 8888:8888 -e GRANT_SUDO=yes jupyter/datascience-notebook:2c80cf3537ca start-notebook.sh

I need sudo permissions on docker image.

I get following response,

Note: See the first line from the command response, saying "Container must be run as root to grant sudo permissions"

Is there anything to be corrected in my above command?

Container must be run as root to grant sudo permissions
Executing the command: jupyter notebook
[I 04:25:42.217 NotebookApp] Writing notebook server cookie secret to /home/jovyan/.local/share/jupyter/runtime/notebook_cookie_secret
[W 04:25:42.647 NotebookApp] WARNING: The notebook server is listening on all IP addresses and not using encryption. This is not recommended.
[I 04:25:42.695 NotebookApp] JupyterLab alpha preview extension loaded from /opt/conda/lib/python3.6/site-packages/jupyterlab
[I 04:25:42.695 NotebookApp] JupyterLab application directory is /opt/conda/share/jupyter/lab
[I 04:25:42.714 NotebookApp] Serving notebooks from local directory: /home/jovyan
[I 04:25:42.716 NotebookApp] 0 active kernels
[I 04:25:42.717 NotebookApp] The Jupyter Notebook is running at:
[I 04:25:42.717 NotebookApp] http://[all ip addresses on your system]:8888/?token=6c9d78ac9ae7a269edbf25ca54b281e7aea5d51bcab0bd4a
[I 04:25:42.717 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 04:25:42.718 NotebookApp] 
    
    Copy/paste this URL into your browser when you connect for the first time,
    to login with a token:
        http://localhost:8888/?token=6c9d78ac9ae7a269edbf25ca54b281e7aea5d51bcab0bd4a
  

[parente]

At the CLI, you need to add --user root. For example, @nazeels command would become:

For example, @nazeels docker run -ti --rm --user root -p 8888:8888 -e GRANT_SUDO=yes jupyter/datascience-notebook:2c80cf3537ca start-notebook.sh

The container needs to start as root in order to add the otherwise unprivileged jovyan user the sudoers file. Once it does that, it the startup script becomes the jovyan user before launching the notebook server. (https://github.com/jupyter/docker-stacks/tree/master/datascience-notebook#docker-options in the -e GRANT_SUDO=yes bullet)

@minrk I'm not sure how to tell JupyterHub to launch the image as the root user to start (or if that's even possible via config) other than to do what @kjschiroo suggested and build a custom image that always defaults to running as root.

[parente]

Actually, adding a user trailet in dockerspawner.py would probably do the trick. The Python docker API supports passing the initial user when creating or running a container. (We're using it in the docker-stacks test suite: https://github.com/jupyter/docker-stacks/blob/master/base-notebook/test/test_container_options.py#L66)

[nazeels]

Thank you @parente it helped me to run the container.

[minrk]

Hi! I’m going through and cleaning up old/stale issues on this repo.

It looks like this issue is resolved. Feel free to open a new Issue if you are still having this trouble.