Hi @TartLeopard58
- Opened container ports for VS Code, JupyterLab, and SSH.
  I think that by default it uses the host network so it can take care of that, are you saying you added k8s integration?
- Added NodePort to the service to directly access via public IP:NodePort (previously only SSH was available, but now NodePort is added for VS Code and JupyterLab as well), allowing direct access without SSH tunneling.
  Interesting!
- Considering security vulnerabilities, SSH allows access with password or RSA key, VS Code requires a password, and JupyterLab allows access with a token.
  "SSH allows access with password" it is a very long random password, not sure I see a risk here, wdyt?
- Since using the clearml-session CLI was inconvenient, I modified it to run as a task, allowing anyone who can access clearml-server to clone and enqueue the task.
  I'm assuming this only works if you are adding an HTTP/s routing?
I'm with @AmusedCat74, would love to learn more on what you did, sounds like a great addition
@AgitatedDove14 @AmusedCat74 Hi guys 🙌
- I think that by default it uses the host network so it can take care of that, are you saying you added k8s integration? -> Yes, I modified the clearml-agent Helm chart.
- “SSH allows access with password” it is a very long random password, not sure I see a risk here, wdyt? -> Currently, when enqueueing a task, clearml-session generates a long random password for SSH and VS Code and displays it in the user properties (see pic). We only run the tasks when needed and turn them off when not in use. However, I understand that it may be less secure compared to using SSH tunneling. However, convenience is prioritized more in our company.
- I’m assuming this only works if you are adding an HTTP/s routing? -> I haven’t added any HTTP/s routing myself. When creating services for SSH, VS Code, and Jupyter in the service-sessions.yaml file of the clearml-agent Helm chart, I used nodePort for each service. Later, when enqueueing tasks, the clearml-session script is aware of these nodePorts and generates the corresponding URLs.
I must admit that this approach is somewhat hardcoded. I wanted to use Istio, similar to Kubeflow Notebook, to create URLs like “<public ip>/jupyter/?ns=<namespace>”. So, as I’m planning to enhance the system, I thought it would be good to get your opinion in advance and consider submitting a PR to your side.
I’ve had some issues with clearml sessions. I’d be interested in seeing a PR. Would you mind posting a link please?