Use SudoSpawner to start user instances

conf/app-sudoers

@@ -0,0 +1 @@
+__APP__ ALL=(%__APP__.main) NOPASSWD: __FINALPATH__/.venv/bin/sudospawner

conf/jupyterhub_config.py

@@ -469,7 +469,7 @@ c.ConfigurableHTTPProxy.api_url = 'http://127.0.0.1:__PORT_HTTP_PROXY__'
 #    - default: jupyterhub.spawner.LocalProcessSpawner
 #    - simple: jupyterhub.spawner.SimpleLocalProcessSpawner
 #    - localprocess: jupyterhub.spawner.LocalProcessSpawner
-#c.JupyterHub.spawner_class = 'jupyterhub.spawner.LocalProcessSpawner'
+c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner'
 
 ## Path to SSL certificate file for the public facing interface of the proxy
 #  

manifest.json

@@ -14,7 +14,7 @@
         "email": "pierre@kayou.io"
     },
     "requirements": {
-        "yunohost": ">= 4.1.7"
+        "yunohost": ">= 4.2.4"
     },
     "multi_instance": true,
     "services": [

scripts/_common.sh

@@ -19,15 +19,38 @@ function python_setup {
 	set_permissions
 	
 	pushd "$final_path"
-		sudo -u $app PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyterhub-ldapauthenticator pyzmq --three 2>&1
+		sudo -u $app PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyterhub-ldapauthenticator pyzmq sudospawner --three 2>&1
 		sudo -u $app python3 -m pipenv run jupyterhub upgrade-db 2>&1
 	popd
 }
 
 function set_permissions {
 	# Set permissions to app files
+	mkdir -p "$final_path/.venv"
+
 	chown -R $app:$app "$final_path"
 	chmod -R g=u,g-w,o-rwx "$final_path"
+
+	setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+	setfacl -n -m g:$app.main:x "$final_path"
+}
+
+function add_configs {
+	mkdir -p "$final_path/config"
+	path=${path_url%/}
+
+	ynh_add_config --template="jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
+	ynh_add_config --template="jupyter_notebook_config.py" --destination="$final_path/config/jupyter_notebook_config.py"
+
+	ynh_add_config --template="app-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+
+	set_config_permissions
+}
+
+function set_config_permissions {
+	set_permissions
+	chown root:root /etc/sudoers.d/$app-sudoers
+	chmod 440 /etc/sudoers.d/$app-sudoers
 }
 
 #=================================================

scripts/backup

@@ -55,6 +55,12 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
 ynh_backup --src_path="/etc/systemd/system/$app.service"
 
+#=================================================
+# BACKUP SUDOERS
+#=================================================
+
+ynh_backup --src_path="/etc/sudoers.d/$app-sudoers"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

scripts/change_url

@@ -113,9 +113,7 @@ fi
 domain=$new_domain
 path=${new_path%/}
 
-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
+add_configs
-
-set_permissions
 
 #=================================================
 # GENERIC FINALISATION

scripts/install

@@ -128,13 +128,7 @@ ynh_add_systemd_config
 # MODIFY A CONFIG FILE
 #=================================================
 
-mkdir -p "$final_path/config"
+add_configs
-
-path=${path_url%/}
-
-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
-
-ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$final_path/config/jupyter_notebook_config.py"
 
 #=================================================
 # GENERIC FINALIZATION

scripts/remove

@@ -69,6 +69,14 @@ ynh_script_progression --message="Removing NGINX web server configuration..." --
 # Remove the dedicated NGINX config
 ynh_remove_nginx_config
 
+#=================================================
+# REMOVE SUDOERS CONFIGURATION
+#=================================================
+ynh_script_progression --message="Removing sudoers configuration..." --weight=1
+
+# Remove the dedicated NGINX config
+ynh_secure_remove "/etc/sudoers.d/$app-sudoers"
+
 #=================================================
 # CLOSE A PORT
 #=================================================

scripts/restore

@@ -96,6 +96,14 @@ ynh_script_progression --message="Restoring the systemd configuration..." --weig
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 systemctl enable $app.service --quiet
 
+#=================================================
+# RESTORE SUDOERS
+#=================================================
+ynh_script_progression --message="Restoring sudo configuration..." --weight=2
+
+ynh_restore_file --origin_path="/etc/sudoers/$app-sudoers"
+set_config_permissions
+
 #=================================================
 # ADVERTISE SERVICE IN ADMIN PANEL
 #=================================================

scripts/upgrade

@@ -126,13 +126,7 @@ fi
 # STORE THE CONFIG FILE CHECKSUM
 #=================================================
 
-mkdir -p "$final_path/config"
+add_configs
-
-path=${path_url%/}
-
-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
-
-ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$final_path/config/jupyter_notebook_config.py"
 
 #=================================================
 # SETUP SYSTEMD

update_config_files.md

@@ -6,7 +6,7 @@ Install the new version of the app with:
 sudo yunohost app install https://github.com/YunoHost-Apps/jupyterlab_ynh/tree/testing  
 ```
 
-Navigate to the installation path (`/opt/jupyterlab` by default), and run :
+Navigate to the installation path (`/opt/yunohost/jupyterlab` by default), and run :
 
 ```bash
 pipenv shell