Difference between revisions of "Jupyterhub"
(10 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
== Installation == | == Installation == | ||
− | + | On [roentgen] we use anaconda in /usr/local/anaconda3 for jupyterhub. On other systems, we do not use the Anaconda install, because that does not play nice with ROOT. We would want to use the default python3 in /bin/python3 but that is a 3.4 python, and we need a >=3.5. Yuck! | |
See: [https://jupyterhub.readthedocs.io/en/stable/quickstart.html Jupyterhub quick start] | See: [https://jupyterhub.readthedocs.io/en/stable/quickstart.html Jupyterhub quick start] | ||
Line 25: | Line 25: | ||
npm install -g configurable-http-proxy | npm install -g configurable-http-proxy | ||
− | Create the /etc/ | + | === Secure Setup With SudoSpawner === |
+ | |||
+ | Install sudospawner: | ||
+ | |||
+ | pip3.6 install git+https://github.com/jupyter/sudospawner | ||
+ | |||
+ | Create the "jupy" user that will run things, and setup sudo for this user. | ||
+ | |||
+ | useradd jupy | ||
+ | # edit /etc/passwd to so jupy has shell /sbin/nologin | ||
+ | |||
+ | Use visudo to add the following at the bottom: | ||
+ | # | ||
+ | # For Jupyterhub use with Sudospawner | ||
+ | # | ||
+ | # the command(s) the Hub can run on behalf of users in jupyter group without needing a password | ||
+ | # the exact path may differ, depending on how sudospawner was installed | ||
+ | Cmnd_Alias JUPYTER_CMD = /bin/sudospawner | ||
+ | |||
+ | # actually give the Hub user permission to run the above command on behalf | ||
+ | # of the above users without prompting for a password | ||
+ | jupy ALL=(%jupyter) NOPASSWD:JUPYTER_CMD | ||
+ | # | ||
+ | |||
+ | Test this with: | ||
+ | sudo -u jupy sudo -n -u maurik /bin/sudospawner --help | ||
+ | |||
+ | === Setup Jupyter Hub === | ||
+ | |||
+ | Use sudospawner. See: https://github.com/jupyterhub/jupyterhub/wiki/Using-sudo-to-run-JupyterHub-without-root-privileges | ||
+ | |||
+ | Generate the config area and config file: | ||
+ | |||
+ | mkdir /etc/jupyterhub | ||
+ | useradd jupy | ||
+ | chown jupy:root /etc/jupyterhub | ||
+ | cd /etc/jupyterhub | ||
Create new cookie: | Create new cookie: | ||
Line 31: | Line 67: | ||
cd /etc/jupyterhub | cd /etc/jupyterhub | ||
openssl rand -hex 32 > jupyterhub_cookie_secret | openssl rand -hex 32 > jupyterhub_cookie_secret | ||
+ | chmod og-r jupyterhub_cookie_secret | ||
+ | |||
+ | Copy the certificate to /home/jupy/certs | ||
+ | |||
+ | mkdir /home/jupy/certs | ||
+ | chown jupy /home/jupy/certs | ||
+ | cp /etc/letsencrypt/live/endeavour.unh.edu/* /home/jupy/certs | ||
+ | |||
+ | Note: fix the certbot script to copy new certs! | ||
+ | |||
+ | Edit Config file: | ||
+ | |||
+ | c.JupyterHub.hub_ip = '10.0.0.100' | ||
+ | c.JupyterHub.ip = 'endeavour.unh.edu' | ||
+ | c.JupyterHub.cookie_secret_file = '/etc/jupyterhub/jupyterhub_cookie_secret' | ||
+ | c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner' | ||
+ | c.JupyterHub.ssl_key = '/home/jupy/certs/privkey.pem' | ||
+ | c.JupyterHub.ssl_cert = '/home/jupy/certs/fullchain.pem' | ||
+ | c.Spawner.args = ['--ip="0.0.0.0"'] | ||
+ | c.Spawner.notebook_dir = '~' # Can change to ~/notebooks | ||
+ | c.Authenticator.whitelist = set() | ||
+ | c.LocalAuthenticator.group_whitelist = set(['jupyter','npg']) | ||
+ | |||
+ | Setup sudo file: | ||
+ | # | ||
+ | # For Jupyterhub use with Sudospawner | ||
+ | # | ||
+ | # the command(s) the Hub can run on behalf of users in jupyter group without needing a password | ||
+ | # the exact path may differ, depending on how sudospawner was installed | ||
+ | Defaults:jupy !requiretty | ||
+ | Cmnd_Alias JUPYTER_CMD = /usr/local/anaconda3/bin/sudospawner, /bin/sudospawner | ||
+ | |||
+ | # actually give the Hub user permission to run the above command on behalf | ||
+ | # of the above users without prompting for a password | ||
+ | jupy ALL=(%jupyter) NOPASSWD:JUPYTER_CMD | ||
+ | # | ||
+ | |||
+ | Test with: | ||
+ | |||
+ | sudo -u jupy sudo -n -u maurik /usr/local/anaconda3/bin/sudospawner --help | ||
+ | sudo -u jupy /usr/local/anaconda3/bin/jupyterhub -f /etc/jupyterhub/jupyterhub_conf.py | ||
+ | |||
+ | Finally: | ||
+ | |||
+ | Setup /var/log/jupyterhub/ directory owned by jupy. | ||
+ | Setup systemd, see: https://github.com/jupyterhub/jupyterhub/wiki/Run-jupyterhub-as-a-system-service | ||
+ | |||
+ | install the startup script in /etc/jupyterhub like: | ||
+ | |||
+ | #!/bin/bash | ||
+ | # | ||
+ | cd /etc/jupyterhub | ||
+ | # jupyterhub -f jupyterhub_config.py &>> ${logfile} & | ||
+ | |||
+ | start() { | ||
+ | # logfile="/var/log/jupyterhub-$(date +'%Y-%m-%d').log" | ||
+ | mv -f /var/log/jupyterhub/jupyterhub.log /var/log/jupyterhub/jupyterhub-$(date +'%Y-%m-%d').log | ||
+ | . /usr/local/anaconda3/bin/activate base | ||
+ | logfile="/var/log/jupyterhub/jupyterhub.log" | ||
+ | echo $PATH | ||
+ | echo "Debug out going to: " ${logfile} | ||
+ | touch ${logfile} | ||
+ | echo "================= Starting Jupterhub ======================" >> ${logfile} | ||
+ | /bin/date >> ${logfile} | ||
+ | # exec sudo -u jupy /usr/local/anaconda3/bin/jupyterhub -f jupyterhub_config.py &>> ${logfile} | ||
+ | /usr/local/anaconda3/bin/jupyterhub -f jupyterhub_config.py &>> ${logfile} | ||
+ | } | ||
+ | |||
+ | stop() { | ||
+ | exec killall /usr/local/anaconda3/bin/python | ||
+ | } | ||
+ | |||
+ | status(){ | ||
+ | exec ps auwwx | grep jupyter | ||
+ | } | ||
+ | |||
+ | case $1 in | ||
+ | start|stop|status) "$1" ;; | ||
+ | esac | ||
− | |||
− | |||
− | + | Bug Notes: | |
+ | Currently this only works with a symlink from /bin/jupyterhub-single-user to the anaconda3 version, and the same for sudospawner. |
Latest revision as of 17:00, 19 February 2019
JupyterHub
The JupyterHub system allows you to serve up jupyter notebooks over the web.
Installation
On [roentgen] we use anaconda in /usr/local/anaconda3 for jupyterhub. On other systems, we do not use the Anaconda install, because that does not play nice with ROOT. We would want to use the default python3 in /bin/python3 but that is a 3.4 python, and we need a >=3.5. Yuck! See: Jupyterhub quick start
Python3
First install python3.6 See: Install Python3.6
yum install https://centos7.iuscommunity.org/ius-release.rpm yum install python36u yum install python36u-pip yum install python36u-devel pip3.6 install scipy numpy ipython pandas pip3.6 install jupyter
Jupyter Hub
yum install npm nodejs pip3.6 install jupyterhub npm install -g configurable-http-proxy
Secure Setup With SudoSpawner
Install sudospawner:
pip3.6 install git+https://github.com/jupyter/sudospawner
Create the "jupy" user that will run things, and setup sudo for this user.
useradd jupy # edit /etc/passwd to so jupy has shell /sbin/nologin
Use visudo to add the following at the bottom:
# # For Jupyterhub use with Sudospawner # # the command(s) the Hub can run on behalf of users in jupyter group without needing a password # the exact path may differ, depending on how sudospawner was installed Cmnd_Alias JUPYTER_CMD = /bin/sudospawner # actually give the Hub user permission to run the above command on behalf # of the above users without prompting for a password jupy ALL=(%jupyter) NOPASSWD:JUPYTER_CMD #
Test this with:
sudo -u jupy sudo -n -u maurik /bin/sudospawner --help
Setup Jupyter Hub
Use sudospawner. See: https://github.com/jupyterhub/jupyterhub/wiki/Using-sudo-to-run-JupyterHub-without-root-privileges
Generate the config area and config file:
mkdir /etc/jupyterhub useradd jupy chown jupy:root /etc/jupyterhub cd /etc/jupyterhub
Create new cookie:
cd /etc/jupyterhub openssl rand -hex 32 > jupyterhub_cookie_secret chmod og-r jupyterhub_cookie_secret
Copy the certificate to /home/jupy/certs
mkdir /home/jupy/certs chown jupy /home/jupy/certs cp /etc/letsencrypt/live/endeavour.unh.edu/* /home/jupy/certs
Note: fix the certbot script to copy new certs!
Edit Config file:
c.JupyterHub.hub_ip = '10.0.0.100' c.JupyterHub.ip = 'endeavour.unh.edu' c.JupyterHub.cookie_secret_file = '/etc/jupyterhub/jupyterhub_cookie_secret' c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner' c.JupyterHub.ssl_key = '/home/jupy/certs/privkey.pem' c.JupyterHub.ssl_cert = '/home/jupy/certs/fullchain.pem' c.Spawner.args = ['--ip="0.0.0.0"'] c.Spawner.notebook_dir = '~' # Can change to ~/notebooks c.Authenticator.whitelist = set() c.LocalAuthenticator.group_whitelist = set(['jupyter','npg'])
Setup sudo file:
# # For Jupyterhub use with Sudospawner # # the command(s) the Hub can run on behalf of users in jupyter group without needing a password # the exact path may differ, depending on how sudospawner was installed Defaults:jupy !requiretty Cmnd_Alias JUPYTER_CMD = /usr/local/anaconda3/bin/sudospawner, /bin/sudospawner # actually give the Hub user permission to run the above command on behalf # of the above users without prompting for a password jupy ALL=(%jupyter) NOPASSWD:JUPYTER_CMD #
Test with:
sudo -u jupy sudo -n -u maurik /usr/local/anaconda3/bin/sudospawner --help sudo -u jupy /usr/local/anaconda3/bin/jupyterhub -f /etc/jupyterhub/jupyterhub_conf.py
Finally:
Setup /var/log/jupyterhub/ directory owned by jupy. Setup systemd, see: https://github.com/jupyterhub/jupyterhub/wiki/Run-jupyterhub-as-a-system-service
install the startup script in /etc/jupyterhub like:
#!/bin/bash # cd /etc/jupyterhub # jupyterhub -f jupyterhub_config.py &>> ${logfile} & start() { # logfile="/var/log/jupyterhub-$(date +'%Y-%m-%d').log" mv -f /var/log/jupyterhub/jupyterhub.log /var/log/jupyterhub/jupyterhub-$(date +'%Y-%m-%d').log . /usr/local/anaconda3/bin/activate base logfile="/var/log/jupyterhub/jupyterhub.log" echo $PATH echo "Debug out going to: " ${logfile} touch ${logfile} echo "================= Starting Jupterhub ======================" >> ${logfile} /bin/date >> ${logfile} # exec sudo -u jupy /usr/local/anaconda3/bin/jupyterhub -f jupyterhub_config.py &>> ${logfile} /usr/local/anaconda3/bin/jupyterhub -f jupyterhub_config.py &>> ${logfile} } stop() { exec killall /usr/local/anaconda3/bin/python } status(){ exec ps auwwx | grep jupyter } case $1 in start|stop|status) "$1" ;; esac
Bug Notes: Currently this only works with a symlink from /bin/jupyterhub-single-user to the anaconda3 version, and the same for sudospawner.