Skip to content

Instantly share code, notes, and snippets.

@gdamjan gdamjan/
Last active Mar 16, 2018

What would you like to do?
run jupyter in a cheap container using nspawn


  • based on debian stretch (arch is possible too)
  • backports installed, including latest systemd
  • usrmerge enabled, so whole distro is in /usr
  • python3 and python3-pip installed



sudo mkdir /srv/jupyter /srv/jupyter/rootfs /srv/jupyter/rootfs/etc /srv/jupyter/rootfs/usr /srv/jupyter/workdir
sudo chown nobody /srv/jupyter/workdir
grep nobody /etc/passwd | sudo tee -a /srv/jupyter/rootfs/etc/passwd
grep nogroup /etc/group  | sudo tee -a /srv/jupyter/rootfs/etc/group # nobody on arch
sudo ln -s usr/lib /srv/jupyter/rootfs/lib # lib64 on arch
sudo ln -s ../usr/share/zoneinfo/Etc/UTC /srv/jupyter/rootfs/etc/localtime

sudo PYTHONUSERBASE=/srv/jupyter/py-env pip3 install --user jupyterlab


sudo systemd-nspawn --as-pid2 \
    --drop-capability=all \
    --directory=/srv/jupyter/rootfs \
    --bind-ro=/usr \
    --bind-ro=/srv/jupyter/py-env:/run/jupyter/py-env \
    --bind=/srv/jupyter/workdir:/workdir \
    --chdir=/workdir \
    --user=nobody \
    -E HOME=/workdir \
    -E PYTHONUSERBASE=/run/jupyter/py-env \
    /run/jupyter/py-env/bin/jupyter lab --no-browser


  • network namespace - dnat or inherited socket
  • remove suids - NoNewPrivileges=yes?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.