# Copyright (c) Jupyter Development Team. | |
# Distributed under the terms of the Modified BSD License. | |
from jupyter_core.paths import jupyter_data_dir | |
import subprocess | |
import os | |
import errno | |
import stat | |
c = get_config()  # noqa: F821

# Network exposure: the server listens on every interface on port 8888, so
# it is reachable from any network the container is attached to. Access
# control therefore rests on the notebook server's own authentication and on
# how the port is published by whoever runs the container.
c.NotebookApp.port = 8888
c.NotebookApp.ip = '0.0.0.0'
# No browser is launched from inside the container.
c.NotebookApp.open_browser = False

# Delete files outright instead of moving them to a trash directory.
# https://github.com/jupyter/notebook/issues/3130
c.FileContentsManager.delete_to_trash = False
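# Generate a self-signed certificate when GEN_CERT is present in the
# environment (its value is not inspected, only its presence).
#
# The certificate is self-signed with a fixed placeholder subject, so clients
# cannot validate it against a trusted CA: it encrypts the connection but does
# not authenticate the server. Supply a real certificate where that matters.
if 'GEN_CERT' in os.environ:
    dir_name = jupyter_data_dir()
    pem_file = os.path.join(dir_name, 'notebook.pem')
    try:
        os.makedirs(dir_name)
    except OSError as exc:  # Python >2.5
        # An already-existing directory is fine; anything else is an error.
        if exc.errno == errno.EEXIST and os.path.isdir(dir_name):
            pass
        else:
            raise

    # Generate an openssl.cnf file to set the distinguished name
    cnf_file = os.path.join(os.getenv('CONDA_DIR', '/usr/lib'), 'ssl', 'openssl.cnf')
    if not os.path.isfile(cnf_file):
        with open(cnf_file, 'w') as fh:
            fh.write('''\
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
''')

    # Generate a fresh key and certificate. This runs on every start with
    # GEN_CERT set and overwrites any existing notebook.pem.
    #
    # '-nodes' writes the private key unencrypted, and key and certificate
    # share one file, so file permissions are the only protection for the key.
    # Tighten the umask while openssl runs so a newly created file is never
    # readable by group/other, instead of relying only on the chmod afterwards.
    previous_umask = os.umask(stat.S_IRWXG | stat.S_IRWXO)
    try:
        subprocess.check_call(['openssl', 'req', '-new',
                               '-newkey', 'rsa:2048',
                               '-days', '365',
                               '-nodes', '-x509',
                               '-subj', '/C=XX/ST=XX/L=XX/O=generated/CN=generated',
                               '-keyout', pem_file,
                               '-out', pem_file])
    finally:
        # Restore the caller's umask even if openssl fails.
        os.umask(previous_umask)

    # Restrict access to the file (also covers a pre-existing file whose mode
    # was wider than owner read/write).
    os.chmod(pem_file, stat.S_IRUSR | stat.S_IWUSR)
    c.NotebookApp.certfile = pem_file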
# Apply NB_UMASK, when present in the environment, as the process umask so
# that every subprocess of the notebook server inherits it. The value is
# parsed as octal; a value that is not valid octal raises ValueError and
# aborts loading of this config file. A permissive value widens the default
# mode of every file the server and its kernels create.
try:
    os.umask(int(os.environ['NB_UMASK'], 8))
except KeyError:
    # NB_UMASK not set: keep the inherited umask.
    pass
#!/bin/bash | |
# Copyright (c) Jupyter Development Team. | |
# Distributed under the terms of the Modified BSD License. | |
set -e

# Default the listen address to 0.0.0.0 (all interfaces) unless an address
# was already given as --ip=... in NOTEBOOK_ARGS or on the command line.
# Only the "--ip=" spelling is recognised by this check. Listening on all
# interfaces makes the server reachable from every network the container is
# attached to, so exposure is decided by how the port is published.
case "$NOTEBOOK_ARGS $*" in
    *"--ip="*)
        # Caller chose an address; leave NOTEBOOK_ARGS untouched.
        ;;
    *)
        NOTEBOOK_ARGS="--ip=0.0.0.0 $NOTEBOOK_ARGS"
        ;;
esac
# Handle some deprecated environment variables from DockerSpawner < 0.8.
# DockerSpawner 0.9 no longer passes them, so a flag is added only when its
# variable is non-empty (this avoids specifying --arg=empty-string).
#
# Each flag is prepended to NOTEBOOK_ARGS, which is later expanded unquoted
# when the start script is invoked. The values are therefore subject to word
# splitting and globbing: they must come from a trusted spawner, and a value
# containing whitespace will be split into several arguments.
if [ -n "$NOTEBOOK_DIR" ]; then
    # The single quotes are literal characters inside the argument.
    NOTEBOOK_ARGS="--notebook-dir='$NOTEBOOK_DIR' $NOTEBOOK_ARGS"
fi

# Remaining variables map one-to-one onto a flag: ENV_NAME:flag-name.
for _spec in \
    JPY_PORT:port \
    JPY_USER:user \
    JPY_COOKIE_NAME:cookie-name \
    JPY_BASE_URL:base-url \
    JPY_HUB_PREFIX:hub-prefix \
    JPY_HUB_API_URL:hub-api-url
do
    _env_name="${_spec%%:*}"
    _flag="${_spec#*:}"
    # ${!_env_name} is bash indirect expansion: the value of the named variable.
    if [ -n "${!_env_name}" ]; then
        NOTEBOOK_ARGS="--${_flag}=${!_env_name} $NOTEBOOK_ARGS"
    fi
done
unset _spec _env_name _flag
# Hand over to the shared start script. It is sourced, so it runs in this
# shell with the positional parameters given here: the single-user server
# binary, then the assembled flags, then the caller's own arguments.
# NOTEBOOK_ARGS is intentionally left unquoted so it splits into separate
# arguments.
NOTEBOOK_BIN="jupyterhub-singleuser"
source /usr/local/bin/start.sh "$NOTEBOOK_BIN" $NOTEBOOK_ARGS "$@"
#!/bin/bash | |
# Copyright (c) Jupyter Development Team. | |
# Distributed under the terms of the Modified BSD License. | |
set -e

# Command to exec at the end of this script: the arguments as given, or an
# interactive bash when none were supplied. Kept as an array so arguments
# containing whitespace survive intact.
if (( $# > 0 )); then
    cmd=( "$@" )
else
    cmd=( "bash" )
fi
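run-hooks () {
    # Source scripts or run executable files in a directory.
    #
    # $1: directory to scan. A missing directory is not an error.
    #
    # Files ending in .sh are sourced into the current shell, so they can
    # change its variables and, under `set -e`, abort the caller. Other files
    # are executed only if they carry the executable bit; the rest are
    # reported and skipped.
    #
    # Everything found here runs with the privileges of the calling shell.
    # This script calls run-hooks before it drops from root to NB_USER, so
    # hook directories should be writable by root only.
    if [[ ! -d "$1" ]] ; then
        return
    fi
    echo "$0: running hooks in $1"
    for f in "$1/"*; do
        # In an empty directory the glob stays unexpanded; skip that literal
        # pattern instead of reporting a file that does not exist.
        [[ -e "$f" || -L "$f" ]] || continue
        case "$f" in
            *.sh)
                echo "$0: running $f"
                source "$f"
                ;;
            *)
                if [[ -x "$f" ]] ; then
                    echo "$0: running $f"
                    "$f"
                else
                    echo "$0: ignoring $f"
                fi
                ;;
        esac
    done
    echo "$0: done running hooks in $1"
}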
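# Startup hooks run first, with whatever privileges the container started
# with (root, if the container runs as root).
run-hooks /usr/local/bin/start-notebook.d

# Handle special flags if we're root
if [ "$(id -u)" == 0 ] ; then

    # NB_USER, NB_UID, NB_GID and the CHOWN_* variables below come from the
    # container environment and are passed to commands that run as root.
    # User, uid and gid values are quoted so that a value containing
    # whitespace or glob characters cannot turn into extra arguments.

    # Only attempt to change the jovyan username if it exists
    if id jovyan &> /dev/null ; then
        echo "Set username to: $NB_USER"
        usermod -d "/home/$NB_USER" -l "$NB_USER" jovyan
    fi

    # handle home and working directory if the username changed
    if [[ "$NB_USER" != "jovyan" ]]; then
        # changing username, make sure homedir exists
        # (it could be mounted, and we shouldn't create it if it already exists)
        if [[ ! -e "/home/$NB_USER" ]]; then
            echo "Relocating home dir to /home/$NB_USER"
            mv /home/jovyan "/home/$NB_USER" || ln -s /home/jovyan "/home/$NB_USER"
        fi
        # if workdir is in /home/jovyan, cd to /home/$NB_USER
        if [[ "$PWD/" == "/home/jovyan/"* ]]; then
            # ${PWD:13} drops the 13-character prefix "/home/jovyan/".
            newcwd="/home/$NB_USER/${PWD:13}"
            echo "Setting CWD to $newcwd"
            cd "$newcwd"
        fi
    fi

    # Handle case where provisioned storage does not have the correct permissions by default
    # Ex: default NFS/EFS (no auto-uid/gid)
    if [[ "$CHOWN_HOME" == "1" || "$CHOWN_HOME" == 'yes' ]]; then
        echo "Changing ownership of /home/$NB_USER to $NB_UID:$NB_GID with options '${CHOWN_HOME_OPTS}'"
        # CHOWN_HOME_OPTS stays unquoted on purpose: it may hold several options.
        chown $CHOWN_HOME_OPTS "$NB_UID:$NB_GID" "/home/$NB_USER"
    fi
    if [ ! -z "$CHOWN_EXTRA" ]; then
        # CHOWN_EXTRA is a comma-separated list of paths; chown runs as root
        # on each of them, so the list must come from a trusted source.
        for extra_dir in $(echo $CHOWN_EXTRA | tr ',' ' '); do
            echo "Changing ownership of ${extra_dir} to $NB_UID:$NB_GID with options '${CHOWN_EXTRA_OPTS}'"
            chown $CHOWN_EXTRA_OPTS "$NB_UID:$NB_GID" "$extra_dir"
        done
    fi

    # Change UID:GID of NB_USER to NB_UID:NB_GID if it does not match
    if [ "$NB_UID" != $(id -u $NB_USER) ] || [ "$NB_GID" != $(id -g $NB_USER) ]; then
        echo "Set user $NB_USER UID:GID to: $NB_UID:$NB_GID"
        if [ "$NB_GID" != $(id -g $NB_USER) ]; then
            groupadd -f -g "$NB_GID" -o "${NB_GROUP:-${NB_USER}}"
        fi
        # Recreate the account with the requested ids.
        userdel "$NB_USER"
        useradd --home "/home/$NB_USER" -u "$NB_UID" -g "$NB_GID" -G 100 -l "$NB_USER"
    fi

    # Enable sudo if requested
    # This grants NB_USER passwordless sudo for every command, i.e. the
    # notebook user (and any code run in a notebook) can become root inside
    # the container.
    if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == 'yes' ]]; then
        echo "Granting $NB_USER sudo access and appending $CONDA_DIR/bin to sudo PATH"
        echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook
    fi

    # Add $CONDA_DIR/bin to sudo secure_path
    # (done whether or not GRANT_SUDO is set)
    sed -r "s#Defaults\s+secure_path\s*=\s*\"?([^\"]+)\"?#Defaults secure_path=\"\1:$CONDA_DIR/bin\"#" /etc/sudoers | grep secure_path > /etc/sudoers.d/path

    # Exec the command as NB_USER with the PATH and the rest of
    # the environment preserved
    # These hooks still run as root; the privilege drop happens in the exec.
    run-hooks /usr/local/bin/before-notebook.d
    echo "Executing the command: ${cmd[*]}"
    # 'sudo -E' hands the whole current environment to the NB_USER process,
    # including any secrets that were passed to the container as variables.
    # The VAR=value words are arguments to sudo, not shell assignments, so
    # they are quoted to keep values with spaces in a single argument.
    exec sudo -E -H -u "$NB_USER" PATH="$PATH" XDG_CACHE_HOME="/home/$NB_USER/.cache" PYTHONPATH="${PYTHONPATH:-}" "${cmd[@]}"
else
    if [[ "$NB_UID" == "$(id -u jovyan 2>/dev/null)" && "$NB_GID" == "$(id -g jovyan 2>/dev/null)" ]]; then
        # User is not attempting to override user/group via environment
        # variables, but they could still have overridden the uid/gid that
        # container runs as. Check that the user has an entry in the passwd
        # file and if not add an entry.
        STATUS=0 && whoami &> /dev/null || STATUS=$? && true
        if [[ "$STATUS" != "0" ]]; then
            if [[ -w /etc/passwd ]]; then
                echo "Adding passwd file entry for $(id -u)"
                # Build the new passwd content in a private temporary file
                # (mktemp picks an unpredictable name) rather than a fixed
                # path in the shared /tmp directory.
                passwd_tmp="$(mktemp)"
                sed -e "s/^jovyan:/nayvoj:/" /etc/passwd > "$passwd_tmp"
                echo "jovyan:x:$(id -u):$(id -g):,,,:/home/jovyan:/bin/bash" >> "$passwd_tmp"
                # Overwrite in place: only the file, not /etc, is writable here.
                cat "$passwd_tmp" > /etc/passwd
                rm "$passwd_tmp"
            else
                echo 'Container must be run with group "root" to update passwd file'
            fi
        fi

        # Warn if the user isn't going to be able to write files to $HOME.
        if [[ ! -w /home/jovyan ]]; then
            echo 'Container must be run with group "users" to update files'
        fi
    else
        # Warn if looks like user want to override uid/gid but hasn't
        # run the container as root.
        if [[ ! -z "$NB_UID" && "$NB_UID" != "$(id -u)" ]]; then
            echo 'Container must be run as root to set $NB_UID'
        fi
        if [[ ! -z "$NB_GID" && "$NB_GID" != "$(id -g)" ]]; then
            echo 'Container must be run as root to set $NB_GID'
        fi
    fi

    # Warn if looks like user want to run in sudo mode but hasn't run
    # the container as root.
    if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == 'yes' ]]; then
        echo 'Container must be run as root to grant sudo permissions'
    fi

    # Execute the command
    run-hooks /usr/local/bin/before-notebook.d
    echo "Executing the command: ${cmd[*]}"
    exec "${cmd[@]}"
fi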