Kubernetes 通过 Deployment 部署Jupyterlab

概要

在Kubernetes上部署jupyterlab服务，链接Kubernetes集群内的MySQL，实现简单的数据开发功能。

前置条件

镜像准备：自定义Docker镜像--Jupyterlab-CSDN博客

MySQL-Statefulset准备：StatefulSet 简单实践 Kubernetes-CSDN博客

步骤

1-namespace.yaml

apiVersion: v1
kind: Namespace
metadata:name: jupyterlablabels:app1: jupyterlabapp.kubernetes.io/name: jupyterlab

2-jupyter-config.yaml

关键配置：

c.ServerApp.allow_remote_access = True
c.ServerApp.ip = '*'
c.ServerApp.open_browser = False
c.ServerApp.password = ''
c.ServerApp.port = 8888

c.ServerApp.ip = '' 默认事localhost，配置 "*" 便于访问，便于nodeport的访问

如何生成password，参考:

jupyter-lab 设置密码(password) - 简书 (jianshu.com)

详细内容：

apiVersion: v1
kind: ConfigMap
metadata:labels:app1: jupyterlabapp.kubernetes.io/name: jupyterlabname: jupyter-confignamespace: jupyterlab
data:jupyter_lab_config.py: |-# Configuration file for lab.#------------------------------------------------------------------------------# Application(SingletonConfigurable) configuration#------------------------------------------------------------------------------## This is an application.## The date format used by logging formatters for %(asctime)s#c.Application.log_datefmt = '%Y-%m-%d %H:%M:%S'## The Logging format template#c.Application.log_format = '[%(name)s]%(highlevel)s %(message)s'## Set the log level by value or name.#c.Application.log_level = 30#------------------------------------------------------------------------------# JupyterApp(Application) configuration#------------------------------------------------------------------------------## Base class for Jupyter applications## Answer yes to any prompts.#c.JupyterApp.answer_yes = False## Full path of a config file.c.JupyterApp.config_file = '/root/.jupyter/jupyter_lab_config.py'## Specify a config file to load.#c.JupyterApp.config_file_name = ''## Generate default config file.#c.JupyterApp.generate_config = False#------------------------------------------------------------------------------# ExtensionApp(JupyterApp) configuration#------------------------------------------------------------------------------## Base class for configurable Jupyter Server Extension Applications.#  #  ExtensionApp subclasses can be initialized two ways:#  1. Extension is listed as a jpserver_extension, and ServerApp calls#      its load_jupyter_server_extension classmethod. This is the#      classic way of loading a server extension.#  2. Extension is launched directly by calling its `launch_instance`#      class method. This method can be set as a entry_point in#      the extensions setup.py## #c.ExtensionApp.default_url = ''## Handlers appended to the server.#c.ExtensionApp.handlers = []## Whether to open in a browser after starting. The specific browser used is#  platform dependent and determined by the python standard library `webbrowser`#  module, unless it is overridden using the --browser (ServerApp.browser)#  configuration option.#c.ExtensionApp.open_browser = False## Settings that will passed to the server.#c.ExtensionApp.settings = {}## paths to search for serving static files.#  #  This allows adding javascript/css to be available from the notebook server#  machine, or overriding individual files in the IPython#c.ExtensionApp.static_paths = []## Url where the static assets for the extension are served.#c.ExtensionApp.static_url_prefix = ''## Paths to search for serving jinja templates.#  #  Can be used to override templates from notebook.templates.#c.ExtensionApp.template_paths = []#------------------------------------------------------------------------------# LabServerApp(ExtensionAppJinjaMixin,LabConfig,ExtensionApp) configuration#------------------------------------------------------------------------------## A Lab Server Application that runs out-of-the-box## "A list of comma-separated URIs to get the allowed extensions list#  #  .. versionchanged:: 2.0.0#      `LabServerApp.whitetlist_uris` renamed to `allowed_extensions_uris`#c.LabServerApp.allowed_extensions_uris = ''## Deprecated, use `LabServerApp.blocked_extensions_uris`#c.LabServerApp.blacklist_uris = ''## A list of comma-separated URIs to get the blocked extensions list#  #  .. versionchanged:: 2.0.0#      `LabServerApp.blacklist_uris` renamed to `blocked_extensions_uris`#c.LabServerApp.blocked_extensions_uris = ''## The interval delay in seconds to refresh the lists#c.LabServerApp.listings_refresh_seconds = 3600## The optional kwargs to use for the listings HTTP requests             as#  described on https://2.python-requests.org/en/v2.7.0/api/#requests.request#c.LabServerApp.listings_request_options = {}## Deprecated, use `LabServerApp.allowed_extensions_uris`#c.LabServerApp.whitelist_uris = ''#------------------------------------------------------------------------------# LabApp(NBClassicConfigShimMixin,LabServerApp) configuration#------------------------------------------------------------------------------## The app directory to launch JupyterLab from.#c.LabApp.app_dir = None## Whether to enable collaborative mode.#c.LabApp.collaborative = False## Whether to start the app in core mode. In this mode, JupyterLab will run using#  the JavaScript assets that are within the installed JupyterLab Python package.#  In core mode, third party extensions are disabled. The `--dev-mode` flag is an#  alias to this to be used when the Python package itself is installed in#  development mode (`pip install -e .`).#c.LabApp.core_mode = False## The default URL to redirect to from `/`#c.LabApp.default_url = '/lab'## Whether to start the app in dev mode. Uses the unpublished local JavaScript#  packages in the `dev_mode` folder.  In this case JupyterLab will show a red#  stripe at the top of the page.  It can only be used if JupyterLab is installed#  as `pip install -e .`.#c.LabApp.dev_mode = False## Whether to expose the global app instance to browser via window.jupyterlab#c.LabApp.expose_app_in_browser = False## Whether to load prebuilt extensions in dev mode. This may be useful to run and#  test prebuilt extensions in development installs of JupyterLab. APIs in a#  JupyterLab development install may be incompatible with published packages, so#  prebuilt extensions compiled against published packages may not work#  correctly.#c.LabApp.extensions_in_dev_mode = False## The override url for static lab assets, typically a CDN.#c.LabApp.override_static_url = ''## The override url for static lab theme assets, typically a CDN.#c.LabApp.override_theme_url = ''## Splice source packages into app directory.#c.LabApp.splice_source = False## The directory for user settings.#c.LabApp.user_settings_dir = '/root/.jupyter/lab/user-settings'## Whether to serve the app in watch mode#c.LabApp.watch = False## The directory for workspaces#c.LabApp.workspaces_dir = '/root/.jupyter/lab/workspaces'#------------------------------------------------------------------------------# ServerApp(JupyterApp) configuration#------------------------------------------------------------------------------## Set the Access-Control-Allow-Credentials: true header#c.ServerApp.allow_credentials = False## Set the Access-Control-Allow-Origin header#  #  Use '*' to allow any origin to access your server.#  #  Takes precedence over allow_origin_pat.#c.ServerApp.allow_origin = ''## Use a regular expression for the Access-Control-Allow-Origin header#  #  Requests from an origin matching the expression will get replies with:#  #      Access-Control-Allow-Origin: origin#  #  where `origin` is the origin of the request.#  #  Ignored if allow_origin is set.#c.ServerApp.allow_origin_pat = ''## Allow password to be changed at login for the Jupyter server.#  #  While logging in with a token, the Jupyter server UI will give the opportunity#  to the user to enter a new password at the same time that will replace the#  token login mechanism.#  #  This can be set to false to prevent changing password from the UI/API.#c.ServerApp.allow_password_change = True## Allow requests where the Host header doesn't point to a local server#  #  By default, requests get a 403 forbidden response if the 'Host' header shows#  that the browser thinks it's on a non-local domain. Setting this option to#  True disables this check.#  #  This protects against 'DNS rebinding' attacks, where a remote web server#  serves you a page and then changes its DNS to send later requests to a local#  IP, bypassing same-origin checks.#  #  Local IP addresses (such as 127.0.0.1 and ::1) are allowed as local, along#  with hostnames configured in local_hostnames.c.ServerApp.allow_remote_access = True## Whether to allow the user to run the server as root.c.ServerApp.allow_root = True## " Require authentication to access prometheus metrics.#c.ServerApp.authenticate_prometheus = True## Reload the webapp when changes are made to any Python src files.#c.ServerApp.autoreload = False## The base URL for the Jupyter server.#  #  Leading and trailing slashes can be omitted, and will automatically be added.#c.ServerApp.base_url = '/'## Specify what command to use to invoke a web browser when starting the server.#  If not specified, the default browser will be determined by the `webbrowser`#  standard library module, which allows setting of the BROWSER environment#  variable to override it.#c.ServerApp.browser = ''## The full path to an SSL/TLS certificate file.#c.ServerApp.certfile = ''## The full path to a certificate authority certificate for SSL/TLS client#  authentication.#c.ServerApp.client_ca = ''## The config manager class to use#c.ServerApp.config_manager_class = 'jupyter_server.services.config.manager.ConfigManager'## The content manager class to use.#c.ServerApp.contents_manager_class = 'jupyter_server.services.contents.largefilemanager.LargeFileManager'## Extra keyword arguments to pass to `set_secure_cookie`. See tornado's#  set_secure_cookie docs for details.#c.ServerApp.cookie_options = {}## The random bytes used to secure cookies. By default this is a new random#  number every time you start the server. Set it to a value in a config file to#  enable logins to persist across server sessions.#  #  Note: Cookie secrets should be kept private, do not share config files with#  cookie_secret stored in plaintext (you can read the value from a file).#c.ServerApp.cookie_secret = b''## The file where the cookie secret is stored.#c.ServerApp.cookie_secret_file = ''## Override URL shown to users.#  #  Replace actual URL, including protocol, address, port and base URL, with the#  given value when displaying URL to the users. Do not change the actual#  connection URL. If authentication token is enabled, the token is added to the#  custom URL automatically.#  #  This option is intended to be used when the URL to display to the user cannot#  be determined reliably by the Jupyter server (proxified or containerized#  setups for example).#c.ServerApp.custom_display_url = ''## The default URL to redirect to from `/`#c.ServerApp.default_url = '/'## Disable cross-site-request-forgery protection#  #  Jupyter notebook 4.3.1 introduces protection from cross-site request#  forgeries, requiring API requests to either:#  #  - originate from pages served by this server (validated with XSRF cookie and#  token), or - authenticate with a token#  #  Some anonymous compute resources still desire the ability to run code,#  completely without authentication. These services can disable all#  authentication and security checks, with the full knowledge of what that#  implies.#c.ServerApp.disable_check_xsrf = False## handlers that should be loaded at higher priority than the default services#c.ServerApp.extra_services = []## Extra paths to search for serving static files.#  #  This allows adding javascript/css to be available from the Jupyter server#  machine, or overriding individual files in the IPython#c.ServerApp.extra_static_paths = []## Extra paths to search for serving jinja templates.#  #  Can be used to override templates from jupyter_server.templates.#c.ServerApp.extra_template_paths = []## Open the named file when the application is launched.#c.ServerApp.file_to_run = ''## The URL prefix where files are opened directly.#c.ServerApp.file_url_prefix = 'notebooks'## Extra keyword arguments to pass to `get_secure_cookie`. See tornado's#  get_secure_cookie docs for details.#c.ServerApp.get_secure_cookie_kwargs = {}## (bytes/sec) Maximum rate at which stream output can be sent on iopub before#  they are limited.#c.ServerApp.iopub_data_rate_limit = 1000000## (msgs/sec) Maximum rate at which messages can be sent on iopub before they are#  limited.#c.ServerApp.iopub_msg_rate_limit = 1000## The IP address the Jupyter server will listen on.c.ServerApp.ip = '*'## Supply extra arguments that will be passed to Jinja environment.#c.ServerApp.jinja_environment_options = {}## Extra variables to supply to jinja templates when rendering.#c.ServerApp.jinja_template_vars = {}## Dict of Python modules to load as Jupyter server extensions.Entry values can#  be used to enable and disable the loading ofthe extensions. The extensions#  will be loaded in alphabetical order.#c.ServerApp.jpserver_extensions = {}## The kernel manager class to use.#c.ServerApp.kernel_manager_class = 'jupyter_server.services.kernels.kernelmanager.AsyncMappingKernelManager'## The kernel spec manager class to use. Should be a subclass of#  `jupyter_client.kernelspec.KernelSpecManager`.#  #  The Api of KernelSpecManager is provisional and might change without warning#  between this version of Jupyter and the next stable one.#c.ServerApp.kernel_spec_manager_class = 'jupyter_client.kernelspec.KernelSpecManager'## The full path to a private key file for usage with SSL/TLS.#c.ServerApp.keyfile = ''## Hostnames to allow as local when allow_remote_access is False.#  #  Local IP addresses (such as 127.0.0.1 and ::1) are automatically accepted as#  local as well.#c.ServerApp.local_hostnames = ['localhost']## The login handler class to use.#c.ServerApp.login_handler_class = 'jupyter_server.auth.login.LoginHandler'## The logout handler class to use.#c.ServerApp.logout_handler_class = 'jupyter_server.auth.logout.LogoutHandler'## Sets the maximum allowed size of the client request body, specified in the#  Content-Length request header field. If the size in a request exceeds the#  configured value, a malformed HTTP message is returned to the client.#  #  Note: max_body_size is applied even in streaming mode.#c.ServerApp.max_body_size = 536870912## Gets or sets the maximum amount of memory, in bytes, that is allocated for use#  by the buffer manager.#c.ServerApp.max_buffer_size = 536870912## Gets or sets a lower bound on the open file handles process resource limit.#  This may need to be increased if you run into an OSError: [Errno 24] Too many#  open files. This is not applicable when running on Windows.#c.ServerApp.min_open_files_limit = 0## DEPRECATED, use root_dir.#c.ServerApp.notebook_dir = ''## Whether to open in a browser after starting. The specific browser used is#  platform dependent and determined by the python standard library `webbrowser`#  module, unless it is overridden using the --browser (ServerApp.browser)#  configuration option.#c.ServerApp.open_browser = False## Hashed password to use for web authentication.#  #  To generate, type in a python/IPython shell:#  #    from jupyter_server.auth import passwd; passwd()#  #  The string should be of the form type:salt:hashed-password.# password = 1c.ServerApp.password = 'argon2:$argon2id$v=19$m=10240,t=10,p=8$3SVwOn5jZCsVPToRwHfo6A$/Q67MolIfT+ztoV26F6eeuE0NxfhFFsyzLV//9IV+J4'## Forces users to use a password for the Jupyter server. This is useful in a#  multi user environment, for instance when everybody in the LAN can access each#  other's machine through ssh.#  #  In such a case, serving on localhost is not secure since any user can connect#  to the Jupyter server via ssh.#c.ServerApp.password_required = False## The port the server will listen on (env: JUPYTER_PORT).c.ServerApp.port = 8888## The number of additional ports to try if the specified port is not available#  (env: JUPYTER_PORT_RETRIES).#c.ServerApp.port_retries = 50## Preferred starting directory to use for notebooks and kernels.#c.ServerApp.preferred_dir = ''## DISABLED: use %pylab or %matplotlib in the notebook to enable matplotlib.#c.ServerApp.pylab = 'disabled'## If True, display controls to shut down the Jupyter server, such as menu items#  or buttons.#c.ServerApp.quit_button = True## (sec) Time window used to check the message and data rate limits.#c.ServerApp.rate_limit_window = 3## Reraise exceptions encountered loading server extensions?#c.ServerApp.reraise_server_extension_failures = False## The directory to use for notebooks and kernels.c.ServerApp.root_dir = '/home/jupyterlab'## The session manager class to use.#c.ServerApp.session_manager_class = 'jupyter_server.services.sessions.sessionmanager.SessionManager'## Shut down the server after N seconds with no kernels or terminals running and#  no activity. This can be used together with culling idle kernels#  (MappingKernelManager.cull_idle_timeout) to shutdown the Jupyter server when#  it's not in use. This is not precisely timed: it may shut down up to a minute#  later. 0 (the default) disables this automatic shutdown.#c.ServerApp.shutdown_no_activity_timeout = 0## The UNIX socket the Jupyter server will listen on.#c.ServerApp.sock = ''## The permissions mode for UNIX socket creation (default: 0600).#c.ServerApp.sock_mode = '0600'## Supply SSL options for the tornado HTTPServer. See the tornado docs for#  details.#c.ServerApp.ssl_options = {}## Supply overrides for terminado. Currently only supports "shell_command".#c.ServerApp.terminado_settings = {}## Set to False to disable terminals.#  #  This does *not* make the server more secure by itself. Anything the user can#  in a terminal, they can also do in a notebook.#  #  Terminals may also be automatically disabled if the terminado package is not#  available.#c.ServerApp.terminals_enabled = True## Token used for authenticating first-time connections to the server.#  #  The token can be read from the file referenced by JUPYTER_TOKEN_FILE or set#  directly with the JUPYTER_TOKEN environment variable.#  #  When no password is enabled, the default is to generate a new, random token.#  #  Setting to an empty string disables authentication altogether, which is NOT#  RECOMMENDED.#c.ServerApp.token = '<generated>'## Supply overrides for the tornado.web.Application that the Jupyter server uses.#c.ServerApp.tornado_settings = {}## Whether to trust or not X-Scheme/X-Forwarded-Proto and X-Real-Ip/X-Forwarded-#  For headerssent by the upstream reverse proxy. Necessary if the proxy handles#  SSL#c.ServerApp.trust_xheaders = False## Disable launching browser by redirect file For versions of notebook > 5.7.2, a#  security feature measure was added that prevented the authentication token#  used to launch the browser from being visible. This feature makes it difficult#  for other users on a multi-user system from running code in your Jupyter#  session as you. However, some environments (like Windows Subsystem for Linux#  (WSL) and Chromebooks), launching a browser using a redirect file can lead the#  browser failing to load. This is because of the difference in file#  structures/paths between the runtime and the browser.#  #  Disabling this setting to False will disable this behavior, allowing the#  browser to launch by using a URL and visible token (as before).#c.ServerApp.use_redirect_file = True## Specify where to open the server on startup. This is the `new` argument passed#  to the standard library method `webbrowser.open`. The behaviour is not#  guaranteed, but depends on browser support. Valid values are:#  #   - 2 opens a new tab,#   - 1 opens a new window,#   - 0 opens in an existing window.#  #  See the `webbrowser.open` documentation for details.#c.ServerApp.webbrowser_open_new = 2## Set the tornado compression options for websocket connections.#  #  This value will be returned from#  :meth:`WebSocketHandler.get_compression_options`. None (default) will disable#  compression. A dict (even an empty one) will enable compression.#  #  See the tornado docs for WebSocketHandler.get_compression_options for details.#c.ServerApp.websocket_compression_options = None## The base URL for websockets, if it differs from the HTTP server (hint: it#  almost certainly doesn't).#  #  Should be in the form of an HTTP origin: ws[s]://hostname[:port]#c.ServerApp.websocket_url = ''

3-jupyter-class.yaml

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:name: nfs-jupyterlabnamespace: jupyterlabannotations:storageclass.kubernetes.io/is-default-class: "false" ## 是否设置为默认的storageclass
provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME'
#provisioner: nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME'
parameters:archiveOnDelete: "true"pathPattern: "${.PVC.namespace}/${.PVC.name}/${.PVC.annotations.nfs.io/storage-path}"# pathPattern: "${.PVC.namespace}/${.PVC.annotations.nfs.io/storage-path}"# pathPattern: "${.PVC.namespace}-${.PVC.name}"

5-pvc.yaml

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: nfs-jupyterlabnamespace: jupyterlabannotations:volume.beta.kubernetes.io/storage-class: "nfs-jupyterlab"
spec:accessModes:- ReadWriteManyresources:requests:storage: 50Mi

6-jupyter-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:name: jupyterlab-deploymentnamespace: jupyterlablabels:app1: jupyterlabapp.kubernetes.io/name: jupyterlab
spec:replicas: 1selector:matchLabels:app1: jupyterlabapp.kubernetes.io/name: jupyterlabtemplate:metadata:labels:app1: jupyterlabapp.kubernetes.io/name: jupyterlabspec:affinity:nodeAffinity:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- key: kubernetes.io/hostnameoperator: NotInvalues:- master01- master02- master03hostNetwork: truecontainers:- name: jupyterlabimage: reporsitory:5000/jupyterlab:1.1imagePullPolicy: Alwaysports:- name: jupyterlabcontainerPort: 8888command:- bash- "-c"- |set -ex/usr/local/bin/jupyter-labresources:requests:cpu: 250mmemory: 500Milimits:cpu: 250mmemory: 500MivolumeMounts:- name: datamountPath: "/home/jupyterlab/data"- name: jupyter-configmountPath: /root/.jupyter/- name: jupytermountPath: /home/jupyterlabvolumes:- name: datapersistentVolumeClaim:claimName: nfs-jupyter-mysql- name: jupyterpersistentVolumeClaim:claimName: nfs-jupyterlab- name: jupyter-configconfigMap:name: jupyter-config

7-services.yaml

---
apiVersion: v1
kind: Service
metadata:name: jupyterlab-svcnamespace: jupyterlablabels:app1: jupyterlabapp.kubernetes.io/name: jupyterlab
spec:ports:- name: jupyterlabport: 8888selector:app1: jupyterlabtype: NodePort

成功

后端状况：

网页访问：

Jupyterlab服务的Pod提升

部署kubectl + bash-completion

在 Linux 系统中安装并设置 kubectl | Kubernetes

使用 kubeconfig 文件组织集群访问 | Kubernetes

更新数据库使用者权限

grant all privileges on *.* to 'root'@'%' identified by '1' with grant option;
flush privileges;

参考文档

https://developer.aliyun.com/article/857365
https://www.jianshu.com/p/743ed2209a8c
https://www.runoob.com/linux/linux-comm-nohup.html
https://cloud.tencent.com/developer/article/1783227
https://zhuanlan.zhihu.com/p/468585680