@gdamjan
Last active March 16, 2018 19:38
run jupyter in a cheap container using nspawn

Prerequisites

  • host based on Debian stretch (Arch works too)
  • backports installed, including the latest systemd
  • usrmerge enabled, so the whole distro lives under /usr
  • python3 and python3-pip installed

Quickstart

Setup:

sudo mkdir /srv/jupyter /srv/jupyter/rootfs /srv/jupyter/rootfs/etc /srv/jupyter/rootfs/usr /srv/jupyter/workdir
sudo chown nobody /srv/jupyter/workdir
grep nobody /etc/passwd | sudo tee -a /srv/jupyter/rootfs/etc/passwd
grep nogroup /etc/group  | sudo tee -a /srv/jupyter/rootfs/etc/group # the group is called nobody on arch
sudo ln -s usr/lib /srv/jupyter/rootfs/lib # lib64 on arch
sudo ln -s ../usr/share/zoneinfo/Etc/UTC /srv/jupyter/rootfs/etc/localtime

sudo PYTHONUSERBASE=/srv/jupyter/py-env pip3 install --user jupyterlab

Run:

sudo systemd-nspawn --as-pid2 \
    --drop-capability=all \
    --directory=/srv/jupyter/rootfs \
    --bind-ro=/usr \
    --bind-ro=/srv/jupyter/py-env:/run/jupyter/py-env \
    --bind=/srv/jupyter/workdir:/workdir \
    --chdir=/workdir \
    --user=nobody \
    -E HOME=/workdir \
    -E PYTHONUSERBASE=/run/jupyter/py-env \
    /run/jupyter/py-env/bin/jupyter lab --no-browser
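The Setup and Run steps above, wrapped into a small checked launcher as an added example (this is not code from the gist): `check_rootfs` verifies that the pieces the Run command relies on are actually in place (the `nobody` account copied into the rootfs, the relative `lib` symlink that must resolve inside the container, the timezone link, the writable workdir) and `nspawn_args` prints the exact `systemd-nspawn` argument list so it can be reviewed before anything is started. The function names and the `--check` entry point are my own; the paths default to the gist's /srv/jupyter layout, and the ownership check only warns because the example is meant to run unprivileged.

```shell
#!/bin/sh
# Added example, not part of the gist: validate a rootfs prepared as in the
# Setup section and build the systemd-nspawn command line from the Run section.

# check_rootfs ROOTFS WORKDIR
# Returns 0 when every piece the Run command depends on is present.
check_rootfs() {
  root="$1"; workdir="$2"; ok=0
  [ -d "$root/etc" ] && [ -d "$root/usr" ] \
    || { echo "missing etc/ or usr/ under $root"; ok=1; }
  # the container runs as --user=nobody, so the uid must resolve inside it
  grep -q '^nobody:' "$root/etc/passwd" 2>/dev/null \
    || { echo "no nobody entry in $root/etc/passwd"; ok=1; }
  grep -qE '^(nogroup|nobody):' "$root/etc/group" 2>/dev/null \
    || { echo "no nogroup/nobody entry in $root/etc/group"; ok=1; }
  # /lib must be a *relative* link so it still points at usr/lib once /usr is bound
  [ -L "$root/lib" ] && [ "$(readlink "$root/lib")" = "usr/lib" ] \
    || { echo "lib is not a relative symlink to usr/lib"; ok=1; }
  [ -L "$root/etc/localtime" ] \
    || { echo "missing etc/localtime symlink"; ok=1; }
  [ -d "$workdir" ] \
    || { echo "workdir $workdir does not exist"; ok=1; }
  # ownership is only reported: jupyter needs to write here as nobody
  owner=$(ls -ld "$workdir" 2>/dev/null | awk '{print $3}')
  [ "$owner" = "nobody" ] \
    || echo "warning: $workdir is owned by '$owner', not nobody"
  return "$ok"
}

# nspawn_args ROOTFS WORKDIR PYENV
# Prints the launch command on one line; nothing is executed here.
nspawn_args() {
  root="$1"; workdir="$2"; pyenv="$3"
  printf '%s ' \
    systemd-nspawn --as-pid2 \
    --drop-capability=all \
    "--directory=$root" \
    --bind-ro=/usr \
    "--bind-ro=$pyenv:/run/jupyter/py-env" \
    "--bind=$workdir:/workdir" \
    --chdir=/workdir \
    --user=nobody \
    -E HOME=/workdir \
    -E PYTHONUSERBASE=/run/jupyter/py-env \
    /run/jupyter/py-env/bin/jupyter lab --no-browser
  printf '\n'
}

# usage: sh launcher.sh --check [ROOTFS] [WORKDIR] [PYENV]
if [ "${1:-}" = "--check" ]; then
  check_rootfs "${2:-/srv/jupyter/rootfs}" "${3:-/srv/jupyter/workdir}" \
    && nspawn_args "${2:-/srv/jupyter/rootfs}" "${3:-/srv/jupyter/workdir}" "${4:-/srv/jupyter/py-env}"
fi
```

Running it with `--check` prints the command line only when the rootfs passes; pipe that output into `sudo sh` (or paste it) to start the container exactly as in the Run section. The only writable bind in the printed command is the workdir, which is the property worth eyeballing before launch.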

TODO

  • network namespace - dnat or inherited socket
  • remove suids - NoNewPrivileges=yes?