# jupyterhub

Multi-user JupyterHub. **Cloud-only.**

- **Hostname**: `hub.wbd-rd.nl`
- **Networks**: `app` (UI proxied) + `mgmt` (Docker socket — for DockerSpawner once we switch to it)
- **Config**: `config/jupyterhub_config.py`
- **Image**: built locally (`cloud-jupyterhub:5`) — upstream JupyterHub + `oauthenticator` + `jupyterlab` + `notebook`. See `Dockerfile`.

## Auth

Keycloak OIDC via `oauthenticator.generic.GenericOAuthenticator`. All authenticated users in the `wbd` realm can sign in (`c.GenericOAuthenticator.allow_all = True`).

Admin promotion is currently driven by the `JUPYTERHUB_ADMIN_USERS` environment variable (comma-separated emails). Switching to a Keycloak realm-role check (`app-admin`) is a TODO.

## Spawner

**Current**: `SimpleLocalProcessSpawner` ("simple") — every user's notebook runs as a process inside the hub container itself, sharing the same filesystem. The spawner passes `--allow-root` to `jupyterhub-singleuser` because the hub container runs as root and the singleuser server refuses root without that flag.

This is fine for one or two operators but is **not** the production-shape we want.

### TODO — switch to DockerSpawner

The repo wiring is already half-there:

- The `mgmt` network is mounted
- `/var/run/docker.sock` is mounted into the hub
- `DOCKER_NOTEBOOK_IMAGE` is set in `.env`

To switch, change `jupyterhub_config.py`:

```python
import os

# One container per user instead of a process inside the hub container
c.JupyterHub.spawner_class = "dockerspawner.DockerSpawner"
c.DockerSpawner.image = os.environ["DOCKER_NOTEBOOK_IMAGE"]
c.DockerSpawner.network_name = os.environ["DOCKER_NETWORK_NAME"]
c.DockerSpawner.notebook_dir = "/home/jovyan/work"
# Per-user named volume mounted at the notebook directory
c.DockerSpawner.volumes = {"jupyter-user-{username}": "/home/jovyan/work"}
# Remove the user's container when their server stops
c.DockerSpawner.remove = True
```

…and add `dockerspawner` to the `Dockerfile` pip install.

## Other TODO

- Switch admin lookup from env-list to `app-admin` realm role
- Per-user persistent volume policy + size limits
- CPU / memory limits per user container
- Idle-server culling (`jupyterhub-idle-culler` service)
- Project-specific notebook image with mlflow/influx/rabbitmq clients preinstalled
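
For the first TODO item (moving the admin lookup from the `JUPYTERHUB_ADMIN_USERS` list to the `app-admin` realm role), the sketch below puts the two decisions side by side and fails closed on malformed claims. It is an added example, not code from this repo: the helper names are hypothetical, the sample claims are constructed, and it assumes the claims Keycloak returns to the hub carry `email` and `realm_access.roles`.

```python
"""Admin decision for the hub: current env list vs. planned realm-role check."""

ADMIN_ROLE = "app-admin"  # realm role named in the README's TODO


def parse_admin_emails(raw):
    """Parse JUPYTERHUB_ADMIN_USERS (comma-separated emails) into a normalized set."""
    return {part.strip().lower() for part in (raw or "").split(",") if part.strip()}


def realm_roles(claims):
    """Return realm roles from the claims dict; empty set if missing or malformed.

    Assumption: roles live under claims["realm_access"]["roles"] as a list.
    """
    access = claims.get("realm_access") if isinstance(claims, dict) else None
    roles = access.get("roles") if isinstance(access, dict) else None
    if not isinstance(roles, list):
        return set()  # fail closed: a string here would allow substring matches
    return {r for r in roles if isinstance(r, str)}


def is_admin_by_env(claims, raw_env):
    """Current behaviour: admin if the user's email is in the env list."""
    email = claims.get("email") if isinstance(claims, dict) else None
    if not isinstance(email, str):
        return False
    return email.strip().lower() in parse_admin_emails(raw_env)


def is_admin_by_role(claims, role=ADMIN_ROLE):
    """Planned behaviour: admin only on an exact realm-role match."""
    return role in realm_roles(claims)


# Constructed sample claims (not real users).
SAMPLE_ADMIN = {"email": "Alice@Example.org",
                "realm_access": {"roles": ["app-admin", "offline_access"]}}
SAMPLE_USER = {"email": "bob@example.org",
               "realm_access": {"roles": ["offline_access"]}}
# "roles" is a string, not a list: must not grant admin.
SAMPLE_MALFORMED = {"email": "eve@example.org",
                    "realm_access": {"roles": "app-admin-readonly"}}

if __name__ == "__main__":
    env = "alice@example.org, carol@example.org"  # constructed env value
    for c in (SAMPLE_ADMIN, SAMPLE_USER, SAMPLE_MALFORMED):
        print(c["email"], is_admin_by_env(c, env), is_admin_by_role(c))
```
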