New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remote kernel support #38
Comments
Maybe remote kernel can be used/integrated to support this feature? |
I would still like to support this. @rgbkrk, I think you had some concerns about zmq on random ports making it through people's networks? @TKCen it looks like Would someone be willing to give |
Just opened #39 to address switching between multiple kernels for a language. |
As for my concerns, these are my observations from teaching classes, running a few tmpnb deployments, JupyterHub deployments, and my own security perspectives. Feel free to take it all with a grain of salt. Remotes over ZeroMQIt's all about the kernels communication layer. Not every ZeroMQ installation includes encryption by default (libsodium is an optional dependency for ØMQ). ØMQ4 does have curve, which is wire-compatible with ØMQ3, but won't necessarily have libsodium. One can build it that way for themselves, certainly. This tends to mean either using websockets (through a notebook server) or tunneling through SSH. Remotes over websocketsThe most reliable way I've seen for getting websockets through is making sure they're served over HTTPS on the standard port (443). That boils down to corporate (MITM) proxies totally mucking up the sticky connection with websockets, interfering with the flow, and generally being nasty. As for port, that's about stringent controls (no high ports getting through, etc.) Use HTTPS and you're fine! Upstream!That being said, I think the remote kernel issue should be addressed with upstream Jupyter projects to work for the notebook server, etc. As long as we're adhering to the same protocol, it should help multiple projects at once. I see a near future where folks can consume kernels remotely from wherever they have them deployed, whether that means O'Reilly Media providing them for static content (e.g. https://beta.oreilly.com/learning/an-illustrated-introduction-to-the-t-sne-algorithm, through the use of tmpnb + thebe), a JupyterHub deployment (complete with auth), or some other spawning mechanism. There's not a current authentication construct/config around providing support for remote kernels (from a project level) other than IPython parallel and full notebooks with the JupyterHub spawners, but I'd like to see it soon. |
Interesting — if something like |
I tried rk, Jupyter connects to the kernel momentarily, then loops between "Dead Kernel" and "Connected" every twenty seconds or so. |
Forgive my ignorance, is the security issue with the remote kernel only relevant in open networks? Lots of use cases involve only talking to closed networks through a vpn or some such. |
For someone advanced enough to do that, they can already use remote kernels just fine. It's the launcher that has to perform it. The kernel.json spec file could specify whatever IP you bind to:
The default in the notebook is to do localhost so that we're not exposing typical users to remote execution of their laptop while, e.g. at a cafe. |
Can someone please give us some example on how to set this up? I am a total noob when it comes to edit: |
There's no documentation because this is definitely not supported behavior right now. Since Hydrogen is designed to start the kernel itself rather than connecting to an existing kernel, it's going to be weird if it works at all. Hydrogen currently connects via local ZeroMQ ports. Furthermore, Hydrogen does not use any security at all, since it's designed for local access, meaning that the server and probably also your local machine would have a huge security hole. Honestly, I think you're going to be better off using I'm sorry I don't have a better answer for you right now, but keep an eye out for changes to come. |
I will post shortly... I have just made this to work (without changing anything in |
Right on! On Wed, Jul 1, 2015 at 12:30 PM Răzvan Rădulescu notifications@github.com
|
My major issue with not using message signing, even though local, is that anything else that can reach those ZMQ sockets can get remote execution. They have to know the port, but it's not like they can't port scan. If someone got it to work through the flash binding (zmqsocket.js) you would have a XSS attack with full remote execution from random sites on the internet. That's not good. There's a reason the key and signature scheme is provided. |
But it sounds to me that there's a super easy solution to this... You just build the ability to add remote machines in |
@rgbkrk Ugh, yeah. Let's get signing working. @razvanc87 Yep — signing and remote kernels are two different steps. I agree that getting it just to the point of running in Hydrogen isn't a ton of work. The harder steps about making that use case work as smoothly as possible for people. |
If you're interested in working on this, pull requests are very much appreciated :) |
Yep, I definitely am, but I have a lot of ground to cover... I have no experience with this oh right... I forgot to explain what the bash script does... oh well :))... details |
Awesome work on this — I'll direct people this way in the future! |
Any news on this? |
@oxinabox I haven't used them myself, but I'm aware of, at least, three projects to provide remote kernels. See:
@rgbkrk @lgeiger Currently, the only way to start up Hydrogen is to make a run request. Functionality like switching kernels is not available before that. I think we could provide two more commands:
|
We've got a couple remote kernel setups working as part of enchannel, though they're not ready for utility consumption. |
old link form @razvanc-r was not working anymore, link to his gist is: https://gist.github.com/razvanc-r/a365b921ba4bf575b6a5 |
Closed via #295 |
This was in the original to-do list ("support remote kernels"). I think this feature would be extremely helpful for people who need to run the code on remote servers. Is this feature still part of the roadmap for the near future :)?
The text was updated successfully, but these errors were encountered: