tljh/installer.py

import sys
import os
import tljh.systemd as systemd
import tljh.conda as conda
from urllib.error import HTTPError
from urllib.request import urlopen, URLError
from tljh import user
import secrets
import argparse
import time
from ruamel.yaml import YAML

INSTALL_PREFIX = os.environ.get('TLJH_INSTALL_PREFIX', '/opt/tljh')
HUB_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'hub')
USER_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'user')

HERE = os.path.abspath(os.path.dirname(__file__))

rt_yaml = YAML()


def ensure_jupyterhub_service(prefix):
    """
    Ensure JupyterHub & CHP Services are set up properly
    """
    with open(os.path.join(HERE, 'systemd-units', 'jupyterhub.service')) as f:
        hub_unit_template = f.read()

    with open(os.path.join(HERE, 'systemd-units', 'configurable-http-proxy.service')) as f:
        proxy_unit_template = f.read()

    unit_params = dict(
        python_interpreter_path=sys.executable,
        jupyterhub_config_path=os.path.join(HERE, 'jupyterhub_config.py'),
        install_prefix=INSTALL_PREFIX
    )
    systemd.install_unit('configurable-http-proxy.service', proxy_unit_template.format(**unit_params))
    systemd.install_unit('jupyterhub.service', hub_unit_template.format(**unit_params))
    systemd.reload_daemon()

    # Set up proxy / hub secret oken if it is not already setup
    # FIXME: Check umask here properly
    proxy_secret_path = os.path.join(INSTALL_PREFIX, 'configurable-http-proxy.secret')
    if not os.path.exists(proxy_secret_path):
        with open(proxy_secret_path, 'w') as f:
            f.write('CONFIGPROXY_AUTH_TOKEN=' + secrets.token_hex(32))
        # If we are changing CONFIGPROXY_AUTH_TOKEN, restart configurable-http-proxy!
        systemd.restart_service('configurable-http-proxy')

    os.makedirs(os.path.join(INSTALL_PREFIX, 'hub', 'state'), mode=0o700, exist_ok=True)
    # Start CHP if it has already not been started
    systemd.start_service('configurable-http-proxy')
    # If JupyterHub is running, we want to restart it.
    systemd.restart_service('jupyterhub')

    # Mark JupyterHub & CHP to start at boot ime
    systemd.enable_service('jupyterhub')
    systemd.enable_service('configurable-http-proxy')


def ensure_jupyterhub_package(prefix):
    """
    Install JupyterHub into our conda environment if needed.

    We install all python packages from PyPI as much as possible in the
    hub environment. A lot of spawners & authenticators do not have conda-forge
    packages, but do have pip packages. Keeping all python packages in the
    hub environment be installed with pip prevents accidental mixing of python
    and conda packages!
    """
    conda.ensure_conda_packages(prefix, ['configurable-http-proxy==3.1.0'])
    conda.ensure_pip_packages(prefix, [
        'jupyterhub==0.9.0',
        'jupyterhub-dummyauthenticator==0.3.1',
        'jupyterhub-systemdspawner==0.11',
        'jupyterhub-firstuseauthenticator==0.10',
        'jupyterhub-ldapauthenticator==1.2.2',
        'oauthenticator==0.7.3',
    ])


def ensure_usergroups():
    """
    Sets up user groups & sudo rules
    """
    user.ensure_group('jupyterhub-admins')
    user.ensure_group('jupyterhub-users')

    print("Grainting passwordless sudo to JupyterHub admins...")
    with open('/etc/sudoers.d/jupyterhub-admins', 'w') as f:
        # JupyterHub admins should have full passwordless sudo access
        f.write('%jupyterhub-admins ALL = (ALL) NOPASSWD: ALL\n')
        # `sudo -E` should preserve the $PATH we set. This allows
        # admins in jupyter terminals to do `sudo -E pip install <package>`,
        # `pip` is in the $PATH we set in jupyterhub_config.py to include the user conda env.
        f.write('Defaults exempt_group = jupyterhub-admins\n')


def ensure_user_environment():
    """
    Set up user conda environment with required packages
    """
    print("Setting up user environment...")
    conda.ensure_conda_env(USER_ENV_PREFIX)
    conda.ensure_conda_packages(USER_ENV_PREFIX, [
        # Conda's latest version is on conda much more so than on PyPI.
        'conda==4.5.8'
    ])

    conda.ensure_pip_packages(USER_ENV_PREFIX, [
        # JupyterHub + notebook package are base requirements for user environment
        'jupyterhub==0.9.0',
        'notebook==5.5.0',
        # Install additional notebook frontends!
        'jupyterlab==0.32.1',
        'nteract-on-jupyter==1.8.1'
    ])


def ensure_admins(admins):
    """
    Setup given list of users as admins.
    """
    if not admins:
        return
    print("Setting up admin users")
    config_path = os.path.join(INSTALL_PREFIX, 'config.yaml')
    if os.path.exists(config_path):
        with open(config_path, 'r') as f:
            config = rt_yaml.load(f)
    else:
        config = {}

    config['users'] = config.get('users', {})
    config['users']['admin'] = list(admins)

    with open(config_path, 'w+') as f:
        rt_yaml.dump(config, f)


def ensure_jupyterhub_running(times=4):
    """
    Ensure that JupyterHub is up and running

    Loops given number of times, waiting a second each.
    """

    for i in range(times):
        try:
            print('Waiting for JupyterHub to come up ({}/{} tries)'.format(i + 1, times))
            urlopen('http://127.0.0.1')
            return
        except HTTPError as h:
            if h.code in [404, 503]:
                # May be transient
                time.sleep(1)
                continue
            # Everything else should immediately abort
            raise
        except URLError as e:
            if isinstance(e.reason, ConnectionRefusedError):
                # Hub isn't up yet, sleep & loop
                time.sleep(1)
                continue
            # Everything else should immediately abort
            raise

    raise Exception("Installation failed: JupyterHub did not start in {}s".format(times))


def main():
    argparser = argparse.ArgumentParser()
    argparser.add_argument(
        '--admin',
        nargs='*',
        help='List of usernames set to be admin'
    )

    args = argparser.parse_args()

    ensure_admins(args.admin)

    ensure_usergroups()
    ensure_user_environment()

    print("Setting up JupyterHub...")
    ensure_jupyterhub_package(HUB_ENV_PREFIX)
    ensure_jupyterhub_service(HUB_ENV_PREFIX)
    ensure_jupyterhub_running()

    print("Done!")


if __name__ == '__main__':
    main()
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00			`import sys`
			`import os`
			`import tljh.systemd as systemd`
			`import tljh.conda as conda`
handle transient 404 2018-07-13 15:55:41 +02:00			`from urllib.error import HTTPError`
Check JupyterHub is running before finishing installer Integration CI failures were probably caused by us testing too soon. This should make that less likely 2018-07-11 12:56:52 -07:00			`from urllib.request import urlopen, URLError`
Use classic unix users rather than systemd dynamic users Dynamic Users are neat and probably very useful for a tmpnb style situation. However, for regular use they have the following problems: 1. Can't set ProtectHome=no, so you can never apt install or similar from inside admin accounts. 2. Dynamic uid / gid makes it hard to write sudo rules. We want admin users to have sudo. 3. Persistent uids / gids are very useful for ad-hoc ACLs between users. gid sharing isn't the most flexible sharing mechanism, but it is well known & quite useful. 4. /etc/skel is pretty useful! 2018-06-26 23:30:06 -07:00			`from tljh import user`
Separate jupyterhub & chp services Allows restarting hub for config changes without disrupting user service! 2018-06-27 02:00:52 -07:00			`import secrets`
Add --admin params to bootstrap / installer to set up admin accts This removes a big step requiring file changes from the quickstart path. You can specify the admin username on the commandline. 2018-07-03 16:18:32 -07:00			`import argparse`
Check JupyterHub is running before finishing installer Integration CI failures were probably caused by us testing too soon. This should make that less likely 2018-07-11 12:56:52 -07:00			`import time`
Add --admin params to bootstrap / installer to set up admin accts This removes a big step requiring file changes from the quickstart path. You can specify the admin username on the commandline. 2018-07-03 16:18:32 -07:00			`from ruamel.yaml import YAML`
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00
			`INSTALL_PREFIX = os.environ.get('TLJH_INSTALL_PREFIX', '/opt/tljh')`
			`HUB_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'hub')`
			`USER_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'user')`

			`HERE = os.path.abspath(os.path.dirname(__file__))`

Add --admin params to bootstrap / installer to set up admin accts This removes a big step requiring file changes from the quickstart path. You can specify the admin username on the commandline. 2018-07-03 16:18:32 -07:00			`rt_yaml = YAML()`

Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00
			`def ensure_jupyterhub_service(prefix):`
Separate jupyterhub & chp services Allows restarting hub for config changes without disrupting user service! 2018-06-27 02:00:52 -07:00			`"""`
Add --admin params to bootstrap / installer to set up admin accts This removes a big step requiring file changes from the quickstart path. You can specify the admin username on the commandline. 2018-07-03 16:18:32 -07:00			`Ensure JupyterHub & CHP Services are set up properly`
			`"""`
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00			`with open(os.path.join(HERE, 'systemd-units', 'jupyterhub.service')) as f:`
Separate jupyterhub & chp services Allows restarting hub for config changes without disrupting user service! 2018-06-27 02:00:52 -07:00			`hub_unit_template = f.read()`
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00
Separate jupyterhub & chp services Allows restarting hub for config changes without disrupting user service! 2018-06-27 02:00:52 -07:00			`with open(os.path.join(HERE, 'systemd-units', 'configurable-http-proxy.service')) as f:`
			`proxy_unit_template = f.read()`

			`unit_params = dict(`
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00			`python_interpreter_path=sys.executable,`
			`jupyterhub_config_path=os.path.join(HERE, 'jupyterhub_config.py'),`
Use classic unix users rather than systemd dynamic users Dynamic Users are neat and probably very useful for a tmpnb style situation. However, for regular use they have the following problems: 1. Can't set ProtectHome=no, so you can never apt install or similar from inside admin accounts. 2. Dynamic uid / gid makes it hard to write sudo rules. We want admin users to have sudo. 3. Persistent uids / gids are very useful for ad-hoc ACLs between users. gid sharing isn't the most flexible sharing mechanism, but it is well known & quite useful. 4. /etc/skel is pretty useful! 2018-06-26 23:30:06 -07:00			`install_prefix=INSTALL_PREFIX`
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00			`)`
Separate jupyterhub & chp services Allows restarting hub for config changes without disrupting user service! 2018-06-27 02:00:52 -07:00			`systemd.install_unit('configurable-http-proxy.service', proxy_unit_template.format(**unit_params))`
			`systemd.install_unit('jupyterhub.service', hub_unit_template.format(**unit_params))`
Start / Restart JupyterHub / CHP as required 2018-06-28 00:06:11 -07:00			`systemd.reload_daemon()`
Separate jupyterhub & chp services Allows restarting hub for config changes without disrupting user service! 2018-06-27 02:00:52 -07:00
			`# Set up proxy / hub secret oken if it is not already setup`
Move all config files inside INSTALL_PREFIX Makes cleanup easier! 2018-06-27 03:10:41 -07:00			`# FIXME: Check umask here properly`
			`proxy_secret_path = os.path.join(INSTALL_PREFIX, 'configurable-http-proxy.secret')`
			`if not os.path.exists(proxy_secret_path):`
			`with open(proxy_secret_path, 'w') as f:`
Separate jupyterhub & chp services Allows restarting hub for config changes without disrupting user service! 2018-06-27 02:00:52 -07:00			`f.write('CONFIGPROXY_AUTH_TOKEN=' + secrets.token_hex(32))`
Start / Restart JupyterHub / CHP as required 2018-06-28 00:06:11 -07:00			`# If we are changing CONFIGPROXY_AUTH_TOKEN, restart configurable-http-proxy!`
			`systemd.restart_service('configurable-http-proxy')`
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00
Store hub state inside install_prefix rm -rf'ing the prefix should get rid of almost everything 2018-06-27 14:21:08 -07:00			`os.makedirs(os.path.join(INSTALL_PREFIX, 'hub', 'state'), mode=0o700, exist_ok=True)`
Start / Restart JupyterHub / CHP as required 2018-06-28 00:06:11 -07:00			`# Start CHP if it has already not been started`
			`systemd.start_service('configurable-http-proxy')`
			`# If JupyterHub is running, we want to restart it.`
			`systemd.restart_service('jupyterhub')`
Store hub state inside install_prefix rm -rf'ing the prefix should get rid of almost everything 2018-06-27 14:21:08 -07:00
Start JupyterHub / CHP when system starts 2018-06-28 00:49:36 -07:00			`# Mark JupyterHub & CHP to start at boot ime`
			`systemd.enable_service('jupyterhub')`
			`systemd.enable_service('configurable-http-proxy')`

Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00
			`def ensure_jupyterhub_package(prefix):`
			`"""`
			`Install JupyterHub into our conda environment if needed.`

Install all python packages in hub environment with pip 2018-07-16 01:28:18 -07:00			`We install all python packages from PyPI as much as possible in the`
			`hub environment. A lot of spawners & authenticators do not have conda-forge`
			`packages, but do have pip packages. Keeping all python packages in the`
			`hub environment be installed with pip prevents accidental mixing of python`
			`and conda packages!`
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00			`"""`
Install all python packages in hub environment with pip 2018-07-16 01:28:18 -07:00			`conda.ensure_conda_packages(prefix, ['configurable-http-proxy==3.1.0'])`
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00			`conda.ensure_pip_packages(prefix, [`
Install all python packages in hub environment with pip 2018-07-16 01:28:18 -07:00			`'jupyterhub==0.9.0',`
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00			`'jupyterhub-dummyauthenticator==0.3.1',`
Bump systemdspawner version 2018-07-12 16:56:20 -07:00			`'jupyterhub-systemdspawner==0.11',`
Add LDAP & OAuthenticator to initial install 2018-07-16 16:19:16 -07:00			`'jupyterhub-firstuseauthenticator==0.10',`
			`'jupyterhub-ldapauthenticator==1.2.2',`
			`'oauthenticator==0.7.3',`
Add a simple installer! Sortof re-invents what debian packages do a little bit. 2018-06-26 18:37:24 -07:00			`])`


Add --admin params to bootstrap / installer to set up admin accts This removes a big step requiring file changes from the quickstart path. You can specify the admin username on the commandline. 2018-07-03 16:18:32 -07:00			`def ensure_usergroups():`
			`"""`
			`Sets up user groups & sudo rules`
			`"""`
Rewrite bootstrapper in Python - This was going to get too complex for bash. Only way to kill those scripts is before they get too complex. - Better progress messages from bootstrapper. - Differentiate between bootstrapper & installer - Cleanup documentation a little bit 2018-07-02 15:12:26 -07:00			`user.ensure_group('jupyterhub-admins')`
			`user.ensure_group('jupyterhub-users')`

			`print("Grainting passwordless sudo to JupyterHub admins...")`
			`with open('/etc/sudoers.d/jupyterhub-admins', 'w') as f:`
			`# JupyterHub admins should have full passwordless sudo access`
			`f.write('%jupyterhub-admins ALL = (ALL) NOPASSWD: ALL\n')`
			# `sudo -E` should preserve the $PATH we set. This allows
			# admins in jupyter terminals to do `sudo -E pip install <package>`,
			# `pip` is in the $PATH we set in jupyterhub_config.py to include the user conda env.
			`f.write('Defaults exempt_group = jupyterhub-admins\n')`

Add --admin params to bootstrap / installer to set up admin accts This removes a big step requiring file changes from the quickstart path. You can specify the admin username on the commandline. 2018-07-03 16:18:32 -07:00
			`def ensure_user_environment():`
			`"""`
			`Set up user conda environment with required packages`
			`"""`
Rewrite bootstrapper in Python - This was going to get too complex for bash. Only way to kill those scripts is before they get too complex. - Better progress messages from bootstrapper. - Differentiate between bootstrapper & installer - Cleanup documentation a little bit 2018-07-02 15:12:26 -07:00			`print("Setting up user environment...")`
			`conda.ensure_conda_env(USER_ENV_PREFIX)`
			`conda.ensure_conda_packages(USER_ENV_PREFIX, [`
			`# Conda's latest version is on conda much more so than on PyPI.`
Bump version of conda installed in user environment 2018-07-11 13:07:45 -07:00			`'conda==4.5.8'`
Rewrite bootstrapper in Python - This was going to get too complex for bash. Only way to kill those scripts is before they get too complex. - Better progress messages from bootstrapper. - Differentiate between bootstrapper & installer - Cleanup documentation a little bit 2018-07-02 15:12:26 -07:00			`])`

			`conda.ensure_pip_packages(USER_ENV_PREFIX, [`
			`# JupyterHub + notebook package are base requirements for user environment`
			`'jupyterhub==0.9.0',`
			`'notebook==5.5.0',`
			`# Install additional notebook frontends!`
			`'jupyterlab==0.32.1',`
			`'nteract-on-jupyter==1.8.1'`
			`])`

Add --admin params to bootstrap / installer to set up admin accts This removes a big step requiring file changes from the quickstart path. You can specify the admin username on the commandline. 2018-07-03 16:18:32 -07:00
			`def ensure_admins(admins):`
			`"""`
			`Setup given list of users as admins.`
			`"""`
			`if not admins:`
			`return`
			`print("Setting up admin users")`
			`config_path = os.path.join(INSTALL_PREFIX, 'config.yaml')`
			`if os.path.exists(config_path):`
			`with open(config_path, 'r') as f:`
			`config = rt_yaml.load(f)`
			`else:`
			`config = {}`

			`config['users'] = config.get('users', {})`
			`config['users']['admin'] = list(admins)`

			`with open(config_path, 'w+') as f:`
			`rt_yaml.dump(config, f)`


Check JupyterHub is running before finishing installer Integration CI failures were probably caused by us testing too soon. This should make that less likely 2018-07-11 12:56:52 -07:00			`def ensure_jupyterhub_running(times=4):`
			`"""`
			`Ensure that JupyterHub is up and running`

			`Loops given number of times, waiting a second each.`
			`"""`

remove hard-coded constant from retry loop 2018-07-13 15:36:44 +02:00			`for i in range(times):`
Check JupyterHub is running before finishing installer Integration CI failures were probably caused by us testing too soon. This should make that less likely 2018-07-11 12:56:52 -07:00			`try:`
Fix checking for JupyterHub service being up Would always fail before, since we never returned on success 2018-07-11 13:01:57 -07:00			`print('Waiting for JupyterHub to come up ({}/{} tries)'.format(i + 1, times))`
Check JupyterHub is running before finishing installer Integration CI failures were probably caused by us testing too soon. This should make that less likely 2018-07-11 12:56:52 -07:00			`urlopen('http://127.0.0.1')`
Fix checking for JupyterHub service being up Would always fail before, since we never returned on success 2018-07-11 13:01:57 -07:00			`return`
handle 404 and 503 transient errors 2018-07-13 14:56:00 +00:00			`except HTTPError as h:`
			`if h.code in [404, 503]:`
			`# May be transient`
Check JupyterHub is running before finishing installer Integration CI failures were probably caused by us testing too soon. This should make that less likely 2018-07-11 12:56:52 -07:00			`time.sleep(1)`
			`continue`
			`# Everything else should immediately abort`
			`raise`
handle 404 and 503 transient errors 2018-07-13 14:56:00 +00:00			`except URLError as e:`
			`if isinstance(e.reason, ConnectionRefusedError):`
			`# Hub isn't up yet, sleep & loop`
handle transient 404 2018-07-13 15:55:41 +02:00			`time.sleep(1)`
			`continue`
			`# Everything else should immediately abort`
			`raise`
Check JupyterHub is running before finishing installer Integration CI failures were probably caused by us testing too soon. This should make that less likely 2018-07-11 12:56:52 -07:00
			`raise Exception("Installation failed: JupyterHub did not start in {}s".format(times))`


Add --admin params to bootstrap / installer to set up admin accts This removes a big step requiring file changes from the quickstart path. You can specify the admin username on the commandline. 2018-07-03 16:18:32 -07:00			`def main():`
			`argparser = argparse.ArgumentParser()`
			`argparser.add_argument(`
			`'--admin',`
			`nargs='*',`
			`help='List of usernames set to be admin'`
			`)`

			`args = argparser.parse_args()`

			`ensure_admins(args.admin)`

			`ensure_usergroups()`
			`ensure_user_environment()`

			`print("Setting up JupyterHub...")`
			`ensure_jupyterhub_package(HUB_ENV_PREFIX)`
			`ensure_jupyterhub_service(HUB_ENV_PREFIX)`
Check JupyterHub is running before finishing installer Integration CI failures were probably caused by us testing too soon. This should make that less likely 2018-07-11 12:56:52 -07:00			`ensure_jupyterhub_running()`
Add --admin params to bootstrap / installer to set up admin accts This removes a big step requiring file changes from the quickstart path. You can specify the admin username on the commandline. 2018-07-03 16:18:32 -07:00
Rewrite bootstrapper in Python - This was going to get too complex for bash. Only way to kill those scripts is before they get too complex. - Better progress messages from bootstrapper. - Differentiate between bootstrapper & installer - Cleanup documentation a little bit 2018-07-02 15:12:26 -07:00			`print("Done!")`


			`if __name__ == '__main__':`
			`main()`