- Published on
Adding Firewalled Jupyter to a GCP VM
- Authors
- Name
- Martin Andrews
- @mdda123
Adding Firewalled Jupyter to a GCP VM
Everything from CLI
This is a short-but-complete guide to setting up a Jupyter instance on GCP.
Clearly this has been done before, but I wanted to have my own notes on the process, and also didn't want to have to mess with the Console UI.
The Jupyter set-up below is scriptable.
If you don't need the
jupyterinstance to be available to anyone else (i.e. access from your local machine is all you need), please see my follow-up post about doing this behind the firewall. This method will also allow you to runtensorboardsafely, and mount your VM drives locally too (useful for editing files directly in a local IDE).
Use an existing GCP VM
( To see how to do this - even if only for the gcloud instance create ... command - please see my Building a reusable Deep Learning VM on Google Cloud post ).
export PROJECT_NAME="my-special-project"
gcloud config set project ${PROJECT_NAME}
export INSTANCE_NAME="deep-learning-vm1"
Then start the machine and ssh into it:
gcloud compute instances start ${INSTANCE_NAME}
gcloud compute ssh ${INSTANCE_NAME}
Create a local venv for python
The following is copied from Building a reusable Deep Learning VM on Google Cloud post :
sudo apt install -y python3.8-venv
python3.8 -m venv env38
. env38/bin/activate
pip install --upgrade pip
One-time install of jupyter
Once you have a venv installed (assumed to be named as above).
- See the Jupyter Docs for reference:
. env38/bin/activate
pip install jupyter
jupyter notebook --generate-config
# `/home/USERNAME/.jupyter/jupyter_notebook_config.py`
Set up SSL certificates for extra security
This may be security theatre, though, since the certificates are untrusted, though I guess it prevents over-the-wire snooping of the Jupyter code...
USER=`whoami` && openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /home/${USER}/.jupyter/mykey.key -out /home/${USER}/.jupyter/mycert.pem \
-subj "/C=SG/ST=Singapore/L=Singapore/O=RedDragonAI /OU=AI Department/CN=reddragon.ai"
Update the jupyter defaults
Add default configuration to ~/.jupyter/jupyter_notebook_config.py :
USER=`whoami` && echo "
c.NotebookApp.certfile = u'/home/${USER}/.jupyter/mycert.pem'
c.NotebookApp.keyfile = u'/home/${USER}/.jupyter/mykey.key'
c.NotebookApp.ip = '*'
c.NotebookApp.open_browser = False
c.NotebookApp.port = 8585
c.NotebookApp.notebook_dir = '.'
" >> /home/${USER}/.jupyter/jupyter_notebook_config.py
Add a firewall rule to allow access from the internet
On the local machine, set up a firewall rule so you have access to the Jupyter port on the VM.
- See the GCP documentation for reference:
gcloud compute firewall-rules list
# Applies rule to all instances in project :
gcloud compute firewall-rules create jupyter-service --allow=tcp:8585 --direction=INGRESS --description="Jupyter access"
# Check that it's there:
gcloud compute firewall-rules list
Launch Jupyter on the server
Since we've set up the default notebook-dir and other command-line options in the configuration, jupyter should work from whereever you launch it:
. env38/bin/activate
jupyter notebook
This will (until you optionally add a password using the Jupyter browser GUI) give you something like : token=437abd35ddXXXXd9579f5bd6bc16596acYYYYe180b60e3e9 that you should 'grab' somehow (to paste into the browser later).
Get the Server IP address
Find the IP address of the server, either:
- From the GCP control panel (as 'external IP'); or
- By running the following on the local machine :
gcloud compute instances describe ${INSTANCE_NAME} --format='get(networkInterfaces[0].accessConfigs[0].natIP)'
Launch Jupyter in the browser
Now you can get to the running instance :
- Browse to
http://SERVER_IP:8585/- When you get a 'Your connection is not private' warning, allow for unsafe browsing (since the SSL certificate we made above was not signed by one of the chains that browers are configured with) by pressing the 'Advanced' button and then clicking 'Proceed to
SERVER_IP(unsafe)' - Use the 'key' that your Jupyter server suggests, so that your Jupyter session cannot be stumbled upon by others on the internet (unless you also tell them the token which has ~48 hex-digits)
- Optionally : Create a simpler password so that you can access
jupytersessions key-less next time
- When you get a 'Your connection is not private' warning, allow for unsafe browsing (since the SSL certificate we made above was not signed by one of the chains that browers are configured with) by pressing the 'Advanced' button and then clicking 'Proceed to
Terminate the GCP VM when done...
gcloud compute instances stop ${INSTANCE_NAME}
Once completely finished with messing around with the VM/project, kill off the firewall rule too:
gcloud compute firewall-rules delete jupyter-service
End
All done!