Container startup with custom user id fails on multi-tenant system with namespace isolation

Open PALuczak opened this issue 6 years ago • 1 comments

What docker image you are using?

jupyter/datascience-notebook

What complete docker command do you run to launch the container (omitting sensitive values)?

docker run --userns=host --gpus all --rm -it -p 42424:8888 -e JUPYTER_ENABLE_LAB=yes --user $(id -u) --group-add users -v /home/username/:/files/ --name datascienceLab jupyter/datascience-notebook

and

docker run --userns=host --gpus all --rm -it -p 42424:8888 -e NB_UID=$(id -u) -e NB_GID=$(id -g) -e JUPYTER_ENABLE_LAB=yes --user root -v /home/username/:/mount/ --name datascienceLab jupyter/datascience-notebook

What steps do you take once the container is running to reproduce the issue?

Just wait for the container execution to fail, watch output in the terminal.

Docker version: Docker version 19.03.4, build 9013bf583a with namespace isolation enabled.

What do you expect to happen?

A jupyter lab instance with uid matching my host user id so that I could edit files in the mounted home directory.

What actually happens?

First command:

Container must be run with group "root" to update passwd file
Container must be run with group "users" to update files
Executing the command: jupyter lab
Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/site-packages/traitlets/traitlets.py", line 528, in get
    value = obj._trait_values[self.name]
KeyError: 'runtime_dir'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/conda/bin/jupyter-lab", line 10, in <module>
    sys.exit(main())
  File "/opt/conda/lib/python3.7/site-packages/jupyter_core/application.py", line 266, in launch_instance
    return super(JupyterApp, cls).launch_instance(argv=argv, **kwargs)
  File "/opt/conda/lib/python3.7/site-packages/traitlets/config/application.py", line 657, in launch_instance
    app.initialize(argv)
  File "</opt/conda/lib/python3.7/site-packages/decorator.py:decorator-gen-7>", line 2, in initialize
  File "/opt/conda/lib/python3.7/site-packages/traitlets/config/application.py", line 87, in catch_config_error
    return method(app, *args, **kwargs)
  File "/opt/conda/lib/python3.7/site-packages/notebook/notebookapp.py", line 1676, in initialize
    self.init_configurables()
  File "/opt/conda/lib/python3.7/site-packages/notebook/notebookapp.py", line 1349, in init_configurables
    connection_dir=self.runtime_dir,
  File "/opt/conda/lib/python3.7/site-packages/traitlets/traitlets.py", line 556, in __get__
    return self.get(obj, cls)
  File "/opt/conda/lib/python3.7/site-packages/traitlets/traitlets.py", line 535, in get
    value = self._validate(obj, dynamic_default())
  File "/opt/conda/lib/python3.7/site-packages/jupyter_core/application.py", line 99, in _runtime_dir_default
    ensure_dir_exists(rd, mode=0o700)
  File "/opt/conda/lib/python3.7/site-packages/jupyter_core/utils/__init__.py", line 13, in ensure_dir_exists
    os.makedirs(path, mode=mode)
  File "/opt/conda/lib/python3.7/os.py", line 211, in makedirs
    makedirs(head, exist_ok=exist_ok)
  File "/opt/conda/lib/python3.7/os.py", line 211, in makedirs
    makedirs(head, exist_ok=exist_ok)
  File "/opt/conda/lib/python3.7/os.py", line 211, in makedirs
    makedirs(head, exist_ok=exist_ok)
  File "/opt/conda/lib/python3.7/os.py", line 221, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/home/jovyan/.local'

Second command:

Set username to: jovyan
usermod: no changes
Set jovyan UID to: 1022
Add jovyan to group: 1018
Executing the command: jupyter lab
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

PALuczak avatar Nov 04 '19 10:11 PALuczak
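An added diagnostic, not part of the original issue or of docker-stacks: run inside the container, it checks the conditions named in the two error outputs above (write access to `/home/jovyan`, write access to the passwd file, ownership and setuid bit of `/usr/bin/sudo`) and reads the user-namespace ID map. It assumes the passwd file is `/etc/passwd`; all function names are hypothetical.

```python
import os
import stat

def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside_id, outside_id, count) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            entries.append(tuple(int(f) for f in fields))
    return entries

def map_inside_to_outside(entries, inside_id):
    """Return the ID as seen outside the namespace, or None if it is unmapped."""
    for inside, outside, count in entries:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None

def setuid_root_state(path):
    """Return (owned_by_uid_0, has_setuid_bit) as this process sees the file."""
    st = os.stat(path)
    return st.st_uid == 0, bool(st.st_mode & stat.S_ISUID)

def startup_findings(uid_map_text, home, passwd_file, sudo_path):
    """Collect every condition from the error output that does not hold."""
    findings = []
    entries = parse_id_map(uid_map_text)
    uid = os.getuid()
    if map_inside_to_outside(entries, 0) != 0:
        findings.append("uid 0 inside the container does not map to uid 0 outside")
    if map_inside_to_outside(entries, uid) is None:
        findings.append("current uid %d has no mapping outside the namespace" % uid)
    if not os.access(home, os.W_OK | os.X_OK):
        findings.append("%s is not writable by uid %d" % (home, uid))
    if not os.access(passwd_file, os.W_OK):
        findings.append("%s is not writable by uid %d" % (passwd_file, uid))
    if os.path.exists(sudo_path):
        owned, setuid = setuid_root_state(sudo_path)
        if not (owned and setuid):
            findings.append("%s: owned by uid 0: %s, setuid bit: %s" % (sudo_path, owned, setuid))
    return findings

if __name__ == "__main__":
    with open("/proc/self/uid_map") as f:
        uid_map = f.read()
    # /home/jovyan and /usr/bin/sudo come from the output above; /etc/passwd is assumed.
    for item in startup_findings(uid_map, "/home/jovyan", "/etc/passwd", "/usr/bin/sudo"):
        print("FINDING:", item)
```

No output means none of the checked conditions failed for the user the script runs as.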

There's a general Q&A section on https://discourse.jupyter.org/c/questions for cross-technology questions like this one to catch more attention from a broader community audience. You might try re-posting your question over there to see if someone with more experience in this topic can help.

parente avatar Jan 20 '20 04:01 parente

@PALuczak Hi, could you please try to reproduce this issue using the latest image? Many things have changed, so it would be nice to know if we still have this issue. If you solved the issue, please tell us how.

mathbunnyru avatar Aug 24 '23 13:08 mathbunnyru

Honestly, I don't even have the same computer I used back when submitting this issue. I have since switched from jupyter to notebooks in devcontainers over SSH, so I have no way of reproducing this issue.

PALuczak avatar Aug 24 '23 15:08 PALuczak

Thanks for the response. I think we can close this for now because it might be outdated and it's not reproducible.

mathbunnyru avatar Aug 24 '23 22:08 mathbunnyru

> I have since switched from jupyter to notebooks in devcontainers over SSH

@PALuczak You might be interested in my/b-data's [CUDA-enabled] Data Science Dev Containers.

benz0li avatar Aug 25 '23 07:08 benz0li