Privileged access to the filestore

Currently, we do not have any way to make containers with privileged filesystem access available from JupyterHub.

In order to get privileged access to the filestore, you will need access to kubectl with admin privileges to Kubernetes cluster you want to work on.

Procedure

Save the following file as copier.yaml. You may need to edit it to point to the correct filestore. If you need multiple filestores present (for instance, for copying data between environments), then you will need to create multiple Volume/VolumeMount pairs so multiple filestores are present within the container.

copier.yaml
apiVersion: v1
kind: Pod
metadata:
  name: copier
  namespace: copier
spec:
  containers:
  - name: main
    image: ubuntu:latest
    args: [ "tail", "-f", "/dev/null" ]
    volumeMounts:
    - mountPath: /mnt
      name: share
  volumes:
  - name: share
    nfs:
      path: /share1
      server: 10.13.105.122
      # 10.87.86.26 is IDF dev
      # 10.22.240.130 is IDF int
      # 10.13.105.122 is IDF prod

Spin up this Pod and log into its shell:

kubectl create ns copier
kubectl apply -f copier.yaml
kubectl exec -it -n copier copier -- /bin/bash -l

Once you do that, you have a root prompt and the instance filestore is mounted at /mnt. With great power comes great responsibility.

When you’re done, delete the namespace. This will also destroy the privileged pod:

kubectl delete ns copier

Examples

  • Get usage data by username, sorted by usage, largest at the bottom:

    du -s -BM /mnt/home/* \
    | sed -e 's/\s\+/,/' \
    | sed -e 's|/mnt/home/||' \
    | sort -nr
    
  • Make an archival copy of user foo’s previous .local file for analysis:

    tar cvpfz /tmp/foo-local.tgz /mnt/home/foo/.local.20210804223021