Problem running with podman on HPC #5

Closed
benz0li opened this issue Aug 8, 2024 · 56 comments

@benz0li
Member

benz0li commented Aug 8, 2024

You could give glcr.b-data.ch/jupyterlab/r/geospatial a try, i.e.

podman run --rm \
  -p 8888:8888 \
  glcr.b-data.ch/jupyterlab/r/geospatial

This just gives me: Error: OCI runtime error: crun: cannot setresgid to `100`: Invalid argument

podman run --rm \
  -p 8888:8888 \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/geospatial

This seems to do much more:

Entered start.sh with args: start-notebook.sh
Running hooks in: /usr/local/bin/start-notebook.d as uid: 0 gid: 0
Sourcing shell script: /usr/local/bin/start-notebook.d/10-populate.sh
Done running hooks in: /usr/local/bin/start-notebook.d
Updated the jovyan user:
- username: jovyan       -> root
- home dir: /home/jovyan -> /home/root
Attempting to copy /home/jovyan to /home/root...
Success!
Changing working directory to /home/root/
Running hooks in: /usr/local/bin/before-notebook.d as uid: 0 gid: 0
Sourcing shell script: /usr/local/bin/before-notebook.d/10-env.sh
Sourcing shell script: /usr/local/bin/before-notebook.d/11-home.sh

But there is an error in the "end": runuser: cannot set groups: Operation not permitted

Originally posted by @bernt-matthias in rocker-org/rocker-versioned2#838 (comment)

@benz0li benz0li added the bug Something isn't working label Aug 8, 2024
@benz0li benz0li self-assigned this Aug 8, 2024
@benz0li
Member Author

benz0li commented Aug 8, 2024

Most likely due to run_user_group, i.e.

run_user_group mkdir -p "/home/$NB_USER${DOMAIN:+@$DOMAIN}/projects"
run_user_group mkdir -p "/home/$NB_USER${DOMAIN:+@$DOMAIN}/workspaces"

@benz0li
Member Author

benz0li commented Aug 8, 2024

function run_user_group() {
runuser -u "${NB_USER}" -g "$(id -gn "${NB_USER}")" -G "users" -- "$@"
}

This might not be required when run as root with -e NB_USER=root -e NB_UID=0 -e NB_GID=0.

@bernt-matthias I will look into this and provide a patched image so you can test it on the HPC.

@bernt-matthias

Excellent. Thanks a lot

@benz0li
Member Author

benz0li commented Aug 8, 2024

@bernt-matthias Try with

podman run --rm \
  -p 8888:8888 \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/base:test-hpc

Thanks for your feedback.

@bernt-matthias

Seems that it gets closer, but there is still some error:

Entered start.sh with args: start-notebook.sh
Running hooks in: /usr/local/bin/start-notebook.d as uid: 0 gid: 0
Sourcing shell script: /usr/local/bin/start-notebook.d/10-populate.sh
Done running hooks in: /usr/local/bin/start-notebook.d
Updated the jovyan user:
- username: jovyan       -> root
- home dir: /home/jovyan -> /home/root
Attempting to copy /home/jovyan to /home/root...
Success!
Changing working directory to /home/root/
Running hooks in: /usr/local/bin/before-notebook.d as uid: 0 gid: 0
Sourcing shell script: /usr/local/bin/before-notebook.d/10-env.sh
Sourcing shell script: /usr/local/bin/before-notebook.d/11-home.sh
Sourcing shell script: /usr/local/bin/before-notebook.d/12-r.sh
Sourcing shell script: /usr/local/bin/before-notebook.d/13-update-cran.sh
Sourcing shell script: /usr/local/bin/before-notebook.d/30-code-server.sh
Sourcing shell script: /usr/local/bin/before-notebook.d/50-rstudio.sh
Sourcing shell script: /usr/local/bin/before-notebook.d/71-tensorboard.sh
Sourcing shell script: /usr/local/bin/before-notebook.d/90-limits.sh
Sourcing shell script: /usr/local/bin/before-notebook.d/95-misc.sh
Done running hooks in: /usr/local/bin/before-notebook.d
Running as root: start-notebook.sh
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Invalid argument
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit

@benz0li
Member Author

benz0li commented Aug 8, 2024

That is due to sudo in start.sh:

exec sudo --preserve-env --set-home --user "${NB_USER}" \
LD_LIBRARY_PATH="${LD_LIBRARY_PATH}" \
PATH="${PATH}" \
PYTHONPATH="${PYTHONPATH:-}" \
"${cmd[@]}"

sudo is not required when run as root with -e NB_USER=root -e NB_UID=0 -e NB_GID=0.

Let me see what I can do...

@benz0li
Member Author

benz0li commented Aug 8, 2024

@bernt-matthias I patched the image once more.

Please pull glcr.b-data.ch/jupyterlab/r/base:test-hpc and try again.

@bernt-matthias

There seem to be two files with unexpected permissions:

Executing: jupyter lab --allow-root
[I 2024-08-08 11:59:57.298 ServerApp] jupyter_lsp | extension was successfully linked.
[I 2024-08-08 11:59:57.310 ServerApp] jupyter_server_mathjax | extension was successfully linked.
[I 2024-08-08 11:59:57.310 ServerApp] jupyter_server_proxy | extension was successfully linked.
[I 2024-08-08 11:59:57.317 ServerApp] jupyter_server_terminals | extension was successfully linked.
[I 2024-08-08 11:59:57.324 ServerApp] jupyterlab | extension was successfully linked.
[I 2024-08-08 11:59:57.324 ServerApp] jupyterlab_git | extension was successfully linked.
[I 2024-08-08 11:59:57.329 ServerApp] nbclassic | extension was successfully linked.
[I 2024-08-08 11:59:57.329 ServerApp] nbdime | extension was successfully linked.
[I 2024-08-08 11:59:57.334 ServerApp] notebook | extension was successfully linked.
[I 2024-08-08 11:59:57.343 ServerApp] Writing Jupyter server cookie secret to /home/root/.local/share/jupyter/runtime/jupyter_cookie_secret
[W 2024-08-08 11:59:57.344 ServerApp] notebook_shim | error linking extension: Permissions assignment failed for secure file: '/home/root/.local/share/jupyter/runtime/jupyter_cookie_secret'. Got '0o655' instead of '0o0600'.
    Traceback (most recent call last):
      File "/usr/local/lib/python3.12/site-packages/traitlets/traitlets.py", line 632, in get
        value = obj._trait_values[self.name]
                ~~~~~~~~~~~~~~~~~^^^^^^^^^^^
    KeyError: 'cookie_secret'
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/extension/manager.py", line 346, in link_extension
        extension.link_all_points(self.serverapp)
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/extension/manager.py", line 228, in link_all_points
        self.link_point(point_name, serverapp)
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/extension/manager.py", line 218, in link_point
        point.link(serverapp)
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/extension/manager.py", line 140, in link
        linker(serverapp)
      File "/usr/local/lib/python3.12/site-packages/notebook_shim/nbserver.py", line 109, in _link_jupyter_server_extension
        members = diff_members(serverapp, nbapp)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/notebook_shim/nbserver.py", line 62, in diff_members
        m1 = public_members(obj1)
             ^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/notebook_shim/nbserver.py", line 56, in public_members
        members = inspect.getmembers(obj)
                  ^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/inspect.py", line 608, in getmembers
        return _getmembers(object, predicate, getattr)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/inspect.py", line 586, in _getmembers
        value = getter(object, key)
                ^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/traitlets/traitlets.py", line 687, in __get__
        return t.cast(G, self.get(obj, cls))  # the G should encode the Optional
                         ^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/traitlets/traitlets.py", line 635, in get
        default = obj.trait_defaults(self.name)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/traitlets/traitlets.py", line 1897, in trait_defaults
        return t.cast(Sentinel, self._get_trait_default_generator(names[0])(self))
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/traitlets/traitlets.py", line 1241, in __call__
        return self.func(*args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/serverapp.py", line 1158, in _default_cookie_secret
        self._write_cookie_secret_file(key)
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/serverapp.py", line 1167, in _write_cookie_secret_file
        with secure_write(self.cookie_secret_file, True) as f:
      File "/usr/local/lib/python3.12/contextlib.py", line 137, in __enter__
        return next(self.gen)
               ^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/jupyter_core/paths.py", line 1007, in secure_write
        raise RuntimeError(msg)
    RuntimeError: Permissions assignment failed for secure file: '/home/root/.local/share/jupyter/runtime/jupyter_cookie_secret'. Got '0o655' instead of '0o0600'.
[I 2024-08-08 11:59:57.464 ServerApp] notebook_shim | extension was successfully loaded.
[I 2024-08-08 11:59:57.469 ServerApp] jupyter_lsp | extension was successfully loaded.
[I 2024-08-08 11:59:57.469 ServerApp] jupyter_server_mathjax | extension was successfully loaded.
[I 2024-08-08 11:59:57.512 ServerApp] jupyter_server_proxy | extension was successfully loaded.
[I 2024-08-08 11:59:57.516 ServerApp] jupyter_server_terminals | extension was successfully loaded.
[I 2024-08-08 11:59:57.618 LabApp] JupyterLab extension loaded from /usr/local/lib/python3.12/site-packages/jupyterlab
[I 2024-08-08 11:59:57.618 LabApp] JupyterLab application directory is /usr/local/share/jupyter/lab
[I 2024-08-08 11:59:57.620 LabApp] Extension Manager is 'pypi'.
[I 2024-08-08 11:59:57.674 ServerApp] jupyterlab | extension was successfully loaded.
[I 2024-08-08 11:59:57.678 ServerApp] jupyterlab_git | extension was successfully loaded.
[I 2024-08-08 11:59:57.691 ServerApp] nbclassic | extension was successfully loaded.
[I 2024-08-08 11:59:58.207 ServerApp] nbdime | extension was successfully loaded.
[I 2024-08-08 11:59:58.219 ServerApp] notebook | extension was successfully loaded.
[I 2024-08-08 11:59:58.220 ServerApp] Serving notebooks from local directory: /home/root
[I 2024-08-08 11:59:58.220 ServerApp] Jupyter Server 2.14.2 is running at:
[I 2024-08-08 11:59:58.220 ServerApp] http://fee50fb4c9d3:8888/lab?token=3f9ffcf78e92c325035d3a158fc13976b6b8f4e03e1debf3
[I 2024-08-08 11:59:58.220 ServerApp]     http://127.0.0.1:8888/lab?token=3f9ffcf78e92c325035d3a158fc13976b6b8f4e03e1debf3
[I 2024-08-08 11:59:58.220 ServerApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).

  _   _          _      _
 | | | |_ __  __| |__ _| |_ ___
 | |_| | '_ \/ _` / _` |  _/ -_)
  \___/| .__/\__,_\__,_|\__\___|
       |_|
                                                                           
Read the migration plan to Notebook 7 to learn about the new features and the actions to take if you are using extensions.

https://jupyter-notebook.readthedocs.io/en/latest/migrate_to_notebook7.html

Please note that updating to Notebook 7 might break some of your extensions.

Traceback (most recent call last):
  File "/usr/local/bin/jupyter-lab", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.12/site-packages/jupyter_server/extension/application.py", line 623, in launch_instance
    serverapp.start()
  File "/usr/local/lib/python3.12/site-packages/jupyter_server/serverapp.py", line 3120, in start
    self.start_app()
  File "/usr/local/lib/python3.12/site-packages/jupyter_server/serverapp.py", line 3021, in start_app
    self.write_server_info_file()
  File "/usr/local/lib/python3.12/site-packages/jupyter_server/serverapp.py", line 2827, in write_server_info_file
    with secure_write(self.info_file) as f:
  File "/usr/local/lib/python3.12/contextlib.py", line 137, in __enter__
    return next(self.gen)
           ^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/jupyter_core/paths.py", line 1007, in secure_write
    raise RuntimeError(msg)
RuntimeError: Permissions assignment failed for secure file: '/home/root/.local/share/jupyter/runtime/jpserver-2.json'. Got '0o655' instead of '0o0600'.

@benz0li
Member Author

benz0li commented Aug 8, 2024

@bernt-matthias Try with

podman run --rm \
  -p 8888:8888 \
  -u root \
  -e NB_UMASK=0077 \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/base:test-hpc

@benz0li
Member Author

benz0li commented Aug 8, 2024

Or (better)

podman run --rm \
  -p 8888:8888 \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e JUPYTER_ALLOW_INSECURE_WRITES=true \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/base:test-hpc

@benz0li
Member Author

benz0li commented Aug 8, 2024

Or (alternatively)

podman run --rm \
  -p 8888:8888 \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e JUPYTER_RUNTIME_DIR=/directory/not/in/mounted/filesystem \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/base:test-hpc

should /home/root be mounted somehow.

Cross reference:

@benz0li
Member Author

benz0li commented Aug 8, 2024

You have quite an edge case here... (OpenShift?)

Because on a regular Linux machine, the mentioned files have permission 0o0600 inside the container – with both Docker and Podman.
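
A probe for telling this edge case apart from a regular machine, added here as an example (not part of the thread, of Jupyter, or of the image's scripts): run inside the container, it lists the files the posted log flagged and looks for a directory where a file set to 0600 really reads back as 0600, which is what the JUPYTER_RUNTIME_DIR variant above needs. The function names and the candidate directories are assumptions, and `stat -c` is assumed to be the GNU or BusyBox form.

```sh
#!/bin/sh
# Added example: not from the thread, Jupyter, or the image's start scripts.
# Function names and candidate directories are illustrative assumptions.

# Two lines copied from the startup log posted earlier in this thread.
sample_log() {
  cat <<'EOF'
[W 2024-08-08 11:59:57.344 ServerApp] notebook_shim | error linking extension: Permissions assignment failed for secure file: '/home/root/.local/share/jupyter/runtime/jupyter_cookie_secret'. Got '0o655' instead of '0o0600'.
RuntimeError: Permissions assignment failed for secure file: '/home/root/.local/share/jupyter/runtime/jpserver-2.json'. Got '0o655' instead of '0o0600'.
EOF
}

# failed_secure_writes: read a Jupyter log on stdin and print one
# "<path> <mode found> <mode wanted>" line per affected file.
failed_secure_writes() {
  sed -n "s/.*Permissions assignment failed for secure file: '\([^']*\)'\. Got '0o\([0-7]*\)' instead of '0o\([0-7]*\)'.*/\1 \2 \3/p" |
    LC_ALL=C sort -u
}

# excess_bits MODE: print (in octal) the group/other permission bits set in
# MODE. Anything other than 0 means accounts besides the owner get access
# to the cookie secret or to the server info file that holds the token.
excess_bits() {
  printf '%o\n' "$(( 0$1 & 077 ))"
}

# probe_dir DIR: create a scratch file in DIR, chmod it to 600 and print the
# mode the filesystem reports back. Succeeds only if that mode is 600.
probe_dir() (
  dir=$1
  [ -n "$dir" ] && [ -d "$dir" ] || { echo "n/a"; exit 2; }
  f=$(mktemp "$dir/.secure-write-probe.XXXXXX" 2>/dev/null) || { echo "n/a"; exit 2; }
  chmod 600 "$f" 2>/dev/null || :
  mode=$(stat -c '%a' "$f" 2>/dev/null) || mode="n/a"
  rm -f "$f"
  echo "$mode"
  [ "$mode" = "600" ]
)

# pick_runtime_dir DIR...: print the first candidate that keeps mode 0600;
# fail if none does.
pick_runtime_dir() (
  for dir in "$@"; do
    if mode=$(probe_dir "$dir"); then
      printf '%s\n' "$dir"
      exit 0
    fi
    printf 'skipping %s (mode read back: %s)\n' "${dir:-<empty>}" "$mode" >&2
  done
  exit 1
)

# Demo: summarise the posted log, then probe a few candidate directories.
sample_log | failed_secure_writes |
  while read -r path got want; do
    printf '%s: got %s, wanted %s, group/other bits %s\n' \
      "$path" "$got" "$want" "$(excess_bits "$got")"
  done

if runtime_dir=$(pick_runtime_dir "${XDG_RUNTIME_DIR:-}" /dev/shm /tmp); then
  echo "candidate: JUPYTER_RUNTIME_DIR=$runtime_dir"
else
  echo "no candidate kept mode 0600"
fi
```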

@bernt-matthias

Or (better)

podman run --rm \
  -p 8888:8888 \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e JUPYTER_ALLOW_INSECURE_WRITES=true \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/base:test-hpc

This worked :)

@bernt-matthias

Could you explain to me the connection between jupyter and rocker/rstudio?

@benz0li
Member Author

benz0li commented Aug 8, 2024

Could you explain to me the connection between jupyter and rocker/rstudio?

There is none. These are separate projects.

@benz0li
Member Author

benz0li commented Aug 8, 2024

rocker/binder uses jupyter to serve RStudio.

The Jupyter Docker Stacks do not include RStudio.

@benz0li
Member Author

benz0li commented Aug 8, 2024

What makes this project different:

  1. Multi-arch: linux/amd64, linux/arm64/v8
    ℹ️ Runs on Apple M series using Docker Desktop.
  2. Base image: Debian instead of Ubuntu
    ℹ️ CUDA-based images use Ubuntu.
  3. IDE: code-server next to RStudio
    ℹ️ code-server = Code - OSS in the browser.
  4. Just Python – no Conda / Mamba

@benz0li
Member Author

benz0li commented Aug 8, 2024

Does everything work as expected when you access in a browser?

What about the permissions? Could you please open the JupyterLab Terminal, execute

mkdir test-folder
touch test-file
ls -al

and post the output here?


Alternative:

podman run -it --rm \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e JUPYTER_ALLOW_INSECURE_WRITES=true \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/base:test-hpc bash

(For direct Zsh access you should install the recommended font on the host)

@benz0li
Member Author

benz0li commented Aug 8, 2024

@bernt-matthias I will do some further tests. If nothing unexpected occurs, all JupyterLab docker stacks will be patched tomorrow.

@bernt-matthias

and post the output here?

Everything as expected:

total 328
drwxr-xr-x 12 root root   4096 Aug  8 15:36 .
drwxr-xr-x  4 root root   4096 Aug  8 15:34 ..
-rwxr-xr-x  1 root root    220 Mar 29 19:40 .bash_logout
-rwxr-xr-x  1 root root   3971 Aug  8 08:34 .bashrc
drwxr-xr-x  3 root root   4096 Aug  8 15:36 .cache
drwxr-xr-x  3 root root   4096 May 22 17:30 .config
drwxr-xr-x  2 root root   4096 Aug  8 15:35 .ipython
drwxr-xr-x  3 root root   4096 Aug  8 15:35 .jupyter
drwxr-xr-x  4 root root   4096 Mar 17  2023 .local
drwxr-xr-x 12 root root   4096 Aug  8 08:34 .oh-my-zsh
-rwxr-xr-x  1 root root  95862 Jun 21 11:20 .p10k.zsh
-rwxr-xr-x  1 root root     26 Aug  8 08:34 .populated
-rwxr-xr-x  1 root root    850 Jan 25  2024 .profile
drwxr-xr-x  2 root root   4096 Aug  8 15:34 projects
-rwxr-xr-x  1 root root      0 Aug  8 15:36 test-file
drwxr-xr-x  2 root root   4096 Aug  8 15:36 test-folder
drwxr-xr-x  2 root root   4096 Aug  8 15:34 working
drwxr-xr-x  2 root root   4096 Aug  8 15:34 workspaces
-rwxr-xr-x  1 root root  50755 Aug  8 15:36 .zcompdump-03e37b91b62c-5.9
-rwxr-xr-x  1 root root 117616 Aug  8 15:36 .zcompdump-03e37b91b62c-5.9.zwc
-rwxr-xr-x  1 root root     86 Aug  8 15:36 .zsh_history
-rwxr-xr-x  1 root root   4590 Aug  8 08:34 .zshrc

@bernt-matthias

But I did not notice the following in the terminal running the container

[W 2024-08-08 15:38:13.640 ServerApp] 403 GET /api/events/subscribe (@10.0.2.100) 116.88ms referer=None
[W 2024-08-08 15:38:14.004 LabApp] Could not determine jupyterlab build status without nodejs
[W 2024-08-08 15:38:14.224 ServerApp] Couldn't authenticate WebSocket connection
[W 2024-08-08 15:38:14.226 ServerApp] 403 GET /api/events/subscribe (@10.0.2.100) 11.86ms referer=None
[E 2024-08-08 15:38:14.655 ServerApp] Uncaught exception in write_error
    Traceback (most recent call last):
      File "/usr/local/lib/python3.12/site-packages/tornado/web.py", line 1298, in send_error
        self.write_error(status_code, **kwargs)
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/base/handlers.py", line 741, in write_error
        html = self.render_template("error.html", **ns)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/base/handlers.py", line 667, in render_template
        return template.render(**ns)
               ^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/jinja2/environment.py", line 1304, in render
        self.environment.handle_exception()
      File "/usr/local/lib/python3.12/site-packages/jinja2/environment.py", line 939, in handle_exception
        raise rewrite_traceback_stack(source=source)
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/templates/error.html", line 1, in top-level template code
        {% extends "page.html" %}
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/templates/page.html", line 9, in top-level template code
        {% block favicon %}<link id="favicon" rel="shortcut icon" type="image/x-icon" href="{{ static_url("favicon.ico") }}">
        ^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/templates/page.html", line 9, in block 'favicon'
        {% block favicon %}<link id="favicon" rel="shortcut icon" type="image/x-icon" href="{{ static_url("favicon.ico") }}">
        ^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/jupyter_server/extension/handler.py", line 118, in static_url
        raise Exception(msg) from None
    Exception: This extension doesn't have any static paths listed. Check that the extension's `static_paths` trait is set.

@benz0li
Member Author

benz0li commented Aug 8, 2024

There will be one or the other error message. The question is whether code-server and RStudio work smoothly.

@bernt-matthias

Code server worked. RStudio failed.

@benz0li
Member Author

benz0li commented Aug 9, 2024

Code server worked. RStudio failed.

What does it output/log?

@bernt-matthias

After the link + token is reported the output is:

[I 2024-08-08 20:54:58.846 ServerApp] Skipped non-installed server(s): bash-language-server, dockerfile-language-server-nodejs, javascript-typescript-langserver, jedi-language-server, julia-language-server, pyright, python-language-server, sql-language-server, texlab, typescript-language-server, unified-language-server, vscode-css-languageserver-bin, vscode-html-languageserver-bin, vscode-json-languageserver-bin, yaml-language-server
[W 2024-08-08 20:55:09.487 LabApp] Could not determine jupyterlab build status without nodejs
[E 2024-08-08 20:55:42.250 ServerApp] Uncaught exception GET /rstudio/ (10.0.2.100)
    HTTPServerRequest(protocol='http', host='127.0.0.1:8888', method='GET', uri='/rstudio/', version='HTTP/1.1', remote_ip='10.0.2.100')
    Traceback (most recent call last):
      File "/usr/local/lib/python3.12/site-packages/tornado/web.py", line 1790, in _execute
        result = await result
                 ^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/jupyter_server_proxy/websocket.py", line 101, in get
        return await self.http_get(*args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/jupyter_server_proxy/handlers.py", line 727, in http_get
        return await ensure_async(self.proxy(self.port, path))
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/jupyter_core/utils/__init__.py", line 198, in ensure_async
        result = await obj
                 ^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/jupyter_server_proxy/handlers.py", line 899, in proxy
        await self.ensure_process()
      File "/usr/local/lib/python3.12/site-packages/jupyter_server_proxy/handlers.py", line 891, in ensure_process
        await proc.kill()
      File "/usr/local/lib/python3.12/site-packages/simpervisor/process.py", line 307, in kill
        return await self._signal_and_wait(signum)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.12/site-packages/simpervisor/process.py", line 275, in _signal_and_wait
        self.proc.send_signal(signum)
      File "/usr/local/lib/python3.12/site-packages/simpervisor/process.py", line 59, in send_signal
        self._proc.send_signal(signum)
      File "/usr/local/lib/python3.12/asyncio/subprocess.py", line 140, in send_signal
        self._transport.send_signal(signal)
      File "/usr/local/lib/python3.12/asyncio/base_subprocess.py", line 145, in send_signal
        self._check_proc()
      File "/usr/local/lib/python3.12/asyncio/base_subprocess.py", line 142, in _check_proc
        raise ProcessLookupError()
    ProcessLookupError
[E 2024-08-08 20:55:42.377 ServerApp] {
      "Host": "127.0.0.1:8888",
      "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
      "Referer": "http://127.0.0.1:8888/lab",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
    }
[E 2024-08-08 20:55:42.377 ServerApp] 500 GET /rstudio/ (d02bd556b6c0433e8ecec3c1a6c98f98@10.0.2.100) 15372.30ms referer=http://127.0.0.1:8888/lab
[W 2024-08-08 20:56:30.160 ServerApp] Couldn't authenticate WebSocket connection
[W 2024-08-08 20:56:30.162 ServerApp] 403 GET /api/events/subscribe (@10.0.2.100) 7.34ms referer=None
[W 2024-08-08 20:56:30.639 LabApp] Could not determine jupyterlab build status without nodejs
[W 2024-08-08 20:56:31.341 ServerApp] Couldn't authenticate WebSocket connection
[W 2024-08-08 20:56:31.343 ServerApp] 403 GET /api/events/subscribe (@10.0.2.100) 3.04ms referer=None

@benz0li
Member Author

benz0li commented Aug 9, 2024

RStudio should work once v2024.10 is out and

is merged.

@benz0li
Member Author

benz0li commented Jan 29, 2025

My fault: Seems that I have forgotten the -ti...

podman run --rm \
  --entrypoint /bin/bash \
  -p 8888:8888 \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e JUPYTER_ALLOW_INSECURE_WRITES=true \
  -e NOTEBOOK_ARGS="--allow-root" \
  -ti glcr.b-data.ch/jupyterlab/r/base

@bernt-matthias

This worked (i.e. failed as expected):

Entered start.sh with args:
Running hooks in: /usr/local/bin/start-notebook.d as uid: 0 gid: 0
Sourcing shell script: /usr/local/bin/start-notebook.d/10-populate.sh
Done running hooks in: /usr/local/bin/start-notebook.d
Updated the jovyan user:
- username: jovyan       -> root
- home dir: /home/jovyan -> /home/root
usermod: cannot open /etc/shadow

@benz0li
Member Author

benz0li commented Jan 29, 2025

@bernt-matthias Please check the permissions on /etc/shadow.

I.e. what does ls -al /etc/shadow return?

@benz0li
Member Author

benz0li commented Jan 29, 2025

@bernt-matthias What does lsattr /etc/shadow return?

Cross references:

@bernt-matthias

root@7fdf6734bf28:~# ls -la /etc/shadow
-rw-r----- 1 root nogroup 531 Jan 28 10:15 /etc/shadow
root@7fdf6734bf28:~# lsattr /etc/shadow 
lsattr: Operation not supported While reading flags on /etc/shadow

This could be caused by "Network file system detected as backing store.", isn't it?

Btw. thanks a lot for all the time you invest here.

@benz0li
Member Author

benz0li commented Jan 29, 2025

@bernt-matthias Maybe.

If

sed -i '82,93d' /usr/local/bin/start.sh
start.sh

works from within the container, I might be able to fix this.

Because there is no need to call usermod when starting the container with the triplet -e NB_USER=root -e NB_UID=0 -e NB_GID=0.

@bernt-matthias

Then I have:

Entered start.sh with args:
Running hooks in: /usr/local/bin/start-notebook.d as uid: 0 gid: 0
Sourcing shell script: /usr/local/bin/start-notebook.d/10-populate.sh
Done running hooks in: /usr/local/bin/start-notebook.d
usermod: cannot open /etc/shadow

Just to be sure, here is the diff introduced by the sed command (seems as intended):

83,94d82
<     # Refit the jovyan user to the desired the user (NB_USER)
<     if id jovyan &> /dev/null; then
<         if ! usermod --home "/home/${NB_USER}${DOMAIN:+@$DOMAIN}" --login "${NB_USER}" jovyan 2>&1 | grep "no changes" > /dev/null; then
<             _log "Updated the jovyan user:"
<             _log "- username: jovyan       -> ${NB_USER}"
<             _log "- home dir: /home/jovyan -> /home/${NB_USER}${DOMAIN:+@$DOMAIN}"
<         fi
<     elif ! id -u "${NB_USER}" &> /dev/null; then
<         _log "ERROR: Neither the jovyan user nor '${NB_USER}' exists. This could be the result of stopping and starting, the container with a different NB_USER environment variable."
<         exit 1
<     fi
< 
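
Review bot: the deleted range removes the `elif ! id -u "${NB_USER}"` branch together with the `usermod` call, so the script would no longer log an error and `exit 1` when neither jovyan nor the requested NB_USER exists. For a permanent change, skip only the `usermod --home ... --login` call when the container is started with NB_USER=root, NB_UID=0 and NB_GID=0, and keep the existence check. Separately, `usermod ... 2>&1 | grep "no changes" > /dev/null` sends every other usermod message to grep and treats any output without "no changes" as a successful update, so a failing usermod still logs "Updated the jovyan user:"; checking usermod's exit status before logging would avoid that.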

@benz0li
Member Author

benz0li commented Jan 29, 2025

@bernt-matthias The other (unnecessary) usermod is triggered, too...

Try

sed -i '118,122d' /usr/local/bin/start.sh
sed -i '82,93d' /usr/local/bin/start.sh
start.sh

@bernt-matthias

This seems to solve this issue (running in the next):

root@3387b1c678cd:~# start.sh
Entered start.sh with args:
Running hooks in: /usr/local/bin/start-notebook.d as uid: 0 gid: 0
Sourcing shell script: /usr/local/bin/start-notebook.d/10-populate.sh
Done running hooks in: /usr/local/bin/start-notebook.d
Attempting to copy /home/jovyan to /home/root...
Success!
Changing working directory to /home/root/
Running hooks in: /usr/local/bin/before-notebook.d as uid: 0 gid: 0
Sourcing shell script: /usr/local/bin/before-notebook.d/10-env.sh
TZ is set to Etc/UTC (/etc/localtime and /etc/timezone remain unchanged)
LANG is set to en_US.UTF-8
Sourcing shell script: /usr/local/bin/before-notebook.d/11-home.sh
Sourcing shell script: /usr/local/bin/before-notebook.d/12-r.sh
mkdir: cannot create directory ‘/home/jovyan/R’: Permission denied
root@3387b1c678cd:~# ls -la /home/jovyan/
total 133
drwxr-xr-x  6 nobody nogroup  4096 Jan 28 10:11 .
drwxr-xr-x  4 root   root     4096 Jan 29 12:06 ..
-rw-r--r--  1 nobody nogroup   220 Mar 29  2024 .bash_logout
-rw-r--r--  1 nobody nogroup  3971 Jan 28 10:22 .bashrc
drwxr-xr-x  3 nobody nogroup  4096 Jan 28 10:22 .cache
drwxr-xr-x  3 nobody nogroup  4096 Jan 28 10:11 .config
drwxr-xr-x  4 nobody nogroup  4096 Jan 28 10:11 .local
drwxr-xr-x 13 nobody nogroup  4096 Jan 28 10:22 .oh-my-zsh
-rw-r--r--  1 nobody nogroup 95862 Jan 28 10:11 .p10k.zsh
-rw-rw-rw-  1 nobody nogroup    26 Jan 28 10:22 .populated
-rw-r--r--  1 nobody nogroup   850 Jan 28 10:11 .profile
-rw-r--r--  1 nobody nogroup  4590 Jan 28 10:22 .zshrc

@benz0li
Member Author

benz0li commented Jan 29, 2025

I have created image glcr.b-data.ch/jupyterlab/r/base:test-hpc again.

@bernt-matthias Try

podman run --rm \
  -p 8888:8888 \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e JUPYTER_ALLOW_INSECURE_WRITES=true \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/base:test-hpc

@bernt-matthias

Still

mkdir: cannot create directory ‘/home/jovyan/R’: Permission denied

If I source /usr/local/bin/before-notebook.d/12-r.sh separately I see a bash: run_user_group: command not found.

@benz0li
Member Author

benz0li commented Jan 29, 2025

I found the culprit. Please command

podman pull glcr.b-data.ch/jupyterlab/r/base:test-hpc

and then

podman run --rm \
  -p 8888:8888 \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e JUPYTER_ALLOW_INSECURE_WRITES=true \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/base:test-hpc

@bernt-matthias

This solved the error and fails now at:

Sourcing shell script: /usr/local/bin/before-notebook.d/50-rstudio.sh
/usr/local/bin/before-notebook.d/50-rstudio.sh: line 10: /usr/local/lib/R/etc/Renviron.site: Permission denied
root@d10fa83afb13:~# ls -la /usr/local/lib/R/etc/Renviron.site
-rw-rw-r-- 1 root nogroup 21 Oct 31 10:38 /usr/local/lib/R/etc/Renviron.site

@benz0li
Member Author

benz0li commented Jan 29, 2025

This solved the error and fails now at:

Sourcing shell script: /usr/local/bin/before-notebook.d/50-rstudio.sh
/usr/local/bin/before-notebook.d/50-rstudio.sh: line 10: /usr/local/lib/R/etc/Renviron.site: Permission denied
root@d10fa83afb13:~# ls -la /usr/local/lib/R/etc/Renviron.site
-rw-rw-r-- 1 root nogroup 21 Oct 31 10:38 /usr/local/lib/R/etc/Renviron.site

@bernt-matthias root should have read-write permission on this file.

What does

id
ls -aln $HOME
ls -aln /usr/local/lib/R/etc/Renviron.site

return?

@benz0li
Member Author

benz0li commented Jan 29, 2025

I could chmod go+w at

&& chmod g+w "$(R RHOME)/etc" "$(R RHOME)/etc/"*.site \

but chmod g+w is also used at other places.

@bernt-matthias

root@d5e50f5a588d:~# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

root@d5e50f5a588d:~# ls -aln $HOME
total 133
drwxr-xr-x  6 65534 65534  4096 Jan 25  2024 .
drwxr-xr-x  3     0     0  4096 Jan 29 11:58 ..
-rw-r--r--  1 65534 65534   220 Mar 29  2024 .bash_logout
-rw-r--r--  1 65534 65534  3971 Jan 29 12:08 .bashrc
drwxr-xr-x  3 65534 65534  4096 Jan 29 12:08 .cache
drwxr-xr-x  3 65534 65534  4096 May 22  2024 .config
drwxr-xr-x  4 65534 65534  4096 Mar 17  2023 .local
drwxr-xr-x 13 65534 65534  4096 Jan 29 12:08 .oh-my-zsh
-rw-r--r--  1 65534 65534 95862 Jun 21  2024 .p10k.zsh
-rw-rw-rw-  1 65534 65534    26 Jan 29 12:08 .populated
-rw-r--r--  1 65534 65534   850 Jan 25  2024 .profile
-rw-r--r--  1 65534 65534  4590 Jan 29 12:08 .zshrc

root@d5e50f5a588d:~# ls -aln /usr/local/lib/R/etc/Renviron.site
-rw-rw-r-- 1 0 65534 21 Oct 31 10:38 /usr/local/lib/R/etc/Renviron.site

Oddly writing to /usr/local/lib/R/etc/repositories which has group root seems to work... which should not even matter since the group has no write permission

-rw-r--r--  1 root root    1173 Oct 31 10:38 repositories
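
The errors earlier in the thread (`cannot setresgid to 100: Invalid argument`, `setresuid(-1, 1, -1): Invalid argument`) and the 65534 owners in this listing can be checked against the container's user-namespace ID maps. The following is an added example, not from the thread or the project; it assumes those symptoms come from IDs that have no mapping in the namespace, which the thread does not confirm, and the function names and sample maps are constructed.

```sh
#!/bin/sh
# Added example: not from the thread or the image's start scripts.
# Assumption: the EINVAL errors and the 65534 owners come from unmapped IDs.
#
# Each line of /proc/<pid>/uid_map and /proc/<pid>/gid_map reads
#   <first ID inside the namespace> <first ID outside> <range length>
# An ID outside every range cannot be passed to setresuid/setresgid (the
# kernel returns EINVAL), and files owned by an unmapped ID show up as the
# overflow ID 65534 (nobody/nogroup).

# Constructed sample: only the invoking user is mapped, to root.
single_id_map() { printf '%s\n' '0 12345 1'; }

# Constructed sample: the same, plus a subordinate range for IDs 1..65536.
ranged_map() { printf '%s\n' '0 12345 1' '1 165536 65536'; }

# id_is_mapped ID: read a map on stdin; succeed if ID lies in any range.
id_is_mapped() {
  awk -v id="$1" '
    NF == 3 && id >= $1 && id < $1 + $3 { found = 1 }
    END { exit !found }'
}

# unmapped_ids MAPFILE ID...: print the IDs that MAPFILE does not cover.
unmapped_ids() (
  map=$1
  shift
  for id in "$@"; do
    id_is_mapped "$id" < "$map" || printf '%s\n' "$id"
  done
)

# report MAPFILE LABEL ID...: one summary line for the given IDs.
report() (
  map=$1
  label=$2
  shift 2
  missing=$(unmapped_ids "$map" "$@" | tr '\n' ' ')
  if [ -n "$missing" ]; then
    printf '%s: no mapping for %s\n' "$label" "$missing"
  else
    printf '%s: %s all mapped\n' "$label" "$*"
  fi
)

# Demo: check the IDs that appear in the thread's error messages against
# the maps of the current process (run this inside the container).
# uid 1 is the ID sudo passed to setresuid, gid 100 the one crun passed
# to setresgid.
for kind in uid gid; do
  map=/proc/self/${kind}_map
  [ -r "$map" ] || continue
  case $kind in
    uid) report "$map" "$kind" 0 1 ;;
    gid) report "$map" "$kind" 0 100 ;;
  esac
done
```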

@benz0li
Member Author

benz0li commented Jan 29, 2025

ls -aln $HOME seems to be ls -aln /home/jovyan.

What does ls -aln /home/root return?

@bernt-matthias

ls -aln $HOME seems to be ls -aln /home/jovyan.

Indeed. $HOME is /home/jovyan

What does ls -aln /home/root return?

Does not exist, it's /root

root@afd6ae1aa989:~# ls -aln /home/root
ls: cannot access '/home/root': No such file or directory
root@afd6ae1aa989:~# ls -aln /root
total 2
drwx------  2 0 0 4096 Jan 29 12:08 .
drwx------ 17 0 0 4096 Jan 29 16:23 ..
-rw-r--r--  1 0 0  571 Apr 10  2021 .bashrc
-rw-r--r--  1 0 0  161 Jul  9  2019 .profile

benz0li added a commit that referenced this issue Jan 31, 2025
- Do not add to default group when run with rootless triplet
- #5
benz0li added a commit that referenced this issue Jan 31, 2025
- Set HOME="/home/root" when run with rootless triplet
- #5
@benz0li
Member Author

benz0li commented Jan 31, 2025

Closed in favour of containers/podman#25177.

@benz0li benz0li closed this as completed Jan 31, 2025
@bernt-matthias

bernt-matthias commented Feb 4, 2025

With the fixed configuration (see) the following command was now successful:

podman run --rm \
  -p 8888:8888 \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e JUPYTER_ALLOW_INSECURE_WRITES=true \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/base

@benz0li benz0li unpinned this issue Feb 4, 2025
@benz0li
Member Author

benz0li commented Feb 5, 2025

@bernt-matthias What about #5 (comment), i.e. not being able to start RStudio. Does it work now?
jupyter-rsession-proxy is now configured to communicate with RStudio via unix socket.

@bernt-matthias

@bernt-matthias What about #5 (comment), i.e. not being able to start RStudio. Does it work now? ℹ jupyter-rsession-proxy is now configured to communicate with RStudio via unix socket.

Sorry for the delay. Had technical difficulties to get a browser running on the machine.

Everything -- including RStudio and VSCode -- runs now with

podman run --rm \
  -p 8888:8888 \
  -u root \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  -e JUPYTER_ALLOW_INSECURE_WRITES=true \
  -e NOTEBOOK_ARGS="--allow-root" \
  glcr.b-data.ch/jupyterlab/r/base

@benz0li
Member Author

benz0li commented Feb 10, 2025

Everything -- including RStudio and VSCode -- runs now

This is great news! Thank you for confirming.
