Skip to content

Instantly share code, notes, and snippets.

@shadiakiki1986

shadiakiki1986/README.md

Last active June 21, 2018 05:11
Show Gist options
  • Save shadiakiki1986/22bdddb4293b672145bae431164a1267 to your computer and use it in GitHub Desktop.
Save shadiakiki1986/22bdddb4293b672145bae431164a1267 to your computer and use it in GitHub Desktop.
Download ZIP
steps for installing jupyterhub
Raw
README.md

These are my notes while installing jupyterhub on an AWS EC2 instance running Ubuntu 16.04

Prerequisites

  • install python3, pip3
    • sudo apt-get update && sudo apt-get install python3 python3-pip
  • - ~~~`pip3 install pew`~~~

  • - ~~~run all `pip install *` commands below from this new environment~~~
  • using pew as striked out above would create an environment within the user's home directory with the installed dependencies
    • this is not suitable in this situation since we're looking for global packages for all users on the system
    • just make sure to use pip3 instead of pip in all below commands
  • Install nodejs using nvm
  • install jupyter's jupyterhub and notebook server
  • test commands are installed: command -v nvm && nvm list && jupyterhub -h && configurable-http-proxy -h
- ~~~follow instructions in Digital Ocean's suggestion in [this SO answer](https://stackoverflow.com/a/29903645/4126114)~~~
  - ~~~because of [nvm issue#43](https://github.com/creationix/nvm/issues/43)~~~
- ~~~launch jupyterhub (`sudo pew in TEST_JUPTERHUB jupyterhub`)~~~


Otherwise, follow [Using sudo to run JupyterHub without root privileges](https://github.com/jupyterhub/jupyterhub/wiki/Using-sudo-to-run-JupyterHub-without-root-privileges) (read below notes first)
- all commands are run from whichever user is logged into the server to begin with
- wherever `$USER` is encountered, replace it with the username that you are testing as a jupyterhub user
- `useradd -G ...` is currently `useradd --ingroup ...` on ubuntu 16.04
- ~~~`sudo pip install sudospawner` can be without `sudo` since using `pew` to manage environments (check above)~~~
  - ~~~this goes with replacing `/usr/local/bin/sudospawner` with something like `/home/ubuntu/.local/share/virtualenvs/SSOC18/bin/sudospawner`~~~
  - for details on why this is striked out, check the note above about `pew`
- softlink the installed node and node package for the http proxy
```
sudo ln -s /home/ubuntu/.nvm/versions/node/v10.5.0/bin/configurable-http-proxy /usr/local/bin/
sudo ln -s /home/ubuntu/.nvm/versions/node/v10.5.0/bin/node /usr/local/bin/
```
- in this option's case, just launch jupyterhub with `launch.sh` below


Finally, some basic security testing, check `test_security.sh` below
Raw
launch.sh
#!/bin/sh
# after following steps from https://gist.github.com/shadiakiki1986/22bdddb4293b672145bae431164a1267
# and choosing the final step to be "Using sudo to run JupyterHub without root privileges"
cd /etc/jupyterhub
sudo -u rhea jupyterhub --JupyterHub.spawner_class=sudospawner.SudoSpawner
Raw
test_security.py
import subprocess
# system calls that do not need to fail
subprocess.call(["ls", "-l"])
subprocess.call("exit 1", shell=True)
subprocess.check_output(["echo", "Hello World!"])
subprocess.check_output(["whoami"])
subprocess.check_output(["ls", "-al", "/etc/jupyterhub/jupyterhub_cookie_secret"]) # The "cat ..." counterpart should fail. Check below
# system calls that should fail
subprocess.check_output(["sudo", "ls"])
subprocess.check_output(["cat", "/etc/sudoers"])
subprocess.check_output(["cat", "/etc/jupyterhub/jupyterhub_cookie_secret"])
subprocess.check_output(["touch", "/home/ubuntu/delete_me_1"])
subprocess.check_output(["rm", "/home/ubuntu/delete_me_2"]) # this is a file that was created by the user "ubuntu"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment