From 0b3afdd52d1101e2f4cb0947f073ab86de7511b2 Mon Sep 17 00:00:00 2001 From: Jules Bertholet Date: Sun, 30 May 2021 16:58:33 -0400 Subject: [PATCH] Use SudoSpawner to start user instances --- conf/app-sudoers | 1 + conf/jupyterhub_config.py | 2 +- manifest.json | 2 +- scripts/_common.sh | 25 ++++++++++++++++++++++++- scripts/backup | 6 ++++++ scripts/change_url | 4 +--- scripts/install | 8 +------- scripts/remove | 8 ++++++++ scripts/restore | 8 ++++++++ scripts/upgrade | 8 +------- update_config_files.md | 2 +- 11 files changed, 53 insertions(+), 21 deletions(-) create mode 100644 conf/app-sudoers diff --git a/conf/app-sudoers b/conf/app-sudoers new file mode 100644 index 0000000..7cd4a40 --- /dev/null +++ b/conf/app-sudoers @@ -0,0 +1 @@ +__APP__ ALL=(%__APP__.main) NOPASSWD: __FINALPATH__/.venv/bin/sudospawner diff --git a/conf/jupyterhub_config.py b/conf/jupyterhub_config.py index 6e7330d..ff09546 100644 --- a/conf/jupyterhub_config.py +++ b/conf/jupyterhub_config.py @@ -469,7 +469,7 @@ c.ConfigurableHTTPProxy.api_url = 'http://127.0.0.1:__PORT_HTTP_PROXY__' # - default: jupyterhub.spawner.LocalProcessSpawner # - simple: jupyterhub.spawner.SimpleLocalProcessSpawner # - localprocess: jupyterhub.spawner.LocalProcessSpawner -#c.JupyterHub.spawner_class = 'jupyterhub.spawner.LocalProcessSpawner' +c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner' ## Path to SSL certificate file for the public facing interface of the proxy # diff --git a/manifest.json b/manifest.json index 307d494..3fed82f 100644 --- a/manifest.json +++ b/manifest.json @@ -14,7 +14,7 @@ "email": "pierre@kayou.io" }, "requirements": { - "yunohost": ">= 4.1.7" + "yunohost": ">= 4.2.4" }, "multi_instance": true, "services": [ diff --git a/scripts/_common.sh b/scripts/_common.sh index 216cc8e..df04bff 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
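Review bot: The command this rule allows, `__FINALPATH__/.venv/bin/sudospawner`, sits in a tree owned by the very account that invokes it: `set_permissions` in scripts/_common.sh runs `chown -R $app:$app "$final_path"`, and `python_setup` installs the venv with `sudo -u $app`. A NOPASSWD rule is only as narrow as the file it names, so anything running as `__APP__` can change what is executed as any member of `__APP__.main`, which removes most of the separation SudoSpawner is meant to provide. I would keep the launcher, its parent directories and the interpreter it runs under root-owned and not writable by `__APP__` (or install it outside `$final_path`), and state that requirement in a comment at the top of this file. The `chown`/`setfacl` lines in the scripts/_common.sh hunk are where that ownership would have to be enforced.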
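Review bot: The new `c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner'` line relies on a sudoers rule that names a single absolute path, but nothing here pins the path SudoSpawner will actually call; by default it looks `sudospawner` up on the hub's PATH. If the service environment resolves a different location, sudo will refuse the command and no user server will start. I would set it explicitly next to this line, `c.SudoSpawner.sudospawner_path = '__FINALPATH__/.venv/bin/sudospawner'`, so that the config and conf/app-sudoers cannot drift apart. A short comment such as `# requires the rule installed from conf/app-sudoers` would also help, since the option list above mentions only the built-in spawners.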
@@ -19,15 +19,38 @@ function python_setup { set_permissions pushd "$final_path" - sudo -u $app PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyterhub-ldapauthenticator pyzmq --three 2>&1 + sudo -u $app PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyterhub-ldapauthenticator pyzmq sudospawner --three 2>&1 sudo -u $app python3 -m pipenv run jupyterhub upgrade-db 2>&1 popd } function set_permissions { # Set permissions to app files + mkdir -p "$final_path/.venv" + chown -R $app:$app "$final_path" chmod -R g=u,g-w,o-rwx "$final_path" + + setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv" + setfacl -n -m g:$app.main:x "$final_path" +} + +function add_configs { + mkdir -p "$final_path/config" + path=${path_url%/} + + ynh_add_config --template="jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py" + ynh_add_config --template="jupyter_notebook_config.py" --destination="$final_path/config/jupyter_notebook_config.py" + + ynh_add_config --template="app-sudoers" --destination="/etc/sudoers.d/$app-sudoers" + + set_config_permissions +} + +function set_config_permissions { + set_permissions + chown root:root /etc/sudoers.d/$app-sudoers + chmod 440 /etc/sudoers.d/$app-sudoers } #================================================= diff --git a/scripts/backup b/scripts/backup index 2938068..6ac6b13 100644 --- a/scripts/backup +++ b/scripts/backup 
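Review bot: `add_configs` renders the template straight into `/etc/sudoers.d/$app-sudoers` and never checks that the result parses; owner and mode are only corrected afterwards in `set_config_permissions`. A fragment with a syntax error in that directory can break sudo for the whole host, so I would validate immediately after the `ynh_add_config` call, e.g. `visudo -cf "/etc/sudoers.d/$app-sudoers" || ynh_die --message="Invalid sudoers file for $app"`, removing the file before aborting. The paths in `chown root:root /etc/sudoers.d/$app-sudoers` and `chmod 440 /etc/sudoers.d/$app-sudoers` should also be quoted like the other paths in this file.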
@@ -55,6 +55,12 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_backup --src_path="/etc/systemd/system/$app.service" +#================================================= +# BACKUP SUDOERS +#================================================= + +ynh_backup --src_path="/etc/sudoers.d/$app-sudoers" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/change_url b/scripts/change_url index f02cc22..74f24de 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -113,9 +113,7 @@ fi domain=$new_domain path=${new_path%/} -ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py" - -set_permissions +add_configs #================================================= # GENERIC FINALISATION diff --git a/scripts/install b/scripts/install index a33a38e..a0cbd19 100644 --- a/scripts/install +++ b/scripts/install @@ -128,13 +128,7 @@ ynh_add_systemd_config # MODIFY A CONFIG FILE #================================================= -mkdir -p "$final_path/config" - -path=${path_url%/} - -ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py" - -ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$final_path/config/jupyter_notebook_config.py" +add_configs #================================================= # GENERIC FINALIZATION diff --git a/scripts/remove b/scripts/remove index cd5357f..74f522e 100644 --- a/scripts/remove +++ b/scripts/remove 
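Review bot: In scripts/change_url, `add_configs` reassigns `path=${path_url%/}` (see the scripts/_common.sh hunk), so the `path=${new_path%/}` set just above the call is overwritten before the templates are rendered. Unless `path_url` already holds the new path at this point, which these lines do not show, `jupyterhub_config.py` would be regenerated with the old or an empty base URL. I would either set `path_url=$new_path` before calling `add_configs` here, or move the `path=` assignment out of `add_configs` and keep it in the install and upgrade scripts.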
@@ -69,6 +69,14 @@ ynh_script_progression --message="Removing NGINX web server configuration..." -- # Remove the dedicated NGINX config ynh_remove_nginx_config +#================================================= +# REMOVE SUDOERS CONFIGURATION +#================================================= +ynh_script_progression --message="Removing sudoers configuration..." --weight=1 + +# Remove the dedicated NGINX config +ynh_secure_remove "/etc/sudoers.d/$app-sudoers" + #================================================= # CLOSE A PORT #================================================= diff --git a/scripts/restore b/scripts/restore index 9fd4b89..9154a81 100644 --- a/scripts/restore +++ b/scripts/restore @@ -96,6 +96,14 @@ ynh_script_progression --message="Restoring the systemd configuration..." --weig ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable $app.service --quiet +#================================================= +# RESTORE SUDOERS +#================================================= +ynh_script_progression --message="Restoring sudo configuration..." --weight=2 + +ynh_restore_file --origin_path="/etc/sudoers/$app-sudoers" +set_config_permissions + #================================================= # ADVERTISE SERVICE IN ADMIN PANEL #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 085b035..c5ca739 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -126,13 +126,7 @@ fi # STORE THE CONFIG FILE CHECKSUM #================================================= -mkdir -p "$final_path/config" - -path=${path_url%/} - -ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py" - -ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$final_path/config/jupyter_notebook_config.py" +add_configs #================================================= # SETUP SYSTEMD 
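Review bot: In scripts/remove, the comment above `ynh_secure_remove "/etc/sudoers.d/$app-sudoers"` still reads `# Remove the dedicated NGINX config`, apparently copied from the previous section. It should describe the line it documents, e.g. `# Remove the dedicated sudoers rule`.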
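Review bot: In scripts/restore, `ynh_restore_file --origin_path="/etc/sudoers/$app-sudoers"` points at `/etc/sudoers/`, while scripts/backup archives `/etc/sudoers.d/$app-sudoers` and `set_config_permissions` expects the file under `/etc/sudoers.d/`. As written the restore presumably cannot find the archived file, and the `chown`/`chmod` that follow would then run against a missing path, leaving a restored instance without the rule SudoSpawner needs. The line should be `ynh_restore_file --origin_path="/etc/sudoers.d/$app-sudoers"`.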
diff --git a/update_config_files.md b/update_config_files.md index c781ac6..95e753a 100644 --- a/update_config_files.md +++ b/update_config_files.md @@ -6,7 +6,7 @@ Install the new version of the app with: sudo yunohost app install https://github.com/YunoHost-Apps/jupyterlab_ynh/tree/testing ``` -Navigate to the installation path (`/opt/jupyterlab` by default), and run : +Navigate to the installation path (`/opt/yunohost/jupyterlab` by default), and run : ```bash pipenv shell