Using GRANT_SUDO and --allow-root crashes notebook #2177

Closed
haf opened this issue May 5, 2021 · 3 comments

haf commented May 5, 2021

Bug description

According to the documentation here #1021 (comment) — the way to make it possible for users of this project to install dependencies, is to configure singleuser like this:

singleuser:
  defaultUrl: /lab

  image:
    # You should replace the "latest" tag with a fixed version from:
    # https://hub.docker.com/r/jupyter/datascience-notebook/tags/
    # Inspect the Dockerfile at:
    # https://github.com/jupyter/docker-stacks/tree/master/datascience-notebook/Dockerfile
    name: jupyter/datascience-notebook
    tag: latest

  uid: 0

  extraEnv:
    GRANT_SUDO: "yes"
    NOTEBOOK_ARGS: "--allow-root"

However, when a pod is launched and has a browser connected to it, it immediately exits with logs:

jupyter-henrik notebook [I 2021-05-05 15:59:43.348 LabApp] JupyterLab application directory is /opt/conda/share/jupyter/lab
jupyter-henrik notebook [I 2021-05-05 15:59:43.354 SingleUserNotebookApp mixins:567] Starting jupyterhub-singleuser server version 1.4.0
jupyter-henrik notebook [W 2021-05-05 15:59:43.363 SingleUserNotebookApp _version:70] jupyterhub version 1.3.0 != jupyterhub-singleuser version 1.4.0. This could cause failure to authenticate and result in redirect loops!
jupyter-henrik notebook [C 2021-05-05 15:59:43.364 SingleUserNotebookApp notebookapp:2297] Running as root is not recommended. Use --allow-root to bypass.
- jupyter-henrik › notebook

The minus here denotes the exiting of the notebook.

Why? Because I want to mimic how colab works, and because the roles that 1) update the infrastructure, and 2) work with notebooks are two different ones — requiring the infra person to upgrade a dockerfile to install a package is more work than needed — instead the infra role can use network policies, istio network security and other mechanisms to have trusted co-workers being able to sudo inside a container.

There are some issues at play here:

  • Except the linked comment, I can't find documentation on how to run the notebook as root
  • The notebook crashes immediately when used according to the comment/docs
  • The NOTEBOOK_ARGS flag doesn't seem to work, or the notebook shouldn't crash as it does

Expected behaviour

It should be documented how to opt-out of the extra security. Furthermore, the documented way to do it should work.

Actual behaviour

It's not documented (besides the comment) and the notebook crashes immediately.

I'm documenting it here, and I'm going to try not to set uid now, to see whether the default user can sudo from the GRANT_SUDO flag alone. The NOTEBOOK_ARGS flag doesn't seem to work (since the crash tells me to do something I'm already doing), so I'm going to remove it.

How to reproduce

With the config above, do:

helm template jhub jupyterhub/jupyterhub --namespace flows --version 0.11.1 --values config.yaml --output-dir k8s/template
cp -r k8s/template/jupyterhub/templates/ k8s/base/
kustomize build k8s/prod | kubectl apply -f -
open https://jhub.example.com

Your personal set up

Latest Helm chart on GKE with the above configuration.

Configuration
# https://zero-to-jupyterhub.readthedocs.io/en/stable/administrator/authentication.html#google
hub:
  config:
    GoogleOAuthenticator:
      client_id: 326xxxxxxxxxxxxxxxxppcqpfhglr1vbft5b64ni8.apps.googleusercontent.com
      client_secret: -xxxxxxxxxxxxxxx
      oauth_callback_url: https://jhub.xxxxxxx.xxx/hub/oauth_callback
      hosted_domain:
      - xxxxxx.xxx
      login_service: XXXX
    JupyterHub:
      authenticator_class: google
      authenticate_prometheus: False
    admin:
      users:
      - henrik
      - max
  • As a side-note: /lab only shows a white page, but going to /tree lets you see the default interface when testing without uid in the config.yaml file.
@haf haf added the bug Something isn't working label May 5, 2021

welcome bot commented May 5, 2021

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

Member

manics commented May 5, 2021

You missed one key parameter from the comment you linked, singleuser.cmd=start-singleuser.sh.
See jupyterhub/kubespawner#493 for the background.

In general Z2JH isn't responsible for features or limitations of the singleuser server (e.g. Jupyter notebook or lab). For example, GRANT_SUDO is a feature of the docker-stacks start-up scripts:
https://github.com/jupyter/docker-stacks/blob/28817a61f490d97fcad71fb2a9f72355611ba6f5/base-notebook/start.sh#L90-L93
But there's no requirement for images in Z2JH to be based on those.

@manics manics removed the bug Something isn't working label May 5, 2021
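
A pre-deploy check for the misconfiguration resolved in the reply above, as an added example that is not part of the issue thread or of Z2JH. The function name, the finding codes and both sample mappings are constructed for illustration; the check assumes the values file has already been parsed into a mapping and that the image is based on docker-stacks.

```python
# Added example: lint for a parsed Z2JH values mapping. check_singleuser(),
# the finding codes and both sample mappings are constructed for illustration.

def check_singleuser(values):
    """Return (code, message) findings for the 'singleuser' section."""
    su = values.get("singleuser") or {}
    env = su.get("extraEnv") or {}
    cmd = su.get("cmd")
    if isinstance(cmd, (list, tuple)):          # cmd may be given as a list
        cmd = cmd[0] if cmd else None
    uses_start_script = str(cmd or "").endswith("start-singleuser.sh")
    as_root = su.get("uid") == 0
    wants_sudo = str(env.get("GRANT_SUDO", "")) in ("yes", "1")

    findings = []
    if not uses_start_script and (wants_sudo or "NOTEBOOK_ARGS" in env):
        findings.append(("start-script-bypassed",
                         "GRANT_SUDO/NOTEBOOK_ARGS are set but singleuser.cmd "
                         "is not start-singleuser.sh, so the docker-stacks "
                         "start script that handles them does not run"))
    if wants_sudo and not as_root:
        findings.append(("sudo-without-root",
                         "GRANT_SUDO only takes effect when the start script "
                         "itself runs as root (uid: 0)"))
    if (su.get("image") or {}).get("tag") == "latest":
        findings.append(("unpinned-image",
                         "image tag 'latest' is not a fixed version"))
    return findings

def codes(values):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in check_singleuser(values)]

# Constructed from the configuration posted in the issue.
ISSUE_VALUES = {"singleuser": {
    "image": {"name": "jupyter/datascience-notebook", "tag": "latest"},
    "uid": 0,
    "extraEnv": {"GRANT_SUDO": "yes", "NOTEBOOK_ARGS": "--allow-root"},
}}

# Same mapping plus the parameter named in the reply; the tag is a placeholder.
FIXED_VALUES = {"singleuser": {
    "image": {"name": "jupyter/datascience-notebook", "tag": "<fixed-version>"},
    "uid": 0,
    "cmd": "start-singleuser.sh",
    "extraEnv": {"GRANT_SUDO": "yes", "NOTEBOOK_ARGS": "--allow-root"},
}}

if __name__ == "__main__":
    for name, v in (("issue", ISSUE_VALUES), ("fixed", FIXED_VALUES)):
        print(name, codes(v))
```
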
Author

haf commented May 5, 2021

@manics I see, thanks! I presumed wrong; that the singleuser pod started "singleuser.sh" and was therefore unnecessary, and I wasn't able to find the Dockerfiles.
