jupyterhub / systemdspawner

Spawn JupyterHub single-user notebook servers with systemd
BSD 3-Clause "New" or "Revised" License

Fix example jupyterhub.service file #81

Open mangecoeur opened 3 years ago

mangecoeur commented 3 years ago

The example jupyterhub.service file is out of date and has a mistake anyway (readwrite set on /var/lib/jupyterhub but workingdir /var/local/lib)

On the other hand it would be great to get the best practices for a correct systemd service (or maybe there is another one in a different repo?). I've been writing mine sort of from scraps of advice around the internet without really knowing what I'm doing.

It currently looks like this:

[Unit]
Description=Jupyterhub
After=syslog.target network.target

[Service]
ExecStart=/opt/jupyterhub/bin/jupyterhub --no-ssl --config /opt/jupyterhub/etc/jupyterhub/jupyterhub_config.py
WorkingDirectory=/var/lib/jupyterhub/
# Mount the whole file system read-only for this service, except the paths listed below
ProtectSystem=strict
# Older name for ReadWritePaths=; these paths stay writable despite ProtectSystem=strict
ReadWriteDirectories=/var/lib/jupyterhub/ /var/log/ /proc/self/ /run/
Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/jupyterhub/bin"
# Only these capabilities survive; CAP_SETUID/CAP_SETGID are needed to spawn servers as other users
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_AUDIT_WRITE CAP_SETGID CAP_SETUID
# Private /dev (no physical devices) and private /tmp for this service
PrivateDevices=yes
PrivateTmp=yes
# Make /proc/sys, /sys, cgroups read-only and forbid module loading
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelModules=true

[Install]
WantedBy=multi-user.target

Including all the Protect* lines which I literally copy-pasted from somewhere that suggested it was a good idea 🤣
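The mismatch reported above (a writable path of /var/lib/jupyterhub but a WorkingDirectory of /var/local/lib) is easy to introduce and silent until the service fails to write under ProtectSystem=strict. As an added example that is not part of this issue, the repository, or systemd itself, the following small unit-file linter parses the [Service] section and reports a WorkingDirectory that no ReadWritePaths=/ReadWriteDirectories=/StateDirectory= entry covers when ProtectSystem=strict is set; it also flags the deprecated ReadWriteDirectories= spelling. The two embedded units are constructed for the example (the broken one reproduces the mismatch described in the issue, not the repository's actual file).

```python
"""Lint a systemd unit for ProtectSystem=strict vs. writable-path mismatches (added example)."""
from pathlib import PurePosixPath

# Settings whose values are whitespace-separated path lists in systemd units
LIST_KEYS = {"ReadWritePaths", "ReadWriteDirectories", "ReadOnlyPaths",
             "InaccessiblePaths", "StateDirectory"}
# Both spellings grant write access under ProtectSystem=strict
WRITABLE_KEYS = ("ReadWritePaths", "ReadWriteDirectories")


def parse_unit(text: str) -> dict:
    """Minimal systemd unit parser: section -> key -> list of values.
    Repeated list keys accumulate; an empty assignment ("Key=") resets the list.
    Non-list keys keep every assignment so the caller can take the last one."""
    unit: dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        values = unit[section].setdefault(key, [])
        if value == "":
            values.clear()
        elif key in LIST_KEYS:
            values.extend(value.split())
        else:
            values.append(value)
    return unit


def _under(path: str, root: str) -> bool:
    """True if path equals root or lies beneath it (trailing slashes ignored)."""
    p = PurePosixPath(path.rstrip("/") or "/")
    r = PurePosixPath(root.rstrip("/") or "/")
    return p == r or r in p.parents


def lint_unit(text: str) -> list:
    """Return a list of human-readable findings for the [Service] section."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    if "ReadWriteDirectories" in svc:
        findings.append("ReadWriteDirectories= is a deprecated alias; use ReadWritePaths=")
    protect = svc.get("ProtectSystem", ["no"])[-1]  # last assignment wins
    if protect != "strict":
        return findings  # the file system is not read-only, nothing more to check
    # Strip the "-" (ignore if missing) and "+" (relative to root) prefixes systemd allows
    writable = [p.lstrip("-+") for k in WRITABLE_KEYS for p in svc.get(k, [])]
    # StateDirectory=name implies a writable /var/lib/name
    writable += [f"/var/lib/{d}" for d in svc.get("StateDirectory", [])]
    for wd in svc.get("WorkingDirectory", []):
        if wd.startswith("~"):
            continue  # home-relative; cannot be resolved without the user
        if not any(_under(wd, w) for w in writable):
            findings.append(
                f"WorkingDirectory={wd} is not covered by any writable path "
                f"under ProtectSystem=strict (writable: {writable})")
    return findings


# Constructed sample: the mismatch described in the issue (working dir outside the RW path)
BROKEN_UNIT = """
[Unit]
Description=JupyterHub
After=network.target

[Service]
ExecStart=/opt/jupyterhub/bin/jupyterhub
WorkingDirectory=/var/local/lib
ProtectSystem=strict
ReadWritePaths=/var/lib/jupyterhub
"""

# Constructed sample: working dir inside the writable state path, /run kept writable
FIXED_UNIT = """
[Unit]
Description=JupyterHub
After=network.target

[Service]
ExecStart=/opt/jupyterhub/bin/jupyterhub
WorkingDirectory=/var/lib/jupyterhub/
ProtectSystem=strict
ReadWritePaths=/var/lib/jupyterhub /var/log /run

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for name, unit in (("broken", BROKEN_UNIT), ("fixed", FIXED_UNIT)):
        print(f"{name}: {lint_unit(unit) or 'no findings'}")
```

Run it against a real unit with `lint_unit(open("/etc/systemd/system/jupyterhub.service").read())`; it only reads the file, so it needs no root. The check is deliberately static: it tells you the working directory is outside the writable set, not which other paths the hub will need at runtime (the /run case from this thread is still found by trial, or by reading the service's logs after a failed write).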

welcome[bot] commented 3 years ago

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively. You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:

yuvipanda commented 3 years ago

The Littlest JupyterHub is the primary distro using systemdspawner. The systemd unit file it uses for JupyterHub is at https://github.com/jupyterhub/the-littlest-jupyterhub/blob/master/tljh/systemd-units/jupyterhub.service. Perhaps we can adapt that to be the example here?

mangecoeur commented 3 years ago

That would be a good idea... I'm also interested in hearing some deeper knowledge of systemd, for instance how much sandboxing/protection is turned on by default, or whether it is a good idea to add as much as possible. E.g. I recently learned about the ProtectSystem directive which seems relevant.

behrmann commented 3 years ago

I run the singleuser servers with

PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=read-only
ProtectKernelTunables=yes
ProtectControlGroups=yes

and explicit ReadWritePaths=. It just works.

mangecoeur commented 3 years ago

and explicit ReadWritePaths=

This, for example: it would be good to document what paths need to be writable (at least on a typical host, e.g. Ubuntu LTS). E.g. I discovered by trial and error that I needed to add /run/ to the ReadWritePaths.

behrmann commented 3 years ago

You can usually get away with just the user's home, if the singleuser server doesn't start a PAM session, then you would probably need /run/user/%U as well.

mangecoeur commented 3 years ago

Just to be clear - we are talking about the jupyterhub service, not the singleuser servers. W.r.t. the jupyterhub.service sample file, this commit causes Jhub to store data in /run/ which means it needs RW access to that folder, even if the singleusers don't need it.