Reputation: 2625
What is the best practice for handling uid/gid and permissions with jupyter notebooks in docker?
When one of the jupyter+python Dockerfiles in jupyter/docker-stack is run, a notebook gets saved with uid/gid 1000:100. This will fail if a mounted host folder is not writable by "other", which is an ugly approach.
The notebook image can be run specifying the NB_UID and NB_GID, like this:
docker run -p 8888:8888 -it --rm \
-e NB_UID=$(id -u) \
-e NB_GID=$(id -g) \
-e GRANT_SUDO=yes \
--user root \
--mount type=bind,source="$(pwd)",target=/home/jovyan/work \
myimage
In this case, the uid/gid of jovyan in the container match my uid/gid, so there is no permissions problem writing to a mounted folder. However, now jovyan (the container user) cannot access /opt/conda, which is owned by 1000:100 and is not readable by other. So all the add-on packages cannot be loaded!
We could also run docker build with --build-arg myuid=$(id -u) --build-arg mygid=$(id -g)
I believe this would result in both /home/jovyan and /opt/conda being owned by the same uid:gid as me, everything good. However, the resulting image can be used only by me. If I give it to my collaborators (who have a different UID), it will not work.
So it seems that every possibility is blocked or a poor choice. File permissions in docker are difficult.
Can anyone share the best approach for this problem?
Upvotes: 10
Views: 6816
Reputation: 1705
I encountered the same problem and found a good solution which is referred from here.
COPY --chown=1000:100 hostfolder/* /home/$NB_USER/work/
Note that environment or argument expansion in command options is not implemented yet, thus the following line would cause the build error: failed to build: unable to convert uid/gid chown string to host mapping: can't find uid for user $NB_UID: no such user: $NB_UID
# COPY --chown=$NB_USER:$NB_GID hostfolder/* /home/$NB_USER/work/
Therefore, you need to hard-code the user (jovyan) and group name (users) or ID (1000:100).
Upvotes: 1
Reputation: 2371
The best practice with Jupyter Notebook is to use your own user id and group id so the new files you create will have correct ownership. Then use --group-add users to add yourself to the users group to get access to the required folders (e.g. /opt/conda).
The full command would be:
docker run -it --rm --user $(id -u):$(id -g) --group-add users -v "$(pwd)":/home/jovyan -p 8888:8888 jupyter/scipy-notebook
Upvotes: 11
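Why the remapped user loses /opt/conda and why --group-add users restores it without root or sudo, as an added example that is not part of the original question or answers: a small shell model of the owner/group/other permission check. The host uid/gid 1001:1001 and the modes 755 and 770 are constructed assumptions; the page only states that /opt/conda is owned by 1000:100 and is not readable by other.

```shell
#!/bin/sh
# Added example: models the POSIX owner/group/other check for the page's scenarios.
#
# can_access UID "GIDS" OWNER_UID OWNER_GID MODE WANT
#   GIDS: space-separated primary and supplementary gids of the process
#   MODE: octal permission bits (e.g. 770); WANT: r, w or x
# Returns 0 if access is allowed, 1 if denied, 2 on a bad WANT.
can_access() {
    uid=$1 gids=$2 owner=$3 group=$4 mode=$5 want=$6
    case $want in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) return 2 ;;
    esac
    # Simplification: root (CAP_DAC_OVERRIDE) bypasses the mode bits.
    if [ "$uid" -eq 0 ]; then return 0; fi
    m=$((0$mode))
    # Exactly one class applies: owner, else group, else other (no fall-through).
    if [ "$uid" -eq "$owner" ]; then
        perms=$(( (m >> 6) & 7 ))
    else
        perms=$(( m & 7 ))
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then
                perms=$(( (m >> 3) & 7 ))
                break
            fi
        done
    fi
    [ $(( perms & bit )) -ne 0 ]
}

report() {  # report LABEL <can_access arguments>
    label=$1; shift
    if can_access "$@"; then echo "allow  $label"; else echo "deny   $label"; fi
}

# Constructed values: host user 1001:1001, host folder mode 755, /opt/conda mode 770.
report "image default 1000:100 writes host folder" 1000 "100" 1001 1001 755 w
report "NB_UID/NB_GID remap reads /opt/conda"      1001 "1001" 1000 100 770 r
report "--group-add users reads /opt/conda"        1001 "1001 100" 1000 100 770 r
report "--group-add users writes host folder"      1001 "1001 100" 1001 1001 755 w
```

To compare against a real container, `id` inside the container and `stat -c '%u:%g %a' /opt/conda` give the actual inputs for `can_access`.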