EGI Advanced Computing for Research www egi eu

EGI: Advanced Computing for Research www. egi. eu @EGI_e. Infra EGI Notebooks training Get your own Jupyterhub! Enol Fernández enol. fernandez@egi. eu The work of the EGI Foundation is partly funded by the European Commission under H 2020 Framework Programme

Disclaimer: This is not a training for using notebooks! Target audience is site admins willing to deploy a notebook service for their users www. egi. eu @EGI_e. Infra 12/03/2021 2

Training objectives • Learn the basics of Jupyter. Hub on Kubernetes • Learn about the EGI Notebooks customisations § Check-in § Monitoring § Accounting • Hands on practice § Deploy your own Jupyter. Hub with Check-in authentication www. egi. eu @EGI_e. Infra 12/03/2021 3

Feedback form https: //www. surveymonkey. com/r/Jupyterhub_development www. egi. eu @EGI_e. Infra 12/03/2021 4

The Jupyter Notebook in a nutshell • Non-profit, open-source, interactive platform for Data Science born out of the i. Python project in 2014 • Released under the BSD license • Notebooks can be shared with others using email, Dropbox, Git. Hub www. egi. eu @EGI_e. Infra 12/03/2021 5

Some key features Language of choice The Notebook has support for over 40 programming languages, including Python, R, Julia and Scala Share notebooks Notebooks can be shared with others using email, Dropbox, Git. Hub and the Jupyter Notebook Viewer Interactive output Your code can produce interactive output: HTML, images, videos, La. Te. X, and custom MIME types Big data integration Leverage big data tools, such as Apache Spark for Python, R and Scala. www. egi. eu @EGI_e. Infra 12/03/2021 6

Jupyter Architecture Kernels Python R HTTP/WS Notebook Server ZMQ Julia . ipynb … www. egi. eu @EGI_e. Infra 12/03/2021 7

Jupyter. Hub • Jupyter is single user by design • Jupyter. Hub is a multi-user version of notebook designed for companies, classrooms and research labs § Manages Authentication § Spawns single-users notebooks servers on-demand § Gives each user a complete Jupyter server www. egi. eu @EGI_e. Infra 12/03/2021 8

Jupyter. Hub: how it works • Login data is handed to the Authenticator instance for validation • The Authenticator returns the username if the login information is valid • A single-user notebook server instance is spawned for the logged-in user • When the single-user notebook server starts, the proxy is notified to forward requests to `/user/[username]/*` to the single-user notebook server. • A cookie is set on `/hub/`, containing an encrypted token. • The browser is redirected to `/user/[username]`, and the request is handled by the single-user notebook server. www. egi. eu @EGI_e. Infra 12/03/2021 9

Authenticators • Deals with Authentication • Default is PAM, but lots of them available § § § § OAuth 2. 0 (Open. ID Connect can be included here) Dummy LDAP Kerberos REMOTE_USER JSON Web token Shibboleth … • Also easy to customise: § https: //jupyterhub. readthedocs. io/en/latest/reference/authenticators. html www. egi. eu @EGI_e. Infra 12/03/2021 10

Spawner • Spawns notebooks § start the process § Poll whether the process is still running § stop the process • Some examples: § Batch. Spawner § Docker. Spawner § Kube. Spawner § Sudo. Spawner § Wrap. Spawner • https: //jupyterhub. readthedocs. io/en/latest/reference/spawners. html www. egi. eu @EGI_e. Infra 12/03/2021 11

Kubernetes (in few minutes) Container App A Container App B Schedule containers to physical or virtual machines Restart containers if they stop Provide private container network Scale up and down Service discovery www. egi. eu Infrastructure 12 @EGI_e. Infra 12/03/2021 12

Kubernetes concepts • Pod: group of one or more containers, shared storage and options to run the containers • Deployment maintains the desired count of Pods all the time • Service: logical set of Pods and a policy by which to access them. § Own IP, entry in DNS, loadbalancer toward pods • Job: A job creates one or more pods and ensures that a specified number of them successfully terminate. • Volume: exposes persistent storage to the Pod • Persistent. Volume/Persistent. Volume. Claim: abstracs the management of volumes from underlying technology www. egi. eu @EGI_e. Infra 12/03/2021 13

Kubernetes: sample deployment api. Version: apps/v 1 kind: Deployment metadata: name: frontend spec: selector: match. Labels: app: guestbook tier: frontend replicas: 3 template: metadata: labels: app: guestbook tier: frontend 12/03/2021 spec: containers: - name: php-redis image: gcr. io/google-samples/gb-frontend: v 4 resources: requests: cpu: 100 m memory: 100 Mi env: - name: GET_HOSTS_FROM value: dns ports: - container. Port: 80 www. egi. eu 14 @EGI_e. Infra 12/03/2021 14

Kubernetes and Jupyter. Hub proxy service proxy deployment hub service redirects hub deployment hub volume spawns: create pods and volumes redirects single user pod User volume Kubernetes www. egi. eu @EGI_e. Infra 12/03/2021 15

Kubernetes and Jupyter. Hub ingress proxy service proxy deployment hub service redirects hub deployment hub volume spawns: create pods and volumes redirects single user pod User volume Kubernetes www. egi. eu @EGI_e. Infra 12/03/2021 16

Let’s see it in action www. egi. eu @EGI_e. Infra 12/03/2021 17

Helm • Helm is a package manager for Kubernetes • Allows to easily install applications/services easily • Creates from templates all the k 8 s objects needed to run the application • Wide catalogue of charts with sane defaults www. egi. eu 18 @EGI_e. Infra 12/03/2021 18

Helm + Jupyterhub • Easy way to get started with Jupyter. Hub • But very configurable to match your needs $ cat config. yaml proxy: secret. Token: <some-secret> $ helm install jupyterhub/jupyterhub --version=v 0. 8 --name=jupyterhub --namespace=jupyterhub -f config. yaml $ helm upgrade jupyterhub/jupyterhub --version=v 0. 9 -f config. yaml www. egi. eu 19 @EGI_e. Infra 12/03/2021 19

Customising • Jupyter. Hub helm chart is highly adaptable to your needs § What image the users should run § What storage should the users have associated with § What kind of authentication should be used §… • EGI Notebooks is mostly customisation of the Jupyter. Hub helm § Using our notebooks images § With EGI Check-in Authentication § NFS Persistent Volumes § And some extra pods deployed for monitoring and accounting www. egi. eu 20 @EGI_e. Infra 12/03/2021 20

EGI Notebooks • Jupyter. Hub hosted in the EGI Cloud § Offers Jupyter notebooks ‘as Service’ § One-click solution: login and start using • Extra EGI Features: § Login with the EGI AAI Check-In service § Persistent storage for notebooks § Bring your own environments/kernels § Use EGI computing and storage resources from your notebooks www. egi. eu @EGI_e. Infra 12/03/2021 21

Monitoring • Even if the pods are online, ¿are they working as expected? § Kubernetes has its own liveness / readiness for pods, but didn’t want to touch too much the hub, § how can we know from the EGI ARGO if the service is actually ready to run notebooks? o Nagios, Cent. OS 6, prehistoric python • egi-notebooks-monitor § Every hour tries to create a new notebook o So it resembles user behaviour and will fail if the system is not properly working § Epxposes as a Jupyter. Hub service the result of the last trial § Nagios just goes to that URL and checks status www. egi. eu @EGI_e. Infra 12/03/2021 22

Monitoring www. egi. eu @EGI_e. Infra 12/03/2021 23

Accounting • Report back to EGI accounting the usage of resources per user § Re-use the VM accounting record (collects CPU, memory, network) • egi-notebooks-accounting § “watches” pods of users and registers them into a SQLite DB § periodically (every 6 hours) o contacts Prometheus and extract usage information from pods and dumps them into accounting records o Sends the records to APEL accounting repository www. egi. eu @EGI_e. Infra 12/03/2021 24

Prometheus www. egi. eu @EGI_e. Infra 12/03/2021 25

Hands-on Deploy your own instance www. egi. eu @EGI_e. Infra 12/03/2021 26

Getting kubernetes • Commercial ready-to-use k 8 s § Google Kubernetes Engine (GKE) § Azure Container Service (AKS) § Amazon Elastic Container Service for Kubernetes (Amazon EKS) §… • On premises deployment: § Open. Stack Magnum § kubeadm, kubeops § Kubernetes the hard way • EGI Cloud Container Compute § Ansible roles around kubeadm www. egi. eu 27 @EGI_e. Infra 12/03/2021 27

Getting started Copy and paste from http: //go. egi. eu/notebooks-deploy • Login to https: //training-deployment. fedcloud-tf. fedcloud. eu • Create a new terminal and init helm init --client-only • Try to use some kubernetes commands: § kubectl get nodes § helm list www. egi. eu @EGI_e. Infra 12/03/2021 28

The simplest notebook • Get a host name at https: //nsupdate. fedcloud. eu, set IP as 147. 228. 242. 9 • Generate a unique random token openssl rand -hex 32 • Edit the notebooks. yaml, add the key and adjust ingress to point to your newly created host name • Install helm install jupyterhub/jupyterhub --version=0. 8 --name=<some name> --namespace=<same name> -f notebooks. yaml • Test! www. egi. eu @EGI_e. Infra 12/03/2021 29

Authentication • Go to https: //aai-dev. egi. eu/oidc/ • Create a new client, use https: //<your DNS name>/hub/oauth_callback • Edit the notebooks-checkin. yaml and add your client id/secrets • Upgrade: helm upgrade -f notebooks-checkin. yaml --version=0. 8 <your app name> jupyterhub/jupyterhub • Test! www. egi. eu @EGI_e. Infra 12/03/2021 30

(EGI) Monitoring • Create a new random token: openssl rand -hex 32 • Uncomment the extra service information to notebooks-checkin. yaml and upgrade: helm upgrade -f notebooks-checkin. yaml --version=0. 8 <your app name> jupyterhub/jupyterhub • Add the token to monitor. yaml and install helm install -f monitor. yaml notebooks/notebooks-monitor --version=0. 1. 1 -ec 59 f 3 b --name <some unique naming> --namespace <same namespace used before!> • Check it works https: //<your host>/services/status www. egi. eu @EGI_e. Infra 12/03/2021 31

More EGI Customisation • EGI Notebooks still has some further customisation • Hub: § A Check-in Authenticator that is able to refresh tokens when requested § A D 4 Science authenticator for integration with VREs § Some hooks in the spawner to make sure we don’t mess with the user storage § Changes to the front login page to include some service description • Single User § Lots of packages requested by users • https: //github. com/EGI-Foundation/egi-notebooks-images www. egi. eu @EGI_e. Infra 12/03/2021 32

Storage • Storage is very-installation specific • Anything that can be expressed as k 8 s volumes is easily usable • At EGI we have tried/used: § NFS § B 2 DROP § One. Data § Cinder volumes www. egi. eu @EGI_e. Infra 12/03/2021 33

Summary • Jupyter. Hub allows to provide Jupyter Notebook as a Service for your users • Kubernetes provides a foundation for operating the service • Jupyterhub is very customisable to your needs § EGI Notebooks is such a customisation • Deploying your own notebook instance can be easily done with a running kubernetes and helm www. egi. eu @EGI_e. Infra 12/03/2021 34

Some pointers Jupyterhub: https: //jupyterhub. readthedocs. io/en/stable/ Kubernetes: https: //kubernetes. io/ Helm: https: //www. helm. sh/ Zero to Jupyterhub: https: //zero-tojupyterhub. readthedocs. io/en/latest/index. html • EGI helm charts: https: //egi-foundation. github. io/egi-notebooks-chart/ • EGI Notebooks: https: //notebooks. egi. eu • • www. egi. eu @EGI_e. Infra 12/03/2021 35