How do you run a JupterLab Docker container in privileged mode?

General
1

I have setup JupyterHub with DockerSpawner and Auth0, this is working well with stock JupyterLab images.

Now I am trying to use my own custom JupyterLab image which is based off of base-notebaook. However as I want to be able to access the hardware on the host machine I have enabled UDEV in the image. This means that I need to run the JupterLab container in privileged mode.

I have tried to use variations of the following to get this to work:

# Attempt to use extra_create_kwargs
c.DockerSpawner.extra_create_kwargs = {
   "privilege": True
}

# Attempt use extra_host_config
c.DockerSpawner.extra_host_config = {
   "privilege": True
}

I am pretty sure that I have got the name of the configuration item wrong and where it is set but I cannot work it out and I have not been able to find it in the documentation anywhere online.

So how can this be achieved?

2

Can you try privileged (d on the end) in extra_host_config?:
https://docker-py.readthedocs.io/en/4.2.2/api.html?highlight=privileged

3

@manics Thanks again you have sorted it

I thought I had tried it with privileged but obviously not.

1 Like
6

Hello,
I tried several cases for "privileged": True with DockerSpawner (version 12) but without any success.
I always got error rmessage “unexpected keyword argument ” whatever I tried to set it
via .extra_container_spec or .extra_host_config or .extra_create_kwargs

Do I miss something ?

I also have the same problem with another keyword, I talk about "cap-add": "SYS_PTRACE" (to be allowed to run strace inside a container)
But this is ok if I run the container via docker run, I mean docker run --cap-add=SYS_PTRACE ...
Any feedback on this would also be appreciated

Regards,
Bernard

1 Like
8

Hello, Is it possible to have privileged mode when using the swarmspawner ? (not dockerspawner)
This question because with swarmspawner, JupyterLab container are launched as docker services and as far I know docker service create doesn’t allow nor privileged nor security_opt options.

So I would tend to think that by usingswarmspawner in a cluster/swarm wont’ allow to have the required permissions for running apptainer commands in a Jupterlab terminal (my objective) Am I right?

To move forward, I tried with cap-add option docker service ... --cap-add=SYS_ADMIN option (options possible with docker service create) , but on worker node side, when testing via docker exec -it abcdefgh apptainer run docker://alpine echo "Hello world" I get error like ‘failed to attach loop device’

My last attempt was to start dockerd, on a worker node, with user namespaces allowed, but consequently the worker disappears from the swarm cluster.

Any tips for another solution ? Or is it definitely impossible to run apptainer commands from jupyterLab’s terminal, launch in a docker/swarm cluster ?

Regards