Getting docker running in spawned user container #3

Closed
Analect opened this issue Jan 3, 2024 · 7 comments

Analect commented Jan 3, 2024

@benz0li .. thanks for your efforts with these resources.

I am running up a user container using your glcr.b-data.ch/jupyterlab/r/verse:4.3.2-devtools-docker-root-linux-amd64 image. This looked like it was going to give me access to a running docker capability for user jovyan. While the docker executable is installed, I am getting "Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?". I tried some of the obvious fixes like:

docker exec -it <spawned-user-container> /bin/sh # to enable root access to the container
# then from within the container
sudo groupadd docker
sudo usermod -aG docker jovyan

However, this doesn't appear to fix it. Any suggestions, if indeed this is possible? Thanks.

benz0li self-assigned this Jan 3, 2024
benz0li added the help wanted label Jan 3, 2024
Member

benz0li commented Jan 3, 2024

There is just docker-ce-cli, docker-buildx-plugin, docker-compose-plugin (and docker-scan-plugin, amd64 only) installed – no Docker container engine (i.e. docker-ce):

docker-ce-cli \
docker-buildx-plugin \
docker-compose-plugin \
"$(test "$dpkgArch" = "amd64" && echo docker-scan-plugin)" \


One option is to run the container in rootless mode and use the host's Docker engine.

docker run -it --rm \
  -p 8888:8888 \
  -u root \
  -v "${PWD}/jupyterlab-root":/home/root \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e NB_USER=root \
  -e NB_UID=0 \
  -e NB_GID=0 \
  glcr.b-data.ch/jupyterlab/r/verse:4.3.2-devtools-docker start-notebook.sh --allow-root

There are also other options.

Author

Analect commented Jan 3, 2024

@benz0li. Thanks for the info. So I'm using your deployment set-up per https://gitlab.com/b-data/docker/deployments/jupyter ... is there a setting for jupyterhub_config.py that would allow me to achieve this?

A quick search on GitHub ... https://github.com/UCSC-Treehouse/hub/blob/master/jupyterhub_config.py#L18 ... would suggest that maybe it's possible to use the gitlab spawner to attach volumes, akin to what you are doing on the command-line above. Does the user have to run as root, or could the default jovyan user be accommodated?

Author

Analect commented Jan 3, 2024

Just as an update, I modified the jupyterhub_config.py as follows:

c.Spawner.volumes = { 'jupyterhub-user-{username}': notebook_dir, '/var/run/docker.sock': '/var/run/docker.sock'}

Then I performed these steps manually, so I could get docker working with jovyan. Ideally, I would capture those steps as part of the jupyterhub_config.py too.

docker exec -it <spawned-container> /bin/bash
# this inserts me in the container as root automatically
sudo groupadd docker
sudo usermod -aG docker jovyan
sudo chmod 666 /var/run/docker.sock

This allowed me to piggy-back off the docker installation on the host machine.

Member

benz0li commented Jan 6, 2024

(Don't touch /var/run/docker.sock)

> Does the user have to run as root, or could the default jovyan user be accommodated?

In this case you should use the -root image and go for jovyan with passwordless sudo capabilities:

docker run -it --rm \
  -p 8888:8888 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e GRANT_SUDO=yes \
  glcr.b-data.ch/jupyterlab/r/verse:4.3.2-devtools-docker-root

jupyterhub_config.py:

c.Spawner.environment = {
    'GRANT_SUDO': 'yes'
}

If you do not want to type sudo docker every time, add the line

alias docker="sudo docker"

to file ~/.zshrc.

Member

benz0li commented Jan 6, 2024

I strongly advise against using this method on a multi-user JupyterHub server because it enables root access to the host.
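
An added example, not part of the thread or of b-data's code: a Python audit of `docker inspect` JSON that flags the configurations discussed above, where the host's Docker socket is bind-mounted into a notebook container that runs as root or with GRANT_SUDO=yes. The container names and sample records are constructed, and the finding labels are hypothetical.

```python
import json

# Host paths of the Docker engine socket (/var/run is usually a symlink to /run).
SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

def audit_container(spec):
    """Return findings for one record from `docker inspect` output."""
    host_cfg = spec.get("HostConfig") or {}
    config = spec.get("Config") or {}
    # Bind sources: Mounts entries plus HostConfig.Binds ("src:dst[:mode]").
    sources = {m.get("Source") for m in spec.get("Mounts") or []
               if m.get("Type") == "bind"}
    sources |= {b.split(":")[0] for b in host_cfg.get("Binds") or []}
    env = dict(e.split("=", 1) for e in config.get("Env") or [] if "=" in e)
    user = (config.get("User") or "").split(":")[0]  # "" = image default
    findings = []
    if sources & SOCKETS:
        findings.append("host-docker-socket-mounted")
        if user in ("root", "0"):
            findings.append("socket-reachable-as-root")
        if env.get("GRANT_SUDO") == "yes":
            findings.append("socket-reachable-via-sudo")
    if host_cfg.get("Privileged"):
        findings.append("privileged")
    return findings

def audit(inspect_json):
    """Map container name -> findings for a `docker inspect` JSON array."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in json.loads(inspect_json)}

def _c(name, user, env, binds):  # helper building a constructed record
    return {"Name": "/" + name, "Config": {"User": user, "Env": env},
            "HostConfig": {"Privileged": False, "Binds": binds}}

SOCK = "/var/run/docker.sock:/var/run/docker.sock"
# Constructed sample, not real output: the two socket-mount variants from the
# thread and a container that only has a named home volume.
SAMPLE = json.dumps([
    _c("jupyter-root", "root", ["NB_USER=root", "NB_UID=0"], [SOCK]),
    _c("jupyter-sudo", "", ["GRANT_SUDO=yes"], [SOCK]),
    _c("jupyter-plain", "", [], ["jupyterhub-user-alice:/home/jovyan"]),
])

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(f"{name}: {', '.join(found) or 'no findings'}")
```

On a real host the input would be the JSON array printed by `docker inspect` for the spawned user containers.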

benz0li closed this as completed Jan 6, 2024
Author

Analect commented Jan 6, 2024

@benz0li .. thanks for follow-up. I'll keep that in mind.

Member

benz0li commented Feb 4, 2025

With b-data's/my JupyterLab docker stacks[1], I prefer using a docker:dind container.

.env:

NB_USER=benz0li

docker-compose.yml:

name: jupyter

services:
  docker:
    image: docker:dind
    hostname: docker
    restart: always
    networks:
      - jupyter
    volumes:
      - docker-certs:/var/tmp/docker/certs
      - docker-data:/var/lib/docker
      - ./home:/home
    environment:
      - HOME=/home/${NB_USER}
      - DOCKER_TLS_CERTDIR=/var/tmp/docker/certs
    privileged: true

  jupyterlab:
    image: glcr.b-data.ch/jupyterlab/python/scipy:latest-docker
    restart: always
    ports:
      - "127.0.0.1:8888:8888"
    networks:
      - jupyter
    volumes:
      - docker-certs:/var/tmp/docker/certs
      - ./home:/home
    environment:
      - DOCKER_HOST=tcp://docker:2376
      - DOCKER_CERT_PATH=/var/tmp/docker/certs/client
      - DOCKER_TLS_VERIFY=1
      - NB_USER=${NB_USER}
      - NOTEBOOK_ARGS=--LabApp.token=''
    user: root

networks:
  jupyter:
    external: true

volumes:
  docker-certs:
  docker-data:

Then, execute

docker network create jupyter
docker compose up -d

and access on http://127.0.0.1:8888.

Originally posted by @benz0li in jupyter/docker-stacks#2137 (comment)

Footnotes

  1. subtag docker: includes docker-ce-cli, docker-buildx-plugin, docker-compose-plugin and docker-scan-plugin (amd64 only)
