diff --git a/docs/howto/admin/admin-users.rst b/docs/howto/admin/admin-users.rst index 7c897bf..af0765d 100644 --- a/docs/howto/admin/admin-users.rst +++ b/docs/howto/admin/admin-users.rst @@ -78,8 +78,8 @@ admin terminal: .. code-block:: bash - sudo -E tljh-config add-item users.admin - sudo -E tljh-config reload + sudo tljh-config add-item users.admin + sudo tljh-config reload If the user is already using the JupyterHub, they might have to stop and start their server from the control panel to gain new powers. @@ -92,8 +92,8 @@ an admin terminal: .. code-block:: bash - sudo -E tljh-config remove-item users.admin - sudo -E tljh-config reload + sudo tljh-config remove-item users.admin + sudo tljh-config reload If the user is already using the JupyterHub, they will continue to have some of their admin powers until their server is stopped. Another admin diff --git a/docs/howto/admin/https.rst b/docs/howto/admin/https.rst index 7a336b2..63f102a 100644 --- a/docs/howto/admin/https.rst +++ b/docs/howto/admin/https.rst @@ -19,15 +19,15 @@ Automatic HTTPS with Let's Encrypt To enable HTTPS via letsencrypt:: - sudo -E tljh-config set https.enabled true - sudo -E tljh-config set https.letsencrypt.email you@example.com - sudo -E tljh-config add-item https.letsencrypt.domains yourhub.yourdomain.edu + sudo tljh-config set https.enabled true + sudo tljh-config set https.letsencrypt.email you@example.com + sudo tljh-config add-item https.letsencrypt.domains yourhub.yourdomain.edu where ``you@example.com`` is your email address and ``yourhub.yourdomain.edu`` is the domain where your hub will be running. Once you have loaded this, your config should look like:: - sudo -E tljh-config show + sudo tljh-config show .. sourcecode:: yaml 
@@ -41,7 +41,7 @@ Once you have loaded this, your config should look like:: Finally, you can reload the proxy to load the new configuration:: - sudo -E tljh-config reload proxy + sudo tljh-config reload proxy At this point, the proxy should negotiate with Let's Encrypt to set up a trusted HTTPS certificate for you. It may take a moment for the proxy to negotiate with Let's Encrypt to get your certificates, after which you can access your Hub securely at https://yourhub.yourdomain.edu. @@ -54,14 +54,14 @@ Manual HTTPS with existing key and certificate You may already have an SSL key and certificate. If so, you can tell your deployment to use these files:: - sudo -E tljh-config set https.enabled true - sudo -E tljh-config set https.tls.key /etc/mycerts/mydomain.key - sudo -E tljh-config set https.tls.cert /etc/mycerts/mydomain.cert + sudo tljh-config set https.enabled true + sudo tljh-config set https.tls.key /etc/mycerts/mydomain.key + sudo tljh-config set https.tls.cert /etc/mycerts/mydomain.cert Once you have loaded this, your config should look like:: - sudo -E tljh-config show + sudo tljh-config show .. sourcecode:: yaml @@ -74,6 +74,6 @@ Once you have loaded this, your config should look like:: Finally, you can reload the proxy to load the new configuration:: - sudo -E tljh-config reload proxy + sudo tljh-config reload proxy and now access your Hub securely at https://yourhub.yourdomain.edu. diff --git a/docs/howto/auth/dummy.rst b/docs/howto/auth/dummy.rst index 8810867..30949de 100644 --- a/docs/howto/auth/dummy.rst +++ b/docs/howto/auth/dummy.rst 
@@ -18,14 +18,14 @@ Enabling the authenticator .. code-block:: bash - sudo -E tljh-config set auth.DummyAuthenticator.password + sudo tljh-config set auth.DummyAuthenticator.password Remember to replace ```` with the password you choose. 2. Enable the authenticator and reload config to apply configuration: - sudo -E tljh-config set auth.type dummyauthenticator.DummyAuthenticator - sudo -E tljh-config reload + sudo tljh-config set auth.type dummyauthenticator.DummyAuthenticator + sudo tljh-config reload Users who are currently logged in will continue to be logged in. When they log out and try to log back in, they will be asked to provide a username and diff --git a/docs/howto/auth/firstuse.rst b/docs/howto/auth/firstuse.rst index 52b3766..dc9dcb9 100644 --- a/docs/howto/auth/firstuse.rst +++ b/docs/howto/auth/firstuse.rst @@ -16,8 +16,8 @@ Enabling the authenticator #. Enable the authenticator and reload config to apply the configuration: - sudo -E tljh-config set auth.type firstuseauthenticator.FirstUseAuthenticator - sudo -E tljh-config reload + sudo tljh-config set auth.type firstuseauthenticator.FirstUseAuthenticator + sudo tljh-config reload Users who are currently logged in will continue to be logged in. When they log out and try to log back in, they will be asked to provide a username and diff --git a/docs/howto/auth/github.rst b/docs/howto/auth/github.rst index 34b417f..d93cec8 100644 --- a/docs/howto/auth/github.rst +++ b/docs/howto/auth/github.rst 
@@ -57,19 +57,19 @@ For more information on ``tljh-config``, see :ref:`topic/tljh-config`. #. Configure the GitHub OAuthenticator to use your client ID and secret with the following commands:: - sudo -E tljh-config set auth.GitHubOAuthenticator.client_id '' + sudo tljh-config set auth.GitHubOAuthenticator.client_id '' :: - sudo -E tljh-config set auth.GitHubOAuthenticator.client_secret '' + sudo tljh-config set auth.GitHubOAuthenticator.client_secret '' #. Tell your JupyterHub to *use* the GitHub OAuthenticator for authentication:: - sudo -E tljh-config set auth.type oauthenticator.github.GitHubOAuthenticator + sudo tljh-config set auth.type oauthenticator.github.GitHubOAuthenticator #. Restart your JupyterHub so that new users see these changes:: - sudo -E tljh-config reload + sudo tljh-config reload Confirm that the new authentactor works ======================================= diff --git a/docs/howto/content/add-data.rst b/docs/howto/content/add-data.rst index 9504395..c96d67b 100644 --- a/docs/howto/content/add-data.rst +++ b/docs/howto/content/add-data.rst @@ -81,7 +81,7 @@ time. You can download it from your browser `at this link . + sudo tljh-config set auth.. Example ------- @@ -47,7 +47,7 @@ to some value, you can do that with the following command: .. code-block:: bash - sudo -E tljh-config set auth.LDAPAuthenticator.server_address = 'my-ldap-server' + sudo tljh-config set auth.LDAPAuthenticator.server_address = 'my-ldap-server' Most authenticators require you set multiple configuration options before you can enable them. Read the authenticator's documentation carefully for more information. 
@@ -67,13 +67,13 @@ You can accomplish the same with ``tljh-config``: .. code-block:: bash - sudo -E tljh-config set auth.type + sudo tljh-config set auth.type Once enabled, you need to reload JupyterHub for the config to take effect. .. code-block:: bash - sudo -E tljh-config reload + sudo tljh-config reload Try logging in a separate incognito window to check if your configuration works. This lets you preserve your terminal in case there were errors. If there are @@ -88,5 +88,5 @@ Assuming you have already configured it, the following commands enable LDAPAuthe .. code-block:: bash - sudo -E tljh-config set auth.type ldapauthenticator.LDAPAuthenticator - sudo -E tljh-config reload + sudo tljh-config set auth.type ldapauthenticator.LDAPAuthenticator + sudo tljh-config reload diff --git a/docs/topic/installer-actions.rst b/docs/topic/installer-actions.rst index dc50260..4959636 100644 --- a/docs/topic/installer-actions.rst +++ b/docs/topic/installer-actions.rst @@ -51,11 +51,11 @@ By default, ``sudo`` does not respect any custom environments you have activated ``tljh-config`` symlink ======================== -We create a symlink from ``/usr/local/bin/tljh-config`` to ``/opt/tljh/hub/bin/tljh-cohnfig``, so users -can run ``sudo -E tljh-config `` from their terminal. While the user environment is added +We create a symlink from ``/usr/bin/tljh-config`` to ``/opt/tljh/hub/bin/tljh-cohnfig``, so users +can run ``sudo tljh-config `` from their terminal. While the user environment is added to users' ``$PATH`` when they launch through JupyterHub, the hub environment is not. This makes it hard to access the ``tljh-config`` command used to change most config parameters. Hence we symlink the -``tljh-config`` command to ``/usr/local/bin``, so it is directly accessible with ``sudo -E tljh-config ``. +``tljh-config`` command to ``/usr/local/bin``, so it is directly accessible with ``sudo tljh-config ``. Systemd Units ============= 
diff --git a/docs/topic/tljh-config.rst b/docs/topic/tljh-config.rst index bfb137a..e725aa0 100644 --- a/docs/topic/tljh-config.rst +++ b/docs/topic/tljh-config.rst @@ -27,7 +27,7 @@ set a particular property with the following command: .. code-block:: bash - sudo -E tljh-config set + sudo tljh-config set where: @@ -42,7 +42,7 @@ do so with the following: .. code-block:: bash - sudo -E tljh-config set auth.DummyAuthenticator.password mypassword + sudo tljh-config set auth.DummyAuthenticator.password mypassword This can only set string and numerical properties, not lists. @@ -54,7 +54,7 @@ To see the current configuration, you can run the following command: .. code-block:: bash - sudo -E tljh-config show + sudo tljh-config show This will print the current configuration of your TLJH. This is very useful when asking for support! @@ -67,7 +67,7 @@ it to take effect. You can do so with: .. code-block:: bash - sudo -E tljh-config reload + sudo tljh-config reload This should not affect any running users. The JupyterHub will be restarted and loaded with the new configuration. diff --git a/integration-tests/test_hub.py b/integration-tests/test_hub.py index b218a1c..9d63380 100644 --- a/integration-tests/test_hub.py +++ b/integration-tests/test_hub.py @@ -12,7 +12,7 @@ import sys # Use sudo to invoke it, since this is how users invoke it. # This catches issues with PATH -TLJH_CONFIG_PATH = ['sudo', '-E', 'tljh-config'] +TLJH_CONFIG_PATH = ['sudo', 'tljh-config'] def test_hub_up(): r = requests.get('http://127.0.0.1') diff --git a/integration-tests/test_install.py b/integration-tests/test_install.py index 2c4ac70..1b27eea 100644 --- a/integration-tests/test_install.py +++ b/integration-tests/test_install.py @@ -209,4 +209,4 @@ def test_symlinks(): """ Test we symlink tljh-config to /usr/local/bin """ - assert os.path.exists('/usr/local/bin/tljh-config') \ No newline at end of file + assert os.path.exists('/usr/bin/tljh-config') \ No newline at end of file 
diff --git a/tljh/installer.py b/tljh/installer.py index 301e83c..a9357ef 100644 --- a/tljh/installer.py +++ b/tljh/installer.py @@ -286,22 +286,24 @@ def ensure_jupyterhub_running(times=4): def ensure_symlinks(prefix): """ - Ensure we symlink appropriate things into /usr/local/bin + Ensure we symlink appropriate things into /usr/bin We add the user conda environment to PATH for notebook terminals, but not the hub venv. This means tljh-config is not actually accessible. - We symlink to /usr/local/bin to 'fix' this. /usr/local/bin is the appropriate - place, and works with sudo -E + We symlink to /usr/bin and not /usr/local/bin, since /usr/local/bin is + not place, and works with sudo -E in sudo's search $PATH. We can work + around this with sudo -E and extra entries in the sudoers file, but this + is far more secure at the cost of upsetting some FHS purists. """ tljh_config_src = os.path.join(prefix, 'bin', 'tljh-config') - tljh_config_dest = '/usr/local/bin/tljh-config' + tljh_config_dest = '/usr/bin/tljh-config' if os.path.exists(tljh_config_dest): if os.path.realpath(tljh_config_dest) != tljh_config_src: # tljh-config exists that isn't ours. We should *not* delete this file, # instead we throw an error and abort. Deleting files owned by other people # while running as root is dangerous, especially with symlinks involved. - raise FileExistsError(f'/usr/local/bin/tljh-config exists but is not a symlink to {tljh_config_src}') + raise FileExistsError(f'/usr/bin/tljh-config exists but is not a symlink to {tljh_config_src}') else: # We have a working symlink, so do nothing return
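Review bot: The rewritten docstring of ensure_symlinks in tljh/installer.py contains a sentence that splices the old wording into the new: "since /usr/local/bin is not place, and works with sudo -E in sudo's search $PATH". The leftover fragment "place, and works with sudo -E" should be dropped so the sentence reads "since /usr/local/bin is not in sudo's search $PATH". Separately, the function now only inspects /usr/bin/tljh-config, so a host that was installed before this change keeps its old /usr/local/bin/tljh-config symlink. Consider removing that link when it resolves to tljh_config_src, or state in the docstring that it is intentionally left in place.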
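Review bot: In integration-tests/test_install.py the docstring of test_symlinks still reads "Test we symlink tljh-config to /usr/local/bin" while the assertion now checks /usr/bin/tljh-config, so the docstring should be updated to match. The assertion also only proves that something exists at that path. Comparing os.path.realpath('/usr/bin/tljh-config') with the hub's bin/tljh-config, the same check ensure_symlinks performs, would confirm the link points where the installer intends.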
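Review bot: The docs/topic/installer-actions.rst hunk changes the opening sentence to ``/usr/bin/tljh-config`` but leaves the closing sentence as "Hence we symlink the ``tljh-config`` command to ``/usr/local/bin``", so the section now names two different locations. That last line should say ``/usr/bin`` as well. The added line also carries over the "tljh-cohnfig" typo in the symlink target, which is worth fixing while the line is being touched.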
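Review bot: In the LDAPAuthenticator example hunk (@@ -47,7 +47,7 @@) the updated line keeps a stray "=" between key and value: "sudo tljh-config set auth.LDAPAuthenticator.server_address = 'my-ldap-server'". The other set examples in this patch pass the key and the value as two arguments with no equals sign, for example "sudo tljh-config set auth.DummyAuthenticator.password mypassword" in docs/topic/tljh-config.rst, so the "=" should be removed here to keep the documented syntax consistent.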