Improved autostart logic: it now requires being mounted as "readonl…

…y" under `/root/autostart`.

Dockerfile

@@ -7,11 +7,20 @@
 # To start it:
 #
 # ```
-# docker pull janpfeifer/gonb_jupyter:latest
-# docker run -it --rm -p 8888:8888 -v "${PWD}":/notebooks/host janpfeifer/gonb_jupyterlab:latest
+#   docker pull janpfeifer/gonb_jupyter:latest
+#   docker run -it --rm -p 8888:8888 -v "${PWD}":/notebooks/host janpfeifer/gonb_jupyterlab:latest
 # ```
 #
 # Then copy&paste the URL it outputs in your browser.
+#
+# You can also provide an `autostart.sh` file (it doesn't really need to be shell script) if you
+# mount it _READONLY_ under `/root/autostart/autostart.sh`. So the command line would look like:
+#
+# ```
+#   docker run -it --rm -p 8888:8888 \
+#       -v "${PWD}":/notebooks/host -v "~/work/gonb/autostart:/root/autostart:ro" \
+#       janpfeifer/gonb_jupyterlab:latest
+# ```
 
 #######################################################################################################
 # Base image from JupyterLab
@@ -98,8 +107,7 @@ RUN apt-get clean && rm -rf /var/lib/apt/lists/*
 USER root
 WORKDIR ${NOTEBOOKS}
 
-# Script that checks for `autostart.sh` (and runs it if owned by root and present), and then starts
-# JupyterLab.
+# Script that checks for `/root/autostart/autostart.sh` (mounted readonly) and then starts JupyterLab.
 COPY cmd/check_and_run_autostart.sh /usr/local/bin/
 
 ENTRYPOINT ["tini", "-g", "--", "/usr/local/bin/check_and_run_autostart.sh"]

cmd/check_and_run_autostart.sh

@@ -9,19 +9,22 @@
 # Makes sure we are not using $NB_USER's GOPATH.
 export GOPATH=/root/go
 
-# Check if autostart.sh exists
-if [[ -f "${NOTEBOOKS}/autostart.sh" ]]; then
-  # Check if it's owned by root and is executable
-  if [[ "$(stat -c '%U' "${NOTEBOOKS}/autostart.sh")" = "root" && -x "${NOTEBOOKS}/autostart.sh" ]]; then
+# Check if autostart.sh exists and is executable.
+AUTOSTART="/root/autostart/autostart.sh"
+if [[ -x "${AUTOSTART}" ]]; then
+  # Check if it's mounted readonly: we chmod to its current permissions. If it fails we assume it is mounted
+  # readonly.
+  permissions=$(stat -c '%a' "${AUTOSTART}")
+  if chmod "${permissions}" "${AUTOSTART}" 2> /dev/null ; then
+    echo "${AUTOSTART} doesn't seem to be mounted readonly, NOT EXECUTING IT." 2>&1
+  else
     # Run autostart.sh as root
     echo "Running autostart.sh as root..."
-    "${NOTEBOOKS}/autostart.sh"
-  else
-    # Print a message indicating why it's not running
-    echo "autostart.sh exists but is not owned by root or not executable. Not running it."
+    "${AUTOSTART}"
   fi
+
 else
-  echo "No autostart.sh initialization script."
+  echo "No ${AUTOSTART} initialization script."
 fi
 
 # Run JupyterLab from $NOTEBOOKS as user $NB_USER.

docs/CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Next
 
+* Improved `autostart` logic: it now requires being mounted as "readonly" under `/root/autostart`.
 * Added `%version`, and environment variables `GONB_VERSION`, `GONB_GIT_COMMIT`.
 * Added `%help` info on missing environment variables.
 

docs/docker.md

@@ -8,9 +8,8 @@
 
 ## Customization with `autostart.sh`
 
-If you create the file `autostart.sh` in the directory mounted under `/notebooks` in the container,
-**owned by `root` and with executable permissions**, it will be executed at start up of the container by default
-**as `root`**.
+If you **readonly** mount a file `/root/autostart/autostart.sh` with executable permissions, it will be executed at
+start up of the container by default **as `root`**.
 
 This allows you to download/install databases, or set up credentials, etc.