From YouTube: 10. Jupyter at LLNL
Description
June 12, 2019 Jupyter Community Workshop talk by Thomas Mendoza, Lawrence Livermore National Laboratory
A
So today, anyway, I wanted to talk about our deployment at LLNL. It's fairly similar to the one at NERSC with a few different variations. I kind of think of us as like the Galapagos finches in the way kind of coat some similar features, but just different or not. So the motivation behind this was: we were repeatedly asked by LC users whether or not they could use Jupyter, and we would always tell them no, and so.
A
Livermore Computing were generally suspicious of any web-server-based applications because they bypass UNIX permissions, and that's really the big one because at and then it's an NSA lab. We have requirement to make sure that user data belongs to that user, because, while most of the things that people work with are unclassified, and we do have classified computing as well, some of that is a little bit more sensitive nature. For example, UCNI, I don't remember: unclassified control nuclear information, something like that.
A
So we can't let full share data and, as a simple example of this, if I were to type into my terminal python -m SimpleHTTPServer, http.server, I forget what it is, now all the files in my home directory are available to anybody else that happens to be on the same machine and can find my server running on localhost.
B
A
We would frequently get people calling in saying, "Why did you kill my Jupyter notebook?" and we would point them to the page that says you're not allowed to run Jupyter notebooks. But we had this happen on such a regular basis that they said. Can we people want it something and it is so demo. So what I'm gonna do here is I'm gonna run a Jupyter notebook.
A
That you're running on I can connect to your notebook. I can read everything that you're doing and most might not. You know, some people do try to connect my single, some people try to connect to other services and they'll type a password just like I did right there, and so that's available. So you can spy on your friends right now. It wasn't very hard for me to put together this demo. It's quite easy to do so.
A
We really like the JupyterHub model, so in searching around as I start going through and trying to, as you apply turn that off as I started. Looking at Jupyter, we really like the JupyterHub model. We like it when people are running as themselves, because then we can let standard UNIX permissions take over and just go from there.
A
I will add the little asterisk that that does not mitigate against the previous threat that I meant are just demonstrated, because in practice it's a little bit harder to propagate those certs to the 0MQ sockets. That are just because of the way the client kernel architecture set up, so right now what we do, what.
A
Do is we set it up such that all of the connections between hub components and individual notebooks is secured by SSL, and in between the notebook and individual kernel we turn on the IPC transport, so we use a UNIX domain socket instead, which is scoped to your user. So, as only you, as long as we can enforce UNIX permissions, we can enforce who happens to be able to bind to that kernel, and so those notebooks I.
A
Actually populate a list of I can login nodes from another endpoint that we have and visitors like Tom, to connect to, you know, potentially another kernel running out in an allocation to do their work. That's kind of the fuzzy piece that hasn't quite been completed yet. So this is just a breakdown of that. I set up the internal SSL modifications so that these things can talk to each other encrypted, and we also have a custom Authenticator as well. Very, very, very similar setup. The only other difference.
A
I guess is I am to our single sign-on, which does have some advantages too, because I think I heard some folks mention that they were looking to, like, how do I propagate auth to other services. So if for us I set up each service and they'll see to support single sign-on. So now that JupyterHub knows about that, I can be retaught to anything else using the same login as before. So every other service.
A
It's pretty seamless: you log in once, and now you get to pedir, you get everything else that we offer, all the Atlassian tools, etc. And there's the bridge kernel, as I mentioned, that's kind of the thing that Tom was using. But what I'd like to move to, which I think you also had experimented with at one point in time, is launching a kernel remotely from the login. So instead of having something like the batchspawner, we would launch on the login node and then from there.
B
A
I think it's a little bit more, but at least in my mind it seems like a little bit more of a natural workflow, and then we just let the native scheduler handle everything and not really have to worry about exposing that being API. Yeah, and so as I just mentioned, that's kind of the future path I want to go down for batch spawning. And also, so I kind of glossed over it, but we're using IPC sockets right now to protect that client kernel communication.
A
It would be really nice to get back to the TCP socket version of that, because there are some kernels which don't support IPC, and it hasn't been too much of a problem for us yet, but, you know, I foresee somebody's gonna ask for it. The difficulty there being it's a little bit more of a delicate thing to change, because that would cause complications with other, you know, kernel developers, custom kernel developers. So I talked to men about this a little bit and I just haven't quite gotten around to and implementing it, but.
B
A
Spawner itself, so I'll go that needs some cleanup. The Crowd they haven't released, and I don't think I've been trying to get that one out. I don't think they're going to. Yeah, Crowd's an Atlassian tool. It just happens to be what we use, because it kind of evolved around our use of Atlassian tools. But we do some interesting things with that as well. We're like we have a web server, we're on processes as yourself as well, and that workflow is kind of built into the Crowd.
A
I have that in the spawner, yep. Word. Yeah, so yeah, the hub host is running as root. I use that to attach and run SSH out to individual hosts, but, you know, it has afforded some advantages, that it is kind of kludgy in some ways as well, but it works. And when you have, you know, some of the methods to address certain difficulties, like number one was the extension management business, like right now we don't, part of that data.
A
Sharing thing is like we don't let other people see extensions, so installing them globally not an option, but we have been able to, and I don't remember we're talking about yesterday, we have been able to set up to where Tom was able to set up a custom version of JupyterLab, set an environment variable and for I actually launched a notebook.
B
A
Currently, yes, we do distrust users in that sense. We don't let any standard user run Docker at escalation, that whole business. In fact, our Dockers are modified, that no standard user can touch them. So it's only for admin purposes. That's okay, I mean it's something that we're looking at because we would like it. It's a hard thing. I watch from the back and like with like dream guys like, oh man, I steal things that you guys have them like, I want nice things.
B
A
There is a token, and I think I know which one you're talking about, that's to sign request to execute something, but that's all the tokens for it. So I can't submit, even though I can bind to the back kernel, I can't submit jobs as you. That token keeps that part safe, but all of the traffic is in clear, so I can bind to any of those published ports and just listen. Read.
A
Yeah, and the solution that I was looking at is that right now there's no place to insert the actual use of SSL or the sockets, and so the suggestion was to take and set a proxy which sets up a set of 10 ports, 1 on a client and 1 for the kernel, and that proxy would actually take the certs that I generate from the hub and use those to stand up SSL, but now I'm eating up 10 ports. It's not the end of the world.
A
Which part is it's in there, it's in there now, but, and it should be end-to-end SSL, asterisk because of this, because I specifically started in JupyterHub, but the other change that I'm talking about would be between the client and kernel itself. So that's another thing that it just hasn't been high on the priority list, because everybody was pretty happy with.
B
A
Because yeah, we can't open up any of the high number of ports on the login nodes. So I set it up to just tunnel that port back, and we also have lifetimes on but notebooks, they're tied to the credential itself. So I actually modified, and I didn't mention this, I modified the, I think it's like the single and to set up a timer that basically says if I can't reach the hub, kill myself, or if I can't, if I have gone over, told that better way to say that.