Skip to content

run_code as a user instead of root #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
mishushakov wants to merge 17 commits into
base: main
Choose a base branch
from
Draft

run_code as a user instead of root #94

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
8ad22ef
wip
mishushakov Apr 26, 2025
14e0c51
fix file paths
mishushakov Apr 26, 2025
9d73789
fixes start command, adds logging, removes useradd in prod Docker
mishushakov Apr 28, 2025
e6edde7
undo some changes to e2b.toml, bring back r kernel
mishushakov Apr 28, 2025
4aeaeef
wip
mishushakov Apr 29, 2025
741e0e5
wip
mishushakov Apr 29, 2025
822beda
qip
mishushakov Apr 29, 2025
162c3de
sync'd some changes from test.Dockerfile to Dockerfile
mishushakov Apr 29, 2025
f1c427d
changed deno kernel path
mishushakov Apr 29, 2025
38ee9c7
change user in new context
mishushakov May 1, 2025
f16e512
Merge branch 'main' into permissions-calling-run_code-as-a-different-…
mishushakov May 14, 2025
23f58ea
start default kernel as root to avoid breaking change
mishushakov May 14, 2025
4a8c98a
adds ability to pass user to the createCodeContext SDK method
mishushakov May 14, 2025
44c2a42
added changeset
mishushakov May 14, 2025
d49ea96
changed default user to "user" as per @jakubno
mishushakov May 14, 2025
f4fc072
change default cwd depending on the user if cwd is not provided
mishushakov May 14, 2025
feb767e
changed template to code-interpreter-v1beta1
mishushakov May 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 9 additions & 7 deletions template/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,18 @@
FROM python:3.10.14

ENV HOME=/home/user

RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
build-essential curl git util-linux jq sudo nodejs npm fonts-noto-cjk

RUN mkdir -p $HOME/.jupyter $HOME/.ipython $HOME/.server

ENV PIP_DEFAULT_TIMEOUT=100 \
PIP_DISABLE_PIP_VERSION_CHECK=1 \
PIP_NO_CACHE_DIR=1 \
JUPYTER_CONFIG_PATH="/root/.jupyter" \
IPYTHON_CONFIG_PATH="/root/.ipython" \
SERVER_PATH="/root/.server" \
JUPYTER_CONFIG_PATH="$HOME/.jupyter" \
IPYTHON_CONFIG_PATH="$HOME/.ipython" \
SERVER_PATH="$HOME/.server" \
R_VERSION=4.4.2

ENV R_HOME=/opt/R/${R_VERSION} \
Expand All @@ -32,7 +36,7 @@ RUN ijsinstall --install=global
COPY --from=denoland/deno:bin-2.0.4 /deno /usr/bin/deno
RUN chmod +x /usr/bin/deno
RUN deno jupyter --unstable --install
COPY ./deno.json /root/.local/share/jupyter/kernels/deno/kernel.json
COPY ./deno.json $HOME/.local/share/jupyter/kernels/deno/kernel.json

# Bash Kernel
RUN pip install bash_kernel
Expand All @@ -42,13 +46,12 @@ RUN python -m bash_kernel.install
RUN python -m venv $SERVER_PATH/.venv

# Copy server and its requirements
RUN mkdir -p $SERVER_PATH/
COPY ./server/requirements.txt $SERVER_PATH
RUN $SERVER_PATH/.venv/bin/pip install --no-cache-dir -r $SERVER_PATH/requirements.txt
COPY ./server $SERVER_PATH

# Copy matplotlibrc
COPY matplotlibrc /root/.config/matplotlib/.matplotlibrc
COPY matplotlibrc $HOME/.config/matplotlib/matplotlibrc
Copy link
Copy Markdown
Contributor

@graphite-app graphite-app bot Sep 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a path inconsistency between the Dockerfile and startup script. In the Dockerfile, the matplotlibrc file is copied to $HOME/.config/matplotlib/matplotlibrc (without a dot prefix), but in start-up.sh it's referenced as $HOME/.config/matplotlib/.matplotlibrc (with a dot prefix).

To resolve this, either:

  1. Update this line to include the dot prefix: COPY matplotlibrc $HOME/.config/matplotlib/.matplotlibrc, or
  2. Update the path in start-up.sh to remove the dot prefix: MATPLOTLIBRC=$HOME/.config/matplotlib/matplotlibrc

This will ensure the file is correctly located where the startup script expects to find it.

Suggested change
COPY matplotlibrc $HOME/.config/matplotlib/matplotlibrc
COPY matplotlibrc $HOME/.config/matplotlib/.matplotlibrc

Spotted by Diamond

Fix in Graphite

Is this helpful? React 👍 or 👎 to let us know.


# Copy Jupyter configuration
COPY ./start-up.sh $JUPYTER_CONFIG_PATH/
Expand All @@ -62,7 +65,6 @@ COPY ipython_kernel_config.py $IPYTHON_CONFIG_PATH/profile_default/
RUN mkdir -p $IPYTHON_CONFIG_PATH/profile_default/startup
COPY startup_scripts/* $IPYTHON_CONFIG_PATH/profile_default/startup


COPY --from=eclipse-temurin:11-jdk $JAVA_HOME $JAVA_HOME
RUN ln -s ${JAVA_HOME}/bin/java /usr/bin/java

Expand Down
5 changes: 2 additions & 3 deletions template/e2b.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,9 @@
# JS SDK
# import { Sandbox } from 'e2b'
# const sandbox = await Sandbox.create('code-interpreter-v1')

team_id = "460355b3-4f64-48f9-9a16-4442817f79f5"
memory_mb = 1_024
start_cmd = "/root/.jupyter/start-up.sh"
start_cmd = "sudo -u user /home/user/.jupyter/start-up.sh"
Copy link
Copy Markdown
Member Author

@mishushakov mishushakov May 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one thing: this is a breaking change, should I put a script in /root/.jupyter/start-up.sh that just calls the actual start-up.sh with sudo -u user?

dockerfile = "e2b.Dockerfile"
template_name = "code-interpreter-v1"
template_id = "nlhz8vlwyupq845jsdg9"
template_id = "nlhz8vlwyupq845jsdg9"
2 changes: 1 addition & 1 deletion template/server/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ async def lifespan(app: FastAPI):
global client
client = httpx.AsyncClient()

with open("/root/.jupyter/kernel_id") as file:
with open("/home/user/.jupyter/kernel_id") as file:
default_context_id = file.read().strip()

default_ws = ContextWebSocket(
Expand Down
12 changes: 6 additions & 6 deletions template/start-up.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,15 +20,15 @@ function start_jupyter_server() {
exit 1
fi

sudo mkdir -p /root/.jupyter
mkdir -p /home/user/.jupyter
kernel_id=$(echo "${response}" | jq -r '.kernel.id')
sudo echo "${kernel_id}" | sudo tee /root/.jupyter/kernel_id >/dev/null
sudo echo "${response}" | sudo tee /root/.jupyter/.session_info >/dev/null
echo "${kernel_id}" > /home/user/.jupyter/kernel_id
echo "${response}" > /home/user/.jupyter/.session_info

cd /root/.server/
/root/.server/.venv/bin/uvicorn main:app --host 0.0.0.0 --port 49999 --workers 1 --no-access-log --no-use-colors
cd /home/user/.server/
/home/user/.server/.venv/bin/uvicorn main:app --host 0.0.0.0 --port 49999 --workers 1 --no-access-log --no-use-colors >> /home/user/uvicorn_server.log 2>&1
}

echo "Starting Code Interpreter server..."
start_jupyter_server &
MATPLOTLIBRC=/root/.config/matplotlib/.matplotlibrc jupyter server --IdentityProvider.token="" >/dev/null 2>&1
MATPLOTLIBRC=/home/user/.config/matplotlib/.matplotlibrc jupyter server --IdentityProvider.token="" >> /home/user/jupyter_server.log 2>&1
25 changes: 18 additions & 7 deletions template/test.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,22 @@
FROM python:3.10.14

# Create a non-root user
RUN useradd -m -s /bin/bash user
ENV HOME=/home/user

ENV JAVA_HOME=/opt/java/openjdk
COPY --from=eclipse-temurin:11-jdk $JAVA_HOME $JAVA_HOME
ENV PATH="${JAVA_HOME}/bin:${PATH}"

RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
build-essential curl git util-linux jq sudo nodejs npm fonts-noto-cjk
build-essential curl git util-linux jq nodejs npm fonts-noto-cjk

ENV PIP_DEFAULT_TIMEOUT=100 \
PIP_DISABLE_PIP_VERSION_CHECK=1 \
PIP_NO_CACHE_DIR=1 \
JUPYTER_CONFIG_PATH="/root/.jupyter" \
IPYTHON_CONFIG_PATH="/root/.ipython" \
SERVER_PATH="/root/.server"
JUPYTER_CONFIG_PATH="$HOME/.jupyter" \
IPYTHON_CONFIG_PATH="$HOME/.ipython" \
SERVER_PATH="$HOME/.server"

# Install Jupyter
COPY ./template/requirements.txt requirements.txt
Expand All @@ -27,7 +31,7 @@ RUN ijsinstall --install=global
COPY --from=denoland/deno:bin-2.0.4 /deno /usr/bin/deno
RUN chmod +x /usr/bin/deno
RUN deno jupyter --unstable --install
COPY ./template/deno.json /root/.local/share/jupyter/kernels/deno/kernel.json
COPY ./template/deno.json $HOME/.local/share/jupyter/kernels/deno/kernel.json

# Create separate virtual environment for server
RUN python -m venv $SERVER_PATH/.venv
Expand All @@ -39,7 +43,7 @@ RUN $SERVER_PATH/.venv/bin/pip install --no-cache-dir -r $SERVER_PATH/requiremen
COPY ./template/server $SERVER_PATH

# Copy matplotlibrc
COPY ./template/matplotlibrc /root/.config/matplotlib/matplotlibrc
COPY ./template/matplotlibrc $HOME/.config/matplotlib/matplotlibrc

# Copy Jupyter configuration
COPY ./template/start-up.sh $JUPYTER_CONFIG_PATH/
Expand All @@ -54,7 +58,14 @@ RUN mkdir -p $IPYTHON_CONFIG_PATH/profile_default/startup
COPY ./template/startup_scripts/* $IPYTHON_CONFIG_PATH/profile_default/startup

# Setup entrypoint for local development
WORKDIR /home/user
WORKDIR $HOME
COPY ./chart_data_extractor ./chart_data_extractor
RUN pip install -e ./chart_data_extractor

# Set ownership of all files to the user
RUN chown -R user:user $HOME

# Switch to non-root user
USER user
Comment on lines +79 to +83
Copy link
Copy Markdown
Member

@jakubno jakubno May 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are you doing it as last thing? If you would set the user as a first thing you probably don't need change the ownership

Copy link
Copy Markdown
Member Author

@mishushakov mishushakov May 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the problem here is: "user" does not exist in python image
and we cannot add user before we have "sudo" dependency installed

so this is why it's the last


ENTRYPOINT $JUPYTER_CONFIG_PATH/start-up.sh
Loading