From 28bfbf4e0f0d0daa1b5041b3c9cfb3eef6115fff Mon Sep 17 00:00:00 2001 From: Tarashish Mishra Date: Fri, 23 May 2025 13:53:42 +0530 Subject: [PATCH 1/9] Try defining volumes and volume mounts as dict --- config/clusters/maap/staging.values.yaml | 94 ++++++++++++------------ 1 file changed, 47 insertions(+), 47 deletions(-) diff --git a/config/clusters/maap/staging.values.yaml b/config/clusters/maap/staging.values.yaml index 3b391c1a0b..4dc271ac8b 100644 --- a/config/clusters/maap/staging.values.yaml +++ b/config/clusters/maap/staging.values.yaml @@ -44,6 +44,8 @@ jupyterhub: - name: home mountPath: /home/jovyan/shared-group subPath: _shared-group + storage: + type: null profileList: - display_name: Choose your environment and resources @@ -229,6 +231,51 @@ jupyterhub: config: JupyterHub: authenticator_class: generic-oauth + KubeSpawner: + volumes: + 00-home-nfs: + name: home + persistentVolumeClaim: + claimName: home-nfs + 01-dev-shm: + name: dev-shm + emptyDir: + medium: Memory + volume_mounts: + 00-home-nfs: + name: home + mountPath: /home/jovyan + subPath: "{escaped_username}" + 01-home-shared: + name: home + mountPath: /home/jovyan/shared + subPath: _shared + readOnly: true + 02-home-shared-public: + name: home + mountPath: /home/jovyan/shared-public + subPath: _shared-public + 03-dev-shm: + name: dev-shm + mountPath: /dev/shm + group_overrides: + 00-group-CPU-L-extra-volume-mounts: + groups: ["CPU:L"] + spawner_override: + volume_mounts: + 00-group-CPU-L-shared-dir: + name: home + mountPath: /home/jovyan/shared-group/CPU_L + subPath: _shared-group/CPU_L + 01-group-GPU-T4-extra-volume-mounts: + groups: ["GPU:T4"] + spawner_override: + volume_mounts: + 00-group-GPU-T4-shared-dir: + name: home + mountPath: /home/jovyan/shared-group/GPU_T4 + subPath: _shared-group/GPU_T4 + Authenticator: admin_users: [] GitHubOAuthenticator: 
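Review bot: The explanation of why `volumes` and `volume_mounts` are dictionaries is lost in this move: the comment in the removed `extraConfig` block said that overriding a list replaces it wholesale, and the new `KubeSpawner:` section carries no comment at all. I would add above `volumes:` something like `# dict form: entries are keyed so group_overrides can add mounts instead of replacing the whole list`, and say what the numeric key prefixes (`00-`, `01-`) are for, since the old code derived them from list position. The per-group mounts also drop the explicit `readOnly: False` of the Python version; that is presumably still the default, but a one-line comment that group directories are intentionally writable would make the contrast with `01-home-shared` (`readOnly: true`) deliberate. The `config:` mapping continues outside the hunk.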
@@ -261,53 +308,6 @@ jupyterhub: - CPU:XXL - CPU:XXXL - GPU:T4 - extraConfig: - 00-volumes-and-volume-mounts-as-dict: | - # The base jupyterhub config in zero-to-jupyterhub defines - # volumes and volume_mounts as lists. - # But we can't add new volumes or volume_mounts to the list - # as that replaces the entire list. - # So we convert them to dictionaries, which allows us to - # add new volumes and volume_mounts as needed. - if isinstance(c.KubeSpawner.volumes, list): - existing_volumes = c.KubeSpawner.volumes - c.KubeSpawner.volumes = {} - for volume in existing_volumes: - c.KubeSpawner.volumes[volume["name"]] = volume - if isinstance(c.KubeSpawner.volume_mounts, list): - existing_volume_mounts = c.KubeSpawner.volume_mounts - c.KubeSpawner.volume_mounts = {} - for idx, volume_mount in enumerate(existing_volume_mounts): - c.KubeSpawner.volume_mounts[f"{idx}-{volume_mount['name']}"] = volume_mount - 01-group-shared-directories: | - c.KubeSpawner.group_overrides = { - "00-group-CPU-L-extra-volume-mounts": { - "groups": ["CPU:L"], - "spawner_override": { - "volume_mounts": { - "00-group-CPU-L-shared-dir": { - "name": "home", - "mountPath": "/home/jovyan/shared-group/CPU_L", - "subPath": "_shared-group/CPU_L", - "readOnly": False - }, - } - }, - }, - "01-group-GPU-T4-extra-volume-mounts": { - "groups": ["GPU:T4"], - "spawner_override": { - "volume_mounts": { - "00-group-GPU-T4-shared-dir": { - "name": "home", - "mountPath": "/home/jovyan/shared-group/GPU_T4", - "subPath": "_shared-group/GPU_T4", - "readOnly": False - }, - } - }, - } - } ingress: hosts: [staging.hub.maap.2i2c.cloud] tls: From d5f15d4ac2587ab3c3824314d1b1b242b8dfff8c Mon Sep 17 00:00:00 2001 From: Tarashish Mishra Date: Tue, 27 May 2025 14:33:10 +0530 Subject: [PATCH 2/9] Explicitly mount the extraFiles volumes --- config/clusters/maap/staging.values.yaml | 88 +++++++++++++++++------- 1 file changed, 65 insertions(+), 23 deletions(-) 
diff --git a/config/clusters/maap/staging.values.yaml b/config/clusters/maap/staging.values.yaml index 4dc271ac8b..ab0ef5ccf0 100644 --- a/config/clusters/maap/staging.values.yaml +++ b/config/clusters/maap/staging.values.yaml @@ -14,25 +14,25 @@ jupyterhub: nodeSelector: 2i2c/hub-name: staging initContainers: - - &volume_ownership_fix_initcontainer - name: volume-mount-ownership-fix - image: busybox:1.36.1 - command: - - sh - - -c - - > - id && - chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public /home/jovyan/shared-group && - if [ -d "/home/jovyan/shared-group" ] && [ "$(ls -A /home/jovyan/shared-group)" ]; then - chown 1000:1000 /home/jovyan/shared-group/* || true; - fi && - ls -lhd /home/jovyan - securityContext: - runAsUser: 0 - volumeMounts: - - name: home - mountPath: /home/jovyan - subPath: '{escaped_username}' + - &volume_ownership_fix_initcontainer + name: volume-mount-ownership-fix + image: busybox:1.36.1 + command: + - sh + - -c + - > + id && + chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && + if [ -d "/home/jovyan/shared-group" ] && [ "$(ls -A /home/jovyan/shared-group)" ]; then + chown 1000:1000 /home/jovyan/shared-group/* || true; + fi && + ls -lhd /home/jovyan + securityContext: + runAsUser: 0 + volumeMounts: + - name: home + mountPath: /home/jovyan + subPath: "{escaped_username}" # Mounted without readonly attribute here, # so we can chown it appropriately - name: home 
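Review bot: The init container on the new side runs as root (`runAsUser: 0`) with nothing else in its `securityContext`, although the script only changes ownership and lists directories. Consider adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL], add: [CHOWN]}` next to `runAsUser`, then confirming on staging that `chown` and the `ls -A` test still succeed on the `home` volume. The image is referenced by tag (`busybox:1.36.1`); pinning it by digest would keep the root-run image from changing underneath the hub. The `|| true` after the inner `chown` swallows ownership failures on the group directories, so a comment stating that this is deliberate would help; the `volumeMounts` list continues past the end of the hunk.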
@@ -241,6 +241,25 @@ jupyterhub: name: dev-shm emptyDir: medium: Memory + 02-extra-files: + name: files + secret: + secretName: singleuser + items: + - key: ghsa-w3vc-fx9p-wp4v-check-patch-run + mode: 493 + path: ghsa-w3vc-fx9p-wp4v-check-patch-run + - key: ipython_kernel_config.json + path: ipython_kernel_config.json + - key: jupyter_notebook_config.json + path: jupyter_notebook_config.json + - key: jupyter_server_config.json + path: jupyter_server_config.json + 03-shared-group: + name: shared-group-placeholder + emptyDir: + medium: Memory + sizeLimit: 1Mi volume_mounts: 00-home-nfs: name: home 
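Review bot: `mode: 493` under `02-extra-files` is the decimal form of octal 0755 and is easy to misread; a trailing comment such as `# 0o755: the check script must be executable` would document it. The `items` list and the secret name `singleuser` are hard-coded here, so this volume presumably mirrors something the chart generates from its extra-files settings; if so, a file added there will not reach user pods until it is also listed here and given an entry in `volume_mounts`. A comment above `02-extra-files` naming the source of truth would make that dependency visible.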
@@ -251,19 +270,42 @@ jupyterhub: mountPath: /home/jovyan/shared subPath: _shared readOnly: true - 02-home-shared-public: + 02-home-shared-group: + # overrides the root of the shared-group folder with an empty dir + # so that the user can't see the contents of other groups' folders + # that the user is not a member of + name: shared-group-placeholder + mountPath: /home/jovyan/shared-group + 03-home-shared-public: name: home mountPath: /home/jovyan/shared-public subPath: _shared-public - 03-dev-shm: + 04-dev-shm: name: dev-shm mountPath: /dev/shm + 05-mount-ghsa-patch: + name: files + mountPath: /mnt/ghsa-w3vc-fx9p-wp4v/check-patch-run + subPath: ghsa-w3vc-fx9p-wp4v-check-patch-run + 06-mount-ipython-config: + name: files + mountPath: /usr/local/etc/ipython/ipython_kernel_config.json + subPath: ipython_kernel_config.json + 07-mount-jupyter-notebook-config: + name: files + mountPath: /usr/local/etc/jupyter/jupyter_notebook_config.json + subPath: jupyter_notebook_config.json + 08-mount-jupyter-server-config: + name: files + mountPath: /usr/local/etc/jupyter/jupyter_server_config.json + subPath: jupyter_server_config.json group_overrides: + # Explicitly mount the shared group folders based on group membership 00-group-CPU-L-extra-volume-mounts: groups: ["CPU:L"] spawner_override: volume_mounts: - 00-group-CPU-L-shared-dir: + 00-group-CPU-L-extra-volume-mounts: name: home mountPath: /home/jovyan/shared-group/CPU_L subPath: _shared-group/CPU_L @@ -271,7 +313,7 @@ jupyterhub: groups: ["GPU:T4"] spawner_override: volume_mounts: - 00-group-GPU-T4-shared-dir: + 01-group-GPU-T4-extra-volume-mounts: name: home mountPath: /home/jovyan/shared-group/GPU_T4 subPath: _shared-group/GPU_T4 From b5613b814abd48124bbfe5e81413d24f27899f86 Mon Sep 17 00:00:00 2001 
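Review bot: The comment on `02-home-shared-group` promises that users cannot see other groups' folders, but the mount layout is the only thing enforcing that: every pod still attaches the whole `home` claim, and the init container chowns the group directories to the same `1000:1000`, so file permissions do not separate groups. I would extend the comment to say so, e.g. `# isolation relies on subPath mounts only; never mount _shared-group or the volume root into user pods`. Mounts are presumably fixed when a server starts, so a user removed from a group would keep the directory until their server restarts; if that is the case it belongs in the same comment. The placeholder is a writable, memory-backed `emptyDir`, so anything a user saves directly in `/home/jovyan/shared-group` is lost when the pod stops.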
From: Tarashish Mishra Date: Tue, 27 May 2025 17:02:33 +0530 Subject: [PATCH 3/9] create group shared folders if they dont exist --- config/clusters/maap/staging.values.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/config/clusters/maap/staging.values.yaml b/config/clusters/maap/staging.values.yaml index ab0ef5ccf0..38e40a8a3b 100644 --- a/config/clusters/maap/staging.values.yaml +++ b/config/clusters/maap/staging.values.yaml @@ -20,12 +20,14 @@ jupyterhub: command: - sh - -c + # create the shared group directories and fix ownership + # so that they are owned by the user - > id && + mkdir -p /home/jovyan/shared-group/CPU_L && + mkdir -p /home/jovyan/shared-group/GPU_T4 && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && - if [ -d "/home/jovyan/shared-group" ] && [ "$(ls -A /home/jovyan/shared-group)" ]; then - chown 1000:1000 /home/jovyan/shared-group/* || true; - fi && + chown 1000:1000 /home/jovyan/shared-group/* && ls -lhd /home/jovyan securityContext: runAsUser: 0 From 1b2f5e132321040af22e93218baecb9709863c8a Mon Sep 17 00:00:00 2001 From: Tarashish Mishra Date: Tue, 27 May 2025 17:13:30 +0530 Subject: [PATCH 4/9] fix indentation --- config/clusters/maap/staging.values.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/clusters/maap/staging.values.yaml b/config/clusters/maap/staging.values.yaml index 38e40a8a3b..fa6c15b998 100644 --- a/config/clusters/maap/staging.values.yaml +++ b/config/clusters/maap/staging.values.yaml 
@@ -248,15 +248,15 @@ jupyterhub: secret: secretName: singleuser items: - - key: ghsa-w3vc-fx9p-wp4v-check-patch-run - mode: 493 - path: ghsa-w3vc-fx9p-wp4v-check-patch-run - - key: ipython_kernel_config.json - path: ipython_kernel_config.json - - key: jupyter_notebook_config.json - path: jupyter_notebook_config.json - - key: jupyter_server_config.json - path: jupyter_server_config.json + - key: ghsa-w3vc-fx9p-wp4v-check-patch-run + mode: 493 + path: ghsa-w3vc-fx9p-wp4v-check-patch-run + - key: ipython_kernel_config.json + path: ipython_kernel_config.json + - key: jupyter_notebook_config.json + path: jupyter_notebook_config.json + - key: jupyter_server_config.json + path: jupyter_server_config.json 03-shared-group: name: shared-group-placeholder emptyDir: From 6267ef0aed5ba87ec2a41f100b0331dcb60f012f Mon Sep 17 00:00:00 2001 From: Tarashish Mishra Date: Tue, 27 May 2025 22:01:58 +0530 Subject: [PATCH 5/9] Mount individual group shared folders separately --- config/clusters/maap/staging.values.yaml | 52 ++++++++++++------------ 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/config/clusters/maap/staging.values.yaml b/config/clusters/maap/staging.values.yaml index fa6c15b998..7fad8bb214 100644 --- a/config/clusters/maap/staging.values.yaml +++ b/config/clusters/maap/staging.values.yaml 
@@ -18,34 +18,35 @@ jupyterhub: name: volume-mount-ownership-fix image: busybox:1.36.1 command: - - sh - - -c - # create the shared group directories and fix ownership - # so that they are owned by the user - - > - id && - mkdir -p /home/jovyan/shared-group/CPU_L && - mkdir -p /home/jovyan/shared-group/GPU_T4 && - chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && - chown 1000:1000 /home/jovyan/shared-group/* && - ls -lhd /home/jovyan + - sh + - -c + # create the shared group directories and fix ownership + # so that they are owned by the user + - > + id && + chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && + chown 1000:1000 /home/jovyan/shared-group/* && + ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: - - name: home - mountPath: /home/jovyan - subPath: "{escaped_username}" - # Mounted without readonly attribute here, - # so we can chown it appropriately - - name: home - mountPath: /home/jovyan/shared - subPath: _shared - - name: home - mountPath: /home/jovyan/shared-public - subPath: _shared-public - - name: home - mountPath: /home/jovyan/shared-group - subPath: _shared-group + - name: home + mountPath: /home/jovyan + subPath: "{escaped_username}" + # Mounted without readonly attribute here, + # so we can chown it appropriately + - name: home + mountPath: /home/jovyan/shared + subPath: _shared + - name: home + mountPath: /home/jovyan/shared-public + subPath: _shared-public + - name: home + mountPath: /home/jovyan/shared-group/CPU_L + subPath: _shared-group/CPU_L + - name: home + mountPath: /home/jovyan/shared-group/GPU_T4 + subPath: _shared-group/GPU_T4 storage: type: null @@ -319,7 +320,6 @@ jupyterhub: name: home mountPath: /home/jovyan/shared-group/GPU_T4 subPath: _shared-group/GPU_T4 - Authenticator: admin_users: [] GitHubOAuthenticator: From e0088064713153d4cc93da5c3d149f30b084ac14 Mon Sep 17 00:00:00 2001 
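Review bot: The group directories are now enumerated by hand in the init container's `volumeMounts` as well as in `group_overrides`, and nothing ties the two lists together. If a group is added to `group_overrides` but not here, its directory would presumably be created root-owned on first mount and never chowned, leaving it unwritable for uid 1000. A comment above the two `shared-group/...` mounts such as `# keep in sync with KubeSpawner.group_overrides` would flag that. `chown 1000:1000 /home/jovyan/shared-group/*` now depends on at least one such mount existing, because the parent `_shared-group` mount is removed and the `&&` chain turns a non-matching glob into a failed init container.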
From: Tarashish Mishra
Date: Thu, 29 May 2025 12:38:44 +0530
Subject: [PATCH 6/9] Fix linting errors
---
config/clusters/maap/staging.values.yaml | 84 ++++++++++++------------
1 file changed, 42 insertions(+), 42 deletions(-)
diff --git a/config/clusters/maap/staging.values.yaml b/config/clusters/maap/staging.values.yaml
index 7fad8bb214..59161bc508 100644
--- a/config/clusters/maap/staging.values.yaml
+++ b/config/clusters/maap/staging.values.yaml
@@ -14,41 +14,41 @@ jupyterhub: nodeSelector: 2i2c/hub-name: staging initContainers: - - &volume_ownership_fix_initcontainer - name: volume-mount-ownership-fix - image: busybox:1.36.1 - command: - - sh - - -c + - &volume_ownership_fix_initcontainer + name: volume-mount-ownership-fix + image: busybox:1.36.1 + command: + - sh + - -c # create the shared group directories and fix ownership # so that they are owned by the user - - > - id && - chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && - chown 1000:1000 /home/jovyan/shared-group/* && - ls -lhd /home/jovyan - securityContext: - runAsUser: 0 - volumeMounts: - - name: home - mountPath: /home/jovyan - subPath: "{escaped_username}" + - > + id && + chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && + chown 1000:1000 /home/jovyan/shared-group/* && + ls -lhd /home/jovyan + securityContext: + runAsUser: 0 + volumeMounts: + - name: home + mountPath: /home/jovyan + subPath: '{escaped_username}' # Mounted without readonly attribute here, # so we can chown it appropriately - - name: home - mountPath: /home/jovyan/shared - subPath: _shared - - name: home - mountPath: /home/jovyan/shared-public - subPath: _shared-public - - name: home - mountPath: /home/jovyan/shared-group/CPU_L - subPath: _shared-group/CPU_L - - name: home - mountPath: /home/jovyan/shared-group/GPU_T4 - subPath: _shared-group/GPU_T4 + - name: home + mountPath: /home/jovyan/shared + subPath: _shared + - name: home + mountPath: /home/jovyan/shared-public + subPath: _shared-public + - name: home + mountPath: /home/jovyan/shared-group/CPU_L + subPath: _shared-group/CPU_L + - name: home + mountPath: /home/jovyan/shared-group/GPU_T4 + subPath: _shared-group/GPU_T4 storage: - type: null + type: profileList: - display_name: Choose your environment and resources 
@@ -249,15 +249,15 @@ jupyterhub: secret: secretName: singleuser items: - - key: ghsa-w3vc-fx9p-wp4v-check-patch-run - mode: 493 - path: ghsa-w3vc-fx9p-wp4v-check-patch-run - - key: ipython_kernel_config.json - path: ipython_kernel_config.json - - key: jupyter_notebook_config.json - path: jupyter_notebook_config.json - - key: jupyter_server_config.json - path: jupyter_server_config.json + - key: ghsa-w3vc-fx9p-wp4v-check-patch-run + mode: 493 + path: ghsa-w3vc-fx9p-wp4v-check-patch-run + - key: ipython_kernel_config.json + path: ipython_kernel_config.json + - key: jupyter_notebook_config.json + path: jupyter_notebook_config.json + - key: jupyter_server_config.json + path: jupyter_server_config.json 03-shared-group: name: shared-group-placeholder emptyDir: @@ -267,7 +267,7 @@ jupyterhub: 00-home-nfs: name: home mountPath: /home/jovyan - subPath: "{escaped_username}" + subPath: '{escaped_username}' 01-home-shared: name: home mountPath: /home/jovyan/shared @@ -305,7 +305,7 @@ jupyterhub: group_overrides: # Explicitly mount the shared group folders based on group membership 00-group-CPU-L-extra-volume-mounts: - groups: ["CPU:L"] + groups: [CPU:L] spawner_override: volume_mounts: 00-group-CPU-L-extra-volume-mounts: @@ -313,7 +313,7 @@ jupyterhub: mountPath: /home/jovyan/shared-group/CPU_L subPath: _shared-group/CPU_L 01-group-GPU-T4-extra-volume-mounts: - groups: ["GPU:T4"] + groups: [GPU:T4] spawner_override: volume_mounts: 01-group-GPU-T4-extra-volume-mounts: From ecc0b4886890c938e02158dab3f8523dfa0fd22f Mon Sep 17 00:00:00 2001 From: Tarashish Mishra Date: Thu, 29 May 2025 12:41:21 +0530 Subject: [PATCH 7/9] remove stray comment --- config/clusters/maap/staging.values.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/clusters/maap/staging.values.yaml b/config/clusters/maap/staging.values.yaml index 59161bc508..c55410cece 100644 --- a/config/clusters/maap/staging.values.yaml +++ b/config/clusters/maap/staging.values.yaml 
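Review bot: Dropping the quotes in `groups: [CPU:L]` and `groups: [GPU:T4]` (the last two hunks of this commit) leaves a plain scalar containing `:` inside a flow sequence, which current parsers read as a string but which some older YAML parsers are known to reject. If the formatter strips the quotes again, the block form already used for the allowed-groups list elsewhere in this file (`- CPU:L` on its own line) avoids the ambiguity without fighting the linter.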
@@ -20,8 +20,6 @@ jupyterhub: command: - sh - -c - # create the shared group directories and fix ownership - # so that they are owned by the user - > id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && From 132b01c7c7c3ecd6d3286aca042ae4815fe59dbf Mon Sep 17 00:00:00 2001 From: Tarashish Mishra Date: Wed, 18 Jun 2025 12:55:17 +0530 Subject: [PATCH 8/9] Set storage.type to the string 'none'; not null --- config/clusters/maap/staging.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/maap/staging.values.yaml b/config/clusters/maap/staging.values.yaml index c55410cece..d7efed8838 100644 --- a/config/clusters/maap/staging.values.yaml +++ b/config/clusters/maap/staging.values.yaml @@ -46,7 +46,7 @@ jupyterhub: mountPath: /home/jovyan/shared-group/GPU_T4 subPath: _shared-group/GPU_T4 storage: - type: + type: 'none' profileList: - display_name: Choose your environment and resources From ae51aedbc534db83788346c71f43cab9b05c7ee1 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 18 Jun 2025 07:27:13 +0000 Subject: [PATCH 9/9] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- config/clusters/maap/staging.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/maap/staging.values.yaml b/config/clusters/maap/staging.values.yaml index d7efed8838..25e2b3c0e3 100644 --- a/config/clusters/maap/staging.values.yaml +++ b/config/clusters/maap/staging.values.yaml @@ -46,7 +46,7 @@ jupyterhub: mountPath: /home/jovyan/shared-group/GPU_T4 subPath: _shared-group/GPU_T4 storage: - type: 'none' + type: none profileList: - display_name: Choose your environment and resources