Adding Firewalled Jupyter to a GCP VM

Everything from CLI

This is a short-but-complete guide to setting up a Jupyter instance on GCP.

Clearly this has been done before, but I wanted to have my own notes on the process, and also didn't want to have to mess with the Console UI.

The Jupyter set-up below is scriptable.

If you don't need the jupyter instance to be available to anyone else (i.e. access from your local machine is all you need), please see my follow-up post about doing this behind the firewall. This method will also allow you to run tensorboard safely, and mount your VM drives locally too (useful for editing files directly in a local IDE).

Use an existing GCP VM

(To see how to do this, even if only for the gcloud instance create ... command, please see my Building a reusable Deep Learning VM on Google Cloud post.)

export PROJECT_NAME="my-special-project"
gcloud config set project ${PROJECT_NAME}
export INSTANCE_NAME="deep-learning-vm1"

Then start the machine and ssh into it:

gcloud compute instances start ${INSTANCE_NAME}
gcloud compute ssh ${INSTANCE_NAME}

Create a local venv for python

The following is copied from the Building a reusable Deep Learning VM on Google Cloud post:

sudo apt install -y python3.8-venv
python3.8 -m venv env38

. env38/bin/activate

pip install --upgrade pip

One-time install of jupyter

Once you have a venv installed (assumed to be named as above):

. env38/bin/activate

pip install jupyter
jupyter notebook --generate-config
#  `/home/USERNAME/.jupyter/jupyter_notebook_config.py`

Set up SSL certificates for extra security

This may be security theatre, since the certificates are untrusted, though I guess it prevents over-the-wire snooping of the Jupyter code...

USER=`whoami` && openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
   -keyout /home/${USER}/.jupyter/mykey.key -out /home/${USER}/.jupyter/mycert.pem \
   -subj "/C=SG/ST=Singapore/L=Singapore/O=RedDragonAI/OU=AI Department/CN=reddragon.ai"

Update the jupyter defaults

Add default configuration to ~/.jupyter/jupyter_notebook_config.py:

USER=`whoami` && echo "
c.NotebookApp.certfile = u'/home/${USER}/.jupyter/mycert.pem'
c.NotebookApp.keyfile  = u'/home/${USER}/.jupyter/mykey.key'
c.NotebookApp.ip = '*'
c.NotebookApp.open_browser = False
c.NotebookApp.port = 8585
c.NotebookApp.notebook_dir = '.'
   " >> /home/${USER}/.jupyter/jupyter_notebook_config.py

Add a firewall rule to allow access from the internet

On the local machine, set up a firewall rule so you have access to the Jupyter port on the VM.

gcloud compute firewall-rules list

# Applies rule to all instances in project:
gcloud compute firewall-rules create jupyter-service --allow=tcp:8585 --direction=INGRESS --description="Jupyter access"

# Check that it's there:
gcloud compute firewall-rules list
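
As written, the rule above sets neither --source-ranges nor --target-tags, so it admits any source address to port 8585 on every instance in the project's network. The following is an added example, not part of the original post: it prints, for review, a narrower pair of commands that limit the rule to one client address and one tagged instance. The tag name jupyter and the sample address 203.0.113.7 are assumptions.

```shell
#!/bin/sh
# Added example: dry-run builder for a narrower 'jupyter-service' rule.
# Assumptions (not in the original post): the network tag 'jupyter' and the
# constructed sample address 203.0.113.7 (documentation range).

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots into positional parameters
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Prints (does not run) the commands that tag one instance and open tcp:8585
# to a single client address instead of to every source.
jupyter_fw_commands() {
  instance=$1; my_ip=$2; tag=${3:-jupyter}
  if [ -z "$instance" ] || ! is_ipv4 "$my_ip"; then
    echo "usage: jupyter_fw_commands INSTANCE IPV4 [TAG]" >&2
    return 1
  fi
  printf 'gcloud compute instances add-tags %s --tags=%s\n' "$instance" "$tag"
  printf 'gcloud compute firewall-rules create jupyter-service %s %s %s\n' \
    "--allow=tcp:8585 --direction=INGRESS" \
    "--source-ranges=${my_ip}/32 --target-tags=${tag}" \
    '--description="Jupyter access"'
}

# Dry run with the constructed address; substitute your own public IP.
jupyter_fw_commands "${INSTANCE_NAME:-deep-learning-vm1}" 203.0.113.7
```

If the broad jupyter-service rule already exists, delete it first with the firewall-rules delete command shown at the end of this post, since rule names must be unique within a project.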

Launch Jupyter on the server

Since we've set up the default notebook-dir and other command-line options in the configuration, jupyter should work from wherever you launch it:

. env38/bin/activate

jupyter notebook

This will (until you optionally add a password using the Jupyter browser GUI) give you something like: token=437abd35ddXXXXd9579f5bd6bc16596acYYYYe180b60e3e9 that you should 'grab' somehow (to paste into the browser later).

Get the Server IP address

Find the IP address of the server, either:

  • From the GCP control panel (as 'external IP'); or
  • By running the following on the local machine:
gcloud compute instances describe ${INSTANCE_NAME} --format='get(networkInterfaces[0].accessConfigs[0].natIP)'

Launch Jupyter in the browser

Now you can get to the running instance:

  • Browse to https://SERVER_IP:8585/ (the server speaks TLS on this port, because certfile and keyfile are set in the configuration above)
    • When you get a 'Your connection is not private' warning, allow unsafe browsing (since the SSL certificate we made above was not signed by one of the chains that browsers are configured with) by pressing the 'Advanced' button and then clicking 'Proceed to SERVER_IP (unsafe)'
    • Use the 'key' that your Jupyter server suggests, so that your Jupyter session cannot be stumbled upon by others on the internet (unless you also tell them the token, which has ~48 hex-digits)
    • Optionally: Create a simpler password so that you can access jupyter sessions key-less next time

Terminate the GCP VM when done...

gcloud compute instances stop ${INSTANCE_NAME}

Once completely finished with messing around with the VM/project, kill off the firewall rule too:

gcloud compute firewall-rules delete jupyter-service

End

All done!