Merge pull request #42 from NERSC/deploy-18-10

Deploy 18 10

base/Dockerfile

@@ -56,7 +56,7 @@ RUN \
     npm install -g configurable-http-proxy                          &&  \
     git clone https://github.com/jupyterhub/jupyterhub.git          &&  \
     cd jupyterhub                                                   &&  \
-    git checkout tags/0.9.2                                         &&  \
+    git checkout tags/0.9.4                                         &&  \
     /opt/anaconda3/bin/python setup.py js                           &&  \
     /opt/anaconda3/bin/pip --no-cache-dir install .                 &&  \
     cp examples/cull-idle/cull_idle_servers.py /opt/anaconda3/bin/. &&  \

base/build.sh

@@ -1,3 +1,4 @@
 #!/bin/bash
 
-docker build --no-cache -t registry.spin.nersc.gov/das/jupyterhub-base.gaffer:latest .
+branch=deploy-18-10
+docker build --no-cache -t registry.spin.nersc.gov/das/jupyterhub-base.$branch:latest .

jupyter-dev/Dockerfile

@@ -1,38 +1,36 @@
-FROM registry.spin.nersc.gov/das/jupyterhub-base.gaffer:latest
+ARG branch=unknown
+
+FROM registry.spin.nersc.gov/das/jupyterhub-base.${branch}:latest
 LABEL maintainer="Rollin Thomas <rcthomas@lbl.gov>"
+WORKDIR /srv
 
-# Install gsissh
+# Authenticator and spawner
 
 RUN \
-    apt-get update              &&  \
-    apt-get install --yes           \
-        apt-transport-https     &&  \
-    echo "deb http://downloads.globus.org/toolkit/gt6/stable/deb/ jessie contrib" >> /etc/apt/sources.list && \
-    apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 44AE7EC2FAF24365 && \
-    apt-get update              &&  \
-    apt-get install --yes           \
-        gsi-openssh-clients
+    pip install git+https://github.com/nersc/sshapiauthenticator.git    && \
+    pip install git+https://github.com/nersc/sshspawner.git
+
+# MFA-enabled login template
 
-# Add certs
+ADD templates templates
 
-ADD certs /etc/grid-security/certificates
+# Install announcement service components
 
-# JupyterHub GSI Authenticator and SSH Spawner from NERSC
-
 RUN \
-    pip install --no-cache-dir git+https://github.com/NERSC/gsiauthenticator.git && \
-    pip install --no-cache-dir git+https://github.com/NERSC/sshspawner.git
+    cp /tmp/jupyterhub/examples/service-announcement/announcement.py .  &&  \
+    cp /tmp/jupyterhub/examples/service-announcement/templates/page.html templates/.
+
+# Hub scripts
+
+ADD hub-scripts/*.sh /srv/
 
 # Volume for user cert/key files
 
 VOLUME /certs
 
-# Config and entrypoint script
+# Entrypoint and command
 
-ADD jupyterhub_config.py docker-entrypoint.sh /srv/
-ADD hub-scripts/*.sh /srv/
-
-WORKDIR /srv
+ADD docker-entrypoint.sh jupyterhub_config.py /srv/
 RUN chmod +x docker-entrypoint.sh
-CMD ["jupyterhub", "--debug"]
 ENTRYPOINT ["./docker-entrypoint.sh"]
+CMD ["jupyterhub", "--debug"]

jupyter-dev/build.sh

@@ -1,3 +1,8 @@
 #!/bin/bash
 
-docker build --no-cache -t registry.spin.nersc.gov/das/jupyterhub-jupyter-dev.gaffer:latest .
+branch=deploy-18-10
+
+docker build                    \
+    --build-arg branch=$branch  \
+    --no-cache                  \
+    --tag registry.spin.nersc.gov/das/jupyterhub-jupyter-dev.$branch:latest .

jupyter-dev/docker-entrypoint.sh

@@ -24,5 +24,6 @@ file_env() {
 }
 
 file_env 'POSTGRES_PASSWORD'
+file_env 'SKEY'
 
 exec "$@"

jupyter-dev/hub-scripts/flush-certs.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
-# Get rid of any certs older than 2 weeks
+# Get rid of any cert files older than 2 weeks
 
-find /certs -type f -name 'x509_*' -mtime +14 -exec rm {} \;
+limit=14
+
+find /certs -type f -name '*.key'           -mtime +$limit -exec rm {} \;
+find /certs -type f -name '*.key-cert.pub'  -mtime +$limit -exec rm {} \;
+find /certs -type f -name '*.key.pub'       -mtime +$limit -exec rm {} \;

jupyter-dev/hub-scripts/kill-cori.sh

@@ -5,27 +5,28 @@
 
 usernames=("$@")
 if [ ${#usernames[@]} -eq 0 ]; then
-    for cert in /certs/x509_*
+    for cert in /certs/*.key
     do
-        username=$(echo $cert | cut -b 13-)
+        username=$(echo $cert | cut -b8- | sed 's/\.key$//')
         usernames=(${usernames[@]} $username)
     done
 fi
 
 for username in ${usernames[@]}
 do
-    cert=/certs/x509_$username
+    cert=/certs/$username.key
     echo $username $cert
     if [ ! -f $cert ]; then
         echo " ... SKIPPED no cert for $username"
         continue
     fi
-    export X509_USER_CERT=$cert
-    export X509_USER_KEY=$cert
-    gsissh \
-        -o StrictHostKeyChecking=no \
-        -l $username \
-        -p 2222 cori19-224.nersc.gov \
+    /usr/bin/ssh                                \
+        -i $cert                                \
+        -l $username                            \
+        -o PreferredAuthentications=publickey   \
+        -o StrictHostKeyChecking=no             \
+        -p 22                                   \
+        cori19-224.nersc.gov                    \
         /global/common/shared/das/jupyterhub/kill-my-old-jupyters.sh
     sleep 1
 done

jupyter-dev/hub-scripts/scram-user.sh

@@ -6,20 +6,21 @@
 
 for username in "$@"
 do
-    cert=/certs/x509_$username
+    cert=/certs/$username.key
     echo $username $cert
     if [ ! -f $cert ]; then
         echo " ... SKIPPED no cert for $username"
         continue
     fi
-    export X509_USER_CERT=$cert
-    export X509_USER_KEY=$cert
     for i in 1 2 3
     do
-        gsissh \
-            -o StrictHostKeyChecking=no \
-            -l $username \
-            -p 2222 cori19-224.nersc.gov \
+        /usr/bin/ssh                                \
+            -i $cert                                \
+            -l $username                            \
+            -o PreferredAuthentications=publickey   \
+            -o StrictHostKeyChecking=no             \
+            -p 22                                   \
+            cori19-224.nersc.gov                    \
             killall -u $username
         sleep 1
     done

jupyter-dev/hub-scripts/test-user.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
-# Test a user's ability to gsissh in.
+# Test user's ability to ssh
 
 username=$1
-cert=/certs/x509_$username
+cert=/certs/$username.key
 echo $username $cert
 if [ ! -f $cert ]; then
     echo " ... no cert for $username"
     exit 1
 fi
-export X509_USER_CERT=$cert
-export X509_USER_KEY=$cert
-gsissh \
-    -o StrictHostKeyChecking=no \
-    -l $username \
-    -p 2222 cori19-224.nersc.gov
+/usr/bin/ssh                                \
+    -i $cert                                \
+    -l $username                            \
+    -o PreferredAuthentications=publickey   \
+    -o StrictHostKeyChecking=no             \
+    -p 22                                   \
+    cori19-224.nersc.gov

jupyter-dev/jupyterhub_config.py

@@ -1,6 +1,7 @@
 # Configuration file for jupyterhub.
 
 import os
+import sys
 
 import requests
 
@@ -15,6 +16,7 @@ def comma_split(string):
     else:
         return list()
 
+ip = requests.get('https://v4.ifconfig.co/json').json()['ip']
 
 bindir = '/global/common/cori/software/python/3.6-anaconda-5.2/bin/'
 if 'BASE_PATH' in os.environ:
@@ -98,7 +100,7 @@ def comma_split(string):
 #    where `handler` is the calling web.RequestHandler,
 #    and `data` is the POST form data from the login page.
 #c.JupyterHub.authenticator_class = 'jupyterhub.auth.PAMAuthenticator'
-c.JupyterHub.authenticator_class = 'gsiauthenticator.auth.GSIAuthenticator'
+c.JupyterHub.authenticator_class = 'sshapiauthenticator.auth.SSHAPIAuthenticator'
 
 ## The base URL of the entire application.
 #  
@@ -388,6 +390,11 @@ def comma_split(string):
         'name': 'cull-idle',
         'admin': True,
         'command': 'cull_idle_servers.py --timeout=43200'.split(),
+    },
+    {
+        'name': 'announcement',
+        'url': 'http://127.0.0.1:8888',
+        'command': ["python", "-m", "announcement"],
     }
 ]
 
@@ -434,6 +441,7 @@ def comma_split(string):
 
 ## Paths to search for jinja templates, before using the default templates.
 #c.JupyterHub.template_paths = []
+c.JupyterHub.template_paths = ["templates"]
 
 ## Extra variables to be passed into jinja templates
 #c.JupyterHub.template_vars = {}
@@ -688,7 +696,7 @@ def comma_split(string):
 #  JupyterHub modifies its own state accordingly and removes appropriate routes
 #  from the configurable proxy.
 #c.Spawner.poll_interval = 30
-c.Spawner.poll_interval = 1800
+c.Spawner.poll_interval = 900
 
 ## The port for single-user servers to listen on.
 #  
@@ -959,31 +967,20 @@ def comma_split(string):
 #c.CryptKeeper.n_threads = 2
 
 #------------------------------------------------------------------------------
-# GSIAuthenticator(Authenticator) configuration
+# SSHAPIAuthenticator(Authenticator) configuration
 #------------------------------------------------------------------------------
 
-c.GSIAuthenticator.proxy_lifetime = 999999
-c.GSIAuthenticator.server = 'nerscca1.nersc.gov'
-c.GSIAuthenticator.cert_path_prefix = '/certs/x509_'
+c.SSHAPIAuthenticator.server = 'https://sshproxy.nersc.gov/create_pair/jupyter/'
+c.SSHAPIAuthenticator.skey = os.environ.get('SKEY')
+c.SSHAPIAuthenticator.cert_path = '/certs'
 
 #------------------------------------------------------------------------------
 # SSHSpawner(Spawner) configuration
 #------------------------------------------------------------------------------
 
 c.SSHSpawner.remote_hosts = ['cori19-224.nersc.gov']
-c.SSHSpawner.remote_port = '2222'
-c.SSHSpawner.ssh_command = 'gsissh'
-if 'REMOTE_HOST' in os.environ:
-    host, port = os.environ['REMOTE_HOST'].split(':')
-    c.SSHSpawner.remote_host = host
-    c.SSHSpawner.remote_port = port
-
-c.SSHSpawner.hub_api_url = 'http://{}:8081/hub/api'.format(requests.get('https://ifconfig.co/json').json()['ip'])
-if 'HUB_API_URL' in os.environ:
-    c.SSHSpawner.hub_api_url = os.environ['HUB_API_URL']
-
-c.SSHSpawner.use_gsi = True
+c.SSHSpawner.remote_port = '22'
+c.SSHSpawner.hub_api_url = "http://{}:8081/hub/api".format(ip)
 c.SSHSpawner.path = bindir + ':/global/common/cori/das/jupyterhub/:/usr/common/usg/bin:/usr/bin:/bin'
 c.SSHSpawner.remote_port_command = '/usr/bin/python /global/common/cori/das/jupyterhub/get_port.py'
-c.SSHSpawner.gsi_cert_path = '/certs/x509_{username}'
-c.SSHSpawner.gsi_key_path = '/certs/x509_{username}'
+c.SSHSpawner.ssh_keyfile = '/certs/{username}.key'