Run Linux Desktop Apps in mybinder.org / your JupyterHub

The excellent jupyter-remote-desktop-proxy enables you to run arbitrary Linux desktop applications in mybinder.org or on your own JupyterHub! Here are a few fun examples:

• qgis, a very popular Geospatial application (via @giswqs)
  

  

  image800×564 78 KB

• ds9 a popular application for viewing some astro file formats

  

  image1920×1181 89 KB

Basically anything you can run on a Linux desktop can run inside your browser, with fairly usable latencies. This is extremely helpful when part of your workflow might involve pre-developed scientific software that is not really web friendly. It’s also cool, so there’s that.

I’ve developed a template repository with instructions on how you can make your own binderable repo that can run any desktop app you want. There’s more work to be done in the upstream library, but this should hopefully help you play with unlocking new scientific and educational workflows that were not possible before.

Special thanks to my friend Sanjay Bhangar for recent encouragement!

Very cool! Jason Grout wanted me to post that I implemented something similar for CoCalc – CoCalc – Run X11 Desktop Graphical Linux Applications

User feedback is interesting, since this can make it possible for them to do solve subtle edge case problems. E.g., often people run Firefox this way, or a random obscure ancient Java UI library for some scientific application.

Wow, https://xpra.org/ looks super cool, @William_Stein! Thank you for sharing that! Have you had experience with people running stuff that requires GL / GPUs on it? How has that been?

I’ve discovered that GitHub - FZJ-JSC/jupyter-xprahtml5-proxy: Jupyter extensions for running a Xpra Session proxy exists as well!

I don’t have such experience. If you want to test out what we wrote via Docker, install this GitHub - sagemathinc/cocalc-docker: Docker setup for running CoCalc as downloadable software on your own computer and it is easy to then use our xpra integration…

This has really been a great help for my students, so thank you for your work on this @yuvipanda ! We have been using it for the last month or so on our JHub/JLab servers. We have had to check over network policy and ensure traffic is limited to prevent intruder access, but that’s all very reasonable for something like this.

Hey, this is a great post!

Is it possible to run the application from a container (say if the container exposes vnc)?

The remote desktop route also gives you the opportunity to run some old Windows desktop apps under wine, eg GitHub - ouseful-demos/jupyter-desktop-server: Run a Linux Desktop on a JupyterHub - Wine Demo

One issue I’ve found with a lot of remote web desktops is that video can be choppy and audio support either not available or a hassle to try to figure out… (RDP tends to work a bit better, IIRC.)

I’m trying to get web-based RDP working for another side-project using Guacamole… I’ll let you know if it works

@manics - re: RDP; that could be interesting:-) I don’t think I ever tried to get RDP sessions running from MyBinder; I think I (re)used a Linux-RDP container on hosting elsewhere with all my RDP experiments.

–tony

Hi,

I am looking at Guacamole as well but in a slightly different context. I have been working on Trusted Research Environments for the past few years and z2jh has been a central part of it.

However, this is currently served through a remote desktop environment with additional safeguards against downloading, copy+paste, etc.

I was wondering if there was a way to serve the remote desktop environment (preferably through Apache Guacamole) through JupyterHub (either the same z2jh instance or a separate one) and make the actual analytics workspace with sensitive data available through this.

ie. The first singleuser_server brings up Guacamole and the actual analytics workspace pod is only acccessible from within Guacamole. And, this could be enforced through network policies (eg. Calico).

Does this even make sense? Something like a stripped-down, cloud-agnostic, k8s native version of https://microsoft.github.io/AzureTRE/.

I’ve got an old (private) GitHub repo where I tried running Guacamole in an (independent) container alongside the singleuser server, with access via GitHub - ideonate/jhsingle-native-proxy: Wrap an arbitrary webapp so it can be used in place of jupyter-singleuser in a JupyterHub setting. It spins up VMs using a custom spawner (needed to support Windows desktops as well as Linux- Windows containers don’t support desktops), but if it’s Linux only I think doing it in Z2JH with a customised KubeSpawner shouldn’t be too difficult.

And, if we set it up so that any time a user requests a ‘workspace’ aka ‘server’, the following happens:

2 containers get spun up - ideally as 2 separate pods (rather than 2 containers in a pod)

• Pod A: Lightweight, Linux desktop environment with limited tools and a modern browser, wrapped in Guacamole.
• Pod B: The usual single user server with a choice of interfaces running on customisable compute, etc.
• Pod A and Pod B can potentially be scheduled to run on different node pools with different resources, etc.

Pod B is only accessible from Pod A - enforced through network policy ?Calico.

Persistent storage is disabled on Pod A so that even if the user downloads data from JupyterLab served via Pod B - this ends up in Pod A which is entirely ephemeral and is lost when the user has to shutdown the server to access a different workspace. Pod A (Guacamole) prevents removal of data from the desktop environment.

Pod B gets its persistence storage through PV/PVC, in our case Azure File storage.

This prevents moving data from one workspace to another. Let’s discuss when we talk on Wednesday.

Let’s drag one more person to the party

@yuvipanda - I have been looking at this → [Request for Implementations] Disabling downloads from a JupyterHub in the context of this → Secure data environment for NHS health and social care data - policy guidelines - GOV.UK.

Will be great to get your thoughts. NHS England has budgeted £100m for Secure Data Environments and seeing that a major chunk of data science happens within the Jupyter universe, will be good to discover what is possible and what has already been done. I love z2jh and will be great to see what others are doing in this space.

@vvcb as far as I know, nobody has really worked on anything in [Request for Implementations] Disabling downloads from a JupyterHub. Would love to get people working on it! I think most of the items there are fairly straightforward if a bunch of work…

I’ve worked around the need to block/limit copy/paste/download by using Apache Guacamole to provide access to a Jupyter desktop. The advantage of guacamole over NoVNC is it runs separately from the desktop so you don’t need a custom image, and you can disable the clipboard server-side:

There’s an example Z2JH config in there.

You can also use Guacamole to access Windows cloud desktops launched with a custom JupyterHub spawner if you really want

@manics Ooh… a spawner for fully blown VMs? Interesting… Do you know if there’s a docker-compose spawner anywhere that lets you deploy a set of networked containers?

I haven’t seen one, but it shouldn’t be too difficult to subclass DockerSpawner.
Alternatively you could use GitHub - manics/podmanclispawner: Spawner to use podman with JupyterHub as a framework, and replace the podman command line with docker-compose.

If you want something more offbeat… GitHub - manics/jupyterhub-ansiblespawner: Spawn JupyterHub single user notebook servers using Ansible allows you to spin up anything that Ansible can control, though I found it was a layuer of abstraction too far so haven’t used it for anything.

There was a recent blog post about this Desktop GIS software in the cloud with JupyterHub: A QGreenland workshop success story | by Matt Fisher | Aug, 2023 | Jupyter Blog