This repository contains the Ansible configuration used to provision JupyterHub services.
This configuration is being used with an Ubuntu based system. Other Linux distributions will require adjustments, for example the firewall configuration is managed via ufw which may not be available on other distributions.
This repository uses git submodules for the following third party Ansible roles:
- Apache: https://github.com/geerlingguy/ansible-role-apache/
- Certbot: https://github.com/geerlingguy/ansible-role-certbot/
- UFW: https://github.com/weareinteractive/ansible-ufw/
To obtain the submodules:
git submodule init
git submodule update
Default settings for all hosts are set within the group_vars/all.yml file, and host specific settings within the relevant file within host_vars/.
The inventory/hosts.yml specifies the hosts to which the configuration will be applied, and any host specific settings.
To apply the configuration it is recommended to set up SSH key authentication with the ansible_user on the remote host.
Configuration can be applied with Ansible:
ansible-playbook -vv -K -i inventory/hosts.yml playbook.yml
The -vv option increases verbosity, and the -K option causes Ansible to prompt for the password for the remote ansible_user, to be used for sudo access.
Adjust options to your preference.
To try and see what change would be applied, without actually making any changes, the -C option can be used:
ansible-playbook -C -vv -K -i inventory/hosts.yml playbook.yml
Ansible is available via the package manager for many Linux distributions, and can also be installed via pip:
$ python3 -m venv ansible
$ . ./ansible/bin/activate
(ansible) $ pip install ansible
The following roles are used for the JupyterHub provisioning
https://github.com/geerlingguy/ansible-role-certbot/
The certbot role is used to acquire and renew a Let's Encrypt certificate for the system.
The following configuration options are set within group_vars/all.yml:
certbot_auto_renew: true
certbot_auto_renew_user: 'root'
certbot_auto_renew_hour: '04'
certbot_auto_renew_minute: '57'
certbot_auto_renew_options: '--quiet --no-self-upgrade'
certbot_create_if_missing: true
certbot_create_method: 'standalone'
certbot_create_standalone_stop_services: []
These settings will attempt to request / create a certificate if one does not exist, and run a cron job to automatically renew the certificate each day.
The following settings can be applied at the host level:
certbot_certs:
- email: '[email protected]'
domains:
- 'jupyterhub.example.com'
The resources role is used to create various resources on the remote system, such as directories, users and to install packages.
For example, in the group_vars/all.yml, the ssl-cert package is installed:
resources_packages_default:
- name: 'ssl-cert'
A default .bashrc file is also copied to the remote system:
resources_copies_default:
# Default .bashrc:
- src: 'files/etc/skel/.bashrc'
dest: '/etc/skel/.bashrc'
At the host level, this role may be used to create users:
resources_users_host:
- name: 'user00'
shell: '/bin/bash'
- name: 'user01'
- name: 'user02'
The roles/resources/defaults/main.yml specifies various default options for the different resources.
https://github.com/weareinteractive/ansible-ufw/
The ufw role is used to set up firewall roles on the remote system.
Default rules, including SSH and HTTP access, are configure in the group_vars/all.yml file:
ufw_rules:
- port: '22'
rule: 'allow'
comment: 'Allow SSH'
- port: '80'
rule: 'allow'
comment: 'Allow HTTP'
- port: '443'
rule: 'allow'
comment: 'Allow HTTPS'
The miniconda role is used to install Anaconda Python.
By default, this role will download Miniconda3-latest-Linux-x86_64.sh (if a new install is to be performed), and install within the specified directory.
Additional channels, packages to be installed (either via conda or pip), and whether the installation should be updated can be specified in the configuration:
miniconda_installs:
# jupyterhub1234:
- path: '/opt/jupyterhub1234/conda'
user: 'root'
user_home: '/root'
updates: true
channels:
- 'conda-forge'
packages:
- 'jupyterhub'
- 'notebook'
- 'sudospawner'
wrap: true
wrapper_dir: '/opt/jupyterhub1234/bin'
wrap_executables:
- 'python'
- 'jupyterhub'
The user as which the installer should be run can be specified with the user parameter.
If requested, specific executables can be accessed via a wrapper scipt in a spearate location. In this example, the Miniconda installation would be located within /opt/jupyterhub1234/conda, with wrappers for python and jupyterhub at /opt/jupyterhub1234/bin/python and /opt/jupyterhub1234/bin/jupyterhub.
The jupyterhub role is used to configure JupyterHub instances.
The role can be used to create JupyterHub instances which use either the sudo or systemd spawners, and use either local authentication, or Microsoft Auzure authentication, via OAuth.
The role can create the configuration and systemd service files for the JupyterHub, and enable / start the service.
- name: 'jupyterhub4567'
python_dir: '/opt/jupyterhub4567'
spawner:
name: 'systemd'
user:
name: 'jupyterhub_jupyterhub4567'
home: '/var/lib/jupyterhub_jupyterhub4567'
auth:
name: 'azure'
tenant_id: 'common'
callback_url: 'https://jupyterhub.example.com/jupyterhub4567/hub/oauth_callback'
client_id: 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
client_secret: 'xxx'
api_port: '2051'
bind_port: '2041'
port: '2030'
users:
users:
- 'user00'
- 'user04'
- 'user05'
- 'user06'
admins:
- 'user00'
data_dirs:
- path: '/data/jupyterhub4567'
This example would use a Python install within /opt/jupyterhub4567, configure the service to use the systemd spawner, with a working directory (where JupyterHub stores SQLite state files) of /var/lib/jupyterhub_jupyterhub4567, and authenticate users via Microsoft Azure. The specified users would be be added to a local group on the system, which is used to allow access to the service, and the specified admin users would be granted admin access to the service. The data directory /data/jupyterhub4567 would be created with permissions to allow access for the specified users of this service.
https://github.com/geerlingguy/ansible-role-apache/
The apache role configures the the Apache service, which manages the connection to the JupyterHub instances running on the system.
In the example configurations, two JupyterHub instances are created, which would be accessed via the addresses https://jupyterhub.example.com/jupyterhub1234/ and https://jupyterhub.example.com/jupyterhub1234/.
The configuration uses the Apache mod_proxy to handle the connections to and from the JupyterHub instances.