More of a question than an upgrade request.
We're running a Kubernetes-based infra and I'd like to be able to provide quick and simple pyspark-style notebooks for my users.
I whipped this up:
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: test-pod-jupyter
spec:
  replicas: 1
  template:
    metadata:
      labels:
        role: jupyter-test
    spec:
      containers:
      - name: test-container-jup
        image: jupyter/all-spark-notebook
        resources:
          requests:
            cpu: 8
            memory: 30G
          limits:
            cpu: 8
            memory: 30G
        env:
        - name: GRANT_SUDO
          value: "yes"
```
And it worked, until I needed root to modify the image in place (a pre-requisite... I generally make modifications, test them and then codify the changes).
I see the instructions in the notebooks state:
-e GRANT_SUDO=yes - Gives the jovyan user passwordless sudo capability. Useful for installing OS packages. For this option to take effect, you must run the container with --user root. (The start-notebook.sh script will su jovyan after adding jovyan to sudoers.) You should only enable sudo if you trust the user or if the container is running on an isolated host.
I don't think there's a way to suit that requirement in Kubernetes (at least not to my knowledge). If there is, great; if not, has anyone else run into this?
If not, is there interest in making this feature (root user) available via an environment variable or some other mechanism? I.e. a command arg in Kubernetes.
I've done a bit of digging into the various start scripts, presumably there's a mechanism to call them with the correct setup, but it doesn't seem overly documented or intended.
Sorry, I'm not too familiar with Kubernetes. Are you saying sudo for the jovyan user wasn't good enough and you need to be the root user in the container, or that granting sudo didn't work in your setup?
@yuvipanda @choldgraf @willingc have great k8s experience and might understand what you're after far better than I.
I was unable to get sudo to work for the jovyan user. It looked like you needed to run the container with -e GRANT_SUDO=yes as well as execute it with the docker --user root argument. It looks like there's no obvious way to issue the --user root argument in kubernetes.
My workaround was to use the jupyter all-spark image as base and extend:
```dockerfile
FROM jupyter/all-spark-notebook
USER root
RUN \
    wget "http://central.maven.org/maven2/org/apache/hadoop/hadoop-aws/2.7.3/hadoop-aws-2.7.3.jar"; \
    wget "http://central.maven.org/maven2/com/amazonaws/aws-java-sdk/1.7.4/aws-java-sdk-1.7.4.jar"; \
    wget "http://central.maven.org/maven2/joda-time/joda-time/2.9.3/joda-time-2.9.3.jar"; \
    wget "http://central.maven.org/maven2/mysql/mysql-connector-java/5.1.35/mysql-connector-java-5.1.35.jar"; \
    mkdir /opt/extra-jars; \
    mv *.jar /opt/extra-jars;
COPY ./spark-defaults.conf /usr/local/spark/conf/spark-defaults.conf
```
By adding USER root I was able to get this functional.
Thanks for the tag, @parente!
By default Kubernetes just runs the container with the user that's specified as USER in the Dockerfile. However, you can override it by specifying a securityContext.runAsUser explicitly (https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more info).
So you probably want securityContext.runAsUser: 0 in your container config.
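The override suggested in the comment above, combined with the GRANT_SUDO setting from the original post, written out as a manifest. This is an added example, not part of the thread or of the docker-stacks project; it reuses the names and resource values from the original Deployment and assumes a cluster that serves `apps/v1`.

```yaml
# Added example. apps/v1 is used here because extensions/v1beta1 Deployments
# were removed in Kubernetes 1.16; apps/v1 requires an explicit selector.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-pod-jupyter
spec:
  replicas: 1
  selector:
    matchLabels:
      role: jupyter-test
  template:
    metadata:
      labels:
        role: jupyter-test
    spec:
      containers:
        - name: test-container-jup
          image: jupyter/all-spark-notebook
          securityContext:
            # Kubernetes counterpart of `docker run --user root`: the start
            # script begins as UID 0, adds jovyan to sudoers, then switches
            # to jovyan before launching the notebook server.
            runAsUser: 0
            # sudo is a setuid binary and stops working if this is false.
            allowPrivilegeEscalation: true
          env:
            - name: GRANT_SUDO
              # Only takes effect when the container starts as root.
              value: "yes"
          resources:
            requests:
              cpu: 8
              memory: 30G
            limits:
              cpu: 8
              memory: 30G
```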
@luck02 I think @yuvipanda answered your question and that you found an alternative solution. I'm going to close out this issue. Cheers!
Sorry, I should have closed earlier :( I got the email but then got busy and forgot to check back. Thanks @yuvipanda !