Inconsistent trust status of Jupyter-Notbooks in Docker

Question

I have a docker image containing two .ipynb notebooks to run when starting a container from this image.

Here are the steps from within the DockerFile to copy and trust the notebooks:

USER root
RUN mkdir -p $NOTEBOOK_DIR
COPY /PATH/TO/NOTEBOOK/NB1.ipynb $NOTEBOOK_DIR
COPY /PATH/TO/NOTEBOOK/NB2.ipynb $NOTEBOOK_DIR
RUN chown -R $NB_USER:$NB_GID $NOTEBOOK_DIR

USER $NB_UID
WORKDIR $HOME
RUN jupyter trust $NOTEBOOK_DIR/NB1.ipynb
RUN jupyter trust $NOTEBOOK_DIR/NB2.ipynb

The ENTRYPOINT ["start-notebooks.sh"] runs the following script:

#!/bin/bash
set -e
NB_PASS=$(echo ${SOME_ID} | python3.8 -c 'from notebook.auth import passwd;print(passwd(input()))')

# Run notebooks
jupyter trust $NOTEBOOK_DIR/NB1.ipynb
jupyter trust $NOTEBOOK_DIR/NB2.ipynb

jupyter-notebook --no-browser --ip 0.0.0.0 --port 8888 --NotebookApp.allow_origin='*' \
--NotebookApp.allow_remote_access=True --NotebookApp.quit_button=False --NotebookApp.terminals_enabled=False \
--NotebookApp.trust_xheaders=True --NotebookApp.open_browser=False --NotebookApp.notebook_dir=$NOTEBOOK_DIR \
--NotebookApp.password=${NB_PASS}

When I run and start the container I get the following output:

my_user@my_host:~$ docker run -it --rm -p 8888:8888 --expose 8888 -v /efs/PATH/TO/NOTEBOOK_FILES:/efs/PATH/TO/NOTEBOOK_FILES -e BASE_PATH=/efs/PATH/TO/BASE_PATH -e SOME_ID=fd283b38-3e4a-11eb-a205-7085c2c5e519 notebooks-image:latest

**Notebook already signed: /home/nb_user/notebooks/NB1.ipynb**
/home/nb_user/.local/lib/python3.8/site-packages/nbformat/__init__.py:92: MissingIDFieldWarning: Code cell is missing an id field, this will become a hard error in future nbformat versions. You may want to use `normalize()` on your notebooks before validations (available since nbformat 5.1.4). Previous versions of nbformat are fixing this issue transparently, and will stop doing so in the future.
  validate(nb)
**Signing notebook: /home/nb_user/notebooks/NB2.ipynb**
[I 11:40:10.051 NotebookApp] Writing notebook server cookie secret to /home/nb_user/.local/share/jupyter/runtime/notebook_cookie_secret
[I 11:40:10.303 NotebookApp] [jupyter_nbextensions_configurator] enabled 0.6.1
[I 2022-12-11 11:40:10.507 LabApp] JupyterLab extension loaded from /home/nb_user/.local/lib/python3.8/site-packages/jupyterlab
[I 2022-12-11 11:40:10.507 LabApp] JupyterLab application directory is /home/nb_user/.local/share/jupyter/lab
[I 11:40:10.513 NotebookApp] Serving notebooks from local directory: /home/nb_user/notebooks
[I 11:40:10.513 NotebookApp] Jupyter Notebook 6.5.2 is running at:
[I 11:40:10.513 NotebookApp] http://my_host:8888/
[I 11:40:10.513 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[I 11:59:33.290 NotebookApp] 302 GET / (192.168.x.x) 1.300000ms
[W 11:59:33.303 NotebookApp] Clearing invalid/expired login cookie username-my_host-8888
[I 11:59:33.304 NotebookApp] 302 GET /tree? (192.168.x.x) 2.570000ms
[W 11:59:43.120 NotebookApp] Not allowing login redirect to '/tree?'
[I 11:59:43.120 NotebookApp] 302 POST /login?next=%2Ftree%3F (192.168.x.x) 63.300000ms
[I 11:59:43.191 NotebookApp] 302 GET / (192.168.x.x) 1.130000ms
/home/nb_user/.local/lib/python3.8/site-packages/nbformat/__init__.py:92: MissingIDFieldWarning: Code cell is missing an id field, this will become a hard error in future nbformat versions. You may want to use `normalize()` on your notebooks before validations (available since nbformat 5.1.4). Previous versions of nbformat are fixing this issue transparently, and will stop doing so in the future.
  validate(nb)
[W 11:59:47.222 NotebookApp] **Notebook NB2.ipynb is not trusted**

When I open NB1 in Jupyter Notebook GUI it is already trusted and I can start working immediately. But when I open NB2 within the Jupyter Notebook GUI, it automatically pops up:

I'm aware of this answer for the question Jupyter notebook not trusted. It states:

This can also happen when you create a notebook in a docker container with mounted volume (the file is owned by the root user) and then open in in jupyter running on the host machine. Changing file owner to the host user helps.

My Questions are:

1. Assuming NB1.ipynb and NB2.ipynb both have the same ownership and permissions, are the rest of my steps OK?
2. If so, why is NB1 trusted and NB2 is not?

Answer 1

I was able to fix this issue after investigating this error from my contianer output above:

MissingIDFieldWarning: Code cell is missing an id field

I found this question, which is the opposite of my error message above. I compared the nbformat_minor value in both NB1 and NB2 notebook metadata.

In NB1 is was "nbformat_minor": 4 whereas in NB2 it was "nbformat_minor": 5.

as suggested in the answer, I changed within my notebook the nbformat_minor from 5 to 4. In short I opened my notebook in a text editor and changed in the end of the notebook to:

{
    "nbformat": 4,
    "nbformat_minor": 4
}

This fixed my issue with both notebooks trusted when running the container.