I'm proud to announce the initial release of a Systemd Spawner for
JupyterHub. You can install it from PyPI as
`jupyterhub-systemdspawner`, and read the documentation at

If you want to use Linux Containers (Docker, rkt, etc) for isolation and
security benefits, but don't want the headache and complexity of
container image management, then you should use the SystemdSpawner.
It uses Systemd (https://www.freedesktop.org/wiki/Software/systemd/), a Linux
init system that is used by most modern Linux distros, to provide
these features.

With the **systemdspawner**, you get to use the familiar, traditional system
administration tools, whether you love or meh them, without having to learn an
extra layer of container related tooling.

The following features are currently available:

1. Limit maximum memory permitted to each user.

   If they request more memory than this, it will not be granted (`malloc`
   will fail, which will manifest in different ways depending on the
   programming language you are using).

2. Limit maximum CPU available to each user.

3. Provide fair scheduling to users independent of the number of processes they
   are running.

   For example, if User A is running 100 CPU hogging processes, it will usually
   mean User B's 2 CPU hogging processes will never get enough CPU time as
   scheduling is traditionally per-process. With Systemd Spawner, both these
   users' processes will as a whole get the same amount of CPU time, regardless
   of number of processes being run. Good news if you are User B.

4. Accurate accounting of memory and CPU usage (via cgroups, which systemd uses
   internally).

   You can check this out with `systemd-cgtop`.

5. `/tmp` isolation.

   Each user gets their own `/tmp`, to prevent accidental information

6. Spawn notebook servers as specific local users on the system.

   This can replace the need for using SudoSpawner.

7. Restrict users from being able to sudo to root (or as other users) from
   within the

   This is an additional security measure to make sure that a compromise of
   a jupyterhub notebook instance doesn't allow root access.

8. Restrict what paths users can write to.

   This allows making `/` read only and only granting write privileges to
   specific paths, for additional security.

9. Automatically collect logs from each individual user notebook into
   `journald`, which also handles log rotation.

You can find more information at

I'm currently working on deploying this at both UC Berkeley and at
Wikimedia, and will release a 1.0 version once they have been running
in production for a while without issues. Feature requests / Issues
welcome! I'm also available on the JupyterHub Gitter
(https://gitter.im/jupyterhub/jupyterhub) to answer questions too!

Thanks a lot to @willingc, @aculich & @ryanlovett for their help making
this release happen! <3

Yuvi Panda T
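
The isolation features listed in the announcement can be checked on a running host by inspecting the unit that systemd created for a user's notebook server. The sketch below is an added example, not part of the original message or the project's code: it audits the `KEY=VALUE` output of `systemctl show <unit>`, and the mapping from the numbered features to standard systemd properties is an assumption, as are the sample values.

```python
# Added example: audit `systemctl show <unit>` output for the features listed
# in the announcement. The property names are standard systemd ones; mapping
# them to the spawner's features is an assumption, not the project's own code.

UNSET = {"", "infinity", "18446744073709551615"}  # how systemd reports "no limit"

def parse_show(text):
    """Parse KEY=VALUE lines as printed by `systemctl show`."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_unit(text):
    """Return sorted findings; an empty list means every check passed."""
    p = parse_show(text)
    findings = []
    # Feature 1: memory cap (MemoryMax on cgroup v2, MemoryLimit on v1).
    if p.get("MemoryMax", "") in UNSET and p.get("MemoryLimit", "") in UNSET:
        findings.append("no memory limit")
    # Feature 2: CPU cap, reported by systemctl as CPUQuotaPerSecUSec.
    if p.get("CPUQuotaPerSecUSec", "") in UNSET:
        findings.append("no CPU quota")
    # Feature 5: private /tmp for the unit.
    if p.get("PrivateTmp") != "yes":
        findings.append("/tmp is shared")
    # Feature 6: the server runs as a named, non-root local user.
    if p.get("User", "") in ("", "root", "0"):
        findings.append("runs as root")
    # Feature 7: setuid binaries such as sudo cannot raise privileges.
    if p.get("NoNewPrivileges") != "yes":
        findings.append("new privileges allowed")
    # Feature 8: / is read-only (writable paths are granted separately).
    if "/" not in p.get("ReadOnlyPaths", "").split():
        findings.append("/ is writable")
    return sorted(findings)

# Constructed sample output, not captured from a real host.
HARDENED = ("User=alice\nMemoryMax=1073741824\nCPUQuotaPerSecUSec=500ms\n"
            "PrivateTmp=yes\nNoNewPrivileges=yes\n"
            "ReadOnlyPaths=/\nReadWritePaths=/home/alice\n")
WEAK = ("User=alice\nMemoryMax=infinity\nCPUQuotaPerSecUSec=infinity\n"
        "PrivateTmp=no\nNoNewPrivileges=no\n")

if __name__ == "__main__":
    print("hardened:", audit_unit(HARDENED))
    print("weak:    ", audit_unit(WEAK))
```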
