any bad affects when starting notebook with root user rather than jovyan?

[SmartInWhut]

hi，

i found that jupyter notebook config with option '--allow-root' in Dockerfile, but the default user jovyan is in 'users' group without sudo. so i change user by 'USER root' for notebook user to run apt get or sth like that.
the question is, is there any problem with root user ? and why the defalut jovyan with unreachable '--allow-root' work together? i found sth in /issues/1375, but still confuse.

Expecting a reply or pointing out my misunderstanding，XD

[kevin-bates]

Running a container as root is just bad practice and there are numerous blog posts stating why. While completely isolated containers will appear to work fine, you can get into issues when mounting host directories since they can now be manipulated as the root user. Network operations will also be performed as root, etc., etc.

Folks typically add the necessary packages to their containers at build time via a sequence similar to this...

USER root
install any packages my user will need
USER <my non root user>

If packages are needed at runtime, users can usually perform things like !pip install --user xxx from a notebook cell, etc., but baking the necessary packages into the image is usually the best approach. This is why there's a rich offering of docker-stack images referenced in @rgbkrk's response in #1375.

The --allow-root flag is essentially ignored when True. However, when False Notebook server checks if the effective user is root. If so, it exits stating that running as root is not recommended. So the flag is really Notebook's way of asking users "Are you really sure you want to run this process as root? If so, tell me by adding the --allow-root flag." It's purpose is not to say "allow this non-root user to run as root". One reason Notebook does this is because it exposes filesystem operations (via its Content Service) that could lead to bad results depending on where Notebook was started or where the root-dir option is configured to point.

[SmartInWhut]

Truly appreciated for your detailed answer!
i am now clear about the security effects. but i solve this demand by sed -i '$a\jovyan ALL=(root) NOPASSWD: /usr/bin/apt-get' /etc/sudoers , to provide apt-get only.
Thanks again !

[goelakash]

@SmartInWhut could this be closed?
cc: @jtpio