
Running jupyterlab as root instead of jovyan when running in rootless docker mode #2036

Closed
anil-resero opened this issue Nov 20, 2023 · 14 comments · Fixed by #2039
Labels
type:Enhancement A proposed enhancement to the docker images

Comments

@anil-resero

What docker image(s) is this feature applicable to?

datascience-notebook

What change(s) are you proposing?

When running the container in rootless docker mode, running JupyterLab as jovyan or any other user creates files with a subuid and subgid. As a result, deleting these files or updating them requires sudo permissions. If we are able to run JupyterLab in the docker container as root, in the rootless docker environment, the UID/GID of root in the container will map to the UID/GID of the host user.

How does this affect the user?

The host user can access the files created by JupyterLab without any permission issues, as the UID/GID of the host user will map to the UID/GID (0/0) of the root user in the container (in a rootless docker environment).

Anything else?

No response

@anil-resero anil-resero added the type:Enhancement A proposed enhancement to the docker images label Nov 20, 2023
@benz0li
Contributor

benz0li commented Nov 20, 2023

@anil-resero You may be interested in my/b-data's [CUDA-enabled] JupyterLab Python docker stack, which supports running in rootless mode as root.

benz0li added a commit to benz0li/docker-stacks that referenced this issue Nov 22, 2023
@anil-resero
Author

@benz0li thank you for the pull request. I tried the new image quay.io/jupyter/datascience-notebook:2023-11-22 and it worked as expected.

@benz0li
Contributor

benz0li commented Nov 24, 2023

> @benz0li thank you for the pull request. I tried the new image quay.io/jupyter/datascience-notebook:2023-11-22 and it worked as expected.

@anil-resero PR #2039 is not merged yet. One can already start the container with the triplet `-e NB_USER=root -e NB_UID=0 -e NB_GID=0`.

But the crucial part is that the home directory of root is modified to /home/root in /etc/passwd. Otherwise, not everything will work as expected.

@anil-resero
Author

> @benz0li thank you for the pull request. I tried the new image quay.io/jupyter/datascience-notebook:2023-11-22 and it worked as expected.
>
> @anil-resero PR #2039 is not merged yet. One can already start the container with the triplet `-e NB_USER=root -e NB_UID=0 -e NB_GID=0`.
>
> But the crucial part is that the home directory of root is modified to /home/root in /etc/passwd. Otherwise, not everything will work as expected.

@benz0li thanks for the clarification. The simple notebooks I tried worked fine even without changing the home directory. I customized the image as shown below:

```dockerfile
# Start from a core stack version
FROM quay.io/jupyter/datascience-notebook:2023-11-22

USER root
# RUN uses /bin/sh, which does not expand {apt,dpkg,cache,log} brace lists,
# and /var/lib/dpkg must stay in place for apt to keep working, so only the
# downloaded package lists are removed at the end.
RUN echo "Installing System Packages" && \
    apt-get update && \
    apt-get install --yes git-lfs && \
    echo "Clean apt cache and unneeded pkgs" && \
    apt-get autoremove --yes && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Install from the requirements.txt file
RUN pip install --no-cache-dir jupyterlab-code-formatter==2.2.1 black==23.11.0 isort==5.12.0 boto3==1.29.5 boto3-stubs[essentials]==1.29.5 awswrangler==3.4.2
```

The /home/jovyan directory has a few directories, but they don't seem to have a lot of content in them:

```
(base) root@e28920112943:~# pwd
/home/jovyan
(base) root@e28920112943:~# ls -a
.  ..  .bash_logout  .bashrc  .cache  .conda  .config  .jupyter  .npm  .profile  work
(base) root@e28920112943:~#
```

Not sure how important it is to copy those files in start.sh to /home/root.

Instead of changing the root user's home directory, I wonder if the following makes sense:

- Treat the root user differently: i) if the user specifies NB_USER, NB_UID, and NB_GID, and NB_USER is root, then assert that NB_UID and NB_GID are 0; ii) if the user specifies only NB_USER and it is root, set NB_UID and NB_GID to 0. Basically, ensure that NB_UID and NB_GID of 0 are reserved for root.
- If NB_USER is root, copy /home/jovyan to /root and keep the standard Linux convention for the root home directory.
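The validation rule proposed in the comment above, written out as an added example (this is not code from jupyter/docker-stacks or from the comment's author). It assumes the images' default NB_UID/NB_GID of 1000/100 mentioned later in the thread; the function name and the convention that an empty string means "not set" are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from jupyter/docker-stacks: the NB_USER/NB_UID/NB_GID
# consistency rule proposed above, as a function a start script could call.
# Defaults 1000/100 are the images' NB_UID/NB_GID defaults; the function name
# and "empty string means unset" are assumptions of this example.
#
# resolve_nb_ids NB_USER NB_UID NB_GID
#   Prints "USER UID GID" for a consistent triplet, returns 1 otherwise.
resolve_nb_ids() {
    user=${1:-jovyan}
    uid=$2
    gid=$3
    if [ "$user" = root ]; then
        # Case i: NB_USER=root with explicit ids -> both must be 0.
        if [ -n "$uid" ] && [ "$uid" -ne 0 ]; then
            echo "NB_USER=root requires NB_UID=0, got $uid" >&2
            return 1
        fi
        if [ -n "$gid" ] && [ "$gid" -ne 0 ]; then
            echo "NB_USER=root requires NB_GID=0, got $gid" >&2
            return 1
        fi
        # Case ii: only NB_USER=root given -> imply 0/0.
        uid=0
        gid=0
    else
        # Any other user gets the image defaults, and id 0 stays reserved
        # for root, so an explicit 0 is rejected rather than silently used.
        uid=${uid:-1000}
        gid=${gid:-100}
        if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
            echo "NB_UID/NB_GID 0 is reserved for NB_USER=root (got $user)" >&2
            return 1
        fi
    fi
    echo "$user $uid $gid"
}

# Walk through the cases from the proposal; each prints the resolved
# triplet, or an error on stderr when the triplet is inconsistent.
resolve_nb_ids root "" ""             # root 0 0
resolve_nb_ids root 0 0               # root 0 0
resolve_nb_ids root 1000 100 || true  # rejected: uid/gid must be 0 for root
resolve_nb_ids jovyan "" ""           # jovyan 1000 100
```

Rejecting an explicit 0 for a non-root NB_USER is the "reserved for root" half of the proposal; without it a container could end up with a uid-0 process whose /etc/passwd entry and home directory belong to some other name, which is exactly the mismatch the /home/root discussion in this thread is about.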

@benz0li
Contributor

benz0li commented Nov 27, 2023

IMHO we do not want to use (and touch) the original /root directory.

For my explanation, see #2039 (comment) ff.

Cross reference: #2042 (comment)

@mathbunnyru mathbunnyru changed the title Running juputerlab as root instead of jovyan when running in rootless docker mode Running jupyterlab as root instead of jovyan when running in rootless docker mode Dec 20, 2023
mathbunnyru added a commit that referenced this issue Jan 14, 2024
@Mr-Qiuqi

> @benz0li thank you for the pull request. I tried the new image quay.io/jupyter/datascience-notebook:2023-11-22 and it worked as expected.
>
> @anil-resero PR #2039 is not merged yet. One can already start the container with the triplet `-e NB_USER=root -e NB_UID=0 -e NB_GID=0`.
>
> But the crucial part is that the home directory of root is modified to /home/root in /etc/passwd. Otherwise, not everything will work as expected.

Thanks so much, it works for me, but I still need to add `sh -c "start-notebook.sh --allow-root"` for it to be effective, because the docker logs say: "Running as root is not recommended. Use --allow-root to bypass."

@Sieboldianus

Sieboldianus commented Sep 4, 2024

I tested JupyterLab in Docker rootless and my perception is that `-e NB_USER=root -e NB_UID=0 -e NB_GID=0` are not necessary. If you are logged in to the rootless user and start jupyter docker (`docker compose up -d`), NB_UID and NB_GID will match the uid/gid of the user running the docker command. See my notes regarding rootless Docker setup here. I am using Jupyter installed with conda in docker (see the stack here).

@benz0li
Contributor

benz0li commented Sep 4, 2024

> If you are logged in to the rootless user and start jupyter docker (`docker compose up -d`), NB_UID and NB_GID will match the uid/gid of the user running the docker command.

@Sieboldianus

1. When starting the container, bind mount a directory from the host to e.g. /var/tmp inside the container
2. Inside the container: Create a file in folder /var/tmp as jovyan (uid=1000, gid=100)¹
3. On the host: Check the uid and gid of that created file in the directory

¹ IMHO this will result in Permission denied

@Sieboldianus

Sieboldianus commented Sep 4, 2024

> > If you are logged in to the rootless user and start jupyter docker (`docker compose up -d`), NB_UID and NB_GID will match the uid/gid of the user running the docker command.
>
> @Sieboldianus
>
> 1. When starting the container, bind mount a directory from the host to e.g. /var/tmp inside the container
> 2. Inside the container: Create a file in folder /var/tmp as jovyan (uid=1000, gid=100)¹
> 3. On the host: Check the uid and gid of that created file in the directory
>
> ¹ IMHO this will result in Permission denied

Exactly:

```
id
> uid=999(adu) gid=987(adu) groups=987(adu),4(adm)
```

adu/999 is my rootless user in Debian. It has gid/uid mapping enabled.

```
grep adu: /etc/subuid
> adu:362144:65536
```

I bind the jovyan home folder in docker-compose.yml:

```yaml
services:
  jupyterlab:
    volumes:
      - ~/notebooks:/home/jovyan/work
```

Let's look inside the container:

```
docker compose exec jupyterlab /bin/bash
ls -alh /home/jovyan/work
> total 4.0K
> drwx------ 5 root root  82 Sep  3 11:39 .
> drwxr-xr-x 3 root root  18 Sep  4 01:25 ..
> drwx------ 4 root root  31 Jul 26 10:00 .Trash-0
> drwxr-xr-x 8 root root 166 Sep  3 11:39 .git
> drwxr-xr-x 2 root root  39 Sep  3 11:39 .ipynb_checkpoints
> -rw-r--r-- 1 root root 972 Sep  3 11:39 Untitled.ipynb
```

Outside:

```
ls -alh ~/notebooks
> total 4.0K
> drwx------ 5 adu adu  82 Sep  3 11:39 .
> drwxr-x--- 9 adu adu 197 Sep  2 12:10 ..
> drwxr-xr-x 8 adu adu 166 Sep  3 11:39 .git
> drwxr-xr-x 2 adu adu  39 Sep  3 11:39 .ipynb_checkpoints
> drwx------ 4 adu adu  31 Jul 26 10:00 .Trash-0
> -rw-r--r-- 1 adu adu 972 Sep  3 11:39 Untitled.ipynb
```

The rootful jovyan user in the container becomes the rootless user outside the container.
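The ownership difference between the two listings above (root inside, adu outside) and the Permission denied that benz0li predicts for a jovyan-owned file both follow from the sub-id arithmetic rootless Docker applies. The script below is an added example, not code from this thread or from jupyter/docker-stacks. It takes its sample values from this comment (host uid 999/gid 987, /etc/subuid line adu:362144:65536), assumes the same range for /etc/subgid, and goes a step beyond the page by also giving the inverse host-to-container lookup.

```shell
#!/bin/sh
# Added example (not from jupyter/docker-stacks or this thread): the UID/GID
# arithmetic rootless Docker applies through /etc/subuid and /etc/subgid.
#
# Constructed sample data, taken from the values shown in this thread: the
# rootless host user is uid 999 / gid 987 and /etc/subuid holds
# "adu:362144:65536". The subgid line is assumed to be identical.
HOST_UID=999
HOST_GID=987
SUBUID_LINE="adu:362144:65536"
SUBGID_LINE="adu:362144:65536"

# container_to_host HOST_ID "NAME:START:COUNT" CONTAINER_ID
# Rootless Docker installs two mapping entries for the container's user
# namespace: id 0 -> the host user's own id, and ids 1..COUNT ->
# START..START+COUNT-1 from the sub-id file. Any other id has no host
# identity (the host shows it as the overflow id, typically nobody).
# Prints the host id, or returns 1 when the id is unmapped.
container_to_host() {
    host_id=$1
    start=${2#*:}; start=${start%%:*}   # second field of NAME:START:COUNT
    count=${2##*:}                      # third field
    cid=$3
    if [ "$cid" -eq 0 ]; then
        echo "$host_id"
    elif [ "$cid" -ge 1 ] && [ "$cid" -le "$count" ]; then
        echo $((start + cid - 1))
    else
        return 1
    fi
}

# host_to_container HOST_ID "NAME:START:COUNT" HOST_FILE_ID
# The inverse lookup: which container id owns a file that "ls -n" on the
# host reports as HOST_FILE_ID. Returns 1 if neither mapping covers it.
host_to_container() {
    host_id=$1
    start=${2#*:}; start=${start%%:*}
    count=${2##*:}
    hid=$3
    if [ "$hid" -eq "$host_id" ]; then
        echo 0
    elif [ "$hid" -ge "$start" ] && [ "$hid" -lt $((start + count)) ]; then
        echo $((hid - start + 1))
    else
        return 1
    fi
}

# show NAME CONTAINER_UID CONTAINER_GID: print how a file created by that
# container user would be owned on the host.
show() {
    huid=$(container_to_host "$HOST_UID" "$SUBUID_LINE" "$2") || huid=unmapped
    hgid=$(container_to_host "$HOST_GID" "$SUBGID_LINE" "$3") || hgid=unmapped
    printf 'file created by %s (%s:%s) in the container -> %s:%s on the host\n' \
        "$1" "$2" "$3" "$huid" "$hgid"
}

show root 0 0          # -> 999:987, i.e. the rootless user itself
show jovyan 1000 100   # -> 363143:362243, a sub-id the host user does not own
```

Container root maps to host uid 999, which is why the bind mount looks root-owned inside and adu-owned outside with no extra flags. A file written as jovyan (1000:100) instead lands on the host as 363143:362243, an id the rootless user does not own, so editing it from the host needs extra privileges; that is the situation the issue opens with, and it is independent of anything set in docker-compose.yml.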

@benz0li
Contributor

benz0li commented Sep 4, 2024

@Sieboldianus What does `id` return in the container?

It can only be uid=0 and gid=0. I wonder why that is the case.

Because the default is uid=1000 (NB_UID) and gid=100 (NB_GID).

@Sieboldianus

Sieboldianus commented Sep 4, 2024

Of course it is root:

```
docker compose exec jupyterlab /bin/bash
id
> uid=0(root) gid=0(root) groups=0(root)
whoami
> root
```

That is because the rootless user starts docker with (faked) root privileges, so inside root is outside non-root. I think that's the whole advantage of using a rootless docker setup because it makes it easier to manage permissions inside/outside docker and one does not have to care about UID/GID settings in docker-compose.yml.

[Edit]

Ah, maybe the difference is that I am not using one of the jupyter docker containers but building my own from scratch. See the corresponding Dockerfile here:
https://gitlab.vgiscience.de/lbsn/tools/jupyterlab/-/blob/master-latest/Dockerfile?ref_type=heads

(Carto-Lab Docker is meant to be run as root, in docker rootless)

@benz0li
Contributor

benz0li commented Sep 4, 2024

> Maybe the difference is that I am not using one of the jupyter docker containers but building my own from scratch.

Ahhh... Your container runs as root by default. The ones from this repository do not.

Yes, containers are meant to be run as root in rootless Docker/Podman.

@benz0li
Contributor

benz0li commented Sep 4, 2024

> If you are logged in to the rootless user and start jupyter docker (`docker compose up -d`), NB_UID and NB_GID will match the uid/gid of the user running the docker command

No, there is no magical matching of NB_UID and NB_GID (container) to the uid and gid of the rootless user (host).

@Sieboldianus

Sieboldianus commented Sep 4, 2024

Sorry for the confusion, my fault. But fully agree, docker rootless should be the default (which is what docker states in their docs!).
