Isolating a Jupyterhub deployment

Hello JupyterHub Community,

In my setup, I managed to set up JupyterHub on my server and it is accessed without any issues. However, I have an issue. I am trying to block users from accessing the host’s network. The current setup would allow users to access services that can be misused by an untrusted user. I need to find a way to disallow network communication from the docker containers.

This is the current docker-compose file:

version: "3"

    restart: always
    build: ./jupyterhub
    hostname: jupyterhub
      - "8080:8000"
      - "/var/run/docker.sock:/var/run/docker.sock"
      DOCKER_NOTEBOOK_IMAGE: "exam-scipy-notebook"
      DOCKER_NETWORK_NAME: "jupyterhub-network"
      DOCKER_JUPYTER_IMAGE: "jupyterhub/singleuser:latest"
      HUB_IP: "jupyterhub"

      name: "jupyterhub-network"

I am not sure what I need to edit to remove the communication between the docker containers created and the host network.

Your help would be highly appreciated.

This is the networking part in the file:

from dockerspawner import DockerSpawner 

# Spawn single-user servers as Docker containers
c.JupyterHub.spawner_class = DockerSpawner
c.DockerSpawner.remove_containers = True

# Spawn containers from this image
c.DockerSpawner.image = os.environ['DOCKER_NOTEBOOK_IMAGE']

# Connect containers to this Docker network
network_name = os.environ['DOCKER_NETWORK_NAME']
c.DockerSpawner.use_internal_ip = True
c.DockerSpawner.network_name = network_name
# Pass the network name as argument to spawned containers
c.DockerSpawner.extra_host_config = { 'network_mode': network_name }

# Remove containers once they are stopped
c.DockerSpawner.remove_containers = True
# For debugging arguments passed to spawned containers
c.DockerSpawner.debug = True

# User containers will access hub by container name on the Docker network
c.JupyterHub.hub_ip = os.environ['HUB_IP']
c.JupyterHub.hub_port = 8080