Jupyter docker stacks with a custom user
Jupyter allows to set a custom user instead of**_jovyan_** which is the default for all containers of the [Jupyter Docker Stack][1]. You need to change this user or its UID and GID in order to get the permissions right when you mount a volume from the host into the Jupyter container. The following steps are required:
- Create an unprivileged user and an asociated group on the host. Here we call the user and the group docker_worker
- Add your host user to the group. This gives you the permissions to modify and read the files also on the host. This is useful if your working directory on the hist is under source code control (eg. git)
- Launch the container with the correct settings that change the user inside the container
It is important to know that during the launch the container needs root privileges in order to change the settings in the mounted host volume and inside the container. After the permissions have been changed, the user is switched back and does not run with root privileges, but your new user. Thus make sure to secure your Docker service, as the permissions inside the container also apply to the host.
Prepare an unprivileged user on the host
1. sudo groupadd -g 1011 docker_worker
2. sudo useradd -s /bin/false -u 1010 -g 1020 docker_worker
3. Add your user to the group: sudo usermod -a -G docker_worker stefan```
# Docker-compose Caveats
It is important to know that docker-compose supports either an array or a dictionary for environment variables ([docs][2]). In the case below we use arrays and we quote all variables. If you accidentally use a dictionary, then the quotes would be passed along to the Jupyter script. You would then see this error message:
/usr/local/bin/start-notebook.sh: ignoring /usr/local/bin/start-notebook.d/* Set username to: docker_worker Changing ownership of /home/docker_worker to 1010:1020 chown: invalid user: ‘'-R’’```
The docker-compose file
version: '2'
services:
datascience-notebook:
image: jupyter/base-notebook:latest
volumes:
- /tmp/jupyter_test_dir:/home/docker_worker/work
ports:
- 8891:8888
command: "start-notebook.sh"
user: root
environment:
NB_USER: 'docker_worker'
NB_UID: 1010
NB_GID: 1020
CHOWN_HOME: 'yes'
CHOWN_HOME_OPTS: -R```
Here you can see that we set the variables that cause the container to ditch jovyan in favor of docker_worker.
> NB\_USER: ‘docker\_worker’
> NB_UID: 1010
> NB_GID: 1020
> CHOWN_HOME: ‘yes’
> CHOWN\_HOME\_OPTS: -R
This facilitates easy version control of the working directory of Jupyter. I also added the snipped to my [Github Jupyter template][3].
<div class="twttr_buttons">
<div class="twttr_twitter">
<a href="http://twitter.com/share?text=Jupyter+docker+stacks+with+a+custom+user" class="twitter-share-button" data-via="" data-hashtags="" data-size="default" data-url="https://blog.stefanproell.at/2018/08/08/jupyter-docker-stacks-with-a-custom-user/" data-related="" target="_blank">Tweet</a>
</div>
<div class="twttr_followme">
<a href="https://twitter.com/@stefanproell" class="twitter-follow-button" data-show-count="true" data-size="default" data-show-screen-name="false" target="_blank">Follow me</a>
</div>
</div>
[1]: https://github.com/jupyter/docker-stacks
[2]: https://docs.docker.com/compose/compose-file/#environment
[3]: https://github.com/stefanproell/jupyter-notebook-docker-compose/blob/master/README.md