How to create persistent storage for docker-stacks containers with correct permissions (or how to avoid starting the single-server container as root)?

Hello dear jupyter community,

I am currently trying to set up a jupyterhub/docker-stacks solution running on Ubuntu 22.04.

For authentication I derived from LDAPAuthenticator, as I want to create a home directory (inside a mounted volume) on the host in case a new user authenticates using LDAP credentials.

The user should then be able to access his or her home folder. The idea was to change the username, UID and GID inside the single-server docker container to the UID and GID on the host.

According to the docker-stacks documentation (Common Features — Docker Stacks documentation)
this is only possible by starting the container as root?
Is this the proper way to do this, or is there some workaround that I am not aware of? (I would like to avoid starting the container as root if possible, as my IT/Linux knowledge is rather limited and I want to avoid possible security issues.)

How do I properly give users persistent storage with correct access rights?

Thanks a lot for reading! Any advice and pointers in the right direction are very welcome.

Best, Simone

Do the home directories need to be accessed from outside Docker/JupyterLab? If they don’t, you can use Docker volumes or similar:
You may need to add a VOLUME statement to get the permissions correct:

This means it shouldn’t be necessary to run as root.

Thanks a lot for your answer. Unfortunately the home folders should also be accessible from outside (not only home folders are mapped, but also some shared folders, which are mounted network drives).

I stumbled upon user namespaces (Isolate containers with a user namespace | Docker Documentation) and will check if this might be a solution for me.

Also, in the docker-stacks docs they mention the following:

  • --user 5000 --group-add users - Launches the container with a specific user ID and adds that user to the users group so that it can modify files in the default home directory and /opt/conda. You can use these arguments as alternatives to setting ${NB_UID} and ${NB_GID}.

I tried to give ‘user’ and ‘group-add’ like this, but it did not have any effect:

spawner.extra_create_kwargs.update({'user': '5000'})

Again, thanks a lot for reading and answering.
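As an added illustration of the `--user 5000 --group-add users` approach quoted above (this is example code, not from the thread or from docker-stacks/DockerSpawner): a `pre_spawn_hook` that maps the LDAP username to its host UID/GID, runs the docker-stacks container as that UID:GID with the `users` group added, and bind-mounts the user's host home directory over `/home/jovyan`, so the container never starts as root. It assumes DockerSpawner's `extra_create_kwargs`, `extra_host_config`, `volumes` and `environment` settings, a host path `/srv/jupyterhub/homes/<user>` that already exists and is owned by that UID:GID, and a constructed UID/GID table standing in for an NSS/LDAP lookup.

```python
import os

HOME_ROOT = "/srv/jupyterhub/homes"   # assumed host path holding per-user home directories
CONTAINER_HOME = "/home/jovyan"        # default home directory in docker-stacks images

# Constructed sample of host users; in production replace with pwd.getpwnam(username)
HOST_USERS = {"simone": (5000, 5000), "alice": (5001, 5001)}


def lookup_host_ids(username):
    """Return (uid, gid) of the host account; raises KeyError for unknown users."""
    return HOST_USERS[username]


def build_spawn_settings(username, uid, gid):
    """Container settings that run the single-user server as uid:gid (no root)."""
    host_home = os.path.join(HOME_ROOT, username)
    return {
        # equivalent of `docker run --user <uid>:<gid>`
        "create_kwargs": {"user": f"{uid}:{gid}"},
        # equivalent of `--group-add users`: grants write access to /opt/conda,
        # which docker-stacks makes group-writable for the `users` group
        "host_config": {"group_add": ["users"]},
        # the host home replaces the image's home, so permissions are the host's
        "volumes": {host_home: {"bind": CONTAINER_HOME, "mode": "rw"}},
        # without root the container cannot chown anything, so NB_UID/NB_GID are
        # informational here; HOME is set explicitly because an arbitrary UID
        # usually has no passwd entry inside the image
        "environment": {"NB_UID": str(uid), "NB_GID": str(gid), "HOME": CONTAINER_HOME},
    }


def pre_spawn_hook(spawner):
    """Use as c.Spawner.pre_spawn_hook = pre_spawn_hook in jupyterhub_config.py."""
    username = spawner.user.name
    uid, gid = lookup_host_ids(username)
    settings = build_spawn_settings(username, uid, gid)
    spawner.extra_create_kwargs.update(settings["create_kwargs"])
    spawner.extra_host_config.update(settings["host_config"])
    spawner.volumes = settings["volumes"]
    spawner.environment.update(settings["environment"])
    return settings
```

Because the host directory must already be owned by the user's UID:GID before the spawn, the authenticator's home-creation step (on the host, where it has the rights) remains the place to create and chown it, while the container itself stays unprivileged.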

I don’t see how user1 can start a docker container, mount user2’s home directory, and then use it in any fashion without user1 being root.