Difference between revisions of "Jupyterhub"
From Nuclear Physics Group Documentation Pages
Jump to navigationJump to search| (11 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
== Installation == | == Installation == | ||
| − | + | On [roentgen] we use anaconda in /usr/local/anaconda3 for jupyterhub. On other systems, we do not use the Anaconda install, because that does not play nice with ROOT. We would want to use the default python3 in /bin/python3 but that is a 3.4 python, and we need a >=3.5. Yuck! | |
See: [https://jupyterhub.readthedocs.io/en/stable/quickstart.html Jupyterhub quick start] | See: [https://jupyterhub.readthedocs.io/en/stable/quickstart.html Jupyterhub quick start] | ||
| Line 25: | Line 25: | ||
npm install -g configurable-http-proxy | npm install -g configurable-http-proxy | ||
| − | Create the /etc/ | + | === Secure Setup With SudoSpawner === |
| + | |||
| + | Install sudospawner: | ||
| + | |||
| + | pip3.6 install git+https://github.com/jupyter/sudospawner | ||
| + | |||
| + | Create the "jupy" user that will run things, and setup sudo for this user. | ||
| + | |||
| + | useradd jupy | ||
| + | # edit /etc/passwd to so jupy has shell /sbin/nologin | ||
| + | |||
| + | Use visudo to add the following at the bottom: | ||
| + | # | ||
| + | # For Jupyterhub use with Sudospawner | ||
| + | # | ||
| + | # the command(s) the Hub can run on behalf of users in jupyter group without needing a password | ||
| + | # the exact path may differ, depending on how sudospawner was installed | ||
| + | Cmnd_Alias JUPYTER_CMD = /bin/sudospawner | ||
| + | |||
| + | # actually give the Hub user permission to run the above command on behalf | ||
| + | # of the above users without prompting for a password | ||
| + | jupy ALL=(%jupyter) NOPASSWD:JUPYTER_CMD | ||
| + | # | ||
| + | |||
| + | Test this with: | ||
| + | sudo -u jupy sudo -n -u maurik /bin/sudospawner --help | ||
| + | |||
| + | === Setup Jupyter Hub === | ||
| + | |||
| + | Use sudospawner. See: https://github.com/jupyterhub/jupyterhub/wiki/Using-sudo-to-run-JupyterHub-without-root-privileges | ||
| + | |||
| + | Generate the config area and config file: | ||
| + | |||
| + | mkdir /etc/jupyterhub | ||
| + | useradd jupy | ||
| + | chown jupy:root /etc/jupyterhub | ||
| + | cd /etc/jupyterhub | ||
Create new cookie: | Create new cookie: | ||
| Line 31: | Line 67: | ||
cd /etc/jupyterhub | cd /etc/jupyterhub | ||
openssl rand -hex 32 > jupyterhub_cookie_secret | openssl rand -hex 32 > jupyterhub_cookie_secret | ||
| + | chmod og-r jupyterhub_cookie_secret | ||
| + | |||
| + | Copy the certificate to /home/jupy/certs | ||
| + | |||
| + | mkdir /home/jupy/certs | ||
| + | chown jupy /home/jupy/certs | ||
| + | cp /etc/letsencrypt/live/endeavour.unh.edu/* /home/jupy/certs | ||
| + | |||
| + | Note: fix the certbot script to copy new certs! | ||
| + | |||
| + | Edit Config file: | ||
| + | |||
| + | c.JupyterHub.hub_ip = '10.0.0.100' | ||
| + | c.JupyterHub.ip = 'endeavour.unh.edu' | ||
| + | c.JupyterHub.cookie_secret_file = '/etc/jupyterhub/jupyterhub_cookie_secret' | ||
| + | c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner' | ||
| + | c.JupyterHub.ssl_key = '/home/jupy/certs/privkey.pem' | ||
| + | c.JupyterHub.ssl_cert = '/home/jupy/certs/fullchain.pem' | ||
| + | c.Spawner.args = ['--ip="0.0.0.0"'] | ||
| + | c.Spawner.notebook_dir = '~' # Can change to ~/notebooks | ||
| + | c.Authenticator.whitelist = set() | ||
| + | c.LocalAuthenticator.group_whitelist = set(['jupyter','npg']) | ||
| + | |||
| + | Setup sudo file: | ||
| + | # | ||
| + | # For Jupyterhub use with Sudospawner | ||
| + | # | ||
| + | # the command(s) the Hub can run on behalf of users in jupyter group without needing a password | ||
| + | # the exact path may differ, depending on how sudospawner was installed | ||
| + | Defaults:jupy !requiretty | ||
| + | Cmnd_Alias JUPYTER_CMD = /usr/local/anaconda3/bin/sudospawner, /bin/sudospawner | ||
| + | |||
| + | # actually give the Hub user permission to run the above command on behalf | ||
| + | # of the above users without prompting for a password | ||
| + | jupy ALL=(%jupyter) NOPASSWD:JUPYTER_CMD | ||
| + | # | ||
| + | |||
| + | Test with: | ||
| + | |||
| + | sudo -u jupy sudo -n -u maurik /usr/local/anaconda3/bin/sudospawner --help | ||
| + | sudo -u jupy /usr/local/anaconda3/bin/jupyterhub -f /etc/jupyterhub/jupyterhub_conf.py | ||
| + | |||
| + | Finally: | ||
| + | |||
| + | Setup /var/log/jupyterhub/ directory owned by jupy. | ||
| + | Setup systemd, see: https://github.com/jupyterhub/jupyterhub/wiki/Run-jupyterhub-as-a-system-service | ||
| + | |||
| + | install the startup script in /etc/jupyterhub like: | ||
| + | |||
| + | #!/bin/bash | ||
| + | # | ||
| + | cd /etc/jupyterhub | ||
| + | # jupyterhub -f jupyterhub_config.py &>> ${logfile} & | ||
| + | |||
| + | start() { | ||
| + | # logfile="/var/log/jupyterhub-$(date +'%Y-%m-%d').log" | ||
| + | mv -f /var/log/jupyterhub/jupyterhub.log /var/log/jupyterhub/jupyterhub-$(date +'%Y-%m-%d').log | ||
| + | . /usr/local/anaconda3/bin/activate base | ||
| + | logfile="/var/log/jupyterhub/jupyterhub.log" | ||
| + | echo $PATH | ||
| + | echo "Debug out going to: " ${logfile} | ||
| + | touch ${logfile} | ||
| + | echo "================= Starting Jupterhub ======================" >> ${logfile} | ||
| + | /bin/date >> ${logfile} | ||
| + | # exec sudo -u jupy /usr/local/anaconda3/bin/jupyterhub -f jupyterhub_config.py &>> ${logfile} | ||
| + | /usr/local/anaconda3/bin/jupyterhub -f jupyterhub_config.py &>> ${logfile} | ||
| + | } | ||
| + | |||
| + | stop() { | ||
| + | exec killall /usr/local/anaconda3/bin/python | ||
| + | } | ||
| + | |||
| + | status(){ | ||
| + | exec ps auwwx | grep jupyter | ||
| + | } | ||
| + | |||
| + | case $1 in | ||
| + | start|stop|status) "$1" ;; | ||
| + | esac | ||
| + | |||
| + | |||
| + | |||
| + | Bug Notes: | ||
| + | Currently this only works with a symlink from /bin/jupyterhub-single-user to the anaconda3 version, and the same for sudospawner. | ||
Latest revision as of 17:00, 19 February 2019
JupyterHub
The JupyterHub system allows you to serve up jupyter notebooks over the web.
Installation
On [roentgen] we use anaconda in /usr/local/anaconda3 for jupyterhub. On other systems, we do not use the Anaconda install, because that does not play nice with ROOT. We would want to use the default python3 in /bin/python3 but that is a 3.4 python, and we need a >=3.5. Yuck! See: Jupyterhub quick start
Python3
First install python3.6 See: Install Python3.6
yum install https://centos7.iuscommunity.org/ius-release.rpm yum install python36u yum install python36u-pip yum install python36u-devel pip3.6 install scipy numpy ipython pandas pip3.6 install jupyter
Jupyter Hub
yum install npm nodejs pip3.6 install jupyterhub npm install -g configurable-http-proxy
Secure Setup With SudoSpawner
Install sudospawner:
pip3.6 install git+https://github.com/jupyter/sudospawner
Create the "jupy" user that will run things, and setup sudo for this user.
useradd jupy # edit /etc/passwd to so jupy has shell /sbin/nologin
Use visudo to add the following at the bottom:
# # For Jupyterhub use with Sudospawner # # the command(s) the Hub can run on behalf of users in jupyter group without needing a password # the exact path may differ, depending on how sudospawner was installed Cmnd_Alias JUPYTER_CMD = /bin/sudospawner # actually give the Hub user permission to run the above command on behalf # of the above users without prompting for a password jupy ALL=(%jupyter) NOPASSWD:JUPYTER_CMD #
Test this with:
sudo -u jupy sudo -n -u maurik /bin/sudospawner --help
Setup Jupyter Hub
Use sudospawner. See: https://github.com/jupyterhub/jupyterhub/wiki/Using-sudo-to-run-JupyterHub-without-root-privileges
Generate the config area and config file:
mkdir /etc/jupyterhub useradd jupy chown jupy:root /etc/jupyterhub cd /etc/jupyterhub
Create new cookie:
cd /etc/jupyterhub openssl rand -hex 32 > jupyterhub_cookie_secret chmod og-r jupyterhub_cookie_secret
Copy the certificate to /home/jupy/certs
mkdir /home/jupy/certs chown jupy /home/jupy/certs cp /etc/letsencrypt/live/endeavour.unh.edu/* /home/jupy/certs
Note: fix the certbot script to copy new certs!
Edit Config file:
c.JupyterHub.hub_ip = '10.0.0.100' c.JupyterHub.ip = 'endeavour.unh.edu' c.JupyterHub.cookie_secret_file = '/etc/jupyterhub/jupyterhub_cookie_secret' c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner' c.JupyterHub.ssl_key = '/home/jupy/certs/privkey.pem' c.JupyterHub.ssl_cert = '/home/jupy/certs/fullchain.pem' c.Spawner.args = ['--ip="0.0.0.0"'] c.Spawner.notebook_dir = '~' # Can change to ~/notebooks c.Authenticator.whitelist = set() c.LocalAuthenticator.group_whitelist = set(['jupyter','npg'])
Setup sudo file:
# # For Jupyterhub use with Sudospawner # # the command(s) the Hub can run on behalf of users in jupyter group without needing a password # the exact path may differ, depending on how sudospawner was installed Defaults:jupy !requiretty Cmnd_Alias JUPYTER_CMD = /usr/local/anaconda3/bin/sudospawner, /bin/sudospawner # actually give the Hub user permission to run the above command on behalf # of the above users without prompting for a password jupy ALL=(%jupyter) NOPASSWD:JUPYTER_CMD #
Test with:
sudo -u jupy sudo -n -u maurik /usr/local/anaconda3/bin/sudospawner --help sudo -u jupy /usr/local/anaconda3/bin/jupyterhub -f /etc/jupyterhub/jupyterhub_conf.py
Finally:
Setup /var/log/jupyterhub/ directory owned by jupy. Setup systemd, see: https://github.com/jupyterhub/jupyterhub/wiki/Run-jupyterhub-as-a-system-service
install the startup script in /etc/jupyterhub like:
#!/bin/bash
#
cd /etc/jupyterhub
# jupyterhub -f jupyterhub_config.py &>> ${logfile} &
start() {
# logfile="/var/log/jupyterhub-$(date +'%Y-%m-%d').log"
mv -f /var/log/jupyterhub/jupyterhub.log /var/log/jupyterhub/jupyterhub-$(date +'%Y-%m-%d').log
. /usr/local/anaconda3/bin/activate base
logfile="/var/log/jupyterhub/jupyterhub.log"
echo $PATH
echo "Debug out going to: " ${logfile}
touch ${logfile}
echo "================= Starting Jupterhub ======================" >> ${logfile}
/bin/date >> ${logfile}
# exec sudo -u jupy /usr/local/anaconda3/bin/jupyterhub -f jupyterhub_config.py &>> ${logfile}
/usr/local/anaconda3/bin/jupyterhub -f jupyterhub_config.py &>> ${logfile}
}
stop() {
exec killall /usr/local/anaconda3/bin/python
}
status(){
exec ps auwwx | grep jupyter
}
case $1 in
start|stop|status) "$1" ;;
esac
Bug Notes: Currently this only works with a symlink from /bin/jupyterhub-single-user to the anaconda3 version, and the same for sudospawner.
