zhangyiss/the-littlest-jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/the-littlest-jupyterhub.git synced 2025-12-18 21:54:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Move tljh-config symlink to /usr/bin

Browse Source 
Removes a lot of 'sudo -E' usage, and eventually should
let us get rid of the $PATH override for jupyterhub-admins,
which arguably is less secure than just dropping stuff into
/usr/bin

Also remove sudo -E from apt and mkdir calls. Not necessary.
This commit is contained in:
yuvipanda
2018-08-12 21:52:04 -07:00
parent 1b19e5bfc6
commit 28af89a381
14 changed files with 50 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/howto/admin/admin-users.rst
View File

@@ -78,8 +78,8 @@ admin terminal:
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config add-item users.admin <username> sudo tljh-config add-item users.admin <username>
sudo -E tljh-config reload sudo tljh-config reload
If the user is already using the JupyterHub, they might have to stop and If the user is already using the JupyterHub, they might have to stop and
start their server from the control panel to gain new powers. start their server from the control panel to gain new powers.
@@ -92,8 +92,8 @@ an admin terminal:
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config remove-item users.admin <username> sudo tljh-config remove-item users.admin <username>
sudo -E tljh-config reload sudo tljh-config reload
If the user is already using the JupyterHub, they will continue to have If the user is already using the JupyterHub, they will continue to have
some of their admin powers until their server is stopped. Another admin some of their admin powers until their server is stopped. Another admin

20
docs/howto/admin/https.rst
View File

@@ -19,15 +19,15 @@ Automatic HTTPS with Let's Encrypt
To enable HTTPS via letsencrypt:: To enable HTTPS via letsencrypt::
sudo -E tljh-config set https.enabled true sudo tljh-config set https.enabled true
sudo -E tljh-config set https.letsencrypt.email you@example.com sudo tljh-config set https.letsencrypt.email you@example.com
sudo -E tljh-config add-item https.letsencrypt.domains yourhub.yourdomain.edu sudo tljh-config add-item https.letsencrypt.domains yourhub.yourdomain.edu
where ``you@example.com`` is your email address and ``yourhub.yourdomain.edu`` is the domain where your hub will be running. where ``you@example.com`` is your email address and ``yourhub.yourdomain.edu`` is the domain where your hub will be running.
Once you have loaded this, your config should look like:: Once you have loaded this, your config should look like::
sudo -E tljh-config show sudo tljh-config show
.. sourcecode:: yaml .. sourcecode:: yaml
@@ -41,7 +41,7 @@ Once you have loaded this, your config should look like::
Finally, you can reload the proxy to load the new configuration:: Finally, you can reload the proxy to load the new configuration::
sudo -E tljh-config reload proxy sudo tljh-config reload proxy
At this point, the proxy should negotiate with Let's Encrypt to set up a trusted HTTPS certificate for you. At this point, the proxy should negotiate with Let's Encrypt to set up a trusted HTTPS certificate for you.
It may take a moment for the proxy to negotiate with Let's Encrypt to get your certificates, after which you can access your Hub securely at https://yourhub.yourdomain.edu. It may take a moment for the proxy to negotiate with Let's Encrypt to get your certificates, after which you can access your Hub securely at https://yourhub.yourdomain.edu.
@@ -54,14 +54,14 @@ Manual HTTPS with existing key and certificate
You may already have an SSL key and certificate. You may already have an SSL key and certificate.
If so, you can tell your deployment to use these files:: If so, you can tell your deployment to use these files::
sudo -E tljh-config set https.enabled true sudo tljh-config set https.enabled true
sudo -E tljh-config set https.tls.key /etc/mycerts/mydomain.key sudo tljh-config set https.tls.key /etc/mycerts/mydomain.key
sudo -E tljh-config set https.tls.cert /etc/mycerts/mydomain.cert sudo tljh-config set https.tls.cert /etc/mycerts/mydomain.cert
Once you have loaded this, your config should look like:: Once you have loaded this, your config should look like::
sudo -E tljh-config show sudo tljh-config show
.. sourcecode:: yaml .. sourcecode:: yaml
@@ -74,6 +74,6 @@ Once you have loaded this, your config should look like::
Finally, you can reload the proxy to load the new configuration:: Finally, you can reload the proxy to load the new configuration::
sudo -E tljh-config reload proxy sudo tljh-config reload proxy
and now access your Hub securely at https://yourhub.yourdomain.edu. and now access your Hub securely at https://yourhub.yourdomain.edu.

6
docs/howto/auth/dummy.rst
View File

@@ -18,14 +18,14 @@ Enabling the authenticator
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config set auth.DummyAuthenticator.password <password> sudo tljh-config set auth.DummyAuthenticator.password <password>
Remember to replace ``<password>`` with the password you choose. Remember to replace ``<password>`` with the password you choose.
2. Enable the authenticator and reload config to apply configuration: 2. Enable the authenticator and reload config to apply configuration:
sudo -E tljh-config set auth.type dummyauthenticator.DummyAuthenticator sudo tljh-config set auth.type dummyauthenticator.DummyAuthenticator
sudo -E tljh-config reload sudo tljh-config reload
Users who are currently logged in will continue to be logged in. When they Users who are currently logged in will continue to be logged in. When they
log out and try to log back in, they will be asked to provide a username and log out and try to log back in, they will be asked to provide a username and

4
docs/howto/auth/firstuse.rst
View File

@@ -16,8 +16,8 @@ Enabling the authenticator
#. Enable the authenticator and reload config to apply the configuration: #. Enable the authenticator and reload config to apply the configuration:
sudo -E tljh-config set auth.type firstuseauthenticator.FirstUseAuthenticator sudo tljh-config set auth.type firstuseauthenticator.FirstUseAuthenticator
sudo -E tljh-config reload sudo tljh-config reload
Users who are currently logged in will continue to be logged in. When they Users who are currently logged in will continue to be logged in. When they
log out and try to log back in, they will be asked to provide a username and log out and try to log back in, they will be asked to provide a username and

8
docs/howto/auth/github.rst
View File

@@ -57,19 +57,19 @@ For more information on ``tljh-config``, see :ref:`topic/tljh-config`.
#. Configure the GitHub OAuthenticator to use your client ID and secret with the following commands:: #. Configure the GitHub OAuthenticator to use your client ID and secret with the following commands::
sudo -E tljh-config set auth.GitHubOAuthenticator.client_id '<my-tljh-client-id>' sudo tljh-config set auth.GitHubOAuthenticator.client_id '<my-tljh-client-id>'
:: ::
sudo -E tljh-config set auth.GitHubOAuthenticator.client_secret '<my-tljh-client-secret>' sudo tljh-config set auth.GitHubOAuthenticator.client_secret '<my-tljh-client-secret>'
#. Tell your JupyterHub to *use* the GitHub OAuthenticator for authentication:: #. Tell your JupyterHub to *use* the GitHub OAuthenticator for authentication::
sudo -E tljh-config set auth.type oauthenticator.github.GitHubOAuthenticator sudo tljh-config set auth.type oauthenticator.github.GitHubOAuthenticator
#. Restart your JupyterHub so that new users see these changes:: #. Restart your JupyterHub so that new users see these changes::
sudo -E tljh-config reload sudo tljh-config reload
Confirm that the new authentactor works Confirm that the new authentactor works
======================================= =======================================

2
docs/howto/content/add-data.rst
View File

@@ -81,7 +81,7 @@ time. You can download it from your browser `at this link <https://swcarpentry.g
.. code-block:: bash .. code-block:: bash
sudo -E apt-get install unzip sudo apt install unzip
#. Finally, unzip the the file: #. Finally, unzip the the file:

2
docs/howto/content/share-data.rst
View File

@@ -37,7 +37,7 @@ steps:
.. code-block:: bash .. code-block:: bash
sudo -E mkdir -p /srv/data/my_shared_data_folder sudo mkdir -p /srv/data/my_shared_data_folder
#. **Download the data** into this folder. See :ref:`howto/content/add-data` for #. **Download the data** into this folder. See :ref:`howto/content/add-data` for
details on how to do this. details on how to do this.

6
docs/howto/env/notebook-interfaces.rst vendored
View File

@@ -36,19 +36,19 @@ You can change the default interface users get when they log in by modifying
.. code-block:: yaml .. code-block:: yaml
sudo -E tljh-config set user_environment.default_app jupyterlab sudo tljh-config set user_environment.default_app jupyterlab
#. Alternatively, to launch **nteract** when users log in, run the following in the admin console: #. Alternatively, to launch **nteract** when users log in, run the following in the admin console:
.. code-block:: yaml .. code-block:: yaml
sudo -E tljh-config set user_environment.default_app nteract sudo tljh-config set user_environment.default_app nteract
#. Apply the changes by restarting JupyterHub. This should not disrupt current users. #. Apply the changes by restarting JupyterHub. This should not disrupt current users.
.. code-block:: yaml .. code-block:: yaml
sudo -E tljh-config reload sudo tljh-config reload
If this causes problems, check the :ref:`troubleshoot_logs_jupyterhub` for clues If this causes problems, check the :ref:`troubleshoot_logs_jupyterhub` for clues
on what went wrong. on what went wrong.

12
docs/topic/authenticator-configuration.rst
View File

@@ -35,7 +35,7 @@ You can set these with ``tljh-config`` with:
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config set auth.<AuthenticatorName>.<property-name> <some-value> sudo tljh-config set auth.<AuthenticatorName>.<property-name> <some-value>
Example Example
------- -------
@@ -47,7 +47,7 @@ to some value, you can do that with the following command:
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config set auth.LDAPAuthenticator.server_address = 'my-ldap-server' sudo tljh-config set auth.LDAPAuthenticator.server_address = 'my-ldap-server'
Most authenticators require you set multiple configuration options before you can Most authenticators require you set multiple configuration options before you can
enable them. Read the authenticator's documentation carefully for more information. enable them. Read the authenticator's documentation carefully for more information.
@@ -67,13 +67,13 @@ You can accomplish the same with ``tljh-config``:
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config set auth.type <fully-qualified-authenticator-name> sudo tljh-config set auth.type <fully-qualified-authenticator-name>
Once enabled, you need to reload JupyterHub for the config to take effect. Once enabled, you need to reload JupyterHub for the config to take effect.
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config reload sudo tljh-config reload
Try logging in a separate incognito window to check if your configuration works. This Try logging in a separate incognito window to check if your configuration works. This
lets you preserve your terminal in case there were errors. If there are lets you preserve your terminal in case there were errors. If there are
@@ -88,5 +88,5 @@ Assuming you have already configured it, the following commands enable LDAPAuthe
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config set auth.type ldapauthenticator.LDAPAuthenticator sudo tljh-config set auth.type ldapauthenticator.LDAPAuthenticator
sudo -E tljh-config reload sudo tljh-config reload

6
docs/topic/installer-actions.rst
View File

@@ -51,11 +51,11 @@ By default, ``sudo`` does not respect any custom environments you have activated
``tljh-config`` symlink ``tljh-config`` symlink
======================== ========================
We create a symlink from ``/usr/local/bin/tljh-config`` to ``/opt/tljh/hub/bin/tljh-cohnfig``, so users We create a symlink from ``/usr/bin/tljh-config`` to ``/opt/tljh/hub/bin/tljh-cohnfig``, so users
can run ``sudo -E tljh-config <somethihng>`` from their terminal. While the user environment is added can run ``sudo tljh-config <somethihng>`` from their terminal. While the user environment is added
to users' ``$PATH`` when they launch through JupyterHub, the hub environment is not. This makes it to users' ``$PATH`` when they launch through JupyterHub, the hub environment is not. This makes it
hard to access the ``tljh-config`` command used to change most config parameters. Hence we symlink the hard to access the ``tljh-config`` command used to change most config parameters. Hence we symlink the
``tljh-config`` command to ``/usr/local/bin``, so it is directly accessible with ``sudo -E tljh-config <command>``. ``tljh-config`` command to ``/usr/local/bin``, so it is directly accessible with ``sudo tljh-config <command>``.
Systemd Units Systemd Units
============= =============

8
docs/topic/tljh-config.rst
View File

@@ -27,7 +27,7 @@ set a particular property with the following command:
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config set <property-path> <value> sudo tljh-config set <property-path> <value>
where: where:
@@ -42,7 +42,7 @@ do so with the following:
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config set auth.DummyAuthenticator.password mypassword sudo tljh-config set auth.DummyAuthenticator.password mypassword
This can only set string and numerical properties, not lists. This can only set string and numerical properties, not lists.
@@ -54,7 +54,7 @@ To see the current configuration, you can run the following command:
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config show sudo tljh-config show
This will print the current configuration of your TLJH. This is very This will print the current configuration of your TLJH. This is very
useful when asking for support! useful when asking for support!
@@ -67,7 +67,7 @@ it to take effect. You can do so with:
.. code-block:: bash .. code-block:: bash
sudo -E tljh-config reload sudo tljh-config reload
This should not affect any running users. The JupyterHub will be This should not affect any running users. The JupyterHub will be
restarted and loaded with the new configuration. restarted and loaded with the new configuration.

2
integration-tests/test_hub.py
View File

@@ -12,7 +12,7 @@ import sys
# Use sudo to invoke it, since this is how users invoke it. # Use sudo to invoke it, since this is how users invoke it.
# This catches issues with PATH # This catches issues with PATH
TLJH_CONFIG_PATH = ['sudo', '-E', 'tljh-config'] TLJH_CONFIG_PATH = ['sudo', 'tljh-config']
def test_hub_up(): def test_hub_up():
r = requests.get('http://127.0.0.1') r = requests.get('http://127.0.0.1')

2
integration-tests/test_install.py
View File

@@ -209,4 +209,4 @@ def test_symlinks():
""" """
Test we symlink tljh-config to /usr/local/bin Test we symlink tljh-config to /usr/local/bin
""" """
assert os.path.exists('/usr/local/bin/tljh-config') assert os.path.exists('/usr/bin/tljh-config')

12
tljh/installer.py
View File

@@ -286,22 +286,24 @@ def ensure_jupyterhub_running(times=4):
def ensure_symlinks(prefix): def ensure_symlinks(prefix):
""" """
Ensure we symlink appropriate things into /usr/local/bin Ensure we symlink appropriate things into /usr/bin
We add the user conda environment to PATH for notebook terminals, We add the user conda environment to PATH for notebook terminals,
but not the hub venv. This means tljh-config is not actually accessible. but not the hub venv. This means tljh-config is not actually accessible.
We symlink to /usr/local/bin to 'fix' this. /usr/local/bin is the appropriate We symlink to /usr/bin and not /usr/local/bin, since /usr/local/bin is
place, and works with sudo -E not place, and works with sudo -E in sudo's search $PATH. We can work
around this with sudo -E and extra entries in the sudoers file, but this
is far more secure at the cost of upsetting some FHS purists.
""" """
tljh_config_src = os.path.join(prefix, 'bin', 'tljh-config') tljh_config_src = os.path.join(prefix, 'bin', 'tljh-config')
tljh_config_dest = '/usr/local/bin/tljh-config' tljh_config_dest = '/usr/bin/tljh-config'
if os.path.exists(tljh_config_dest): if os.path.exists(tljh_config_dest):
if os.path.realpath(tljh_config_dest) != tljh_config_src: if os.path.realpath(tljh_config_dest) != tljh_config_src:
# tljh-config exists that isn't ours. We should *not* delete this file, # tljh-config exists that isn't ours. We should *not* delete this file,
# instead we throw an error and abort. Deleting files owned by other people # instead we throw an error and abort. Deleting files owned by other people
# while running as root is dangerous, especially with symlinks involved. # while running as root is dangerous, especially with symlinks involved.
raise FileExistsError(f'/usr/local/bin/tljh-config exists but is not a symlink to {tljh_config_src}') raise FileExistsError(f'/usr/bin/tljh-config exists but is not a symlink to {tljh_config_src}')
else: else:
# We have a working symlink, so do nothing # We have a working symlink, so do nothing
return return