fix

2024-09-03 19:26:35 +02:00 · 2023-02-26 19:50:58 +01:00 · 2023-02-26 19:50:58 +01:00 · c5446783ec
commit c5446783ec
parent f1c47a5942
10 changed files with 117 additions and 17 deletions
--- a/conf/app-sudoers
+++ b/conf/app-sudoers
@ -0,0 +1 @@
+__APP__ ALL=(%__APP__.main) NOPASSWD: __INSTALL_DIR__/.venv/bin/sudospawner
--- a/conf/jupyterhub_config.py
+++ b/conf/jupyterhub_config.py
@ -171,7 +171,7 @@ c.JupyterHub.bind_url = 'http://:__PORT____PATH__'
 #c.JupyterHub.cookie_secret_file = 'jupyterhub_cookie_secret'

 ## The location of jupyterhub data files (e.g. /usr/local/share/jupyterhub)
-#c.JupyterHub.data_files_path = '/opt/jupyterlab/.venv/share/jupyterhub'
+c.JupyterHub.data_files_path = '__INSTALL_DIR__/.venv/share/jupyterhub'

 ## Include any kwargs to pass to the database connection. See
 #  sqlalchemy.create_engine for details.
@ -469,7 +469,7 @@ c.ConfigurableHTTPProxy.api_url = 'http://127.0.0.1:__PORT_HTTP_PROXY__'
 #    - default: jupyterhub.spawner.LocalProcessSpawner
 #    - simple: jupyterhub.spawner.SimpleLocalProcessSpawner
 #    - localprocess: jupyterhub.spawner.LocalProcessSpawner
-#c.JupyterHub.spawner_class = 'jupyterhub.spawner.LocalProcessSpawner'
+c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner'

 ## Path to SSL certificate file for the public facing interface of the proxy
 #  
@ -685,7 +685,7 @@ c.Spawner.default_url = '/lab'
 #  This whitelist is used to ensure that sensitive information in the JupyterHub
 #  process's environment (such as `CONFIGPROXY_AUTH_TOKEN`) is not passed to the
 #  single-user server's process.
-#c.Spawner.env_keep = ['PATH', 'PYTHONPATH', 'CONDA_ROOT', 'CONDA_DEFAULT_ENV', 'VIRTUAL_ENV', 'LANG', 'LC_ALL']
+c.Spawner.env_keep = ['PATH', 'PYTHONPATH', 'CONDA_ROOT', 'CONDA_DEFAULT_ENV', 'VIRTUAL_ENV', 'LANG', 'LC_ALL', 'JUPYTERHUB_SINGLEUSER_APP']

 ## Extra environment variables to set for the single-user server's process.
 #  
@ -762,7 +762,7 @@ c.Spawner.default_url = '/lab'
 #  
 #  Note that this does *not* prevent users from accessing files outside of this
 #  path! They can do so with many other means.
-#c.Spawner.notebook_dir = ''
+c.Spawner.notebook_dir = '~'

 ## An HTML form for options a user can specify on launching their server.
 #  
--- a/conf/sudospawner-singleuser
+++ b/conf/sudospawner-singleuser
@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -e
+
+if [ __ENABLE_EXTENSIONS__ -eq 1 ]; then
+	export JUPYTERLAB_DIR="$HOME/.local/share/__APP__/lab"
+	export PATH="__NODEJS_PATH__:$PATH"
+fi
+
+
+# Delegate the notebook server launch to the jupyterhub-singleuser script.
+# this is how most sudospawner-singleuser scripts should end.
+exec "$(dirname "$0")/jupyterhub-singleuser" $@
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -10,6 +10,7 @@ Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/
 Environment="LC_ALL=C.UTF-8"
 Environment="LANG=C.UTF-8"
+Environment="JUPYTERHUB_SINGLEUSER_APP=jupyter_server.serverapp.ServerApp"
 Environment="__YNH_NODE_LOAD_PATH__:__INSTALL_DIR__/.venv/bin"
 ExecStart=__INSTALL_DIR__/.venv/bin/jupyterhub -f __INSTALL_DIR__/config/jupyterhub_config.py --upgrade-db
 Restart=always
--- a/hooks/post_user_create
+++ b/hooks/post_user_create
@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -e
+
+source /usr/share/yunohost/helpers
+
+app="${0//.\/50-}"
+user=$1
+
+install_dir="$(ynh_app_setting_get --app=$app --key=install_dir)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"
+
+ynh_use_nodejs
+
+if [ $enable_extensions -eq 1 ]; then
+	export JUPYTERLAB_DIR="$(getent passwd $user | cut -d: -f6)/.local/share/$app/lab"
+	node_path="$nodejs_path:$(sudo -u $user sh -c 'echo $PATH')"
+	sudo -u $user env "PATH=$node_path:$PATH" "$install_dir/.venv/bin/jupyter" lab build --app-dir="$JUPYTERLAB_DIR"
+fi
--- a/manifest.toml
+++ b/manifest.toml
@ -47,6 +47,13 @@ ram.runtime = "50M"
    type = "boolean"
    default = true

+    [install.enable_extensions]
+    ask.en = "Allow users to install extensions?"
+    ask.fr = "Permettre aux utilisateurs d'installer des extensions ?"
+    type = "boolean"
+    default = true
+
+
 [resources]
    [resources.ports]
    main.default = 8080
--- a/scripts/change_url
+++ b/scripts/change_url
@ -34,7 +34,21 @@ ynh_change_url_nginx_config
 domain=$new_domain
 path=${new_path%/}

-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$install_dir/config/jupyterhub_config.py"
+mkdir -p "$install_dir/config"
+
+ynh_use_nodejs
+ynh_add_config --template="jupyterhub_config.py" --destination="$install_dir/config/jupyterhub_config.py"
+ynh_add_config --template="jupyter_server_config.py" --destination="$install_dir/config/jupyter_server_config.py"
+ynh_add_config --template="app-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+ynh_add_config --template="sudospawner-singleuser" --destination="$install_dir/.venv/bin/sudospawner-singleuser"
+
+chmod 550 "$install_dir/.venv/bin/sudospawner-singleuser"
+chown -R $app:$app "$install_dir"
+chmod -R g=u,g-w,o-rwx "$install_dir"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$install_dir/.venv"
+setfacl -n -m g:$app.main:x "$install_dir"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"

 #=================================================
 # GENERIC FINALISATION
--- a/scripts/install
+++ b/scripts/install
@ -26,11 +26,16 @@ python3 -m pip install pipenv
 #=================================================
 ynh_script_progression --message="Building app..."

-mkdir -p "$install_dir"
+# Set permissions to app files
+mkdir -p "$install_dir/.venv"
+chown -R $app:$app "$install_dir"
+chmod -R g=u,g-w,o-rwx "$install_dir"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$install_dir/.venv"
+setfacl -n -m g:$app.main:x "$install_dir"

-pushd $install_dir
-	mkdir -p .venv
-	PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true ynh_exec_warn_less python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyterhub-ldapauthenticator pyzmq jupyterlab-language-pack-fr-FR
+pushd "$install_dir"
+	sudo -u $app PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyter-server jupyterhub-ldapauthenticator pyzmq jupyterlab-language-pack-fr-FR sudospawner 2>&1
+	sudo -u $app python3 -m pipenv run jupyterhub upgrade-db 2>&1
 popd

 #=================================================
@ -39,15 +44,34 @@ popd
 ynh_script_progression --message="Adding a configuration file..."

 mkdir -p "$install_dir/config"
-
 path=${path%/}

-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$install_dir/config/jupyterhub_config.py"
-ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$install_dir/config/jupyter_notebook_config.py"
+ynh_add_config --template="jupyterhub_config.py" --destination="$install_dir/config/jupyterhub_config.py"
+ynh_add_config --template="jupyter_server_config.py" --destination="$install_dir/config/jupyter_server_config.py"
+ynh_add_config --template="app-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+ynh_add_config --template="sudospawner-singleuser" --destination="$install_dir/.venv/bin/sudospawner-singleuser"

-chmod 750 "$install_dir"
-chmod -R o-rwx "$install_dir"
-chown -R $app:www-data "$install_dir"
+chmod 550 "$install_dir/.venv/bin/sudospawner-singleuser"
+chown -R $app:$app "$install_dir"
+chmod -R g=u,g-w,o-rwx "$install_dir"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$install_dir/.venv"
+setfacl -n -m g:$app.main:x "$install_dir"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"
+
+#=================================================
+# BUILD USER LABS
+#=================================================
+ynh_script_progression --message="Building JupyterLab for each user..." --weight=10
+
+if [ $enable_extensions -eq 1 ]; then
+	ynh_use_nodejs
+	for user in $(ynh_user_list); do
+		JUPYTERLAB_DIR="$(getent passwd $user | cut -d: -f6)/.local/share/$app/lab"
+		node_path="$nodejs_path:$(sudo -u $user sh -c 'echo $PATH')"
+		sudo -u $user env "PATH=$node_path" "$install_dir/.venv/bin/jupyter" lab build --app-dir="$JUPYTERLAB_DIR"
+	done
+fi

 #=================================================
 # SYSTEM CONFIGURATION
--- a/scripts/remove
+++ b/scripts/remove
@ -31,6 +31,8 @@ ynh_remove_nginx_config

 ynh_remove_nodejs

+ynh_secure_remove "/etc/sudoers.d/$app-sudoers"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -17,8 +17,13 @@ ynh_script_progression --message="Restoring the app main directory..." --weight=

 ynh_restore_file --origin_path="$install_dir"

-chown -R root: $install_dir/
-chown -R $admin: $install_dir/.venv/
+mkdir -p "$install_dir/.venv"
+
+chown -R $app:$app "$install_dir"
+chmod -R g=u,g-w,o-rwx "$install_dir"
+
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$install_dir/.venv"
+setfacl -n -m g:$app.main:x "$install_dir"

 #=================================================
 # SPECIFIC RESTORATION
@ -45,6 +50,22 @@ systemctl enable $app.service --quiet

 yunohost service add $app --description="$app daemon"

+#=================================================
+# RESTORE SUDOERS
+#=================================================
+ynh_script_progression --message="Restoring sudoers configuration..." --weight=2
+
+ynh_restore_file --origin_path="/etc/sudoers.d/$app-sudoers"
+
+# Set permissions on app files
+chmod 550 "$install_dir/.venv/bin/sudospawner-singleuser"
+chown -R $app:$app "$install_dir"
+chmod -R g=u,g-w,o-rwx "$install_dir"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$install_dir/.venv"
+setfacl -n -m g:$app.main:x "$install_dir"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
				`@ -0,0 +1 @@`
				`__APP__ ALL=(%__APP__.main) NOPASSWD: __INSTALL_DIR__/.venv/bin/sudospawner`