diff --git a/generate_Dockerfile.sh b/generate_Dockerfile.sh index 90051ba..1d701b1 100644 --- a/generate_Dockerfile.sh +++ b/generate_Dockerfile.sh @@ -15,7 +15,7 @@ cd $STACKS_DIR && git pull && cd - # Write the contents into the DOCKERFILE and start with the header cat src/Dockerfile.header > $DOCKERFILE cp src/jupyter_notebook_config.json .build/ -ln -sf .build/jupyter_notebook_config.json jupyter_notebook_config.json +cp src/jupyter_notebook_config.json . echo " ############################################################################ @@ -24,19 +24,18 @@ echo " " >> $DOCKERFILE cat $STACKS_DIR/base-notebook/Dockerfile | grep -v BASE_CONTAINER >> $DOCKERFILE -# copy files that are used during the build +# copy files that are used during the build in two directories: cp $STACKS_DIR/base-notebook/jupyter_notebook_config.py .build/ cp $STACKS_DIR/base-notebook/fix-permissions .build/ cp $STACKS_DIR/base-notebook/start.sh .build/ cp $STACKS_DIR/base-notebook/start-notebook.sh .build/ cp $STACKS_DIR/base-notebook/start-singleuser.sh .build/ -# create softlinks for files used during the build -ln -sf .build/jupyter_notebook_config.py jupyter_notebook_config.py -ln -sf .build/fix-permissions fix-permissions -ln -sf .build/start.sh start.sh -ln -sf .build/start-notebook.sh start-notebook.sh -ln -sf .build/start-singleuser.sh start-singleuser.sh +cp $STACKS_DIR/base-notebook/jupyter_notebook_config.py . +cp $STACKS_DIR/base-notebook/fix-permissions . +cp $STACKS_DIR/base-notebook/start.sh . +cp $STACKS_DIR/base-notebook/start-notebook.sh . +cp $STACKS_DIR/base-notebook/start-singleuser.sh . echo " ############################################################################ diff --git a/jupyter_notebook_config.json b/jupyter_notebook_config.json deleted file mode 120000 index 2a66308..0000000 --- a/jupyter_notebook_config.json +++ /dev/null @@ -1 +0,0 @@ -.build/jupyter_notebook_config.json \ No newline at end of file diff --git a/jupyter_notebook_config.json b/jupyter_notebook_config.json new file mode 100644 index 0000000..d7d0959 --- /dev/null +++ b/jupyter_notebook_config.json @@ -0,0 +1,6 @@ + +{ + "NotebookApp": { + "password": "sha1:e49e73b0eb0e:32edae7a5fd119045e699a0bd04f90819ca90cd6" + } +} diff --git a/jupyter_notebook_config.py b/jupyter_notebook_config.py deleted file mode 120000 index 1d675c0..0000000 --- a/jupyter_notebook_config.py +++ /dev/null @@ -1 +0,0 @@ -.build/jupyter_notebook_config.py \ No newline at end of file diff --git a/jupyter_notebook_config.py b/jupyter_notebook_config.py new file mode 100644 index 0000000..15ac96a --- /dev/null +++ b/jupyter_notebook_config.py @@ -0,0 +1,55 @@ +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +from jupyter_core.paths import jupyter_data_dir +import subprocess +import os +import errno +import stat + +c = get_config() +c.NotebookApp.ip = '0.0.0.0' +c.NotebookApp.port = 8888 +c.NotebookApp.open_browser = False + +# https://github.com/jupyter/notebook/issues/3130 +c.FileContentsManager.delete_to_trash = False + +# Generate a self-signed certificate +if 'GEN_CERT' in os.environ: + dir_name = jupyter_data_dir() + pem_file = os.path.join(dir_name, 'notebook.pem') + try: + os.makedirs(dir_name) + except OSError as exc: # Python >2.5 + if exc.errno == errno.EEXIST and os.path.isdir(dir_name): + pass + else: + raise + + # Generate an openssl.cnf file to set the distinguished name + cnf_file = os.path.join(os.getenv('CONDA_DIR', '/usr/lib'), 'ssl', 'openssl.cnf') + if not os.path.isfile(cnf_file): + with open(cnf_file, 'w') as fh: + fh.write('''\ +[req] +distinguished_name = req_distinguished_name +[req_distinguished_name] +''') + + # Generate a certificate if one doesn't exist on disk + subprocess.check_call(['openssl', 'req', '-new', + '-newkey', 'rsa:2048', + '-days', '365', + '-nodes', '-x509', + '-subj', '/C=XX/ST=XX/L=XX/O=generated/CN=generated', + '-keyout', pem_file, + '-out', pem_file]) + # Restrict access to the file + os.chmod(pem_file, stat.S_IRUSR | stat.S_IWUSR) + c.NotebookApp.certfile = pem_file + +# Change default umask for all subprocesses of the notebook server if set in +# the environment +if 'NB_UMASK' in os.environ: + os.umask(int(os.environ['NB_UMASK'], 8)) \ No newline at end of file diff --git a/start-notebook.sh b/start-notebook.sh deleted file mode 120000 index 564e807..0000000 --- a/start-notebook.sh +++ /dev/null @@ -1 +0,0 @@ -.build/start-notebook.sh \ No newline at end of file diff --git a/start-notebook.sh b/start-notebook.sh new file mode 100644 index 0000000..ed6d066 --- /dev/null +++ b/start-notebook.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +set -e + +wrapper="" +if [[ "${RESTARTABLE}" == "yes" ]]; then + wrapper="run-one-constantly" +fi + +if [[ ! -z "${JUPYTERHUB_API_TOKEN}" ]]; then + # launched by JupyterHub, use single-user entrypoint + exec /usr/local/bin/start-singleuser.sh "$@" +elif [[ ! -z "${JUPYTER_ENABLE_LAB}" ]]; then + . /usr/local/bin/start.sh $wrapper jupyter lab "$@" +else + . /usr/local/bin/start.sh $wrapper jupyter notebook "$@" +fi diff --git a/start-singleuser.sh b/start-singleuser.sh deleted file mode 120000 index dd0ac20..0000000 --- a/start-singleuser.sh +++ /dev/null @@ -1 +0,0 @@ -.build/start-singleuser.sh \ No newline at end of file diff --git a/start-singleuser.sh b/start-singleuser.sh new file mode 100644 index 0000000..8cb8cae --- /dev/null +++ b/start-singleuser.sh @@ -0,0 +1,43 @@ +#!/bin/bash +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +set -e + +# set default ip to 0.0.0.0 +if [[ "$NOTEBOOK_ARGS $@" != *"--ip="* ]]; then + NOTEBOOK_ARGS="--ip=0.0.0.0 $NOTEBOOK_ARGS" +fi + +# handle some deprecated environment variables +# from DockerSpawner < 0.8. +# These won't be passed from DockerSpawner 0.9, +# so avoid specifying --arg=empty-string +if [ ! -z "$NOTEBOOK_DIR" ]; then + NOTEBOOK_ARGS="--notebook-dir='$NOTEBOOK_DIR' $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_PORT" ]; then + NOTEBOOK_ARGS="--port=$JPY_PORT $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_USER" ]; then + NOTEBOOK_ARGS="--user=$JPY_USER $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_COOKIE_NAME" ]; then + NOTEBOOK_ARGS="--cookie-name=$JPY_COOKIE_NAME $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_BASE_URL" ]; then + NOTEBOOK_ARGS="--base-url=$JPY_BASE_URL $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_HUB_PREFIX" ]; then + NOTEBOOK_ARGS="--hub-prefix=$JPY_HUB_PREFIX $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_HUB_API_URL" ]; then + NOTEBOOK_ARGS="--hub-api-url=$JPY_HUB_API_URL $NOTEBOOK_ARGS" +fi +if [ ! -z "$JUPYTER_ENABLE_LAB" ]; then + NOTEBOOK_BIN="jupyter labhub" +else + NOTEBOOK_BIN="jupyterhub-singleuser" +fi + +. /usr/local/bin/start.sh $NOTEBOOK_BIN $NOTEBOOK_ARGS "$@" diff --git a/start.sh b/start.sh deleted file mode 120000 index acdbb50..0000000 --- a/start.sh +++ /dev/null @@ -1 +0,0 @@ -.build/start.sh \ No newline at end of file diff --git a/start.sh b/start.sh new file mode 100644 index 0000000..da6905b --- /dev/null +++ b/start.sh @@ -0,0 +1,147 @@ +#!/bin/bash +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +set -e + +# Exec the specified command or fall back on bash +if [ $# -eq 0 ]; then + cmd=( "bash" ) +else + cmd=( "$@" ) +fi + +run-hooks () { + # Source scripts or run executable files in a directory + if [[ ! -d "$1" ]] ; then + return + fi + echo "$0: running hooks in $1" + for f in "$1/"*; do + case "$f" in + *.sh) + echo "$0: running $f" + source "$f" + ;; + *) + if [[ -x "$f" ]] ; then + echo "$0: running $f" + "$f" + else + echo "$0: ignoring $f" + fi + ;; + esac + done + echo "$0: done running hooks in $1" +} + +run-hooks /usr/local/bin/start-notebook.d + +# Handle special flags if we're root +if [ $(id -u) == 0 ] ; then + + # Only attempt to change the jovyan username if it exists + if id jovyan &> /dev/null ; then + echo "Set username to: $NB_USER" + usermod -d /home/$NB_USER -l $NB_USER jovyan + fi + + # Handle case where provisioned storage does not have the correct permissions by default + # Ex: default NFS/EFS (no auto-uid/gid) + if [[ "$CHOWN_HOME" == "1" || "$CHOWN_HOME" == 'yes' ]]; then + echo "Changing ownership of /home/$NB_USER to $NB_UID:$NB_GID with options '${CHOWN_HOME_OPTS}'" + chown $CHOWN_HOME_OPTS $NB_UID:$NB_GID /home/$NB_USER + fi + if [ ! -z "$CHOWN_EXTRA" ]; then + for extra_dir in $(echo $CHOWN_EXTRA | tr ',' ' '); do + echo "Changing ownership of ${extra_dir} to $NB_UID:$NB_GID with options '${CHOWN_EXTRA_OPTS}'" + chown $CHOWN_EXTRA_OPTS $NB_UID:$NB_GID $extra_dir + done + fi + + # handle home and working directory if the username changed + if [[ "$NB_USER" != "jovyan" ]]; then + # changing username, make sure homedir exists + # (it could be mounted, and we shouldn't create it if it already exists) + if [[ ! -e "/home/$NB_USER" ]]; then + echo "Relocating home dir to /home/$NB_USER" + mv /home/jovyan "/home/$NB_USER" || ln -s /home/jovyan "/home/$NB_USER" + fi + # if workdir is in /home/jovyan, cd to /home/$NB_USER + if [[ "$PWD/" == "/home/jovyan/"* ]]; then + newcwd="/home/$NB_USER/${PWD:13}" + echo "Setting CWD to $newcwd" + cd "$newcwd" + fi + fi + + # Change UID:GID of NB_USER to NB_UID:NB_GID if it does not match + if [ "$NB_UID" != $(id -u $NB_USER) ] || [ "$NB_GID" != $(id -g $NB_USER) ]; then + echo "Set user $NB_USER UID:GID to: $NB_UID:$NB_GID" + if [ "$NB_GID" != $(id -g $NB_USER) ]; then + groupadd -g $NB_GID -o ${NB_GROUP:-${NB_USER}} + fi + userdel $NB_USER + useradd --home /home/$NB_USER -u $NB_UID -g $NB_GID -G 100 -l $NB_USER + fi + + # Enable sudo if requested + if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == 'yes' ]]; then + echo "Granting $NB_USER sudo access and appending $CONDA_DIR/bin to sudo PATH" + echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook + fi + + # Add $CONDA_DIR/bin to sudo secure_path + sed -r "s#Defaults\s+secure_path=\"([^\"]+)\"#Defaults secure_path=\"\1:$CONDA_DIR/bin\"#" /etc/sudoers | grep secure_path > /etc/sudoers.d/path + + # Exec the command as NB_USER with the PATH and the rest of + # the environment preserved + run-hooks /usr/local/bin/before-notebook.d + echo "Executing the command: ${cmd[@]}" + exec sudo -E -H -u $NB_USER PATH=$PATH XDG_CACHE_HOME=/home/$NB_USER/.cache PYTHONPATH=${PYTHONPATH:-} "${cmd[@]}" +else + if [[ "$NB_UID" == "$(id -u jovyan)" && "$NB_GID" == "$(id -g jovyan)" ]]; then + # User is not attempting to override user/group via environment + # variables, but they could still have overridden the uid/gid that + # container runs as. Check that the user has an entry in the passwd + # file and if not add an entry. + STATUS=0 && whoami &> /dev/null || STATUS=$? && true + if [[ "$STATUS" != "0" ]]; then + if [[ -w /etc/passwd ]]; then + echo "Adding passwd file entry for $(id -u)" + cat /etc/passwd | sed -e "s/^jovyan:/nayvoj:/" > /tmp/passwd + echo "jovyan:x:$(id -u):$(id -g):,,,:/home/jovyan:/bin/bash" >> /tmp/passwd + cat /tmp/passwd > /etc/passwd + rm /tmp/passwd + else + echo 'Container must be run with group "root" to update passwd file' + fi + fi + + # Warn if the user isn't going to be able to write files to $HOME. + if [[ ! -w /home/jovyan ]]; then + echo 'Container must be run with group "users" to update files' + fi + else + # Warn if looks like user want to override uid/gid but hasn't + # run the container as root. + if [[ ! -z "$NB_UID" && "$NB_UID" != "$(id -u)" ]]; then + echo 'Container must be run as root to set $NB_UID' + fi + if [[ ! -z "$NB_GID" && "$NB_GID" != "$(id -g)" ]]; then + echo 'Container must be run as root to set $NB_GID' + fi + fi + + # Warn if looks like user want to run in sudo mode but hasn't run + # the container as root. + if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == 'yes' ]]; then + echo 'Container must be run as root to grant sudo permissions' + fi + + # Execute the command + run-hooks /usr/local/bin/before-notebook.d + echo "Executing the command: ${cmd[@]}" + exec "${cmd[@]}" +fi