anybody tried to connect from Visual Studio Code to jupyter server started by ondemand?
Visual Studio Code offers possibility to connect to URL of already running Jupyter server, but it’s not able (that’s my current understanding) to go over the dex authentization phase.
Isn’t anybody here who tried to investigate this already?
I haven’t, no, sorry! If there’s enough need at your site, it could be beneficial to create it’s own app like code server + Jupyter. That way it all happens in the app for the user by itself.
yup, I saw the example code-server app at OSC github. - I discussed this already with some key users, and the known bug “In-app installation of extensions does not work” is quite showstopper - we all like syntax highlight, linters, etc…
Also the feeling of “native” app vscode is a factor…
After some research, I can tell that:
So the remaining task is to show this information somehow here - would you advice me, please, where in the codebase is this box drawn?
(and solve the network visibility between client and compute node indeed)
We are very interested to this too. @jose-d can you please elaborate on how you have been able to have VSCode connect to OOD-launched jupyter? I see two problems:
At the moment I have a JupyterHub server (running on the head node, and submitting jobs to the compute node) and I would like to retire that. However users like the ability to just launch that, get the token (from the hub control panel) and connect via VSCode. On the other hand, network administrators like that they can keep the compute node behind the firewall.
@jeff.ohrstrom can you please elaborate a bit on the code server + Jupyter option and especially on the two issues? I’m not familiar with code server, so excuse me if the questions are too naive
in-app installation: is this something that I could workaround by doing global install as root? My user base is relatively small and relatively homogeneous, so that’s something I could live with, but I will need to install syntax highlighter and other extensions.
auth unencrypted: I don’t get this! If we are talking about a OOD app, how does it have its own authentication? Doesn’t it use just the OOD infrastructure including authentication?
Thanks to both!
sure. I must say it was regular slurm-started jupyter, it would need few tweaks to to the same in the jupyter OOD app, but principally doable:
at cluster (front-end node):
srun -N 1 --partition=gpu_int --gres=gpu:a100:1 --cpus-per-task=8 --mem=64000 --time=1-00:00:00 --pty bash -i
# command above will create interactive shell job with properly booked GPU, we're now in it..
# .. load any modules we like:
module load JupyterLab/3.5.0-GCCcore-11.3.0
module load CUDA/11.7.0
# run jupyter
jupyter-server --ip=0.0.0.0
this will get you lot of output including this:
To access the server, open this file in a browser:
file:///home/jose/.local/share/jupyter/runtime/.....html
Or copy and paste one of these URLs:
http://gpu1......:8888/?token=redacted
or http://127.0.0.1:8888/?token=redacted
well and then, at my local laptop (edit: changed wording a bit), I started vscode, and created remote development session at login/front-end server (acting as a ssh jumpserver), then:
…and that’s it.
It would be helpful, if using job templates or other OOD feature I’d be able to automatize the job launch, extract jupyter server URL, and display that in some user-friendly way.
Inbetween I realized that there is “tunnels” feature in vscode. Perhaps it could be more meaningful for our case.
I’m not entirely sure how to do this, but I would say that with a seperate app you can boot both applications, vscode & jupyter and connect them directly in the script.sh.erb.
Here’s an example where we boot Spark along with Jupyter. It’s a seperate application from the regular Jupyter application and does all the work of booting up Spark alongside Jupyter and connecting the two.
@jeff.ohrstrom isn’t there any template/example to display (part of) content of job output at OOD portal?
(like the unofficial desktop feature showing VNC client connection instructions for various OS, parsed from log output of vncserver…)
You can use conn_params for variables that are generated at runtime (the job’s runtime) that need to be passed back to the view.html.erb
https://osc.github.io/ood-documentation/latest/how-tos/app-development/interactive/conn-params.html
After some offline discussion, it has been recommended to me to inspect the HTML of the “Connect to Jupyter” button to see if I could find a way to connect to jupyter via an URL-only method which should work in VSCode, but that does not appear to work.
For example, in one instance I get
<div class="ood-appkit markdown"><form action="/node/node0202/53086/login" method="post" target="_blank">
<input type="hidden" name="password" value="some_password_value">
<button class="btn btn-primary" type="submit">
<i class="fa fa-eye"></i> Connect to Jupyter
</button>
</form>
</div>
However navigating (in another browser) to https://actcluster.honeywell.lab:5554/node/node0202/53086/login?password=some_password_value returns a 404. Copy-pasting the actual URL which the “Connect to Jupyter” button opens require a login, whether or not I append the ?password=some_password_value at the end.
Any ideas?
Buttons are a POST request - you can see the method="post" there in the form tag. Web browsers issue GET requests.
I’m trying to find the documentation for the same, but it seems to indicate that if you switch to token based authentication it may work.
Instead of setting a password in before.sh.erb you can use the uuid command and set the setting:
c.NotebookApp.token = ''
Thanks.
I think the problem is that OOD still tries to authenticate me via DEX. So if I set a token authentication in jupyter (perhaps with an actual token, rather than a empty one 
I would like to go to an URL like
https://cluster-url:8443/node/node-name.cluster/12882/lab/?token=1234
and bypass the DEX authentication getting only the jupyter one.
That’s how it is handled by JupyterHub, as mentioned at here
In fact if I go to any JH URL it asks me to authenticate to the JH server, however something like
https://cluster-url:port/user/username/lab/?token=1234
gets authenticated by jupyter notebook and bypasses the jupyterhub authentication.
My guess is that OOD does not support this sort of pass-through? Does it sound like something easy to configure or implement in a future version?
You cannot bypass DEX. I thought the flow is something like
The last step is the important bit. You have to use a new tab in the same browser that you’re logged into OnDemand with. Otherwise, yes, you’ll have to authenticate with DEX.
I see. This makes sense for the browser, but sadly not for the pretend-browser that VSCode acts like.
So we need to keep JH running for that reason 
Is there any way that in the future this bypass-DEX-for-certain-URLs feature be implemented?
Thanks!
I don’t think so. It seems very dangerous to me to leave these URLs open to anyone.
I don’t think so. It seems very dangerous to me to leave these URLs open to anyone.
Thanks for sharing this comment.
To be clear, I’m not suggesting to leave it “open to anyone” but to simply proxy that URL to something else (jupyter in this case). Jupyter itself is not “open to anyone” but requires a password or token (which OOD provides under the hood in the current implementation, so you authenticate only once rather than twice).
What I was proposing, for this specific URL, is that OOD would just to the proxy to jupyter and let that handle the authentication.
If it’s too much of hassle or something to get it right, I understand – but I suspect others would keep asking since VSCode is quite popular already and gaining even more among the jupyter crowd, so…