Merge pull request #21 from parente/costerwi-start-notebook

Add user in script + fixes

all-spark-notebook/Dockerfile

@@ -43,8 +43,6 @@ RUN cd /tmp && \
     apt-get remove -y sbt && \
     apt-get clean
 
-USER jovyan
-
 # Spark and Mesos pointers
 ENV SPARK_HOME /usr/local/spark
 ENV R_LIBS_USER $SPARK_HOME/R/lib
@@ -74,7 +72,7 @@ RUN conda create -p $CONDA_DIR/envs/python2 python=2.7 \
     && conda clean -yt
 RUN $CONDA_DIR/envs/python2/bin/python \
     $CONDA_DIR/envs/python2/bin/ipython \
-    kernelspec install-self --user
+    kernelspec install-self
 
 # R packages
 RUN conda config --add channels r
@@ -85,9 +83,5 @@ RUN conda install --yes \
     'r-rcurl=1.95*' && conda clean -yt
 
 # Scala Spark kernel spec
-RUN mkdir -p $HOME/.ipython/kernels/scala
-COPY kernel.json $HOME/.ipython/kernels/scala/
-
-# Switch back to root so that supervisord runs under that user
-USER root
-RUN chown -R $NB_USER:$NB_USER $HOME/.ipython/kernels/scala/
\ No newline at end of file
+RUN mkdir -p /usr/local/share/jupyter/kernels/scala
+COPY kernel.json /usr/local/share/jupyter/kernels/scala/

all-spark-notebook/README.md

@@ -203,6 +203,7 @@ You may customize the execution of the Docker container and the Notebook server
 
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not found in `/home/jovyan/.ipython/profile_default/security/notebook.pem`, the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.

datascience-notebook/Dockerfile

@@ -2,6 +2,8 @@ FROM jupyter/minimal-notebook
 
 MAINTAINER Jupyter Project <jupyter@googlegroups.com>
 
+USER root
+
 # R pre-requisites
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
@@ -16,8 +18,6 @@ RUN apt-get update && \
     julia \
     libnettle4 && apt-get clean
 
-USER jovyan
-
 # Install Python 3 packages
 RUN conda install --yes \
     'ipywidgets=4.0*' \
@@ -59,7 +59,7 @@ RUN conda create -p $CONDA_DIR/envs/python2 python=2.7 \
     && conda clean -yt
 RUN $CONDA_DIR/envs/python2/bin/python \
     $CONDA_DIR/envs/python2/bin/ipython \
-    kernelspec install-self --user
+    kernelspec
 
 # R packages
 RUN conda config --add channels r
@@ -85,6 +85,3 @@ RUN conda install --yes \
 # IJulia and Julia packages
 RUN julia -e 'Pkg.add("IJulia")'
 RUN julia -e 'Pkg.add("Gadfly")' && julia -e 'Pkg.add("RDatasets")'
-
-# Switch back to root so that supervisord runs under that user
-USER root

datascience-notebook/README.md

@@ -24,6 +24,7 @@ You may customize the execution of the Docker container and the Notebook server
 
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not found in `/home/jovyan/.ipython/profile_default/security/notebook.pem`, the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * `-v /some/host/folder/for/server.pem:/home/jovyan/.local/share/jupyter/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.

minimal-notebook/Dockerfile

@@ -3,6 +3,8 @@ FROM debian:jessie
 
 MAINTAINER Jupyter Project <jupyter@googlegroups.com>
 
+USER root
+
 # Install all OS dependencies for fully functional notebook server
 ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && apt-get install -yq --no-install-recommends \
@@ -24,49 +26,28 @@ RUN apt-get update && apt-get install -yq --no-install-recommends \
     sudo \
     && apt-get clean
 
+# Configure environment
 ENV CONDA_DIR /opt/conda
-ENV NB_USER jovyan
+ENV PATH $CONDA_DIR/bin:$PATH
 
 # Install conda
-RUN echo 'export PATH=$CONDA_DIR/bin:$PATH' > /etc/profile.d/conda.sh && \
+RUN echo export PATH=$CONDA_DIR/bin:'$PATH' > /etc/profile.d/conda.sh && \
     wget --quiet https://repo.continuum.io/miniconda/Miniconda3-3.9.1-Linux-x86_64.sh && \
     /bin/bash /Miniconda3-3.9.1-Linux-x86_64.sh -b -p $CONDA_DIR && \
     rm Miniconda3-3.9.1-Linux-x86_64.sh && \
     $CONDA_DIR/bin/conda install --yes conda==3.14.1
 
-# Create non-root user
-RUN useradd -m -s /bin/bash $NB_USER
-RUN chown -R $NB_USER:$NB_USER $CONDA_DIR
-RUN chown $NB_USER:$NB_USER /home/$NB_USER -R
-
-# Configure user environment
-USER $NB_USER
-ENV HOME /home/$NB_USER
-ENV SHELL /bin/bash
-ENV USER $NB_USER
-ENV PATH $CONDA_DIR/bin:$PATH
-
-# Setup a work directory rooted in home for ease of volume mounting
-ENV WORK $HOME/work
-RUN mkdir -p $WORK
-WORKDIR $WORK
-
 # Install Jupyter notebook
 RUN conda install --yes \
     'notebook=4.0*' \
     terminado \
     && conda clean -yt
 
-# Configure Jupyter
-RUN jupyter notebook --generate-config
-
 # Configure container startup
 EXPOSE 8888
-USER root
-CMD ["supervisord", "-n", "-c", "/etc/supervisor/supervisord.conf"]
+CMD [ "start-notebook.sh" ]
 
 # Add local files as late as possible to avoid cache busting
-COPY jupyter_notebook_config.py $HOME/.jupyter/
+COPY start-notebook.sh /usr/local/bin/
 COPY notebook.conf /etc/supervisor/conf.d/
-COPY enable_sudo.sh /usr/local/bin/
-RUN chown $NB_USER:$NB_USER $HOME/.jupyter/jupyter_notebook_config.py
\ No newline at end of file
+COPY jupyter_notebook_config.py /etc/skel/.jupyter/

minimal-notebook/README.md

@@ -21,6 +21,7 @@ You may customize the execution of the Docker container and the Notebook server
 
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not provided (see below), the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.

minimal-notebook/enable_sudo.sh

-#!/bin/bash
-if [ ! -z "$GRANT_SUDO" ]; then
-    echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook
-fi
\ No newline at end of file

minimal-notebook/notebook.conf

@@ -7,12 +7,4 @@ autostart=true
 autorestart=true
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
 redirect_stderr=true
-
-[program:sudoers]
-command=enable_sudo.sh
-autostart=true
-autorestart=false
-stdout_logfile=/var/log/supervisor/%(program_name)s.log
-redirect_stderr=true
-startretries=0
-startsecs=0
+environment=HOME="/home/jovyan",USER="jovyan",SHELL="/bin/bash"

minimal-notebook/start-notebook.sh

+#!/bin/bash
+
+# Constants
+NB_USER=jovyan
+NB_HOME=/home/$NB_USER
+NB_WORK=$NB_HOME/work
+
+# Create non-root NB_USER if one doesn't exist
+id -u $NB_USER && user_exists=true
+if [ -z "$user_exists" ] ; then
+    useradd -m -s /bin/bash -u ${NB_UID:-1000} $NB_USER
+
+    # Setup a work directory rooted in the NB_USER home
+    mkdir -p $NB_WORK
+    chown -R $NB_USER.$NB_USER $NB_HOME
+
+    # Allow NB_USER group to update conda root env
+    chown -R root.$NB_USER $CONDA_DIR
+    chmod g+w $CONDA_DIR
+fi
+
+# Copy skeleton files if useradd didn't do it (e.g., volume mounted dir
+# residing in NB_HOME prevented it)
+if [ ! -d $NB_HOME/.jupyter ]; then
+    cp -r /etc/skel/. $NB_HOME
+    chown -R $NB_USER.$NB_USER $NB_HOME
+fi
+
+# Enable sudo if requested
+if [ ! -z "$GRANT_SUDO" ]; then
+    echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook
+fi
+
+# Start supervisord in foreground, PID1
+exec supervisord -n -c /etc/supervisor/supervisord.conf

pyspark-notebook/Dockerfile

@@ -22,8 +22,6 @@ RUN apt-key adv --keyserver keyserver.ubuntu.com --recv E56151BF && \
     apt-get --no-install-recommends -y --force-yes install mesos=0.22.1-1.0.debian78 && \
     apt-get clean
 
-USER jovyan
-
 # Spark and Mesos pointers
 ENV SPARK_HOME /usr/local/spark
 ENV PYTHONPATH $SPARK_HOME/python:$SPARK_HOME/python/lib/py4j-0.8.2.1-src.zip
@@ -52,7 +50,4 @@ RUN conda create -p $CONDA_DIR/envs/python2 python=2.7 \
     && conda clean -yt
 RUN $CONDA_DIR/envs/python2/bin/python \
     $CONDA_DIR/envs/python2/bin/ipython \
-    kernelspec install-self --user
-
-# Switch back to root so that supervisord runs under that user
-USER root
\ No newline at end of file
+    kernelspec install-self
\ No newline at end of file

pyspark-notebook/README.md

@@ -93,6 +93,7 @@ You may customize the execution of the Docker container and the Notebook server
 
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not found in `/home/jovyan/.ipython/profile_default/security/notebook.pem`, the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.

r-notebook/Dockerfile

@@ -3,6 +3,8 @@ FROM jupyter/minimal-notebook
 
 MAINTAINER Jupyter Project <jupyter@googlegroups.com>
 
+USER root
+
 # R pre-requisites
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
@@ -11,8 +13,6 @@ RUN apt-get update && \
     gfortran \
     gcc && apt-get clean
 
-USER jovyan
-
 # R packages
 RUN conda config --add channels r
 RUN conda install --yes \
@@ -33,6 +33,3 @@ RUN conda install --yes \
     'r-caret=6.0*' \
     'r-rcurl=1.95*' \
     'r-randomforest=4.6*' && conda clean -yt
-
-# Switch back to root so that supervisord runs under that user
-USER root
\ No newline at end of file

r-notebook/README.md

@@ -21,6 +21,7 @@ You may customize the execution of the Docker container and the Notebook server
 
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not found in `/home/jovyan/.ipython/profile_default/security/notebook.pem`, the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.

scipy-notebook/Dockerfile

@@ -3,7 +3,7 @@ FROM jupyter/minimal-notebook
 
 MAINTAINER Jupyter Project <jupyter@googlegroups.com>
 
-USER jovyan
+USER root
 
 # Install Python 3 packages
 RUN conda install --yes \
@@ -46,7 +46,4 @@ RUN conda create -p $CONDA_DIR/envs/python2 python=2.7 \
     && conda clean -yt
 RUN $CONDA_DIR/envs/python2/bin/python \
     $CONDA_DIR/envs/python2/bin/ipython \
-    kernelspec install-self --user
-
-# Switch back to root so that supervisord runs under that user
-USER root
\ No newline at end of file
+    kernelspec install-self

scipy-notebook/README.md

@@ -21,6 +21,7 @@ You may customize the execution of the Docker container and the Notebook server
 
 * `-e PASSWORD="YOURPASS"` - Configures Jupyter Notebook to require the given password. Should be conbined with `USE_HTTPS` on untrusted networks.
 * `-e USE_HTTPS=yes` - Configures Jupyter Notebook to accept encrypted HTTPS connections. If a `pem` file containing a SSL certificate and key is not found in `/home/jovyan/.ipython/profile_default/security/notebook.pem`, the container will generate a self-signed certificate for you.
+* **(v4.0.x)** `-e NB_UID=1000` - Specify the uid of the `jovyan` user. Useful to mount host volumes with specific file ownership.
 * `-e GRANT_SUDO=yes` - Gives the `jovyan` user passwordless `sudo` capability. Useful for installing OS packages. **You should only enable `sudo` if you trust the user or if the container is running on an isolated host.**
 * `-v /some/host/folder/for/work:/home/jovyan/work` - Host mounts the default working directory on the host to preserve work even when the container is destroyed and recreated (e.g., during an upgrade).
 * **(v3.2.x)** `-v /some/host/folder/for/server.pem:/home/jovyan/.ipython/profile_default/security/notebook.pem` - Mounts a SSL certificate plus key for `USE_HTTPS`. Useful if you have a real certificate for the domain under which you are running the Notebook server.