Cannot use Sudo / have root access using Jupyterhub with Kubernetes

Hi. I’ve tried adding the following lines to my config.yaml file:

singleuser:
  extraEnv:
    GRANT_SUDO: "yes"
  uid: 0

Running on an Oracle Cluster on the Oracle Cloud Services

From what I’ve heard this should give me passwordless SUDO access on my terminal?

It depends on the rest of your configuration, and also how your Kubernetes cluster is configured. For example, if you’ve built your own Docker image you may not have the scripts from

In addition your cluster may block containers from running as root.

Can you:

  • Show us your full config with secrets redacted
  • Turn on debug logging and show us the singleuser server logs
  • Show us any error messages or warnings

Thanks!

Hi, sorry have just logged in and saw your response. Running on an Oracle Kubernetes Cluster created using OKE (Oracle Kubernetes Engine)

config.yaml

hub:
  config:
    Authenticator:
      admin_users:
        - $user1
        - $user2
        - $user3
    GitHubOAuthenticator:
      client_id: **snip**
      client_secret: **snip**
      oauth_callback_url: **snip**
    JupyterHub:
      authenticator_class: github

## Try instantiating a SingleUser server 
singleuser:
  image:
    name: jupyter/tensorflow-notebook
    tag: latest
  extraEnv:
    GRANT_SUDO: "yes"
  uid: 0

helm update command

helm upgrade --cleanup-on-fail \
   --install neuro-jupyterhub-1 jupyterhub/jupyterhub \
   --namespace neuro-k1 \
   --create-namespace \
   --version=1.2.0 \
   --values config.yaml

We were able to get it working using basically the same configuration:

singleuser:
  extraEnv:
    GRANT_SUDO: "yes"
    NOTEBOOK_ARGS: "--allow-root"
  uid: 0
  cmd: start-singleuser.sh

But we’re not using OKE

The default Z2JH cmd vs the container’s default cmd is a known point of confusion. In the forthcoming Z2JH 2.0 it’ll default to the container’s cmd which should be more intuitive! https://github.com/jupyterhub/zero-to-jupyterhub-k8s/pull/2449

Also see https://github.com/jupyter/docker-stacks/issues/1528 for more background

Note you shouldn’t need --allow-root since you’re not running the notebook as root, only the container which should drop to the unprivileged user after enabling sudo.

Thanks @manics for the response. How do I use this?

I’m afraid I don’t understand what you’re asking… how do you use what?

I just ran into a similar issue, except I am using a custom notebook image. In the Jupyter docker-stacks Dockerfiles, they seem to deny access to the the root user via this command.

We created a new image on top of it and removed this from the /etc/pam.d/su file by adding:

RUN sed -i "s/auth requisite pam_deny.so//g" /etc/pam.d/su

to the end of our Dockerfile and then creating the new image. Now we can login as root. I am not sure if this is necessary or if there are other ways to enable root access.

@manics how do I use the scripts that you’ve mentioned to grant passwordless sudo access?

There was a configuration snippet in the earlier post: