/
dockerspawner.py
1522 lines (1273 loc) · 49.9 KB
/
dockerspawner.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
"""
A Spawner for JupyterHub that runs each user's server in a separate docker container
"""
import asyncio
import inspect
import os
import string
import warnings
from concurrent.futures import ThreadPoolExecutor
from functools import partial
from io import BytesIO
from pprint import pformat
from tarfile import TarFile, TarInfo
from textwrap import dedent, indent
from urllib.parse import urlparse
import docker
from docker.errors import APIError
from docker.types import Mount
from docker.utils import kwargs_from_env
from escapism import escape
from jupyterhub.spawner import Spawner
from jupyterhub.traitlets import ByteSpecification, Callable
from tornado import web
from traitlets import (
Any,
Bool,
CaselessStrEnum,
Dict,
Float,
Int,
List,
Unicode,
Union,
default,
observe,
validate,
)
from .volumenamingstrategy import default_format_volume_name
class UnicodeOrFalse(Unicode):
info_text = "a unicode string or False"
def validate(self, obj, value):
if value is False:
return value
return super().validate(obj, value)
import jupyterhub
_jupyterhub_xy = "%i.%i" % (jupyterhub.version_info[:2])
def _deep_merge(dest, src):
"""Merge dict `src` into `dest`, recursively
Modifies `dest` in-place, returns dest
"""
for key, value in src.items():
if key in dest:
dest_value = dest[key]
if isinstance(dest_value, dict) and isinstance(value, dict):
dest[key] = _deep_merge(dest_value, value)
else:
dest[key] = value
else:
dest[key] = value
return dest
class DockerSpawner(Spawner):
"""A Spawner for JupyterHub that runs each user's server in a separate docker container"""
def _eval_if_callable(self, x):
"""Evaluate x if it is callable
Or return x otherwise
"""
if callable(x):
return x(self)
return x
_executor = None
_deprecated_aliases = {
"container_ip": ("host_ip", "0.9.*"),
"container_port": ("port", "0.9.*"),
"container_image": ("image", "0.9.*"),
"container_prefix": ("prefix", "0.10.0"),
"container_name_template": ("name_template", "0.10.0*"),
"remove_containers": ("remove", "0.10.0"),
"image_whitelist": ("allowed_images", "12.0"),
}
@observe(*list(_deprecated_aliases))
def _deprecated_trait(self, change):
"""observer for deprecated traits"""
old_attr = change.name
new_attr, version = self._deprecated_aliases.get(old_attr)
new_value = getattr(self, new_attr)
if new_value != change.new:
# only warn if different
# protects backward-compatible config from warnings
# if they set the same value under both names
self.log.warning(
"{cls}.{old} is deprecated in DockerSpawner {version}, use {cls}.{new} instead".format(
cls=self.__class__.__name__,
old=old_attr,
new=new_attr,
version=version,
)
)
setattr(self, new_attr, change.new)
@property
def executor(self):
"""single global executor"""
cls = self.__class__
if cls._executor is None:
cls._executor = ThreadPoolExecutor(1)
return cls._executor
_client = None
@property
def client(self):
"""single global client instance"""
cls = self.__class__
if cls._client is None:
kwargs = {"version": "auto"}
if self.tls_config:
kwargs["tls"] = docker.tls.TLSConfig(**self.tls_config)
kwargs.update(kwargs_from_env())
kwargs.update(self.client_kwargs)
client = docker.APIClient(**kwargs)
cls._client = client
return cls._client
@default("cmd")
def _default_cmd(self):
# no default means use the image command
return None
object_id = Unicode()
# the type of object we create
object_type = "container"
# the field containing the object id
object_id_key = "Id"
@property
def container_id(self):
"""alias for object_id"""
return self.object_id
@property
def container_name(self):
"""alias for object_name"""
return self.object_name
# deprecate misleading container_ip, since
# it is not the ip in the container,
# but the host ip of the port forwarded to the container
# when use_internal_ip is False
container_ip = Unicode(
"127.0.0.1", help="Deprecated, use ``DockerSpawner.host_ip``", config=True
)
host_ip = Unicode(
"127.0.0.1",
help="""The ip address on the host on which to expose the container's port
Typically 127.0.0.1, but can be public interfaces as well
in cases where the Hub and/or proxy are on different machines
from the user containers.
Only used when ``use_internal_ip = False``.
""",
config=True,
)
@default('host_ip')
def _default_host_ip(self):
docker_host = os.getenv('DOCKER_HOST')
if docker_host:
urlinfo = urlparse(docker_host)
if urlinfo.scheme == 'tcp':
return urlinfo.hostname
return '127.0.0.1'
# unlike container_ip, container_port is the internal port
# on which the server is bound.
container_port = Int(
8888,
min=1,
max=65535,
help="Deprecated, use ``DockerSpawner.port``.",
config=True,
)
# fix default port to 8888, used in the container
@default("port")
def _port_default(self):
return 8888
# default to listening on all-interfaces in the container
@default("ip")
def _ip_default(self):
return "0.0.0.0"
container_image = Unicode(
"quay.io/jupyterhub/singleuser:%s" % _jupyterhub_xy,
help="Deprecated, use ``DockerSpawner.image``.",
config=True,
)
image = Unicode(
"quay.io/jupyterhub/singleuser:%s" % _jupyterhub_xy,
config=True,
help="""The image to use for single-user servers.
This image should have the same version of jupyterhub as
the Hub itself installed.
If the default command of the image does not launch
jupyterhub-singleuser, set ``c.Spawner.cmd`` to
launch jupyterhub-singleuser, e.g.
Any of the jupyter docker-stacks should work without additional config,
as long as the version of jupyterhub in the image is compatible.
""",
)
image_whitelist = Union(
[Any(), Dict(), List()],
help="Deprecated, use ``DockerSpawner.allowed_images``.",
config=True,
)
allowed_images = Union(
[Any(), Dict(), List()],
default_value={},
config=True,
help="""
List or dict of images that users can run.
If specified, users will be presented with a form
from which they can select an image to run.
If a dictionary, the keys will be the options presented to users
and the values the actual images that will be launched.
If a list, will be cast to a dictionary where keys and values are the same
(i.e. a shortcut for presenting the actual images directly to users).
If a callable, will be called with the Spawner instance as its only argument.
The user is accessible as spawner.user.
The callable should return a dict or list or None as above.
If empty (default), the value from ``image`` is used and
any attempt to specify the image via user_options will result in an error.
.. versionchanged:: 13
Empty allowed_images means no user-specified images are allowed.
This is the default.
Prior to 13, restricting to single image required a length-1 list,
e.g. ``allowed_images = [image]``.
.. versionadded:: 13
To allow any image, specify ``allowed_images = "*"``.
.. versionchanged:: 12.0
``DockerSpawner.image_whitelist`` renamed to ``allowed_images``
""",
)
@validate('allowed_images')
def _validate_allowed_images(self, proposal):
"""cast allowed_images to a dict
If passing a list, cast it to a {item:item}
dict where the keys and values are the same.
"""
allowed_images = proposal["value"]
if isinstance(allowed_images, str):
if allowed_images != "*":
raise ValueError(
f"'*' (all images) is the only accepted string value for allowed_images, got {allowed_images!r}. Use a list: `[{allowed_images!r}]` if you want to allow just one image."
)
elif isinstance(allowed_images, list):
allowed_images = {item: item for item in allowed_images}
return allowed_images
def _get_allowed_images(self):
"""Evaluate allowed_images callable
Always returns a dict or None
"""
if callable(self.allowed_images):
allowed_images = self.allowed_images(self)
return self._validate_allowed_images({"value": allowed_images})
return self.allowed_images
@default('options_form')
def _default_options_form(self):
allowed_images = self._get_allowed_images()
if allowed_images == "*" or len(allowed_images) <= 1:
# default form only when there are images to choose from
return ''
# form derived from wrapspawner.ProfileSpawner
option_t = '<option value="{image}" {selected}>{image}</option>'
options = [
option_t.format(
image=image, selected='selected' if image == self.image else ''
)
for image in allowed_images
]
return """
<label for="image">Select an image:</label>
<select class="form-control" name="image" required autofocus>
{options}
</select>
""".format(
options=options
)
def options_from_form(self, formdata):
"""Turn options formdata into user_options"""
options = {}
if 'image' in formdata:
options['image'] = formdata['image'][0]
return options
pull_policy = CaselessStrEnum(
["always", "ifnotpresent", "never", "skip"],
default_value="ifnotpresent",
config=True,
help="""The policy for pulling the user docker image.
Choices:
- ifnotpresent: pull if the image is not already present (default)
- always: always pull the image to check for updates,
even if it is present
- never: never perform a pull, raise if image is not present
- skip: never perform a pull, skip the step entirely
(like never, but without raising when images are not present;
default for swarm)
.. versionadded: 12.0
'skip' option added. It is the default for swarm
because pre-pulling images on swarm clusters
doesn't make sense since the container is likely not
going to run on the same node where the image was pulled.
""",
)
container_prefix = Unicode(
config=True, help="Deprecated, use ``DockerSpawner.prefix``."
)
container_name_template = Unicode(
config=True, help="Deprecated, use ``DockerSpawner.name_template``."
)
prefix = Unicode(
"jupyter",
config=True,
help=dedent(
"""
Prefix for container names. See name_template for full container name for a particular
user's server.
"""
),
)
name_template = Unicode(
config=True,
help=dedent(
"""
Name of the container or service: with {username}, {imagename}, {prefix}, {servername} replacements.
{raw_username} can be used for the original, not escaped username
(may contain uppercase, special characters).
It is important to include {servername} if JupyterHub's "named
servers" are enabled (``JupyterHub.allow_named_servers = True``).
If the server is named, the default name_template is
"{prefix}-{username}--{servername}". If it is unnamed, the default
name_template is "{prefix}-{username}".
Note: when using named servers,
it is important that the separator between {username} and {servername}
is not a character that can occur in an escaped {username},
and also not the single escape character '-'.
"""
),
)
@default('name_template')
def _default_name_template(self):
if self.name:
return "{prefix}-{username}--{servername}"
else:
return "{prefix}-{username}"
client_kwargs = Dict(
config=True,
help="Extra keyword arguments to pass to the docker.Client constructor.",
)
volumes = Dict(
config=True,
help=dedent(
"""
Map from host file/directory to container (guest) file/directory
mount point and (optionally) a mode. When specifying the
guest mount point (bind) for the volume, you may use a
dict or str. If a str, then the volume will default to a
read-write (mode="rw"). With a dict, the bind is
identified by "bind" and the "mode" may be one of "rw"
(default), "ro" (read-only), "z" (public/shared SELinux
volume label), and "Z" (private/unshared SELinux volume
label).
If format_volume_name is not set,
default_format_volume_name is used for naming volumes.
In this case, if you use {username} in either the host or guest
file/directory path, it will be replaced with the current
user's name.
"""
),
)
mounts = List(
config=True,
help=dedent(
"""
List of dict with keys to match docker.types.Mount for more advanced
configuration of mouted volumes. As with volumes, if the default
format_volume_name is in use, you can use {username} in the source or
target paths, and it will be replaced with the current user's name.
"""
),
)
move_certs_image = Unicode(
"busybox:1.30.1",
config=True,
help="""The image used to stage internal SSL certificates.
Busybox is used because we just need an empty container
that waits while we stage files into the volume via .put_archive.
""",
)
async def move_certs(self, paths):
self.log.info("Staging internal ssl certs for %s", self._log_name)
await self.pull_image(self.move_certs_image)
# create the volume
volume_name = self.format_volume_name(self.certs_volume_name, self)
# create volume passes even if it already exists
self.log.info("Creating ssl volume %s for %s", volume_name, self._log_name)
await self.docker('create_volume', volume_name)
# create a tar archive of the internal cert files
# docker.put_archive takes a tarfile and a running container
# and unpacks the archive into the container
nb_paths = {}
tar_buf = BytesIO()
archive = TarFile(fileobj=tar_buf, mode='w')
for key, hub_path in paths.items():
fname = os.path.basename(hub_path)
nb_paths[key] = '/certs/' + fname
with open(hub_path, 'rb') as f:
content = f.read()
tarinfo = TarInfo(name=fname)
tarinfo.size = len(content)
tarinfo.mtime = os.stat(hub_path).st_mtime
tarinfo.mode = 0o644
archive.addfile(tarinfo, BytesIO(content))
archive.close()
tar_buf.seek(0)
# run a container to stage the certs,
# mounting the volume at /certs/
host_config = self.client.create_host_config(
binds={
volume_name: {"bind": "/certs", "mode": "rw"},
},
)
container = await self.docker(
'create_container',
self.move_certs_image,
volumes=["/certs"],
host_config=host_config,
)
container_id = container['Id']
self.log.debug(
"Container %s is creating ssl certs for %s",
container_id[:12],
self._log_name,
)
# start the container
await self.docker('start', container_id)
# stage the archive to the container
try:
await self.docker(
'put_archive',
container=container_id,
path='/certs',
data=tar_buf,
)
finally:
await self.docker('remove_container', container_id)
return nb_paths
certs_volume_name = Unicode(
"{prefix}ssl-{username}",
config=True,
help="""Volume name
The same string-templating applies to this
as other volume names.
""",
)
read_only_volumes = Dict(
config=True,
help=dedent(
"""
Map from host file/directory to container file/directory.
Volumes specified here will be read-only in the container.
If format_volume_name is not set,
default_format_volume_name is used for naming volumes.
In this case, if you use {username} in either the host or guest
file/directory path, it will be replaced with the current
user's name.
"""
),
)
format_volume_name = Any(
help="""Any callable that accepts a string template and a DockerSpawner instance as parameters in that order and returns a string.
Reusable implementations should go in dockerspawner.VolumeNamingStrategy, tests should go in ...
"""
).tag(config=True)
@default("format_volume_name")
def _get_default_format_volume_name(self):
return default_format_volume_name
use_docker_client_env = Bool(
True,
config=True,
help="Deprecated. Docker env variables are always used if present.",
)
@observe("use_docker_client_env")
def _client_env_changed(self):
self.log.warning(
"DockerSpawner.use_docker_client_env is deprecated and ignored."
" Docker environment variables are always used if defined."
)
tls_config = Dict(
config=True,
help="""Arguments to pass to docker TLS configuration.
See docker.client.TLSConfig constructor for options.
""",
)
tls = tls_verify = tls_ca = tls_cert = tls_key = tls_assert_hostname = Any(
config=True,
help="""Deprecated, use ``DockerSpawner.tls_config`` dict to set any TLS options.""",
)
@observe(
"tls", "tls_verify", "tls_ca", "tls_cert", "tls_key", "tls_assert_hostname"
)
def _tls_changed(self, change):
self.log.warning(
"%s config ignored, use %s.tls_config dict to set full TLS configuration.",
change.name,
self.__class__.__name__,
)
remove_containers = Bool(
False, config=True, help="Deprecated, use ``DockerSpawner.remove``."
)
remove = Bool(
False,
config=True,
help="""
If ``True``, delete containers when servers are stopped.
This will destroy any data in the container not stored in mounted volumes.
""",
)
@property
def will_resume(self):
# indicate that we will resume,
# so JupyterHub >= 0.7.1 won't cleanup our API token
return not self.remove
extra_create_kwargs = Union(
[Callable(), Dict()],
config=True,
help="""Additional args to pass for container create
For example, to change the user the container is started as::
c.DockerSpawner.extra_create_kwargs = {
"user": "root" # Can also be an integer UID
}
The above is equivalent to ``docker run --user root``.
If a callable, will be called with the Spawner as the only argument,
must return the same dictionary structure, and may be async.
.. versionchanged:: 13
Added callable support.
""",
)
extra_host_config = Union(
[Callable(), Dict()],
config=True,
help="""
Additional args to create_host_config for container create.
If a callable, will be called with the Spawner as the only argument,
must return the same dictionary structure, and may be async.
.. versionchanged:: 13
Added callable support.
""",
)
escape = Any(
help="""Override escaping with any callable of the form escape(str)->str
This is used to ensure docker-safe container names, etc.
The default escaping should ensure safety and validity,
but can produce cumbersome strings in cases.
Set c.DockerSpawner.escape = 'legacy' to preserve the earlier, unsafe behavior
if it worked for you.
.. versionadded:: 12.0
.. versionchanged:: 12.0
Escaping has changed in 12.0 to ensure safety,
but existing deployments will get different container and volume names.
""",
config=True,
)
@default("escape")
def _escape_default(self):
return self._escape
@validate("escape")
def _validate_escape(self, proposal):
escape = proposal.value
if escape == "legacy":
return self._legacy_escape
if not callable(escape):
raise ValueError("DockerSpawner.escape must be callable, got %r" % escape)
return escape
@staticmethod
def _escape(text):
# Make sure a substring matches the restrictions for DNS labels
# Note: '-' cannot be in safe_chars, as it is being used as escape character
# any '-' must be escaped to '-2d' to avoid collisions
safe_chars = set(string.ascii_lowercase + string.digits)
return escape(text, safe_chars, escape_char='-').lower()
@staticmethod
def _legacy_escape(text):
"""Legacy implementation of escape
Select with config c.DockerSpawner.escape = 'legacy'
Unsafe and doesn't work in all cases,
but allows opt-in to backward compatibility for an upgrading deployment.
Do not use for new deployments.
"""
safe_chars = set(string.ascii_letters + string.digits + "-")
return escape(text, safe_chars, escape_char='_')
hub_ip_connect = Unicode(
config=True,
help="DEPRECATED since JupyterHub 0.8. Use c.JupyterHub.hub_connect_ip.",
)
@observe("hub_ip_connect")
def _ip_connect_changed(self, change):
self.log.warning(
f"Ignoring DockerSpawner.hub_ip_connect={change.new!r}, which has ben deprected since JupyterHub 0.8. Use c.JupyterHub.hub_connect_ip instead."
)
use_internal_ip = Bool(
False,
config=True,
help=dedent(
"""
Enable the usage of the internal docker ip. This is useful if you are running
jupyterhub (as a container) and the user containers within the same docker network.
E.g. by mounting the docker socket of the host into the jupyterhub container.
Default is ``True`` if using a docker network, ``False`` if bridge or host networking is used.
"""
),
)
@default("use_internal_ip")
def _default_use_ip(self):
# setting network_name to something other than bridge or host implies use_internal_ip
if self.network_name not in {"bridge", "host"}:
return True
else:
return False
use_internal_hostname = Bool(
False,
config=True,
help=dedent(
"""
Use the docker hostname for connecting.
instead of an IP address.
This should work in general when using docker networks,
and must be used when internal_ssl is enabled.
It is enabled by default if internal_ssl is enabled.
"""
),
)
@default("use_internal_hostname")
def _default_use_hostname(self):
# FIXME: replace getattr with self.internal_ssl
# when minimum jupyterhub is 1.0
return getattr(self, 'internal_ssl', False)
links = Dict(
config=True,
help=dedent(
"""
Specify docker link mapping to add to the container, e.g.
links = {'jupyterhub': 'jupyterhub'}
If the Hub is running in a Docker container,
this can simplify routing because all traffic will be using docker hostnames.
"""
),
)
network_name = Unicode(
"bridge",
config=True,
help=dedent(
"""
Run the containers on this docker network.
If it is an internal docker network, the Hub should be on the same network,
as internal docker IP addresses will be used.
For bridge networking, external ports will be bound.
"""
),
)
post_start_cmd = UnicodeOrFalse(
False,
config=True,
help="""If specified, the command will be executed inside the container
after starting.
Similar to using 'docker exec'
""",
)
async def post_start_exec(self):
"""
Execute additional command inside the container after starting it.
e.g. calling 'docker exec'
"""
container = await self.get_object()
container_id = container[self.object_id_key]
exec_kwargs = {'cmd': self.post_start_cmd, 'container': container_id}
self.log.debug(
f"Running post_start exec in {self.object_name}: {self.post_start_cmd}"
)
exec_id = await self.docker("exec_create", **exec_kwargs)
stdout, stderr = await self.docker("exec_start", exec_id=exec_id, demux=True)
# docker-py uses None for empty output instead of empty bytestring
if stdout is None:
stdout = b''
# stderr is usually None instead of empty b''
# this includes error conditions like "OCI runtime exec failed..."
# but also most successful runs
if stderr is None:
# crude check for "OCI runtime exec failed: ..."
# switch message to stderr instead of stdout for warning-level output
if b'exec failed' in stdout:
stderr = stdout
stdout = b''
else:
stderr = b''
for name, stream, level in [
("stdout", stdout, "debug"),
("stderr", stderr, "warning"),
]:
output = stream.decode("utf8", "replace").strip()
if not output:
continue
if '\n' in output:
# if multi-line, wrap to new line and indent
output = '\n' + output
output = indent(output, " ")
log = getattr(self.log, level)
log(f"post_start {name} in {self.object_name}: {output}")
@property
def tls_client(self):
"""A tuple consisting of the TLS client certificate and key if they
have been provided, otherwise None.
"""
if self.tls_cert and self.tls_key:
return (self.tls_cert, self.tls_key)
return None
@property
def volume_mount_points(self):
"""
Volumes are declared in docker-py in two stages. First, you declare
all the locations where you're going to mount volumes when you call
create_container.
Returns a sorted list of all the values in self.volumes or
self.read_only_volumes.
"""
return sorted([value["bind"] for value in self.volume_binds.values()])
@property
def volume_binds(self):
"""
The second half of declaring a volume with docker-py happens when you
actually call start(). The required format is a dict of dicts that
looks like::
{
host_location: {'bind': container_location, 'mode': 'rw'}
}
Mode may be 'ro', 'rw', 'z', or 'Z'.
"""
binds = self._volumes_to_binds(self.volumes, {})
read_only_volumes = {}
# FIXME: replace getattr with self.internal_ssl
# when minimum jupyterhub is 1.0
if getattr(self, 'internal_ssl', False):
# add SSL volume as read-only
read_only_volumes[self.certs_volume_name] = '/certs'
read_only_volumes.update(self.read_only_volumes)
return self._volumes_to_binds(read_only_volumes, binds, mode="ro")
@property
def mount_binds(self):
"""
A different way of specifying docker volumes using more advanced spec.
Converts mounts list of dict to a list of docker.types.Mount
"""
def _fmt(v):
return self.format_volume_name(v, self)
mounts = []
for mount in self.mounts:
args = dict(mount)
args["source"] = _fmt(mount["source"])
args["target"] = _fmt(mount["target"])
mounts.append(Mount(**args))
return mounts
_escaped_name = None
@property
def escaped_name(self):
"""Escape the username so it's safe for docker objects"""
if self._escaped_name is None:
self._escaped_name = self.escape(self.user.name)
return self._escaped_name
object_id = Unicode(allow_none=True)
def template_namespace(self):
escaped_image = self.image.replace("/", "-").replace(":", "-")
server_name = getattr(self, "name", "")
safe_server_name = self.escape(server_name.lower())
return {
"username": self.escaped_name,
"safe_username": self.escaped_name,
"raw_username": self.user.name,
"imagename": escaped_image,
"servername": safe_server_name,
"raw_servername": server_name,
"prefix": self.prefix,
}
object_name = Unicode()
@default("object_name")
def _object_name_default(self):
"""Render the name of our container/service using name_template"""
return self._render_templates(self.name_template)
@observe("image")
def _image_changed(self, change):
# re-render object name if image changes
self.object_name = self._object_name_default()
def load_state(self, state):
super().load_state(state)
if "container_id" in state:
# backward-compatibility for dockerspawner < 0.10
self.object_id = state.get("container_id")
else:
self.object_id = state.get("object_id", "")
# override object_name from state if defined
# to avoid losing track of running servers
self.object_name = state.get("object_name", None) or self.object_name
if self.object_id:
self.log.debug(
f"Loaded state for {self._log_name}: {self.object_type}"
f" name={self.object_name}, id={self.object_id}"
)
def get_state(self):
state = super().get_state()
if self.object_id:
state["object_id"] = self.object_id
# persist object_name if running
# so that a change in the template doesn't lose track of running servers
state["object_name"] = self.object_name
self.log.debug(
f"Persisting state for {self._log_name}: {self.object_type}"
f" name={self.object_name}, id={self.object_id}"
)
return state
def _env_keep_default(self):
"""Don't inherit any env from the parent process"""
return []
def get_env(self):
env = super().get_env()
env['JUPYTER_IMAGE_SPEC'] = self.image
return env
def _docker(self, method, *args, **kwargs):
"""wrapper for calling docker methods
to be passed to ThreadPoolExecutor
"""
m = getattr(self.client, method)
return m(*args, **kwargs)
def docker(self, method, *args, **kwargs):
"""Call a docker method in a background thread
returns a Future
"""
return asyncio.wrap_future(