- Installing Jupyter Notebook on CentOS
- Installation and launch
- Running as a service
- Running a notebook server
- Securing a notebook server
- Prerequisite: A notebook configuration file
- Automatic Password setup
- Preparing a hashed password
- Adding hashed password to your notebook configuration file
- Using SSL for encrypted communication
- Running a public notebook server
- Using Let’s Encrypt
- Firewall Setup
- Running the notebook with a customized URL prefix
- Embedding the notebook in another website
- Using a gateway server for kernel management
- Known issues
- Proxies
- Content-Security-Policy (CSP)
- Docker CMD
Installing Jupyter Notebook on CentOS
Jupyter Notebook is an application for creating notebooks and documents from computational material (in the .ipynb format). It should be installed and run as a user other than root. In this guide we perform some of the operations as root and the rest as the user jupyter. The guide applies to Linux CentOS versions 7 and 8.
Before installing, you can try the application online on the official website.
Installation and launch
As root, install the required components:
# yum install gcc python3-devel python3-pip kernel-headers
- gcc: a collection of compilers for various programming languages.
- python3-devel: Python development tools. Libraries and tools for building your own modules and for embedding Python in other applications.
- python3-pip: a tool for installing Python packages.
- kernel-headers: kernel header files. Needed to build kernel modules.
Create the user that will run Jupyter Notebook:
# useradd jupyter -m
* our user will be named jupyter. We also create a home directory for it right away.
Create a firewall rule that allows network connections to Jupyter Notebook:
# firewall-cmd --permanent --add-port=8080/tcp
* this assumes that our service will run on port 8080.
Apply the firewalld settings:
Log in as the newly created jupyter user:
Install the jupyter Python application:
$ pip3 install --user jupyter
You can verify the installation with the command:
We should see the version of the installed application, for example:
jupyter core : 4.7.0
jupyter-notebook : 6.1.5
qtconsole : 4.7.7
ipython : 7.16.1
ipykernel : 5.3.4
jupyter client : 6.1.7
jupyter lab : not installed
nbconvert : 6.0.7
ipywidgets : 7.5.1
nbformat : 5.0.8
traitlets : 4.3.3
* note that the list includes jupyter lab, which is not installed. If desired, install it with the command: pip3 install --user jupyterlab.
Create a configuration file for Jupyter Notebook:
jupyter notebook --generate-config
It should appear in the home directory of the jupyter user:
Writing default config to: /home/jupyter/.jupyter/jupyter_notebook_config.py
Set a password for logging in to the web panel:
$ jupyter notebook password
Enter the password twice; the system will create a hash of it and save it in the user's home directory:
Enter password:
Verify password:
[NotebookPasswordApp] Wrote hashed password to /home/jupyter/.jupyter/jupyter_notebook_config.json
$ jupyter notebook --no-browser --ip=0.0.0.0 --port=8080
* in this example we start jupyter notebook on port 8080 and on all network interfaces.
Open a browser and go to http:// :8080; a page with a password form should open. Enter the password created earlier:
The Jupyter Notebook page will open:
If jupyter notebook does not open in the browser, start another console on the computer running the application and run the command:
ss -tunlp | grep 8080
We should see something like:
tcp LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("jupyter-noteboo",pid=8510,fd=5))
Otherwise, check that the application has actually started. But if the command ss -tunlp | grep 8080 shows a service listening on port 8080, check the firewall settings once more:
We should see the rule:
When finished, you can log out of the jupyter user:
Running as a service
We installed and launched our application from the console. However, if we want Jupyter Notebook to start automatically as a service, create a systemd unit:
[Unit]
Description=Jupyter Notebook Service
After=network.target
[Service]
User=jupyter
Group=jupyter
Type=simple
WorkingDirectory=/home/jupyter
ExecStart=/home/jupyter/.local/bin/jupyter notebook --no-browser --ip=0.0.0.0 --port=8080
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
Running a notebook server
The Jupyter notebook web application is based on a server-client structure. The notebook server uses a two-process kernel architecture based on ZeroMQ, as well as Tornado for serving HTTP requests.
By default, a notebook server runs locally at 127.0.0.1:8888 and is accessible only from localhost. You may access the notebook server from the browser using http://127.0.0.1:8888.
This document describes how you can secure a notebook server and how to run it on a public interface.
This is not the multi-user server you are looking for. This document describes how you can run a public server with a single user. This should only be done by someone who wants remote access to their personal machine. Even so, doing this requires a thorough understanding of the setup's limitations and security implications. If you allow multiple users to access a notebook server as it is described in this document, their commands may collide, clobber and overwrite each other.
If you want a multi-user server, the official solution is JupyterHub. To use JupyterHub, you need a Unix server (typically Linux) running somewhere that is accessible to your users on a network. This may run over the public internet, but doing so introduces additional security concerns.
Securing a notebook server
You can protect your notebook server with a simple single password. As of notebook 5.0 this can be done automatically. To set up a password manually you can configure the NotebookApp.password setting in jupyter_notebook_config.py.
Prerequisite: A notebook configuration file
Check to see if you have a notebook configuration file, jupyter_notebook_config.py. The default location for this file is your Jupyter folder located in your home directory:
OS X: /Users/USERNAME/.jupyter/jupyter_notebook_config.py
If you don’t already have a Jupyter folder, or if your Jupyter folder doesn’t contain a notebook configuration file, run the following command:
This command will create the Jupyter folder if necessary, and create a notebook configuration file, jupyter_notebook_config.py, in this folder.
Automatic Password setup
As of notebook 5.3, the first time you log in using a token, the notebook server should give you the opportunity to set up a password from the user interface.
You will be presented with a form asking for the current token, as well as your new password; enter both and click on Login and setup new password.
Next time you need to log in you’ll be able to use the new password instead of the login token, otherwise follow the procedure to set a password from the command line.
The ability to change the password at first login time may be disabled by integrations by setting --NotebookApp.allow_password_change=False.
Starting at notebook version 5.0, you can enter and store a password for your notebook server with a single command. jupyter notebook password will prompt you for your password and record the hashed password in your jupyter_notebook_config.json.
This can be used to reset a lost password; or if you believe your credentials have been leaked and desire to change your password. Changing your password will invalidate all logged-in sessions after a server restart.
Preparing a hashed password
You can prepare a hashed password manually, using the function notebook.auth.security.passwd():
passwd() when called with no arguments will prompt you to enter and verify your password such as in the above code snippet. Although the function can also be passed a string as an argument such as passwd('mypassword'), please do not pass a string as an argument inside an IPython session, as it will be saved in your input history.
Adding hashed password to your notebook configuration file
You can then add the hashed password to your jupyter_notebook_config.py. The default location for this file jupyter_notebook_config.py is in your Jupyter folder in your home directory,
Automatic password setup will store the hash in jupyter_notebook_config.json while this method stores the hash in jupyter_notebook_config.py. The .json configuration options take precedence over the .py one, thus the manual password may not take effect if the JSON file has a password set.
Using SSL for encrypted communication
When using a password, it is a good idea to also use SSL with a web certificate, so that your hashed password is not sent unencrypted by your browser.
Web security is rapidly changing and evolving. We provide this document as a convenience to the user, and recommend that the user keep current on changes that may impact security, such as new releases of OpenSSL. The Open Web Application Security Project (OWASP) website is a good resource on general security issues and web practices.
You can start the notebook to communicate via a secure protocol mode by setting the certfile option to your self-signed certificate, i.e. mycert.pem, with the command:
A self-signed certificate can be generated with openssl. For example, the following command will create a certificate valid for 365 days with both the key and certificate data written to the same file:
When starting the notebook server, your browser may warn that your self-signed certificate is insecure or unrecognized. If you wish to have a fully compliant self-signed certificate that will not raise warnings, it is possible (but rather involved) to create one, as explained in detail in this tutorial. Alternatively, you may use Let’s Encrypt to acquire a free SSL certificate and follow the steps in Using Let’s Encrypt to set up a public server.
Running a public notebook server
If you want to access your notebook server remotely via a web browser, you can do so by running a public notebook server. For optimal security when running a public notebook server, you should first secure the server with a password and SSL/HTTPS as described in Securing a notebook server.
Start by creating a certificate file and a hashed password, as explained in Securing a notebook server.
If you don’t already have one, create a config file for the notebook using the following command line:
/.jupyter directory, edit the notebook config file, jupyter_notebook_config.py. By default, the notebook config file has all fields commented out. The minimum set of configuration options that you should uncomment and edit in jupyter_notebook_config.py is the following:
You can then start the notebook using the jupyter notebook command.
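A check of the settings discussed in the sections above, as an added example that is not part of the Jupyter documentation or project code: it merges values from jupyter_notebook_config.py and jupyter_notebook_config.json with the .json file taking precedence, then flags a public interface without a password, a password without a certfile, and a .py password shadowed by the .json one. The function names, the dictionary of .py values supplied by the caller, and the placeholder hashes are assumptions made for illustration.

```python
# Added example (not Jupyter project code): audit merged NotebookApp settings.
import json

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def effective_settings(py_settings, json_text):
    """Merge as the page describes: values from the .json file override .py."""
    merged = dict(py_settings)
    merged.update(json.loads(json_text).get("NotebookApp", {}))
    return merged

def audit(py_settings, json_text):
    """Return findings for the configuration that will actually take effect.

    Assumption: py_settings is a dict of the NotebookApp options the caller
    found set in jupyter_notebook_config.py (this sketch does not parse it).
    """
    json_settings = json.loads(json_text).get("NotebookApp", {})
    cfg = effective_settings(py_settings, json_text)
    findings = []
    # NotebookApp.ip defaults to localhost; other values are treated as public.
    if cfg.get("ip", "localhost") not in LOOPBACK and not cfg.get("password"):
        findings.append("public interface without a password")
    if cfg.get("password") and not cfg.get("certfile"):
        findings.append("password set without certfile: login goes over plain HTTP")
    py_pw, json_pw = py_settings.get("password"), json_settings.get("password")
    if py_pw and json_pw and py_pw != json_pw:
        findings.append("password in .py is shadowed by the one in .json")
    return findings

# Constructed sample: a server started on all interfaces with a manual hash in
# the .py file and an older hash left in the .json file. Hashes are placeholders.
SAMPLE_PY = {"ip": "0.0.0.0", "port": 8080, "password": "PLACEHOLDER-HASH-PY"}
SAMPLE_JSON = '{"NotebookApp": {"password": "PLACEHOLDER-HASH-JSON"}}'

if __name__ == "__main__":
    for finding in audit(SAMPLE_PY, SAMPLE_JSON):
        print("finding:", finding)
```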
Using Let’s Encrypt
Let’s Encrypt provides free SSL/TLS certificates. You can also set up a public server using a Let’s Encrypt certificate.
Running a public notebook server will be similar when using a Let’s Encrypt certificate with a few configuration changes. Here are the steps:
If you don’t already have config file for the notebook, create one using the following command:
/.jupyter directory, edit the notebook config file, jupyter_notebook_config.py. By default, the notebook config file has all fields commented out. The minimum set of configuration options that you should uncomment and edit in jupyter_notebook_config.py is the following:
You can then start the notebook using the jupyter notebook command.
Use ‘https’. Keep in mind that when you enable SSL support, you must access the notebook server over https://, not over plain http://. The startup message from the server prints a reminder in the console, but it is easy to overlook this detail and think the server is for some reason non-responsive.
When using SSL, always access the notebook server with ‘https://’.
You may now access the public server by pointing your browser to https://your.host.com:9999 where your.host.com is your public server’s domain.
Firewall Setup
To function correctly, the firewall on the computer running the jupyter notebook server must be configured to allow connections from client machines on the access port c.NotebookApp.port set in jupyter_notebook_config.py to allow connections to the web interface. The firewall must also allow connections from 127.0.0.1 (localhost) on ports from 49152 to 65535. These ports are used by the server to communicate with the notebook kernels. The kernel communication ports are chosen randomly by ZeroMQ, and may require multiple connections per kernel, so a large range of ports must be accessible.
Running the notebook with a customized URL prefix
The notebook dashboard, which is the landing page with an overview of the notebooks in your working directory, is typically found and accessed at the default URL http://localhost:8888/.
If you prefer to customize the URL prefix for the notebook dashboard, you can do so through modifying jupyter_notebook_config.py. For example, if you prefer that the notebook dashboard be located with a sub-directory that contains other ipython files, e.g. http://localhost:8888/ipython/, you can do so with configuration options like the following (see above for instructions about modifying jupyter_notebook_config.py):
Embedding the notebook in another website
Sometimes you may want to embed the notebook somewhere on your website, e.g. in an IFrame. To do this, you may need to override the Content-Security-Policy to allow embedding. Assuming your website is at https://mywebsite.example.com, you can embed the notebook on your website with the following configuration setting in jupyter_notebook_config.py:
When embedding the notebook in a website using an iframe, consider putting the notebook in single-tab mode. Since the notebook opens some links in new tabs by default, single-tab mode keeps the notebook from opening additional tabs. Adding the following to /.jupyter/custom/custom.js will enable single-tab mode:
Using a gateway server for kernel management
You are now able to redirect the management of your kernels to a Gateway Server (i.e., Jupyter Kernel Gateway or Jupyter Enterprise Gateway) simply by specifying a Gateway URL via the following command-line option:
or in jupyter_notebook_config.py:
When provided, all kernel specifications will be retrieved from the specified Gateway server and all kernels will be managed by that server. This option enables the ability to target kernel processes against managed clusters while allowing for the notebook’s management to remain local to the Notebook server.
Known issues
Proxies
When behind a proxy, especially if your system or browser is set to autodetect the proxy, the notebook web application might fail to connect to the server’s websockets, and present you with a warning at startup. In this case, you need to configure your system not to use the proxy for the server’s address.
For example, in Firefox, go to the Preferences panel, Advanced section, Network tab, click ‘Settings…’, and add the address of the notebook server to the ‘No proxy for’ field.
Content-Security-Policy (CSP)
Certain security guidelines recommend that servers use a Content-Security-Policy (CSP) header to prevent cross-site scripting vulnerabilities, specifically limiting to default-src https: when possible. This directive causes two problems with Jupyter. First, it disables execution of inline JavaScript code, which is used extensively by Jupyter. Second, it limits communication to the https scheme, and prevents WebSockets from working because they communicate via the wss scheme (or ws for insecure communication). Jupyter uses WebSockets for interacting with kernels, so when you visit a server with such a CSP, your browser will block attempts to use wss, which will cause you to see “Connection failed” messages from jupyter notebooks, or simply no response from jupyter terminals. By looking in your browser’s JavaScript console, you can see any error messages that will explain what is failing.
To avoid these problems, you need to add 'unsafe-inline' and connect-src https: wss: to your CSP header, at least for pages served by jupyter. (That is, you can leave your CSP unchanged for other parts of your website.) Note that multiple CSP headers are allowed, but successive CSP headers can only restrict the policy; they cannot loosen it. For example, if your server sends both of these headers
Content-Security-Policy "default-src https: 'unsafe-inline'"
Content-Security-Policy "connect-src https: wss:"
the first policy will already eliminate wss connections, so the second has no effect. Therefore, you can’t simply add the second header; you have to actually modify your CSP header to look more like this:
Content-Security-Policy "default-src https: 'unsafe-inline'; connect-src https: wss:"
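The header behaviour described above, modelled as an added example that is not part of the Jupyter documentation: each delivered policy is evaluated separately, connect-src falls back to default-src when absent, and a WebSocket connection is allowed only if every policy allows it. This is a simplified model that handles scheme sources only (no host sources or 'self'); the function names and the sample kernel URL are assumptions made for illustration.

```python
# Added example: simplified model of how a browser combines several CSP headers.
from urllib.parse import urlsplit

def parse_policy(header_value):
    """Parse one CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def scheme_matches(source_scheme, url_scheme):
    """CSP Level 3 scheme matching: a source also covers its secure upgrade."""
    upgrades = {"http": {"https"}, "ws": {"wss", "http", "https"}, "wss": {"https"}}
    return source_scheme == url_scheme or url_scheme in upgrades.get(source_scheme, set())

def policy_allows_connect(policy, url):
    """connect-src governs WebSockets; it falls back to default-src if absent."""
    if "connect-src" in policy:
        sources = policy["connect-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]
    else:
        return True  # no applicable directive: this policy does not restrict
    url_scheme = urlsplit(url).scheme
    for src in sources:
        # Only scheme sources such as "https:" are modelled here.
        if src.endswith(":") and scheme_matches(src[:-1].lower(), url_scheme):
            return True
    return False

def connection_allowed(header_values, url):
    """Every delivered policy must allow the request; headers only restrict."""
    return all(policy_allows_connect(parse_policy(h), url) for h in header_values)

# Constructed sample: the WebSocket URL a notebook page would open to a kernel.
KERNEL_WS = "wss://notebook.example.com/api/kernels/constructed-id/channels"
TWO_HEADERS = ["default-src https: 'unsafe-inline'", "connect-src https: wss:"]
ONE_HEADER = ["default-src https: 'unsafe-inline'; connect-src https: wss:"]

if __name__ == "__main__":
    print("two headers:", connection_allowed(TWO_HEADERS, KERNEL_WS))
    print("one merged header:", connection_allowed(ONE_HEADER, KERNEL_WS))
```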
Docker CMD
Using jupyter notebook as a Docker CMD results in kernels repeatedly crashing, likely due to a lack of PID reaping. To avoid this, use the tini init as your Dockerfile ENTRYPOINT: