Mount a GCS bucket into newly spawned notebook using s3fs

Hello All!

I’m pretty new to k8s, Docker and JupyterHub, so there may be a trivial solution to what I’m having a difficult time with…

My aim is to mount a Google Cloud Storage bucket into a newly spawned Jupyter notebook.

I use s3fs to accomplish that (Google Cloud Storage · s3fs-fuse/s3fs-fuse Wiki · GitHub).

So when I try to run the following snippet:

echo "access-key:secret-key" > /home/jovyan/.passwd-s3fs
chmod 400 /home/jovyan/.passwd-s3fs
mkdir mount_point
chmod 600 mount_point
s3fs "my-gcs-bucket" "mount_point" -o passwd_file="/home/jovyan/.passwd-s3fs" -o nomultipart -o sigv2 -o url="https://storage.googleapis.com"

I get:

fuse: device not found, try 'modprobe fuse' first

By searching a bit in google I found this:

so I tried changing the security context but I still got the same result.

My question is:
How can I mount a given GCS bucket into a newly spawned notebook?

Many thanks in advance!

Have you managed to mount the bucket into a container when running it directly outside Kubernetes (ignoring JupyterHub completely)?

I have not tried it on my PC (macOS, since it required some settings adjustments that I did not follow), but I did manage to mount it via another Docker container in Kubernetes (using the same command mentioned above). In order to accomplish that I had to add the securityContext.privileged: true settings into the manifest, and I know the container is run as the root user.

Please could you show us your Z2JH configuration with secrets redacted, and tell us which version you’re using? Thanks!

Hello, I’m facing a similar issue.

In my case I’m using gcsfuse instead of s3fs, and the error message is the same: fuse: device not found, try 'modprobe fuse' first

I am able to mount GCS buckets in other containers, and as @Nativ_Issac mentions, I believe the issue is that we need to add the securityContext.privileged: true settings into the singleuser manifest.

Currently, in the Helm Chart values.yaml we have keys that manage other security options of the user’s pod, like singleuser.allowPrivilegeEscalation and singleuser.uid, that will be reflected on securityContext.allowPrivilegeEscalation and securityContext.runAsUser respectively.

I can’t find a similar key for setting the value of securityContext.privileged

@manics , do you know how to set this value via values.yaml or some other method?

https://jupyterhub-kubespawner.readthedocs.io/en/latest/spawner.html#kubespawner.KubeSpawner.privileged

Can you try something like

hub:
  config:
    KubeSpawner:
      privileged: true

and report back?

It has worked perfectly.

Good to know that we can interact with the KubeSpawner API directly from the values.yaml.

Thank you very much, @manics


This seems like it will let the container run as privileged, causing a major security violation: Pod Security Standards | Kubernetes

Privileged Containers: Privileged Pods disable most security mechanisms and must be disallowed.

Restricted Fields

  • spec.containers[*].securityContext.privileged

I am wondering if JupyterHub has some built-in mechanism to ensure the security of the privileged single-user pod.

We are facing the same issue, but our security standard won’t allow privileged containers to run.

Thanks and best regards,
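
The restricted field quoted in the last post can be audited across a namespace's pods. The following is an added example, not code from the thread or from JupyterHub; it assumes input in the shape of `kubectl get pods -o json`, and all pod, container and namespace names in the sample are constructed.

```python
import json

# Container lists covered by the "Privileged Containers" control of the
# Pod Security Standards (Baseline and Restricted both disallow privileged: true).
CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")

def pod_spec_of(obj):
    """Return the pod spec of a Pod, or of a workload embedding a pod template."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}

def privileged_containers(obj):
    """Return 'namespace/name:container' for each container with privileged: true."""
    meta = obj.get("metadata") or {}
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    spec = pod_spec_of(obj)
    return [
        f"{ident}:{c.get('name', '?')}"
        for key in CONTAINER_KEYS
        for c in spec.get(key) or []
        if (c.get("securityContext") or {}).get("privileged") is True
    ]

def audit(listing):
    """Scan a `kubectl get ... -o json` List (or a single object) for violations."""
    items = listing.get("items") if listing.get("kind") == "List" else [listing]
    return [hit for obj in items or [] for hit in privileged_containers(obj)]

# Constructed sample input: names and namespaces are made up for this example.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Pod", "metadata": {"name": "jupyter-user-a", "namespace": "jhub"},
   "spec": {"containers": [
     {"name": "notebook", "securityContext": {"privileged": true, "runAsUser": 1000}}]}},
  {"kind": "Pod", "metadata": {"name": "jupyter-user-b", "namespace": "jhub"},
   "spec": {"initContainers": [{"name": "setup", "securityContext": {"privileged": true}}],
            "containers": [{"name": "notebook",
                            "securityContext": {"allowPrivilegeEscalation": false}}]}},
  {"kind": "Deployment", "metadata": {"name": "hub", "namespace": "jhub"},
   "spec": {"template": {"spec": {"containers": [{"name": "hub"}]}}}}
]}
""")

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print("privileged container:", hit)
```

Init and ephemeral containers are checked as well as regular ones, since a privileged init container violates the same control even when the notebook container itself is unprivileged.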