Closed jhamrick closed 2 years ago
perllaghu
commented
2 years ago @perllaghu do you have any insight on this from your deployment of nbgrader?
I'm not seeing any errors like this, however we dropped use of jupyterhub some time ago, and spawn notebooks in docker images directly into kubernetes from our external service management code, and our own exchange get_current_user authenticator.
jhamrick
commented
2 years ago Ah ok, I didn't realize you weren't using JupyterHub!
Perhaps @minrk might be able to help?
perllaghu
commented
2 years ago Ah ok, I didn't realize you weren't using JupyterHub!
We found that the jupyterhub proxy (linking users to their spawned notebooks) was getting slower as the number of simultanious users increased, and badly failed if the hub crashed
minrk
commented
2 years ago @jhamrick I was able to run the jupyterhub demo, and the permissions do seem to work with exactly your config. The only thing I could find is that there's a typo in your load_roles, where the load_groups in the demo has formgrade-course101 (no 'r') while your load_roles has formgrader-course101. This results in the (not loud enough and should probably be an error) log message:
[I 2022-06-09 11:41:14.284 JupyterHub app:2151] Found unexisting groups formgrader-course101 in role definition formgrader-course101Making the group name match gives the appropriate group members access to the service.
@perllaghu I certainly don't want to push folks to JupyterHub who have found something that's a better fit, but I'm curious about the scale and activity when you had performance issues. We do now have a horizontally scalable proxy implementation with traefik, but have found that the default single process configurable-http-proxy has never been a performance bottleneck and comfortably handles at least several hundred concurrent users, given sufficient resources.
perllaghu
commented
2 years ago @perllaghu I certainly don't want to push folks to JupyterHub who have found something that's a better fit, but I'm curious about the scale and activity when you had performance issues. We do now have a horizontally scalable proxy implementation with traefik, but have found that the default single process configurable-http-proxy has never been a performance bottleneck and comfortably handles at least several hundred concurrent users, given sufficient resources.
Likewise, I'm interested in what other people have.
We seem to run about a steady 300-400 notebooks during term time, with the occasional peaks trying to double that, and run everything in a k8 cluster (35 nodes, 136 cores, 800GiB Memory.... and, likewise, now use traefik)
Perhaps there'd be interest in a [virtual] get-together to see how/why people have the services they have
jhamrick
commented
2 years ago @minrk Hmm strange, I don't have that typo and when I try to access the formgrader via the instructor accounts it doesn't work. This is the full config I'm using:
c = get_config()
# Our user list
c.Authenticator.allowed_users = [
'instructor1',
'instructor2',
'student1',
]
# instructor1 and instructor2 have access to a shared server:
c.JupyterHub.load_groups = {
'formgrader-course101': [
'instructor1',
'instructor2'
]
}
c.JupyterHub.load_roles = [
{
'name': 'formgrader-course101',
'groups': ['formgrader-course101'],
'scopes': [
'access:services!service=course101',
]
}
]
# Start the notebook server as a service. The port can be whatever you want
# and the group has to match the name of the group defined above. The name of
# the service MUST match the name of your course.
c.JupyterHub.services = [
{
'name': 'course101',
'url': 'http://127.0.0.1:9999',
'command': [
'jupyterhub-singleuser',
'--debug',
],
'user': 'grader-course101',
'cwd': '/home/grader-course101'
}
]Then when I log in as instructor1 and go to the "Courses" tab, it says "There are no available formgrader services." and the error message I pasted above can be found in the terminal. But for you that works and you can access the formgrader? 🤔
minrk
commented
2 years ago I was able to access formgrader. Testing again with that exact config. Can you share logs from the service startup?
minrk
commented
2 years ago I just ran it again with your config unmodified, and it's working.
I followed the restart_demo.sh script to set up a fresh Ubuntu 20.04 VM (a couple minor tweaks, because pip install -e didn't seem to work, but pip install . did)
My env, if it helps:
Can you provide a more detailed log dump?
jhamrick
commented
2 years ago Huh, I am also using a new VM I just created yesterday (though I am using Ubuntu 22.04). Just to be safe I tried uninstalling and reinstalling JupyterHub and Jupyter, but no difference. The pip install command in the demo works fine for me though; the only changes I had to make was to do git checkout main rather than git checkout master, and to add mkdir -p /etc/jupyter before copying the global nbgrader config. Did you make any other tweaks to the demo scripts?
Here's the JupyterHub log output and output from pip freeze: demo.log pip.log
Thanks so much for helping me debug this!
minrk
commented
2 years ago I'll try again in the morning and capture more logs. Maybe even try to encapsulate it in docker so it's portable.
I did set the dummy authenticator, but that shouldn't affect anything after login: https://github.com/jupyter/nbgrader/compare/main...minrk:debug . I also switched the jupyter install to notebook.
jhamrick
commented
2 years ago Thanks for sending your changes!
So one thing I found is that if I navigate to the formgrader directly, i.e. going to /services/course101/formgrader, then I can access it as well---but it doesn't show up in the course list extension and that's where I'm getting that error message. So it is a problem with the course list extension that for some reason it thinks it doesn't have access to the formgrader. Will continue to investigate...
jhamrick
commented
2 years ago For reference, this is the function where it's failing the authorization to see the formgrader: https://github.com/jupyter/nbgrader/blob/main/nbgrader/server_extensions/course_list/handlers.py#L90
minrk
commented
2 years ago Aha! I suspect that's an issue with the permission of the server token, which makes the API request to the Hub from the server extension. The server's API token has significantly reduced permissions by default. I'll look into a fix in #1597
minrk
commented
2 years ago The course list seems to work now in #1597
What should the student see in these demos? I don't see anything, but I don't know if they should.
jhamrick
commented
2 years ago Amazing, thanks so much! We can continue the conversation over in https://github.com/jupyter/nbgrader/pull/1597...
With JupyterHub 2.0, the demos that use services (i.e.
demo_one_class_multiple_gradersanddemo_multiple_classes) no longer work in that the instructors do not have permission to access the formgrader. I thought it would be a matter of simply adding something like the following (fordemo_one_class_multiple_graders) tojupyterhub_config.py:but this doesn't seem to work; I get an error message that
[D 2022-06-08 19:38:28.329 SingleUserNotebookApp auth:995] Hub user instructor1 needs scope(s) {'access:services', 'access:services!service=course101'}, has scope(s) ['access:servers!user=instructor1', 'read:users:activity!user=instructor1', 'users:activity!user=instructor1']. This is true also if I use'users': ['instructor1']rather than'groups'. I am not sure why the scopes are not being correctly set.This is related to #1533, which documents that there is an incorrect scope configuration for the formgrader service itself too.
@perllaghu do you have any insight on this from your deployment of nbgrader?