I'm proud to announce the initial release of a Systemd Spawner for
JupyterHub. You can install it from PyPI as
`jupyterhub-systemdspawner`, and read the documentation at
If you want to use Linux Containers (Docker, rkt, etc) for isolation and
security benefits, but don't want the headache and complexity of
container image management, then you should use the SystemdSpawner.
It uses Systemd (https://www.freedesktop.org/wiki/Software/systemd/), a Linux
init system that is used by most modern Linux distros, to provide
With the **systemdspawner**, you get to use the familiar, traditional system
administration tools, whether you love or meh them, without having to learn an
extra layer of container related tooling.
The following features are currently available:
1. Limit maximum memory permitted to each user.
If they request more memory than this, it will not be granted (`malloc`
will fail, which will manifest in different ways depending on the
programming language you are using).
2. Limit maximum CPU available to each user.
3. Provide fair scheduling to users independent of the number of processes they
For example, if User A is running 100 CPU hogging processes, it will usually
mean User B's 2 CPU hogging processes will never get enough CPU time as
scheduling is traditionally per-process. With Systemd Spawner, both these
will as a whole get the same amount of CPU time, regardless of number of
processes being run. Good news if you are User B.
4. Accurate accounting of memory and CPU usage (via cgroups, which
systemd uses internally).
You can check this out with `systemd-cgtop`.
5. `/tmp` isolation.
Each user gets their own `/tmp`, to prevent accidental information
6. Spawn notebook servers as specific local users on the system.
This can replace the need for using SudoSpawner.
7. Restrict users from being able to sudo to root (or as other users)
from within the
This is an additional security measure to make sure that a compromise of
a JupyterHub notebook instance doesn't allow root access.
8. Restrict what paths users can write to.
This allows making `/` read only and only granting write privileges to
specific paths, for additional security.
9. Automatically collect logs from each individual user notebook into
`journald`, which also handles log rotation.
You can find more information at
I'm currently working on deploying this at both UC Berkeley and at
Wikimedia, and will release a 1.0 version once they have been running
in production for a while without issues. Feature requests / Issues
welcome! I'm also available on the JupyterHub Gitter
(https://gitter.im/jupyterhub/jupyterhub) to answer questions too!
Thanks a lot to @willingc, @aculich & @ryanlovett for their help in making
this release happen! <3
Yuvi Panda T
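
The following is an added example, not part of the original announcement and not the project's own code. It sketches how the per-user limits listed above can be expressed as systemd unit properties on a `systemd-run` command line. The function name, its parameters and the `jupyter-<user>` unit naming are assumptions made for illustration.

```python
import re

# Conservative pattern for local account names; anything else is rejected so a
# crafted name cannot smuggle extra options into the command line.
_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def build_systemd_run(user, command, mem_limit_bytes=None, cpu_limit=None,
                      isolate_tmp=True, disable_sudo=True,
                      readonly_paths=(), readwrite_paths=()):
    """Return an argv list that starts `command` as a transient unit for `user`."""
    if not _USER.match(user):
        raise ValueError("unexpected user name: %r" % (user,))
    for path in (*readonly_paths, *readwrite_paths):
        if not path.startswith("/") or any(c.isspace() for c in path):
            raise ValueError("path must be absolute, without whitespace: %r" % (path,))

    # Each unit gets its own cgroup, so accounting and CPU scheduling apply to
    # the user's processes as a whole rather than per process.
    props = ["CPUAccounting=yes", "MemoryAccounting=yes"]
    if mem_limit_bytes is not None:
        if mem_limit_bytes <= 0:
            raise ValueError("mem_limit_bytes must be positive")
        props.append("MemoryMax=%d" % mem_limit_bytes)
    if cpu_limit is not None:
        if cpu_limit <= 0:
            raise ValueError("cpu_limit must be positive")
        # cpu_limit is a fraction of one CPU: 0.5 means 50% of a core.
        props.append("CPUQuota=%d%%" % round(cpu_limit * 100))
    if isolate_tmp:
        props.append("PrivateTmp=yes")        # private /tmp for this unit
    if disable_sudo:
        props.append("NoNewPrivileges=yes")   # setuid binaries such as sudo gain nothing
    props += ["ReadOnlyPaths=" + p for p in readonly_paths]
    props += ["ReadWritePaths=" + p for p in readwrite_paths]

    argv = ["systemd-run", "--unit=jupyter-" + user, "--uid=" + user]
    argv += ["--property=" + p for p in props]
    return argv + list(command)

if __name__ == "__main__":
    # Constructed sample: 2 GiB of memory, half a core, read-only root.
    print(" ".join(build_systemd_run(
        "alice", ["jupyterhub-singleuser"], mem_limit_bytes=2 * 1024**3,
        cpu_limit=0.5, readonly_paths=["/"], readwrite_paths=["/home/alice"])))
```
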