WIP Binder

swan-cern/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: swan
-  repository: https://registry.cern.ch/chartrepo/swan
-  version: 0.1.6
+  repository: file://../swan
+  version: 0.2.0
 - name: fluentd
   repository: http://registry.cern.ch/chartrepo/cern
   version: 0.1.5
-digest: sha256:e3728208418e25f1b1cd3f2486eae02b3e640bb1354df411036835ee7ef6d26f
-generated: "2022-02-01T09:20:32.294197039+01:00"
+digest: sha256:75996331669b40fbdc6c92c87487e8e063fb7249a6082d73a1229ec766e64604
+generated: "2022-04-21T14:28:14.504289838+02:00"

swan-cern/Chart.yaml

@@ -9,8 +9,8 @@ description: The chart to deploy SWAN at CERN
 #
 dependencies:
   - name: swan
-    version: 0.1.6
-    repository: https://registry.cern.ch/chartrepo/swan
+    version: 0.2.0
+    repository: file://../swan
   - name: fluentd
     repository: http://registry.cern.ch/chartrepo/cern
     version: 0.1.5

swan-cern/files/swan_config_cern.py

@@ -1,4 +1,4 @@
-import os, subprocess
+
 
 from kubernetes import client
 from kubernetes.client.rest import ApiException
@@ -190,6 +190,19 @@ def _init_eos_containers(self, eos_secret_name):
             )
         )
 
+        #the notebook container needs to run as root as it needs to 
+        #add an user and switch to that user
+        #it also need to set command and args to none in order to
+        #run the systemuser.sh script as defined in the image
+        #(we set jupyterhub-singleuser in the values as that is what 
+        #is needed for authenticated binder)
+
+        run_as_root=client.V1SecurityContext(run_as_user=0)
+
+        notebook_container.security_context=run_as_root
+        notebook_container.command=None
+        notebook_container.args=None
+
         # add the base containers after side container (to start after side container)
         existing_containers = self.pod.spec.containers
         pod_spec_containers.extend(existing_containers)
@@ -200,11 +213,11 @@ def _init_eos_containers(self, eos_secret_name):
 # https://jupyterhub-kubespawner.readthedocs.io/en/latest/spawner.html
 # This is defined in the configuration to allow overring iindependently 
 # of which config file is loaded first
-# c.SwanKubeSpawner.modify_pod_hook = swan_pod_hook
+# c.SwanSpawner.modify_pod_hook = swan_pod_hook
 def swan_pod_hook_prod(spawner, pod):
     """
     :param spawner: Swan Kubernetes Spawner
-    :type spawner: swanspawner.SwanKubeSpawner
+    :type spawner: swanspawner.SwanSpawner
     :param pod: default pod definition set by jupyterhub
     :type pod: client.V1Pod
 
@@ -219,7 +232,4 @@ def swan_pod_hook_prod(spawner, pod):
 # Get configuration parameters from environment variables
 swan_container_namespace = os.environ.get('POD_NAMESPACE', 'default')
 
-c.SwanKubeSpawner.modify_pod_hook = swan_pod_hook_prod
-
-# Required for swan systemuser.sh
-c.SwanKubeSpawner.cmd = None
+c.SwanSpawner.modify_pod_hook = swan_pod_hook_prod

swan-cern/files/swan_spark_config.py

@@ -13,6 +13,12 @@
 class SwanSparkPodHookHandler(SwanPodHookHandlerProd):
 
     def get_swan_user_pod(self):
+
+
+        if 'binder_ref_url' in self.spawner.user_options.keys():
+            # we don't need any customization if running within binder
+            return self.pod
+
         super().get_swan_user_pod()
 
         # get hadoop token
@@ -170,8 +176,6 @@ def _spark_enabled(self):
         """
 
         user_roles = self.spawner.user_roles
-        print(self.spawner.user_options)
-        print(self.spawner.user_roles)
         cluster = self.spawner.user_options[self.spawner.spark_cluster_field]
 
         if cluster == "analytix" and "analytix" not in user_roles:
@@ -337,7 +341,7 @@ def _init_spark(self, pod_labels):
 def spark_modify_pod_hook(spawner, pod):
     """
     :param spawner: Swan Kubernetes Spawner
-    :type spawner: swanspawner.SwanKubeSpawner
+    :type spawner: swanspawner.SwanSpawner
     :param pod: default pod definition set by jupyterhub
     :type pod: client.V1Pod
 
@@ -350,4 +354,4 @@ def spark_modify_pod_hook(spawner, pod):
 # Get configuration parameters from environment variables
 # swan_container_namespace = os.environ.get('POD_NAMESPACE', 'default')
 
-c.SwanKubeSpawner.modify_pod_hook = spark_modify_pod_hook
+c.SwanSpawner.modify_pod_hook = spark_modify_pod_hook

swan-cern/swan.dev.values.yaml

@@ -1,126 +1,127 @@
 swan:
-  jupyterhub:
-    hub:
-      image:
-        name: "gitlab-registry.cern.ch/swan/docker-images/jupyterhub"
-        tag: "v1.13"
-      config:
-        KeyCloakAuthenticator:
-          allowed_roles:
-            - swan-admins
-            - swan-qa
-            - swan-devs
-      extraVolumes:
-        - name: swan-jh
-          configMap:
-            name: swan-scripts
-            items:
-            - key: jupyterhub_form.html
-              path: jupyterhub_form.html
-            - key: swan_config.py
-              path: swan_config.py
-        - name: swan-jh-cern
-          configMap:
-            name: swan-scripts-cern
-            items:
-            - key: options_form_config.json
-              path: options_form_config.json
-            - key: swan_config_cern.py
-              path: swan_config_cern.py
-            - key: swan_spark_config.py
-              path: swan_spark_config.py
-        - name: swan-cull-scripts
-          configMap:
-            name: swan-scripts-cern
-            items:
-            - key: cull_check_ticket.sh
-              path: cull_check_ticket.sh
-            - key: cull_delete_ticket.sh
-              path: cull_delete_ticket.sh
-            defaultMode: 356 # 0544 perm
-        - name: swan-tokens-scripts
-          configMap:
-            name: swan-scripts-env-dev
-            items:
-            - key: webhdfs_token.sh
-              path: webhdfs_token.sh
-            - key: eos_token.sh
-              path: eos_token.sh
-            - key: sparkk8s_token.sh
-              path: sparkk8s_token.sh
-            defaultMode: 356 # 0544 perm
-        - name: swan-secrets
-          secret:
-            secretName: swan-cern
-            items:
-            - key: eos.cred
-              path: eos.cred
-            - key: hadoop.cred
-              path: hadoop.cred
-            - key: sparkk8s.cred
-              path: sparkk8s.cred
-        - name: cvmfs
-          hostPath: 
-            path: /var/cvmfs
-            type: Directory
-      db:
-        type: sqlite-memory
-    custom:
-      cvmfs:
-        deployDaemonSet: true
-        deployCsiDriver: false
-        useCsiDriver: false
-        repositories:
-          - mount: cvmfs-config.cern.ch
-          - mount: sft.cern.ch
-            proxy: 'http://ca-proxy-sft.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: sft-nightlies.cern.ch
-            proxy: 'http://ca-proxy-sft.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: alice.cern.ch
-            proxy: 'http://ca-proxy-alice.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: alice-ocdb.cern.ch
-            proxy: 'http://ca-proxy-alice.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: alice-nightlies.cern.ch
-            proxy: 'http://ca-proxy-alice.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: alpha.cern.ch
-          - mount: ams.cern.ch
-          - mount: atlas.cern.ch
-            proxy: 'http://ca-proxy-atlas.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: atlas-condb.cern.ch
-            proxy: 'http://ca-proxy-atlas.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: atlas-nightlies.cern.ch
-            proxy: 'http://ca-proxy-atlas.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: clicbp.cern.ch
-          - mount: cms.cern.ch
-            proxy: 'http://cmsmeyproxy.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: cms-ib.cern.ch
-            proxy: 'http://cmsmeyproxy.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: cms-bril.cern.ch
-            proxy: 'http://cmsmeyproxy.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: compass.cern.ch
-            proxy: 'http://ca-proxy-compass.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: compass-condb.cern.ch
-            proxy: 'http://ca-proxy-compass.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: fcc.cern.ch
-          - mount: ganga.cern.ch
-          - mount: geant4.cern.ch
-          - mount: lhcb.cern.ch
-            proxy: 'http://ca-proxy-lhcb.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: lhcb-condb.cern.ch
-            proxy: 'http://ca-proxy-lhcb.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: lhcbdev.cern.ch
-            proxy: 'http://ca-proxy-lhcb.cern.ch:3128;http://ca-proxy.cern.ch:3128'
-          - mount: na61.cern.ch
-          - mount: na62.cern.ch
-          - mount: projects.cern.ch
-          - mount: sw.hsf.org
-      eos:
-        deployDaemonSet: false
-        deployCsiDriver: true
-        useCsiDriver: true
-    prePuller:
-      hook:
-        enabled: false
+  binderhub:
+    jupyterhub:
+      hub:
+        image:
+          name: "gitlab-registry.cern.ch/swan/docker-images/jupyterhub"
+          tag: "v1.13"
+        config:
+          KeyCloakAuthenticator:
+            allowed_roles:
+              - swan-admins
+              - swan-qa
+              - swan-devs
+        extraVolumes:
+          - name: swan-jh
+            configMap:
+              name: swan-scripts
+              items:
+              - key: jupyterhub_form.html
+                path: jupyterhub_form.html
+              - key: swan_config.py
+                path: swan_config.py
+          - name: swan-jh-cern
+            configMap:
+              name: swan-scripts-cern
+              items:
+              - key: options_form_config.json
+                path: options_form_config.json
+              - key: swan_config_cern.py
+                path: swan_config_cern.py
+              - key: swan_spark_config.py
+                path: swan_spark_config.py
+          - name: swan-cull-scripts
+            configMap:
+              name: swan-scripts-cern
+              items:
+              - key: cull_check_ticket.sh
+                path: cull_check_ticket.sh
+              - key: cull_delete_ticket.sh
+                path: cull_delete_ticket.sh
+              defaultMode: 356 # 0544 perm
+          - name: swan-tokens-scripts
+            configMap:
+              name: swan-scripts-env-dev
+              items:
+              - key: webhdfs_token.sh
+                path: webhdfs_token.sh
+              - key: eos_token.sh
+                path: eos_token.sh
+              - key: sparkk8s_token.sh
+                path: sparkk8s_token.sh
+              defaultMode: 356 # 0544 perm
+          - name: swan-secrets
+            secret:
+              secretName: swan-cern
+              items:
+              - key: eos.cred
+                path: eos.cred
+              - key: hadoop.cred
+                path: hadoop.cred
+              - key: sparkk8s.cred
+                path: sparkk8s.cred
+          - name: cvmfs
+            hostPath: 
+              path: /var/cvmfs
+              type: Directory
+        db:
+          type: sqlite-memory
+      custom:
+        cvmfs:
+          deployDaemonSet: true
+          deployCsiDriver: false
+          useCsiDriver: false
+          repositories:
+            - mount: cvmfs-config.cern.ch
+            - mount: sft.cern.ch
+              proxy: 'http://ca-proxy-sft.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: sft-nightlies.cern.ch
+              proxy: 'http://ca-proxy-sft.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: alice.cern.ch
+              proxy: 'http://ca-proxy-alice.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: alice-ocdb.cern.ch
+              proxy: 'http://ca-proxy-alice.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: alice-nightlies.cern.ch
+              proxy: 'http://ca-proxy-alice.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: alpha.cern.ch
+            - mount: ams.cern.ch
+            - mount: atlas.cern.ch
+              proxy: 'http://ca-proxy-atlas.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: atlas-condb.cern.ch
+              proxy: 'http://ca-proxy-atlas.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: atlas-nightlies.cern.ch
+              proxy: 'http://ca-proxy-atlas.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: clicbp.cern.ch
+            - mount: cms.cern.ch
+              proxy: 'http://cmsmeyproxy.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: cms-ib.cern.ch
+              proxy: 'http://cmsmeyproxy.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: cms-bril.cern.ch
+              proxy: 'http://cmsmeyproxy.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: compass.cern.ch
+              proxy: 'http://ca-proxy-compass.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: compass-condb.cern.ch
+              proxy: 'http://ca-proxy-compass.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: fcc.cern.ch
+            - mount: ganga.cern.ch
+            - mount: geant4.cern.ch
+            - mount: lhcb.cern.ch
+              proxy: 'http://ca-proxy-lhcb.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: lhcb-condb.cern.ch
+              proxy: 'http://ca-proxy-lhcb.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: lhcbdev.cern.ch
+              proxy: 'http://ca-proxy-lhcb.cern.ch:3128;http://ca-proxy.cern.ch:3128'
+            - mount: na61.cern.ch
+            - mount: na62.cern.ch
+            - mount: projects.cern.ch
+            - mount: sw.hsf.org
+        eos:
+          deployDaemonSet: false
+          deployCsiDriver: true
+          useCsiDriver: true
+      prePuller:
+        hook:
+          enabled: false
 hadoopTokenGenerator:
   extraVolumes:
     - name: swan-tokens-scripts
@@ -129,4 +130,4 @@ hadoopTokenGenerator:
         items:
           - key: hadoop_token.sh
             path: hadoop_token.sh
-        defaultMode: 500
+        defaultMode: 500

swan-cern/templates/hadoop-token-generator.yaml

@@ -31,13 +31,13 @@ spec:
               name: hub
               key: hub.services.hadoop-token-generator.apiToken
         - name: HADOOP_CONF_HOME
-          value: {{ .Values.swan.jupyterhub.custom.spark.configurationPath }} 
+          value: {{ .Values.swan.binderhub.jupyterhub.custom.spark.configurationPath }} 
 
         livenessProbe:
           exec:
             command:
             - ls
-            - {{ .Values.swan.jupyterhub.custom.spark.configurationPath }}
+            - {{ .Values.swan.binderhub.jupyterhub.custom.spark.configurationPath }}
           initialDelaySeconds: 5
           periodSeconds: 5