Systemd Spawner for JupyterHub released


Yuvi Panda

Oct 14, 2016, 7:45:16 PM
to Project Jupyter
Hello!

I'm proud to announce the initial release of a Systemd Spawner for
JupyterHub. You can install it from PyPI as
`jupyterhub-systemdspawner`, and read the documentation at
https://github.com/jupyterhub/systemdspawner

If you want to use Linux Containers (Docker, rkt, etc.) for isolation and
security benefits, but don't want the headache and complexity of
container image management, then you should use the SystemdSpawner.
It uses Systemd (https://www.freedesktop.org/wiki/Software/systemd/), a Linux
init system that is used by most modern Linux distros, to provide
these features.

With the **systemdspawner**, you get to use the familiar, traditional system
administration tools, whether you love or meh them, without having to learn an
extra layer of container related tooling.

The following features are currently available:

1. Limit maximum memory permitted to each user.

If they request more memory than this, it will not be granted (`malloc`
will fail, which will manifest in different ways depending on the
programming language you are using).

2. Limit maximum CPU available to each user.

3. Provide fair scheduling to users independent of the number of processes they
are running.

For example, if User A is running 100 CPU hogging processes, it will usually
mean User B's 2 CPU hogging processes will never get enough CPU time as
scheduling is traditionally per-process. With Systemd Spawner, both these
users' processes will as a whole get the same amount of CPU time, regardless
of number of processes being run. Good news if you are User B.

4. Accurate accounting of memory and CPU usage (via cgroups, which
systemd uses internally).

You can check this out with `systemd-cgtop`.

5. `/tmp` isolation.

Each user gets their own `/tmp`, to prevent accidental information
leakage.

6. Spawn notebook servers as specific local users on the system.

This can replace the need for using SudoSpawner.

7. Restrict users from being able to sudo to root (or as other users)
from within the notebook.

This is an additional security measure to make sure that a compromise of
a jupyterhub notebook instance doesn't allow root access.

8. Restrict what paths users can write to.

This allows making `/` read only and only granting write privileges to
specific paths, for additional security.

9. Automatically collect logs from each individual user notebook into
`journald`, which also handles log rotation.

You can find more information at
https://github.com/jupyterhub/systemdspawner/blob/master/README.md.

I'm currently working on deploying this at both UC Berkeley and at
Wikimedia, and will release a 1.0 version once they have been running
in production for a while without issues. Feature requests / Issues
welcome! I'm also available on the JupyterHub Gitter
(https://gitter.im/jupyterhub/jupyterhub) to answer questions too!

Thanks a lot to @willingc, @aculich & @ryanlovett for their help in
making this release happen! <3

--
Yuvi Panda T
http://yuvi.in/blog
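
Added example (not part of the original post or the systemdspawner project): a Python check that reads the `systemctl show` output of one user's notebook unit and lists which protections from the feature list above are not in effect. The mapping from each feature to a systemd property, the function names and both sample outputs are assumptions made for illustration.

```python
# Added example, not systemdspawner code; feature-to-property mapping is assumed.
UNSET = {"", "infinity", "18446744073709551615"}  # how systemd prints "no limit"
# Constructed `systemctl show` output: a locked-down unit and an unprotected one.
SAMPLE_HARDENED = """User=alice
MemoryLimit=2147483648
CPUQuotaPerSecUSec=500ms
PrivateTmp=yes
NoNewPrivileges=yes
ReadOnlyPaths=/"""

SAMPLE_WEAK = """User=root
MemoryLimit=infinity
CPUQuotaPerSecUSec=infinity
PrivateTmp=no
NoNewPrivileges=no
ReadOnlyPaths="""

def parse_show(text):
    """Parse the KEY=VALUE lines printed by `systemctl show <unit>`."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def first_set(props, *names):
    """Value of the first named property that carries a real setting, else None."""
    return next((props[n] for n in names if props.get(n, "") not in UNSET), None)

def audit(text):
    """Return the announced protections that are NOT in effect for this unit."""
    p, missing = parse_show(text), []
    # Features 1-2: memory and CPU caps (property name depends on systemd version).
    if first_set(p, "MemoryMax", "MemoryLimit") is None:
        missing.append("memory limit")
    if first_set(p, "CPUQuotaPerSecUSec") is None:
        missing.append("cpu limit")
    # Feature 5: private /tmp. Feature 7: setuid binaries such as sudo gain nothing.
    if p.get("PrivateTmp") != "yes":
        missing.append("/tmp isolation")
    if p.get("NoNewPrivileges") != "yes":
        missing.append("sudo restriction")
    # Feature 6: the server runs as a specific local user, not root.
    if p.get("User", "") in ("", "root", "0"):
        missing.append("non-root user")
    # Feature 8: "/" is read-only (older systemd calls this ReadOnlyDirectories).
    if "/" not in (first_set(p, "ReadOnlyPaths", "ReadOnlyDirectories") or "").split():
        missing.append("read-only /")
    return missing

if __name__ == "__main__":
    print(audit(SAMPLE_HARDENED), audit(SAMPLE_WEAK))
```

On a live host the input would be the text printed by `systemctl show` for the unit in question; an empty list means every audited protection is present.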

Kyle Kelley

Oct 15, 2016, 11:17:01 AM
to jup...@googlegroups.com
That's awesome Yuvi. Love seeing the embrace of systemd.
--
Kyle Kelley (@rgbkrk; lambdaops.com)

Brian Granger

Oct 15, 2016, 1:21:28 PM
to jup...@googlegroups.com
Woohoo! Super excited to try this out - perfectly matches our usage case
