Fix example jupyterhub.service file

[mangecoeur]

The example jupyterhub.service file is out of date and has a mistake anyway (readwrite set on /var/lib/jupyterhub but workingdir /var/local/lib)

On the other hand it would be great to get the best practices for a correct systemd service (or maybe there is another one in a different repo?). I've been writing mine sort of from scraps of advice around the internet without really knowing what I'm doing.

It currently looks like this:

[Unit]
Description=Jupyterhub
After=syslog.target network.target

[Service]
ExecStart=/opt/jupyterhub/bin/jupyterhub --no-ssl --config /opt/jupyterhub/etc/jupyterhub/jupyterhub_config.py
WorkingDirectory=/var/lib/jupyterhub/
ProtectSystem=strict
ReadWriteDirectories=/var/lib/jupyterhub/ /var/log/ /proc/self/ /run/
Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/jupyterhub/bin"
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_AUDIT_WRITE CAP_SETGID CAP_SETUID
PrivateDevices=yes
PrivateTmp=yes
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelModules=true

[Install]
WantedBy=multi-user.target

Including all the Protect* lines which i literally copy pasted from somewhere that suggested it was a good idea 🤣

[welcome]

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.

You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

[yuvipanda]

The Littlest JupyterHub is the primary distro using systemdspawner. The systemd unit file it uses for JupyterHub is at https://github.com/jupyterhub/the-littlest-jupyterhub/blob/master/tljh/systemd-units/jupyterhub.service. Perhaps we can adapt that to be the example here?

[mangecoeur]

That would be a good idea... I'm also interested in what hearing some deeper knowledge of systemd, for instance how much sandboxing/protection is turned on by default or is it a good idea to add as much as possible. e.g. I recently learned about the ProtectSystem directive which seems relevant.

[behrmann]

I run the singleuser servers with

PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=read-only
ProtectKernelTunables=yes
ProtectControlGroups=yes

and explicit ReadWritePaths=. It just works.

[mangecoeur]

and explicit ReadWritePaths=

This for example, it would be good to document what paths need to be writable (at least on a typical host e.g. Ubuntu LTS). e.g. I discovered by trial and error that I needed to add /run/ to the readwritepaths.

[behrmann]

You can usually get away with just the user's home, if the singleuser server doesn't start a PAM session, then you would probably need /run/user/%U as well.

[mangecoeur]

just to be clear - we are talking about the jupyerhub service not the singleuser servers.
w.r.t the jupyterhub.service sample file, this commit causes Jhub to store data in /run/ which means it needs RW access to that folder, even if the singlusers don't need it.