On Wed, Dec 21, 2016 at 2:47 PM, Andreas Hilboll <[email protected]> wrote:
> Dear Jupyter community,
>
> I'm planning to set up a jupyterhub instance on our HPC cluster, where
> individual notebooks should be spawned on the compute nodes via SLURM.
>
> From what I'm reading, the batchspawner would be my way to go. However,
> I would *also* like the jupyterhub process to run under a different UID
> than root. For this, there seems to be the sudospawner. But it seems
> that the two are mutually exclusive.
>
> So my question is:
>
> How can I have jupyterhub run as non-root user while using the
> batchspawner using SLURM?
>

There are two default behaviors that need root permissions in the default configuration:

First is the PAMAuthenticator, which needs access to the PAM service. On a typical debian/ubuntu system, any user in the `shadow` group can check passwords. That's the actual capability that the process needs. If you are using a different Authenticator, such as an SSO/OAuth setup, you may not need any elevated permissions here.

The next step is the Spawner. At a high level, the Spawner needs to be able to start notebook servers 'as' specific users. The default Spawner uses `setuid`, which requires root permissions. The `sudospawner` uses slightly complex `sudo` configuration to grant *restricted* switch-user permissions.

What you will need for BatchSpawner is the ability to submit SLURM jobs on behalf of other users. I imagine the 'simplest' version of this is to setuid to the actual user, and submit these jobs. But if there's another way to submit SLURM jobs on behalf of other users without 'becoming' the user first, that should allow you to run the batch spawner without running the server as root. I'm not quite sure what that would be, though.

-Min

>
> Cheers,
> Andreas.
>
> --
> Dr. Andreas Hilboll
>
> Center for Marine Environmental Sciences (MARUM)
> - AND -
> Institute of Environmental Physics (IUP)
>
> University of Bremen
>
> NW1 / S3132
> Otto-Hahn-Allee 1
> D-28359 Bremen
> Germany
>
> +49(0)421 218 62133 (phone)
> +49(0)421 218 98 62133 (fax)
> http://www.iup.uni-bremen.de/~hilboll
>
> --
> You received this message because you are subscribed to the Google Groups
> "Project Jupyter" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jupyter/6k8tr975ry.fsf%40shaula.iup.uni-bremen.de.
> For more options, visit https://groups.google.com/d/optout.
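The two privileges named in the reply above (reading the password database for PAM, and `setuid` for the default Spawner) can be checked for a candidate service account before the hub is deployed. This preflight is an added example, not part of the original thread or of JupyterHub's code; the function names, the `/etc/shadow` path and the target UID are assumptions chosen for illustration.

```python
import grp
import os


def can_setuid_to(uid):
    """Return True if this process may become `uid`.

    The switch is attempted in a throwaway child so the caller keeps its
    own identity. Without root privileges the kernel refuses any UID other
    than the caller's own, which is why the default Spawner needs root.
    """
    pid = os.fork()
    if pid == 0:  # child: try the switch and report through the exit status
        try:
            os.setuid(uid)
        except OSError:
            os._exit(1)
        os._exit(0)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def in_group(group_name):
    """Return True if `group_name` exists and this process belongs to it."""
    gids = set(os.getgroups()) | {os.getegid()}
    try:
        return grp.getgrnam(group_name).gr_gid in gids
    except KeyError:  # group not defined on this system
        return False


def preflight(target_uid, shadow_path="/etc/shadow"):
    """Report which of the hub's root-only defaults this account could use."""
    return {
        "running_as_root": os.geteuid() == 0,
        # PAMAuthenticator: per the reply, `shadow` membership is the
        # capability needed on a typical Debian/Ubuntu system.
        "in_shadow_group": in_group("shadow"),
        "can_read_shadow": os.access(shadow_path, os.R_OK),
        # Default Spawner: must be able to become the notebook user.
        "setuid_to_target": can_setuid_to(target_uid),
    }


if __name__ == "__main__":
    # 1000 is a constructed example UID standing in for a notebook user.
    for check, ok in preflight(target_uid=1000).items():
        print(f"{check:18} {'yes' if ok else 'no'}")
```

Run it as the account the hub will use: a `no` for `setuid_to_target` means the default Spawner cannot work there and user switching has to be delegated, as `sudospawner` does.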
