# Runpod Dev Environment Setup

SSH implements public-key cryptography to establish trust between client and server systems. In this paradigm, we have the **public key** (`.pub`) that functions as an access *verifier*, installed on target systems (like Runpod nodes), and the **private key** serves as the unique authentication factor for mathematically proving identity.

Below, we create public keys which we install onto Runpod and GitHub systems. The corresponding private key for Runpod is stored locally, while that for GitHub is securely copied via `scp`. This gives every new pod read and write access to GitHub repositories.

![](./img/runpod-ssh.png)

## Give local SSH access to pods

1. Generate SSH keys for Runpod (no passphrase):
```bash
ssh-keygen -t ed25519 -C "runpod" -f ~/.ssh/runpod -N ""
cat ~/.ssh/runpod.pub
```
2. Add this to `Settings>SSH Public Keys` in Runpod (separated by newline).

## Give pods SSH access to GitHub
1. Generate SSH keys to access GitHub from each pod (no passphrase):
```bash
ssh-keygen -t ed25519 -C "runpod-github" -f ~/.ssh/runpod_github -N ""
cat ~/.ssh/runpod_github.pub
```
2. Register the printed public SSH key in Github.
3. Run the following script. Then, copy your pod's **SSH over exposed TCP** [connection string]{.underline}[^connstring]. Paste the connection string in the resulting input prompt. You should verify the auto-filled values for **pod IP** and **port number** before proceeding.
```bash
echo -n "\nSSH over exposed TCP connection string: \n"
read RUNPOD_SSH

RUNPOD_IP=$(echo "$RUNPOD_SSH" | sed -E 's/.*@([0-9.]+).*/\1/')
RUNPOD_PORT=$(echo "$RUNPOD_SSH" | sed -E 's/.*-p ([0-9]+).*/\1/')
echo ""
echo "IP:   $RUNPOD_IP"
echo "Port: $RUNPOD_PORT"
```

4. Run the following script. This copies the GitHub private SSH key, adds it to the SSH agent, and logs in to the instance. You should now be connected to your pod! 🫛 Also, you can check that you have access to your repositories.
```bash
ssh-keyscan -p $RUNPOD_PORT $RUNPOD_IP >> ~/.ssh/known_hosts                    # <0>

scp -P $RUNPOD_PORT -i ~/.ssh/runpod \
    ~/.ssh/runpod_github root@$RUNPOD_IP:/root/.ssh/runpod_github

ssh -t -p $RUNPOD_PORT -i ~/.ssh/runpod root@$RUNPOD_IP '
    # Set secure permissions for SSH directory and key
    chmod 700 ~/.ssh                                                            # <1>
    chmod 600 ~/.ssh/runpod_github                                              # <2>

    # Add GitHub to known_hosts and set permissions
    ssh-keyscan github.com >> ~/.ssh/known_hosts                                # <3>
    chmod 644 ~/.ssh/known_hosts                                                # <4>

    # Start SSH agent and load the key
    eval "$(ssh-agent -s)" > /dev/null;                                         # <5>
    ssh-add ~/.ssh/runpod_github                                                # <6>

    # Launch interactive shell to keep the session alive
    exec bash -l                                                                # <7>
'
```
0. Append pod's public SSH host key to local `known_hosts` to skip authenticity prompts.
1. Permissions: only owner can read, write, or execute directory.
2. Permissions: only owner can read or write on the private key file.
3. Append GitHub's public SSH host key to pod `known_hosts` to avoid authenticity prompts.
4. Permissions: `known_hosts` owner can read/write, others have read-only access.
5. Run SSH agent in the background and output env vars to `~/.ssh-agent-info` for later sourcing.
6. Add GitHub private key to SSH agent. 
7. Once setup completes, `exec $SHELL -l` starts a login shell that inherits the environmental variables of the last one. The `-t` flag ensures the final `exec` gets a proper terminal.

:::{.callout-note}
The `ssh-agent` process persists in the background once started, holding your loaded keys in memory. What does not persist are the environment variables (`SSH_AUTH_SOCK`, `SSH_AGENT_PID`) that let your shell know how to communicate with that agent. When you open a new shell or SSH session, those env vars are not automatically set, so your shell can’t find the running agent unless you restore them (e.g. doing `ssh-add` again). This is why we want all setup and SSH connection to happen in one continuous session.
:::

[^connstring]: e.g. `ssh root@63.141.33.33 -p 22011 -i ~/.ssh/id_ed25519`

## Virtual environment

:::{.callout-warning}
This part is much more specific to the current project. 
:::

Clone the repo:

```bash
git clone git@github.com:particle1331/ai-notebooks.git
```

You can use `uv` as environment and package manager synced with `uv.lock`. This creates a virtual env `.venv` that can be used as notebook kernel.

```bash
make venv
```
Or skip `uv` entirely and just use `pip`:
```bash
make requirements
pip install -r requirements.txt
```

:::{.callout-note}
There are trade-offs. The pods are ephemeral, so you don't need to perfect their setup or maintain a clean state. But then things like reproducibility may matter, so you may still want a well-defined environment. The level of precision necessary ultimately depends on your use case.
:::

## Quarto docs

Check [here](https://github.com/particle1331/ai-notebooks/blob/main/.github/workflows/publish.yml) for the Quatro version that we're using. Adjust the following variable accordingly:
```bash
export QUARTO_VERSION=1.7.32  # may be outdated
wget -q https://github.com/quarto-dev/quarto-cli/releases/download/v${QUARTO_VERSION}/quarto-${QUARTO_VERSION}-linux-amd64.deb
dpkg -i quarto-${QUARTO_VERSION}-linux-amd64.deb && rm quarto-${QUARTO_VERSION}-linux-amd64.deb
```

Preview then [port-forward](https://code.visualstudio.com/docs/remote/ssh#_forwarding-a-port-creating-ssh-tunnel) using vscode:
```bash
make docs
```