Diffstat (limited to 'jupyterhub.service')
-rw-r--r--jupyterhub.service46
1 files changed, 46 insertions, 0 deletions
diff --git a/jupyterhub.service b/jupyterhub.service
new file mode 100644
index 000000000000..34a31173b1db
--- /dev/null
+++ b/jupyterhub.service
@@ -0,0 +1,46 @@
+[Unit]
+Description=JupyterHub server
+After=network.target
+Documentation=https://jupyterhub.readthedocs.io/en/stable/
+
+[Service]
+# Where the PID and other runtime files will be placed.
+RuntimeDirectory=jupyterhub
+RuntimeDirectoryMode=0755
+
+# Paths in the configuration are relative to the working directory.
+WorkingDirectory=/etc/jupyterhub
+
+# The actual command to run. Note this service doesn't need the PID files, but
+# JupyterHub does use them internally.
+ExecStart=/usr/bin/jupyterhub \
+ -f /etc/jupyterhub/jupyterhub_config.py \
+ --pid-file=/run/jupyterhub/jupyterhub.pid \
+ --ConfigurableHTTPProxy.pid_file=/run/jupyterhub/jupyterhub-proxy.pid
+
+# Apply some service hardening.
+# The default LocalProcess spawner needs SETUID and SETGID to run the
+# single-user servers.
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID
+LockPersonality=true
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+ReadWritePaths=/etc/jupyterhub
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
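Review bot: `ReadWritePaths=/etc/jupyterhub` together with `WorkingDirectory=/etc/jupyterhub` leaves the directory holding `jupyterhub_config.py` writable by the service, which undoes most of what `ProtectSystem=full` provides for a file that is loaded as Python code at every start. No `User=` is set, so the hub presumably runs as root, and a compromised hub process could then persist by rewriting its own configuration. Keeping state apart from configuration avoids this: `StateDirectory=jupyterhub`, `WorkingDirectory=/var/lib/jupyterhub`, and no `ReadWritePaths=` line, with any relative paths in the config adjusted to match. The comment above the hardening block should also say that single-user servers started by the spawner inherit these settings, so with `NoNewPrivileges=true` setuid helpers such as `sudo` will not gain privileges inside user sessions.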