What is with the weird jovyan user?

sqqqrly · July 16, 2019, 12:10am

Jovyan is not really weird, but this seems like a bug to me.

jovyan@jupyter-foo:$ groups
root users

jovyan@jupyter-foo:$ id -a
uid=1000(jovyan) gid=0(root) groups=0(root),100(users)

Why is jovyan’s group ID “root”? It should be 100, not 0.

Can someone verify they see the same? I ran this from a terminal.

rolweber · July 16, 2019, 6:10am

Could you please provide some context? I assume it’s not a user on your local system, but from some Docker image(s). But which one(s)?

The user is already in group 100, as your output shows. Are you concerned because the primary group is root rather than users, or because you think jovyan should not be in group root at all?

choldgraf · July 16, 2019, 2:37pm

Jovyan is often a special term used to describe members of the Jupyter community (https://jupyter.readthedocs.io/en/latest/community/content-community.html#what-is-a-jovyan).

tl;dr: it’s a play on “jovian” which means “a Jupiter-like planet”

sqqqrly · July 16, 2019, 5:28pm

Yes I knew where the name came from. That was not my question. It was about the user Jovyan’s Linux group membership.

sqqqrly · July 16, 2019, 5:43pm

“gid=0(root)” seems to be incorrect.

This came about while trying to enable sudo for jovyan. I changed tact and was successful by creating a file in /etc/sudoers.d/ for the user (and not the sudo group which gave me problems).

sqqqrly · July 16, 2019, 6:00pm

Anyway, thanks for the response. I am unblocked.

Strangeness… Why would I get different answers below? According to the manpage, if the user is omitted, it defaults to the current user.

jovyan@jupyter-foo:~$ id
uid=1000(jovyan) gid=0(root) groups=0(root),100(users)

jovyan@jupyter-foo:~$ id jovyan
uid=1000(jovyan) gid=100(users) groups=100(users),27(sudo)

rolweber · July 17, 2019, 5:52am

I suspect the output of id is from the current environment, while id <username> looks in configuration files for settings that would be applied to a new environment for that user.

Maybe there’s a login script that switches the primary group. Or there’s a USER jovyan:root in a Dockerfile, which fixes user and group regardless of the configuration files. You have not given any context, so we have to keep guessing instead of looking into the relevant Dockerfile.

sqqqrly · July 17, 2019, 1:22pm

I was seeing this using the docker image below from a terminal. What else would you like for a context?

  singleuser:
      image:
        name: jupyterhub/k8s-singleuser-sample
        tag: '0.9-b51ffeb'

Currently, I am also building my image using docker-stacks:

commit 6c3390a9292e8475d18026eb60f8d712b5b901db (origin/master, origin/HEAD, psdev-296/fix, master)
Merge: 1e37452 310afbf
Author: Min RK <benjaminrk@gmail.com>
Date:   Thu Jul 4 15:58:00 2019 +0200

As far as it looking in a configuration file for a new user, that would be nonstandard. At least it is not what “man id” says nor what happens on a vanilla bionic system.

   Print user and group information for the specified USER, or
   (when USER omitted) for the current user.

Have you run these from your own jupyter container? It would be interesting to see what your results are.

id
id jovyan
groups

sqqqrly · July 17, 2019, 1:49pm

Going to https://jupyter.org/try and using “try jupyterhub” gives this. The two id commands give different results there to.

jovyan@jupyter-jupyterlab-2djupyterlab-2ddemo-2doxluuao3:~$ id
uid=1000(jovyan) gid=1000(jovyan) groups=1000(jovyan),100(users)

jovyan@jupyter-jupyterlab-2djupyterlab-2ddemo-2doxluuao3:~$ id jovyan
uid=1000(jovyan) gid=1000(jovyan) groups=1000(jovyan)

jovyan@jupyter-jupyterlab-2djupyterlab-2ddemo-2doxluuao3:~$ groups
jovyan users

Still would like to see what you see on your containers.

rolweber · July 18, 2019, 12:38pm

Thanks, that’s the kind of context I was hoping for. You hadn’t mentioned Jupyter Hub before.

There are some layers of stacked images involved. Here’s where the user is created, without assigning a primary group:

github.com

jupyter/docker-stacks/blob/7a3e968dd21268c4b7a6746458ac34e5c3fc17b9/base-notebook/Dockerfile#L55


ADD fix-permissions /usr/local/bin/fix-permissions


# Enable prompt color in the skeleton .bashrc before creating the default NB_USER
RUN sed -i 's/^#force_color_prompt=yes/force_color_prompt=yes/' /etc/skel/.bashrc


# Create NB_USER wtih name jovyan user with UID=1000 and in the 'users' group
# and make sure these dirs are writable by the `users` group.
RUN echo "auth requisite pam_deny.so" >> /etc/pam.d/su && \
    sed -i.bak -e 's/^%admin/#%admin/' /etc/sudoers && \
    sed -i.bak -e 's/^%sudo/#%sudo/' /etc/sudoers && \
    useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
    mkdir -p $CONDA_DIR && \
    chown $NB_USER:$NB_GID $CONDA_DIR && \
    chmod g+w /etc/passwd && \
    fix-permissions $HOME && \
    fix-permissions "$(dirname $CONDA_DIR)"


USER $NB_UID
WORKDIR $HOME


# Setup work directory for backward-compatibility

The last statement in that Dockerfile is USER $NB_UID. And the Dockerfile reference for USER says that if one switches to a user without a primary group assigned, the group root is used.
And here’s the part where the primary group is added, shortly after the container starts up:

github.com

jupyter/docker-stacks/blob/7a3e968dd21268c4b7a6746458ac34e5c3fc17b9/base-notebook/start.sh#L85-L91


# Set NB_USER primary gid to NB_GID (after making the group).  Set
# supplementary gids to NB_GID and 100.
if [ "$NB_GID" != $(id -g $NB_USER) ] ; then
    echo "Add $NB_USER to group: $NB_GID"
    groupadd -g $NB_GID -o ${NB_GROUP:-${NB_USER}}
    usermod  -g $NB_GID -aG 100 $NB_USER
fi

The “user and group information for the specified USER” comes from configuration files such as /etc/group. That script modifies /etc/group, but the process executing the script won’t be affected. At least not to the point that its primary group changes while it’s running. So when you call id jovyan, you get the updated information from /etc/groups, but id shows the actual information of the running process.

The containers I work with are built from scratch, and the user I create there does have a primary group assigned in the Dockerfile. The results wouldn’t compare to yours.

sqqqrly · July 18, 2019, 4:27pm

Very helpful. Thanks!. I am new to JH, but learning.

kevin-bates · July 18, 2019, 4:50pm

Have you enabled the RunAsGroup feature gate and set run_as_gid?

From the docs (via PR 297):

run_as_gid – The GID used to run single-user pods. The default is to run as the primary group of the user specified in the Dockerfile, if this is set to None. Setting this parameter requires that feature-gate RunAsGroup be enabled, otherwise the effective GID of the pod will be 0 (root). In addition, not setting run_as_gid once feature-gate RunAsGroup is enabled will also result in an effective GID of 0 (root).

parente · August 3, 2019, 4:32am

The history of why the jovyan user in the jupyter/docker-stacks images is in the gid=0(root) group starts in jupyter/docker-stacks issue #188 from 2016. Various follow-on issues and PRs with additional conversation about the configuration are linked from there.

Topic		Replies	Views
What do `NB_UID` and `NB_GID` mean in `DockerFile` in `docker-stacks-foundation`? JupyterHub	2	175	December 8, 2023
Jupyter/base-notebook user permission issue JupyterHub community , release , communication , jupyterhub , how-to	14	12948	June 23, 2020
Jupyter Docker Stack Advice for Mac JupyterLab jupyterlab , help-wanted	3	278	January 14, 2024
How to change jovyan to {username} in jupyter single user image JupyterHub	2	2681	November 30, 2021
How tu run the notebook as a different user than the default one jovyan JupyterLab	3	2895	December 17, 2020

What is with the weird jovyan user?

Related Topics