Adding a user with sudo privileges to a singleuser instance spawned on z2jh-based cluster

widlarizer · March 17, 2024, 5:38pm

Hello.

I’m trying to add a user with elevated privileges to every user’s Lab instance so that I can do things like mount volumes, add Linux user groups, assign users to Linux groups, mount volumes, create symbolic links etc. The whole thing is running on k8s, z2jh configuration.

This is what I’ve tried this far:

Singleuser Helm config (Not sure if this is needed for the thing I’m trying to achieve):

...
singleuser:
  ...
  extraEnv:
    # ...
    GRANT_SUDO: "yes"
    NOTEBOOK_ARGS: "--allow-root"
    CHOWN_HOME: "yes"
    CHOWN_HOME_OPTS: "-R"
  allowPrivilegeEscalation: true
...

Dockerfile for the JupyterLab image:

...
RUN apt-get install -y passwd sudo
...
RUN useradd -ms /bin/bash adminuser
RUN echo "adminuser:adminpassword" | chpasswd
RUN usermod -aG sudo adminuser
RUN chmod 777 /usr/bin/su
RUN chmod 777 /bin/su
...

Base Image I’m using: jupyter/base-notebook:hub-4.0.2

When I try to log in as adminuser, this is what I get after I type in the specified password:

su: Authentication failure

So, what am I doing wrong? Why won’t the credentials worked?

I tried the same setup on local docker, and it worked without any issues. I even had a brief moment of success on JLab, but after some fiddling with the config, it stopped working, and I can’t figure out why

Is there a more streamlined way of achieving this that I’m not aware of?

A working simple example of a Dockerfile, which I am not able to translate to JLab image:

FROM python:3.11.4-slim-bookworm

# Installing deps
RUN pip install --upgrade pip
RUN pip install flask

USER root

# Installing deps
RUN apt-get update && \
    apt-get -y install sudo passwd \
    && apt-get clean

# Creating a sudo user
RUN useradd -ms /bin/bash adminuser
RUN echo 'adminuser:adminpass5ord' | chpasswd
RUN usermod -aG sudo adminuser

# Creating user / home
RUN useradd -ms /bin/bash flask
ARG HOME=/home/flask

# Copying the code
WORKDIR ${HOME}
RUN mkdir -p ${HOME}/app
ADD main.py ${HOME}/app/main.py

# Runtime stuff
USER flask
ENV FLASK_APP ${HOME}/app/main.py
CMD ["flask", "run"]

EDIT:

I figured out that if I add this part locally, the su command no longer works as well:

RUN chmod 777 /usr/bin/su
RUN chmod 777 /bin/su

However, even after removing them lines, the problem remains.

consideRatio · March 17, 2024, 6:40pm

You need to start the user server as a root user, otherwise it can’t first grant root via a script (jupyter/docker-stacks containers respect this GRANT_SUDO environment variable, not all containers).

So, singleuser.uid=0 is needed as well i think.

Note i think a github issue in z2jh’s github repo has an working example about this i think, search foe grant sudo etc maybe. / From mobile

Topic		Replies	Views
Cannot use Sudo / have root access using Jupyterhub with Kubernetes Zero to JupyterHub on Kubernetes jupyterhub , help-wanted	11	6935	February 26, 2024
Issue using "sudo" in container: 'The "no new privileges" flag is set' Zero to JupyterHub on Kubernetes	4	15209	March 4, 2024
Trying to Add Administrator Through Kubernetes Engine on Google Cloud JupyterHub how-to	5	679	May 5, 2020
Creating an admin user automatically with NativeAuthenticator JupyterHub jupyterhub , help-wanted	3	1596	August 5, 2022
How to provide jovyan user passwordless sudo priviledge Zero to JupyterHub on Kubernetes jupyterhub , how-to	1	906	May 5, 2024

Adding a user with sudo privileges to a singleuser instance spawned on z2jh-based cluster

Related topics