What is with the weird jovyan user?

rolweber · July 18, 2019, 12:38pm

Thanks, that’s the kind of context I was hoping for. You hadn’t mentioned Jupyter Hub before.

There are some layers of stacked images involved. Here’s where the user is created, without assigning a primary group:

jupyter/docker-stacks/blob/7a3e968dd21268c4b7a6746458ac34e5c3fc17b9/base-notebook/Dockerfile#L55


ADD fix-permissions /usr/local/bin/fix-permissions


# Enable prompt color in the skeleton .bashrc before creating the default NB_USER
RUN sed -i 's/^#force_color_prompt=yes/force_color_prompt=yes/' /etc/skel/.bashrc


# Create NB_USER wtih name jovyan user with UID=1000 and in the 'users' group
# and make sure these dirs are writable by the `users` group.
RUN echo "auth requisite pam_deny.so" >> /etc/pam.d/su && \
    sed -i.bak -e 's/^%admin/#%admin/' /etc/sudoers && \
    sed -i.bak -e 's/^%sudo/#%sudo/' /etc/sudoers && \
    useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
    mkdir -p $CONDA_DIR && \
    chown $NB_USER:$NB_GID $CONDA_DIR && \
    chmod g+w /etc/passwd && \
    fix-permissions $HOME && \
    fix-permissions "$(dirname $CONDA_DIR)"


USER $NB_UID
WORKDIR $HOME


# Setup work directory for backward-compatibility

The last statement in that Dockerfile is USER $NB_UID. And the Dockerfile reference for USER says that if one switches to a user without a primary group assigned, the group root is used.
And here’s the part where the primary group is added, shortly after the container starts up:

github.com

jupyter/docker-stacks/blob/7a3e968dd21268c4b7a6746458ac34e5c3fc17b9/base-notebook/start.sh#L85-L91


# Set NB_USER primary gid to NB_GID (after making the group).  Set
# supplementary gids to NB_GID and 100.
if [ "$NB_GID" != $(id -g $NB_USER) ] ; then
    echo "Add $NB_USER to group: $NB_GID"
    groupadd -g $NB_GID -o ${NB_GROUP:-${NB_USER}}
    usermod  -g $NB_GID -aG 100 $NB_USER
fi

The “user and group information for the specified USER” comes from configuration files such as /etc/group. That script modifies /etc/group, but the process executing the script won’t be affected. At least not to the point that its primary group changes while it’s running. So when you call id jovyan, you get the updated information from /etc/groups, but id shows the actual information of the running process.

The containers I work with are built from scratch, and the user I create there does have a primary group assigned in the Dockerfile. The results wouldn’t compare to yours.

Topic		Replies	Views
Remove root group membership from NB_USER Zero to JupyterHub on Kubernetes	1	129	April 12, 2024
Incorrect gid (main group lost) within jupyter kernel (python) JupyterLab	2	160	January 8, 2024
How to change jovyan to {username} in jupyter single user image JupyterHub	2	3813	November 30, 2021
User container fails to start JupyterHub jupyterhub , help-wanted , question	1	866	August 5, 2020
How to set two gid use SystemUserSpawner JupyterHub	2	507	October 22, 2021

What is with the weird jovyan user?

Related topics