Hello JupyterHub Community,
In my setup, I managed to set up JupyterHub on my server and it is accessed without any issues. However, I have an issue. I am trying to block users from accessing the host’s network. The current setup would allow users to access services that can be misused by an untrusted user. I need to find a way to disallow network communication from the docker containers.
This is the current docker-compose file:
```yaml
version: "3"
services:
  jupyterhub:
    restart: always
    build: ./jupyterhub
    hostname: jupyterhub
    ports:
      - "8080:8000"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      DOCKER_NOTEBOOK_IMAGE: "exam-scipy-notebook"
      DOCKER_NETWORK_NAME: "jupyterhub-network"
      DOCKER_JUPYTER_IMAGE: "jupyterhub/singleuser:latest"
      HUB_IP: "jupyterhub"
      LTI_CLIENT_KEY: "${LTI_CLIENT_KEY}"
      LTI_SHARED_SECRET: "${LTI_SHARED_SECRET}"
networks:
  default:
    external:
      name: "jupyterhub-network"
```
I am not sure what I need to edit to remove the communication between the docker containers created and the host network.
Your help would be highly appreciated.
This is the networking part in the jupyterhub_config.py file:
```python
import os

from dockerspawner import DockerSpawner

# Spawn single-user servers as Docker containers
c.JupyterHub.spawner_class = DockerSpawner
c.DockerSpawner.remove_containers = True
# Spawn containers from this image
c.DockerSpawner.image = os.environ['DOCKER_NOTEBOOK_IMAGE']
# Connect containers to this Docker network
network_name = os.environ['DOCKER_NETWORK_NAME']
c.DockerSpawner.use_internal_ip = True
c.DockerSpawner.network_name = network_name
# Pass the network name as argument to spawned containers
c.DockerSpawner.extra_host_config = {'network_mode': network_name}
# Remove containers once they are stopped
c.DockerSpawner.remove_containers = True
# For debugging arguments passed to spawned containers
c.DockerSpawner.debug = True
# User containers will access hub by container name on the Docker network
c.JupyterHub.hub_ip = os.environ['HUB_IP']
c.JupyterHub.hub_port = 8080
```