Posted on August 25, 2018


JupyterHub setup

Created by OpenKB.org

1. Installation. Steps 1 and 2 can be placed in a bash script.

yum -y update && yum -y install epel-release.noarch npm gcc \
    gcc-c++ python36 python34 python34-devel python34-pip python36-setuptools \
    python36-libs vim git pandoc texlive texlive-*.noarch

pip3 install --upgrade pip

2. Jupyter related

python3 -m pip install pandoc
python3 -m pip install jupyterhub
npm install -g configurable-http-proxy
python3 -m pip install notebook

3. Validation

jupyterhub -h
configurable-http-proxy -h

4. Generate a config file

Path: /etc/jupyterhub
mkdir /etc/jupyterhub ; cd /etc/jupyterhub ; jupyterhub --generate-config

5. Generate an SSL certificate

Use the script at https://github.com/loganstellway/self-signed-ssl
Add the pem, crt and key filenames to the config file.

6. Start the process


Bugs :
The documentation states we need to add any admin users to the below variable.
and set this to true

Upon doing so, the user we specified to be the admin was a regular user.
We had to manually update the db and set the boolean to true.
I will test this setup again and confirm if this is a true bug

SELinux & Systemd

1. Example Systemd config file
Save this as /lib/systemd/system/jupyterhub.service:


User=jupyterhub   << change this to your user 

2. After creating and starting the Systemd unit, if you have SELinux
   enabled you will receive a 500 error due to policy issues.

Additional Information:
Source Context                system_u:system_r:unconfined_service_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                /usr/bin/jupyterhub-singleuser [ process ]
Source                        jupyterhub
Source Path                   /usr/bin/python3.4

Error: Raw Audit Messages
type=AVC msg=audit(1535304575.875:90241): avc:  denied  { transition } for  pid=31239
comm="jupyterhub" path="/usr/bin/jupyterhub-singleuser" dev="xvda1" ino=13572171 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

Troubleshooting steps and fix

A) setenforce 0
This puts SELinux into permissive mode, where denials are logged but not enforced.
Use the application as you would normally and then take a look at the SELinux
related messages in /var/log/audit/audit.log*

B) grep denied /var/log/audit/audit.log*
You can pass the results to various utilities to get some sense of what is required

C) grep denied /var/log/audit/audit.log* | audit2why
Analysing that can be helpful. It may suggest you configure various booleans. You may also 
want to run the results through audit2allow

D) grep denied /var/log/audit/audit.log* | audit2allow
This will also tell you what you need to do. You can create a local module

E) grep denied /var/log/audit/audit.log* | audit2allow -M local-module
and then use it

F) semodule -i local-module.pp
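
Steps B to E pass every denial in the audit log to audit2allow, so the local module would also allow whatever unrelated services were denied. The following added example (not from the original post; the function names and all log lines are constructed for illustration) filters the denials to one command name and summarises what a module built from them would grant.

```shell
# Added example, not from the original post. Log lines below are constructed.

# Keep only AVC denials raised by command name $1; audit records arrive on stdin.
avc_for_comm() {
    grep 'type=AVC .*denied' | grep -F "comm=\"$1\""
}

# Summarise them as "<count> <perms> <tclass> <tcontext>" so the access a
# local module would grant can be read before the module is generated.
avc_summary() {
    avc_for_comm "$1" | awk '
    {
        perms = ""; tctx = ""; tcls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {   # permissions sit between "{" and "}"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : ",") $j
            }
            if ($i ~ /^tcontext=/) tctx = substr($i, 10)
            if ($i ~ /^tclass=/)   tcls = substr($i, 8)
        }
        count[perms " " tcls " " tctx]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Constructed sample: two jupyterhub denials, one unrelated httpd denial,
# and one non-AVC record that mentions jupyterhub.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1000000001.001:101): avc:  denied  { transition } for  pid=2001 comm="jupyterhub" path="/usr/bin/jupyterhub-singleuser" dev="xvda1" ino=1111 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1000000002.001:102): avc:  denied  { transition } for  pid=2002 comm="jupyterhub" path="/usr/bin/jupyterhub-singleuser" dev="xvda1" ino=1111 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1000000003.001:103): avc:  denied  { getattr open read } for  pid=3001 comm="httpd" path="/home/alice/index.html" dev="xvda1" ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1000000004.001:104): arch=c000003e syscall=59 success=no exit=-13 comm="jupyterhub" exe="/usr/bin/python3.4"
EOF
}

# On the real host, scope step E the same way and review before loading:
#   cat /var/log/audit/audit.log* | avc_for_comm jupyterhub | audit2allow -M local-module
#   cat local-module.te     # read the generated rules before step F
#   semodule -i local-module.pp && setenforce 1   # return to enforcing mode
```

In the sample, the httpd denial never reaches audit2allow when the filter is applied, so the resulting module covers only the jupyterhub transition.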