Advantage of using sudo spawner over adding capabilities CAP_SETUID, CAP_SETGID to JupyterHub #62

@gatoniel

Hi,

I am running JupyterHub as a separate non-root user with systemd, without sudospawner. Instead I leverage the systemd AmbientCapabilities option. My jupyterhub.service file looks like this:

```ini
[Unit]
Description=JupyterHub
After=syslog.target network.target podman-chp.service

[Service]
User=jupyterhub
AmbientCapabilities=CAP_SETUID CAP_SETGID
Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/jupyterhub/bin"
Environment="CONFIGPROXY_AUTH_TOKEN=<secret>"
ExecStart=/opt/jupyterhub/bin/jupyterhub -f /opt/jupyterhub/etc/jupyterhub/jupyterhub_config.py

[Install]
WantedBy=multi-user.target
```

With this I can use the PAMAuthenticator for logging in and use the standard spawner for creating the single-user notebooks. My question now is: Am I missing some feature of the sudospawner configuration? Or do I get the same effects with my configuration?

NOTE: I am running on CentOS 8. Maybe this makes a difference?
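One way to check which capabilities a unit like the one above actually leaves on a process, added here as an example and not part of the original post or of JupyterHub: it decodes the `Cap*` bitmasks in `/proc/<pid>/status` and reports anything beyond `CAP_SETUID` and `CAP_SETGID`. The sample status text and the helper names are constructed for illustration.

```python
"""Decode the Cap* lines of /proc/<pid>/status and flag unexpected capabilities."""
import sys

# Bit numbers from <linux/capability.h>; only the two named in the unit file
# are spelled out, any other bit is reported by its number.
CAP_NAMES = {6: "CAP_SETGID", 7: "CAP_SETUID"}
EXPECTED = {"CAP_SETUID", "CAP_SETGID"}  # what AmbientCapabilities= lists

# Constructed sample of the relevant /proc/<pid>/status lines (not real output).
SAMPLE_STATUS = """\
Name:\tjupyterhub
Uid:\t991\t991\t991\t991
CapInh:\t00000000000000c0
CapPrm:\t00000000000000c0
CapEff:\t00000000000000c0
CapBnd:\t000001ffffffffff
CapAmb:\t00000000000000c0
"""

def decode_mask(hex_mask):
    """Turn a hex capability mask into a set of capability names."""
    mask = int(hex_mask, 16)
    return {CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1}

def parse_caps(status_text):
    """Return {set name: decoded capabilities} for the five Cap* lines."""
    caps = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
            caps[key] = decode_mask(value.strip())
    return caps

def unexpected(caps, expected=EXPECTED):
    """Capabilities usable by the process (permitted, effective, ambient) beyond `expected`."""
    held = caps.get("CapPrm", set()) | caps.get("CapEff", set()) | caps.get("CapAmb", set())
    return held - set(expected)

def read_status(pid):
    with open(f"/proc/{pid}/status") as fh:
        return fh.read()

if __name__ == "__main__":
    text = read_status(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATUS
    caps = parse_caps(text)
    for name in ("CapPrm", "CapEff", "CapAmb"):
        print(name, sorted(caps.get(name, set())))
    extra = unexpected(caps)
    print("unexpected:", sorted(extra) if extra else "none")
```

Run it with the hub's PID, then with the PID of a spawned single-user server and `expected=set()` in mind, to compare what each process holds.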
