Reputation: 31
Docker Entrypoint not running as root on jupyterhub
We are trying to run a docker entrypoint as root in a docker image used by our jupyterhub for the single user servers. We need root to add a host to access an internal git registry from within a single user jupyter notebook server on a jupyterhub running on K8S by it's domain.
We already tried adding the domain to the /etc/hosts file in the docker image which is loaded for the single user servers by our jupyterhub in a docker-entrypoint script (code can be seen at the bottom).
However we get a permission denied when trying to add the host. The printouts also show why:
Locally, the first whoami shows root , as we expected.
On the jupyter notebook started in a pod by our jupyterhub (running on K8s) however, the first printout already shows jovyan.
The same effect can be seen when directly printing out whoami in the entrypoint in the Dockerfile like this:
ENTRYPOINT ["sh", "-c", "echo $(whoami)"]
Meaning that it is the whole entrypoint, that does not get executed as root but the user is somehow switched beforehand.
Can we prevent this behaviour or is there a good workaround?
Any help appreciated, thank you in advance!
PS:
Additionally, when we try to run exec su - "jovyan" in the entrypoint-script on the jupyterhub, we are getting the error, that the su command has to be run from a terminal. Locally it works without problems.
Code of docker-entrypoint script (just for reference):
Dockerfile:
FROM jupyter/datascience-notebook:1145fb1198b2
WORKDIR /usr/src/app
USER root
...
COPY aai-entrypoint.sh /usr/src/app/aai-entrypoint.sh
RUN chmod +x /usr/src/app/aai-entrypoint.sh
ENTRYPOINT ["sh", "/usr/src/app/my-entrypoint.sh"]
CMD ""
We added the empty CMD to overwrite the CMD of the jupyter base-notebook
my-entrypoint.sh:
#!/bin/bash
echo $(whoami)
echo "xx.xxx.xxx our.domain.com" >> /etc/hosts
echo "test"
exec su - "jovyan"
echo $(whoami)
# to not overwrite the entrypoint of the jupyter/base-notebook
# see https://github.com/jupyter/docker-stacks/blob/master/base-notebook/Dockerfile
exec tini -g -- "start-notebook.sh"
Upvotes: 1
Views: 2284
Answers (1)
Reputation: 31
Cleaner Solution:
Thanks to a gitHub user who provided me with a cleaner solution: You can use kube-dns to add the hosts to the known hosts of Kubernetes, making them available for the deployments on there.
Link: https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#kube-dns
Alternative:
As we planned on granting the users sudo access no matter what (no big risk as containers are only there temporarily), the GRANT_SUDO configuration already resolves that problem. If granting sudo, the entrypoint will also be run as root. Changing to jovyan in the script might still be a good idea.
You can set the GRANT_SUDO setting for jupyterhub by:
- adding it as an environment variable the jupyterhub_config.py
- in the config.yaml used by your helm chart
If you don't want to grant the user sudo access, this still could be a working solution for you, as you might remove the sudo rights for jovyan in the script again. I have not tried that out though, as it is not wanted in our scenario.
Hope this helps someone.
Upvotes: 2
Related Questions
- error starting jupyter inside docker container
- Can't access jupyter notebook from docker
- Can't access jupyter notebook in docker
- Jupyter notebook on Docker - permission denied
- Jupyterhub/singleuser shared volume
- How can I run ENTRYPOINT as root user?
- Can't run jupyterhub in docker container
- Cannot start a Jupyter notebook from inside this docker container
- Setting up jupyterhub docker using one of the jupyter stacks
- Creating non-root user in jupyter dockerfile