# JupyterHub - MaxFordham

Documentation and configuration files in the following repository: https://github.com/QuantStack/jupyterhub-maxfordham

## Questions

- What authenticator?
- Need to have a shared directory between users?
  - share tutorials, work on shared notebooks, etc.
  - hardlink?
  - *TBD, this could be an extra volume mounted on all containers*
- Use TLS? Who is handling certs/keys generation? Provided by MaxFordham?
  - *yes, either their wildcard certificate, or built-in TLJH Let's Encrypt*
- List admins
- O/S of the server?
  - Need to adapt some installation scripts (https://github.com/plasmabio/tljh-repo2docker) to work with a different O/S than Ubuntu `bionic`
  - *It will be Ubuntu 20.04 as a requirement for TLJH*
  - OK so we need to adapt slightly to use `focal`
- Is there a corporate proxy that requires tooling (Ansible, wget, curl, docker, etc.) to be configured?
  - we could use `cntlm`, even with `kerberos` for installation step
  - we have to configure docker to be able to pull images from public repos (dockerhub, quay.io?)
  - *They will be using `tljh-repo2docker`, which uses `repo2docker` under the hood. So we need access to DockerHub from the machine where TLJH will be running to be able to pull the image. Then the image will stay local to the machine, and not be pushed to another Docker registry*
  - are they planning to build docker images from public repos (GitHub, through a proxy?) or internal ones?
  - *There will be Internet access. However we indeed need to check if there will be a proxy in the middle*
- `tljh-repo2docker` shows CPU and RAM limits
  - how is CPU limit set? through `docker`? (Adrien: I never managed to get a CPU limit on docker)
  - *This should normally work: https://github.com/plasmabio/tljh-repo2docker/blob/dbd23a97cfadfef6ed66d424c212994d6d5b5ab9/tljh_repo2docker/__init__.py#L150-L154*

### Troubleshooting

A couple of items that we might have to look at when troubleshooting issues:

- `iptables`: make sure iptables allows connections to localhost on IPv4.
- Docker and iptables: https://docs.docker.com/network/iptables/
- DNS: this might require creating the `/etc/docker/daemon.json` file with the following content:

  ```json
  { "dns": ["1.2.3.4"] }
  ```

- TLS verification with the custom TLS certificate
- Accessing private git repositories: this might require building a local `jupyter/repo2docker` Docker image (`tljh-repo2docker` uses the Docker image for `repo2docker`), which includes extra git settings such as:

  ```dockerfile
  FROM jupyter/repo2docker:0.11.0-98.g8bbced7
  # Turns off TLS certificate verification for every git HTTPS operation in the image
  RUN git config --global http.sslVerify "false"
  ```

  And then build the local `repo2docker` image with:

  ```bash
  docker build -t jupyter/repo2docker:master .
  ```

### Emails from MaxFordham

#### 2021-01-26

I'm in the process of building our new JupyterHub virtual machine and wanted to advise you on the proposed configuration and if you had any other suggestions/requirements.

Server (named: StBarts) to be configured with:

- 6x vCPUs @2GHz
- 32GB vRAM
- 100GB vDisk (working data to be saved onto our network file server: J:\ drive)
- Ubuntu Server 20.04.1
- We will grant you VPN access
- Will create an admin account on StBarts for you to login and set up the server
- We'll liaise later on when it comes to SSL cert and SSO with our internal Active Directory server.

#### 2021-01-21

- we will provide you with: VPN access with u/n and p/w to get onto a server running Ubuntu 20.04 LTS. we'll send it the week before the week of the 8th Feb.
- given that the server is on our network it should have access to our internal Git server.
- I had a chat with Mike re security - for now we'll stick to our maxfordham.com security certificate wildcard solution, not LetsEncrypt
- the server will be configured to look at data drives (J:\ , Y:\ , Z:\ , G:\ ). you said you'd do this using Samba share
- we will have a look at making a binder-able repo of stuff we already have.
- we note that on the server if we import modules from stuff we've made on our pythonpath this would need to be handled using a post-build script

### Snippets for an LDAP Authenticator

```python
# jupyterhub_config.py (`c` is the config object JupyterHub provides)
import ldap3
from ldapauthenticator import LDAPAuthenticator


class SomeLDAPAuthenticator(LDAPAuthenticator):
    # LDAPAuthenticator.authenticate() calls this synchronously, so it is a
    # plain method rather than a coroutine.
    def get_connection(self, userdn, password):
        # No ldap3.Tls object is passed, so ldap3's default applies: the
        # server certificate is not validated.
        server = ldap3.Server(
            self.server_address,
            port=self.server_port,
            use_ssl=self.use_ssl,
            connect_timeout=5,
        )
        # With use_ssl=False this selects AUTO_BIND_NO_TLS: the bind, and the
        # password with it, is sent without TLS.
        auto_bind = (
            self.use_ssl and ldap3.AUTO_BIND_TLS_BEFORE_BIND or ldap3.AUTO_BIND_NO_TLS
        )
        # Connect and bind as the user
        return ldap3.Connection(
            server, user=userdn, password=password, auto_bind=auto_bind
        )


c.LDAPAuthenticator.server_address = '...'
c.LDAPAuthenticator.use_ssl = True
c.LDAPAuthenticator.bind_dn_template = "{username}@*server_address*"
c.LDAPAuthenticator.user_search_base = 'dc='
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'cn'
c.LDAPAuthenticator.escape_userdn = False
c.JupyterHub.authenticator_class = SomeLDAPAuthenticator
```

###### tags: `projects`
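
For the private-repository item under Troubleshooting, an added example (not part of the original notes or of the `tljh-repo2docker` project) of a local `repo2docker` image that keeps TLS verification on and trusts an internal CA for a single git host. The file name `internal-ca.pem` and the host `git.internal.example` are placeholders, and it assumes the internal git server's certificate chains to that CA.

```dockerfile
FROM jupyter/repo2docker:0.11.0-98.g8bbced7

# Placeholder file name: the PEM certificate of the internal CA, placed next to
# this Dockerfile in the build context.
COPY internal-ca.pem /etc/ssl/certs/internal-ca.pem

# Keep certificate verification on everywhere (this is also git's default).
# Replaces: RUN git config --global http.sslVerify "false"
RUN git config --global http.sslVerify "true"

# Trust the internal CA only for the internal git host (placeholder URL).
# Other hosts, such as GitHub, keep using the image's default CA bundle.
RUN git config --global \
      http.https://git.internal.example/.sslCAInfo /etc/ssl/certs/internal-ca.pem

# Fail the build if the setting does not resolve for a repository on that host.
RUN test "$(git config --global --get-urlmatch http.sslCAInfo https://git.internal.example/group/repo.git)" \
      = /etc/ssl/certs/internal-ca.pem
```

It is built and tagged with the same `docker build -t jupyter/repo2docker:master .` command as the image above.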