Hello! I'm proud to announce the initial release of a Systemd Spawner for JupyterHub. You can install it from PyPI as `jupyterhub-systemdspawner`, and read the documentation at https://github.com/jupyterhub/systemdspawner
If you want to use Linux Containers (Docker, rkt, etc) for isolation and security benefits, but don't want the headache and complexity of container image management, then you should use the SystemdSpawner. It uses Systemd (https://www.freedesktop.org/wiki/Software/systemd/), a Linux init system that is used by most modern Linux distros, to provide these features. With the **systemdspawner**, you get to use the familiar, traditional system administration tools, whether you love or meh them, without having to learn an extra layer of container related tooling.

The following features are currently available:

1. Limit maximum memory permitted to each user. If they request more memory than this, it will not be granted (`malloc` will fail, which will manifest in different ways depending on the programming language you are using).
2. Limit maximum CPU available to each user.
3. Provide fair scheduling to users independent of the number of processes they are running. For example, if User A is running 100 CPU hogging processes, it will usually mean User B's 2 CPU hogging processes will never get enough CPU time as scheduling is traditionally per-process. With Systemd Spawner, both these users' processes will as a whole get the same amount of CPU time, regardless of number of processes being run. Good news if you are User B.
4. Accurate accounting of memory and CPU usage (via cgroups, which systemd uses internally). You can check this out with `systemd-cgtop`.
5. `/tmp` isolation. Each user gets their own `/tmp`, to prevent accidental information leakage.
6. Spawn notebook servers as specific local users on the system. This can replace the need for using SudoSpawner.
7. Restrict users from being able to sudo to root (or as other users) from within the notebook. This is an additional security measure to make sure that a compromise of a jupyterhub notebook instance doesn't allow root access.
8. Restrict what paths users can write to. This allows making `/` read only and only granting write privileges to specific paths, for additional security.
9. Automatically collect logs from each individual user notebook into `journald`, which also handles log rotation.

You can find more information at https://github.com/jupyterhub/systemdspawner/blob/master/README.md.

I'm currently working on deploying this at both UC Berkeley and at Wikimedia, and will release a 1.0 version once they have been running in production for a while without issues.

Feature requests / Issues welcome! I'm also available on the JupyterHub Gitter (https://gitter.im/jupyterhub/jupyterhub) to answer questions too!

Thanks a lot to @willingc, @aculich & @ryanlovett for their help making this release happen! <3

--
Yuvi Panda T
http://yuvi.in/blog
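How limits like those in the feature list can be expressed as systemd unit properties, as an added example that is not part of the original announcement and is not systemdspawner's own code: it builds a `systemd-run` command line from per-user settings and rejects unsafe usernames and paths. The function and parameter names, the unit name and the `{USERNAME}` placeholder are assumptions made for illustration.

```python
import re

# Conservative patterns (assumptions): local username, systemd size like "2G".
_USER = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
_SIZE = re.compile(r"[0-9]+[KMGT]?")


def _checked_path(path, username):
    """Expand the hypothetical {USERNAME} placeholder and validate the path."""
    path = path.replace("{USERNAME}", username)
    if not path.startswith("/") or ".." in path.split("/"):
        raise ValueError(f"path must be absolute without '..': {path!r}")
    return path


def notebook_unit_command(username, mem_limit=None, cpu_limit=None,
                          isolate_tmp=True, disable_sudo=True,
                          readonly_paths=(), readwrite_paths=(),
                          command=("jupyterhub-singleuser",)):
    """Return an argv list for systemd-run (a list, so no shell parsing)."""
    if not _USER.fullmatch(username):
        raise ValueError(f"refusing unsafe username: {username!r}")
    # Each transient unit gets its own cgroup; accounting feeds systemd-cgtop.
    props = ["CPUAccounting=yes", "MemoryAccounting=yes"]
    if mem_limit is not None:
        if not _SIZE.fullmatch(mem_limit):
            raise ValueError(f"bad memory limit: {mem_limit!r}")
        props.append(f"MemoryLimit={mem_limit}")  # MemoryMax= on cgroup v2
    if cpu_limit is not None:
        if cpu_limit <= 0:
            raise ValueError("cpu_limit must be positive")
        props.append(f"CPUQuota={round(cpu_limit * 100)}%")  # 1.0 = one core
    if isolate_tmp:
        props.append("PrivateTmp=yes")       # per-unit /tmp
    if disable_sudo:
        props.append("NoNewPrivileges=yes")  # setuid binaries cannot elevate
    props += [f"ReadOnlyPaths={_checked_path(p, username)}" for p in readonly_paths]
    props += [f"ReadWritePaths={_checked_path(p, username)}" for p in readwrite_paths]
    # Unit name is constructed for this example.
    argv = ["systemd-run", f"--unit=jupyter-{username}", f"--uid={username}"]
    for prop in props:
        argv += ["--property", prop]
    return argv + list(command)


if __name__ == "__main__":
    print(" ".join(notebook_unit_command(
        "alice", mem_limit="2G", cpu_limit=0.5,
        readonly_paths=["/"], readwrite_paths=["/home/{USERNAME}"])))
```

`ReadOnlyPaths=` and `ReadWritePaths=` need systemd 231 or later; older releases spell them `ReadOnlyDirectories=` and `ReadWriteDirectories=`.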