ECCO-GROUP
diff --git a/‎Cloud_Setup/JPL_setup_instructions.md‎
Lines changed: 67 additions & 0 deletions b/‎Cloud_Setup/JPL_setup_instructions.md‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎Cloud_Setup/jupyter_env_setup.sh‎
Lines changed: 130 additions & 0 deletions b/‎Cloud_Setup/jupyter_env_setup.sh‎
Lines changed: 130 additions & 0 deletions
diff --git a/‎Cloud_Setup/jupyter_lab_start.sh‎
Lines changed: 36 additions & 0 deletions b/‎Cloud_Setup/jupyter_lab_start.sh‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎Cloud_Setup/sshd_enable.sh‎
Lines changed: 74 additions & 0 deletions b/‎Cloud_Setup/sshd_enable.sh‎
Lines changed: 74 additions & 0 deletions
@@ -0,0 +1,67 @@
+# JPL setup for AWS EC2 instances
+
+If you are based at JPL and setting up an AWS EC2 instance, there are some steps you need to take to successfully set up the instance to comply with JPL's security requirements and enable `ssh` access on your instance (which is no longer enabled by default). Please follow these steps in place of Steps 2 and 3 of the [AWS Cloud: getting started](https://ecco-v4-python-tutorial.readthedocs.io/AWS_Cloud_getting_started.html) for general users.
+
+## Step 2: Start a JPL EC2 instance
+
+As a JPL user, more than likely you will be added as a user to an existing project AWS account rather than creating a new account. The account owner will need to [add you](https://wiki.jpl.nasa.gov/display/cloudcomputing/Granting+access+to+the+AWS+console+to+other+JPL+users) to the account as a `power_user`. Make sure the account owner/manager is OK with your use of it, as you *will* incur costs running your EC2 instance (free tier accounts do not have sufficient memory for JPL EC2 instances).
+
+Once you are a user on a JPL AWS account, make sure you are connected to the JPL network (with VPN if not at the lab), and go to the JPL AWS console [sign-in page](https://sso3.jpl.nasa.gov/awsconsole). Then bookmark the sign-in page, as you will be using it again and it is not the easiest to find. Once you have signed in, you should be at a screen with the title Console Home. First, let's make sure you are in the most optimal AWS "region" for accessing PO.DAAC datasets, which are hosted in region *us-west-2 (Oregon)*. In the upper-right corner of the page just to the left of your username, there is a drop-down menu with a place name on it. Select the **US West (Oregon)    us-west-2** region.
+
+Now let's start a new EC2 instance. We will need to do this using an Amazon Machine Image (AMI) generated by the [JPL Cloud Computing Team](https://wiki.jpl.nasa.gov/display/cloudcomputing/OS+Pipeline). Click on **Services** in the upper-left corner next to the AWS logo, then **Compute** --> **EC2**, then from the menu on the left **Images** --> **AMIs**. A list of JPL-specific AMIs should appear on the screen (if not make sure **Private images** is selected as a filter on the top left). It is recommended to use a recently-generated JPL AMI, as these AMIs are automatically deprecated after 2 years. Use the arrows next to **AMI name** or **Creation date** to see the newest AMIs first. Select an AMI and click **Launch instance from AMI** in the upper-right corner. There are some settings on this screen to configure before launching the new instance:
+
+*Name and tags*: Whatever you want (e.g., ECCO tutorials).
+
+*Application and OS images (Amazon Machine Image)*: Leave unchanged.
+
+*Instance type*: **t2.medium**/**t3.medium** or larger is recommended, and probably necessary to run a JPL-based EC2 instance successfully. (**t3** is a newer generation, with similar or slightly cheaper costs as **t2**.)
+
+*Key pair (login)*: Click on **Create new key pair**. In the pop-up window, make the name whatever you want (e.g., aws_ec2_jupyter), select *Key pair type*: **RSA** and *Private key file format*: **.pem**, then **Create key pair**. This downloads the key file to your Downloads folder, and you should move it to your `.ssh` folder: `mv ~/Downloads/aws_ec2_jupyter.pem ~/.ssh/`. Then change the permissions to read-only for the file owner `chmod 400 ~/.ssh/aws_ec2_jupyter.pem`.
+
+*Network settings*: Look at **Select existing security group** to see if you can use a security group that has VPC: vpc-0161fa19cefbd9635. If not, you can try **Create security group** and make sure that the boxes for allowing SSH, HTTPS, and HTTP traffic are checked. If you have issues launching or accessing your instance, you may need to consult with another JPL user or submit a ticket to [CloudHelp](https://goto.jpl.nasa.gov/cloudhelp).
+
+*Configure storage*: Specify a storage volume with at least **15 GiB gp3** as your root volume. This is important, since the python/conda installation with the packages we need will occupy ~7.5 GB, and we need some workspace as a buffer. If you are in Free tier then you can request up to 30 GB across all your instances, so you can use up the full amount in a single instance or split it across two instances with 15 GB each.
+
+*Advanced details*: You need to include an IAM profile with your instance. Check the *IAM instance profile* dropdown menu to see if there is one associated with your security group (might have a title like **SRV-standard-instance-profile**). If you can not select an IAM profile, check with other account users or [CloudHelp](https://goto.jpl.nasa.gov/cloudhelp).
+
+Finally, at the bottom-right of the page click the yellow **Launch instance** button. Wait a minute or two for the instance to initialize; you can check the **Instances** screen accessed from the menu on the left side to see that your Instance state is **Running**.
+
+### Step 3a: Enable ssh access
+
+JPL does not enable `ssh` access to AWS instances by default, instead preferring [SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html). However, most users will be much more familiar with `ssh`, and it is easier to transfer files to/from your instance with `ssh`. You can enable `ssh` using these steps:
+
+- *Connect using SSM in the browser*: Go to **EC2** --> **Instances** and click on the instance ID of the new instance. Then click **Connect** in the upper-right part of the page. There are a few options for connecting, select **Session Manager** and then click the yellow **Connect** button. If you can not connect and/or see an error message, you might need to wait several minutes for the session to be fully established. A tab or window should open in your browser with a terminal window on the instance.
+
+- *Initial set up and download GitHub repository*: Copy the following commands and paste in your SSM window (using shift-insert or right-click then **Paste**):
+
+```
+cd ~ && sudo dnf update -y && sudo dnf install git -y && git clone https://github.com/andrewdelman/ECCO-v4-Python-Tutorial-adelman.git
+```
+
+- *Enable ssh access*: There is a script in the GitHub repository to enable ssh access `sshd_enable.sh`. You want to run it as the *root* user, otherwise you will not have the necessary permissions. Again, copy and paste the following in your SSM window:
+
+```
+sudo ~/ECCO-v4-Python-Tutorial/Cloud_Setup/sshd_enable.sh
+```
+
+The script will ask if you want to move the git repo and change its ownership. Answer **Y** and enter **jpluser** for user name.
+
+Once the script is completed, you should be able to ssh into your new instance. You can close the SSM window and from your machine's terminal window, connect to the instance's *private* IPv4 address (given on the AWS instance summary page) with user name **jpluser**. For example, if the private IPv4 address is 100.104.70.37, then:
+
+```
+ssh -i "~/.ssh/aws_ec2_jupyter.pem" jpluser@100.104.70.37 -L 9889:localhost:9889
+```
+
+The `-L` option indicates a tunnel from the local machine's port 9889 to the instance's port 9889; this will be used later to open Jupyterlab through your local machine's web browser.
+
+### Step 3b: Set up conda environment
+
+Now you need to install software (conda/miniconda/miniforge) to run Python, and then install Python packages and the Jupyter interface to run these tutorial notebooks. A shell script to expedite this process is provided on the tutorial Github page, and here we will walk through setting this up.
+
+Now we will execute a shell script that will set up a conda environment called `jupyter`, and allow the user to input their NASA Earthdata username and password (which are written to the `~/.netrc` file on the instance). Copy, paste, and execute the following two commands on your instance:
+
+```
+sudo chmod 755 ~/ECCO-v4-Python-Tutorial/Cloud_Setup/jupyter_env_setup.sh && ~/ECCO-v4-Python-Tutorial/Cloud_Setup/jupyter_env_setup.sh
+```
+
+The script takes a few minutes to run, but it should set up our environment with the packages we need. Now you can return to Step 4 of the [AWS Cloud: getting started](https://ecco-v4-python-tutorial.readthedocs.io/AWS_Cloud_getting_started.html) tutorial.
@@ -0,0 +1,130 @@
+#!/bin/bash
+
+# Shell script for setting up conda, jupyter, essential Python packages on an AWS EC2 instance.
+# Assumes that the ECCO-v4-Python-Tutorial Github repository has already been downloaded using:
+# 
+# $ sudo dnf update -y
+# $ sudo dnf install git -y
+# $ cd ~
+# $ git clone https://github.com/ECCO-GROUP/ECCO-v4-Python-Tutorial.git
+
+# Then run this script:
+# 
+# $ sudo chmod 755 ~/ECCO-v4-Python-Tutorial/Cloud_Setup/jupyter_env_setup.sh
+# $ ~/ECCO-v4-Python-Tutorial/Cloud_Setup/jupyter_env_setup.sh
+
+
+
+# # Start body of script
+
+red_start='\033[0;31m'
+blue_start='\033[0;34m'
+nocolor_start='\033[0m'
+
+# install wget
+sudo dnf install wget -y
+echo -e "${red_start}Installed wget${nocolor_start}"
+
+# install tmux
+sudo dnf install tmux -y
+echo -e "${red_start}Installed tmux${nocolor_start}"
+
+# retrieve and install miniforge in /tmp/
+# assuming EBS volume is already attached to instance
+echo -e "${red_start}Starting Miniforge3 installation${nocolor_start}"
+mkdir -p /tmp
+wget "https://github.com/conda-forge/miniforge/releases/latest/download/Miniforge3-Linux-x86_64.sh" -O /tmp/Miniforge3.sh
+bash /tmp/Miniforge3.sh -b -p /tmp/conda
+rm -f /tmp/Miniforge.sh
+source "/tmp/conda/etc/profile.d/conda.sh"
+source "/tmp/conda/etc/profile.d/mamba.sh"
+
+echo -e "${red_start}Completed Miniforge3 installation${nocolor_start}"
+
+# add conda and mamba to path
+mamba init
+
+# set paths to environment and package directories
+printf '\n# set conda environment and package directories' >> ~/.bashrc
+printf '\nexport CONDA_ENVS_PATH=/tmp/conda/envs' >> ~/.bashrc
+printf '\nexport CONDA_PKGS_DIRS=/tmp/conda/pkgs' >> ~/.bashrc
+source ~/.bashrc
+
+# create jupyter environment under /tmp/conda/envs/
+# (in EBS storage to save space in home directory)
+mamba create --name jupyter python=3.11 -y
+echo -e "${red_start}Created jupyter environment${nocolor_start}"
+
+# install python packages (using mamba) in jupyter environment
+mamba activate jupyter
+echo -e "${red_start}Installing Python packages in jupyter environment${nocolor_start}"
+mamba install requests tqdm numpy pandas -y
+mamba install xorg-libice libexpat libevent -y
+mamba install nspr alsa-lib libogg libpq -y
+mamba install xorg-renderproto xorg-xf86vidmodeproto graphite2 expat -y
+mamba install libgpg-error dbus -y
+mamba install libflac gettext -y
+mamba install xcb-util-wm xorg-libx11 xcb-util-image -y
+mamba install xkeyboard-config -y
+mamba install libxkbcommon fonts-conda-forge font-ttf-ubuntu gstreamer zlib -y
+mamba install xorg-xextproto libpng attr mpg123 -y
+mamba install pixman libvorbis glib-tools -y
+mamba install libsystemd0 xcb-util-keysyms xorg-libxrender libllvm15 -y
+mamba install font-ttf-dejavu-sans-mono pcre2 font-ttf-inconsolata font-ttf-source-code-pro -y
+mamba install lame nss xorg-xproto pthread-stubs xorg-libxdmcp -y
+mamba install libgcrypt xorg-libsm xorg-libxext fonts-conda-ecosystem xorg-kbproto mysql-libs -y
+mamba install fontconfig libjpeg-turbo xcb-util-renderutil -y
+mamba install glib -y
+mamba install freetype libcap libcups libopus -y
+mamba install gst-plugins-base mysql-common xcb-util -y
+mamba install cairo -y
+mamba install libsndfile harfbuzz xorg-libxau -y
+mamba install libglib libxcb -y
+mamba install qt-main -y
+mamba install pyqt -y
+mamba install matplotlib -y
+mamba install netcdf4 -y
+mamba install h5netcdf -y
+mamba install boto3 lxml -y
+mamba install scipy -y
+mamba install geos -y
+mamba install proj pyproj -y
+mamba install cartopy -y
+mamba install notebook -y
+mamba install progressbar -y
+mamba install gsw -y
+mamba install nco -y
+
+# install remaining packages using pip
+# (mamba installs tend to get killed on t2.micro)
+pip install dask
+pip install "xarray[complete]"
+pip install jupyterlab
+pip install dask_labextension
+pip install s3fs
+pip install ecco_v4_py
+
+echo -e "${red_start}Completed Python package installations${nocolor_start}"
+
+echo -e "${red_start}Setting up NASA Earthdata authentication${nocolor_start}"
+# NASA Earthdata authentication
+# check if credentials are already archived in ~/.netrc, and if not then prompt the user for them
+earthdata_cred_stored=0
+if [ -f ~/.netrc ]; then
+    if grep -q "machine urs.earthdata.nasa.gov" ~/.netrc; then
+        earthdata_cred_stored=1
+        echo -e "${red_start}Earthdata credentials already archived"
+    fi
+fi
+if [ $earthdata_cred_stored -eq 0 ]; then
+    if [ -f ~/.netrc ]; then sudo chmod 600 ~/.netrc; fi
+    read -p 'NASA Earthdata username: ' uservar
+    read -sp 'NASA Earthdata password: ' passvar
+    echo -e "machine urs.earthdata.nasa.gov\n    login ${uservar}\n    password ${passvar}\n" >> ~/.netrc
+    
+    echo -e "\n${red_start}NASA Earthdata authentication info archived in ~/.netrc${nocolor_start}"
+fi
+sudo chmod 400 ~/.netrc
+
+# create symlink to jupyter_lab_start.sh from the user's home directory
+ln -s ~/ECCO-v4-Python-Tutorial/Cloud_Setup/jupyter_lab_start.sh ~/jupyter_lab_start.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Shell script to start a Jupyter lab session
+# in a tmux window (so it persists even if ssh tunnel is disconnected)
+
+red_start='\033[0;31m'
+blue_start='\033[0;34m'
+nocolor_start='\033[0m'
+
+source /tmp/conda/bin/activate
+conda activate jupyter
+
+# Start configuration for Jupyter lab
+echo "Enter password to access Jupyter lab from browser,"
+echo "or leave blank to not require a password."
+PW="$(python3 -c 'from jupyter_server.auth import passwd; import getpass; print(passwd(getpass.getpass(), algorithm="sha256"))')"
+jlab_start="jupyter Space lab Space --no-browser Space --autoreload Space --port=9889 Space --ip='127.0.0.1' Space --NotebookApp.token='' Space --NotebookApp.password=\"$PW\" Space --notebook-dir=\"~/ECCO-v4-Python-Tutorial\""
+
+# Start new tmux session
+tmux new -d -s jupyterlab
+
+# Execute commands in tmux window using send-keys
+tmux send-keys -t jupyterlab source Space /tmp/conda/bin/activate Enter
+tmux send-keys -t jupyterlab conda Space activate Space jupyter Enter
+tmux send-keys -t jupyterlab ${jlab_start} Enter
+
+# Print info about tmux session
+echo -e "${red_start}Started Jupyter lab in tmux session jupyterlab"
+echo -e "${red_start}Access from your local machine in a browser window at"
+echo -e "${blue_start}http://127.0.0.1:9889/"
+echo -e "${red_start}tmux session can be accessed with"
+echo -e "${blue_start}tmux a -t jupyterlab"
+echo -e "${red_start}and detached from current window by pressing keys"
+echo -e "${blue_start}Ctrl-b d"
+echo -e "${red_start}and terminated with"
+echo -e "${blue_start}tmux kill-ses -t jupyterlab${nocolor_start}"
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# Script to enable ssh connections,
+# on EC2 instances where they are disabled by default
+# (e.g., with JPL AMIs).
+# 
+# This script must be run as root, otherwise an error is returned:
+# $ sudo ./sshd_enable.sh
+# 
+# Once this script runs successfully,
+# it should be possible to login to the instance using ssh, e.g.:
+#
+# $ ssh -i "~/.ssh/key_pair.pem" jpluser@private_ip_address
+
+
+# Return error if not running as root
+if [ $( whoami ) != "root" ]; then
+    echo "Error: this script must be run as root"
+    echo "Please re-run using sudo, e.g.:"
+    echo "$ sudo ./sshd_enable.sh"
+    exit 1
+fi
+
+
+# Try to enable sshd
+systemctl enable sshd
+if [ $? -eq 0 ]; then
+    echo "Enabled sshd successfully"
+else
+    if [ $( readlink -f /etc/systemd/system/sshd.service) = "/dev/null" ]; then
+        # Delete this /dev/null symlink 
+        rm -f /etc/systemd/system/sshd.service
+        echo 'Deleted symlink to /dev/null'
+         
+        # Re-try enabling sshd
+        systemctl enable sshd
+        if [ $? -eq 0 ]; then
+            echo "Enabled sshd successfully"
+        else
+            echo "Error: symlink deletion did not allow sshd to be enabled"
+            exit 1
+        fi
+    else
+        echo "Error: sshd not enabled successfully"
+    fi
+fi
+ 
+# Create symlink to the service (if it does not already exist)
+if [ ! -f /usr/lib/systemd/system/sshd.service ]; then
+    ln -s /etc/systemd/system/multi-user.target.wants/sshd.service /usr/lib/systemd/system/sshd.service
+    echo "Created symlink to sshd.service"
+fi
+ 
+# create new ssh keys
+ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
+echo "Created new ssh keys"
+ 
+# start sshd service
+systemctl start sshd
+echo "Started sshd"
+echo "Now you can login to your instance using ssh, e.g.:"
+echo '$ ssh -i "~/.ssh/your_key_pair.pem" jpluser@private_ip_address'
+
+
+# move git repo to ssh user's directory and change ownership (if requested)
+read -p 'Move ECCO-v4-Python-Tutorial repo to different user? (Y/[N]) ' move_opt
+if [ $move_opt == "Y"] || [ $move_opt == "y" ]; then
+    read -p 'User name of new owner [jpluser for JPL]: ' ssh_user
+    cd /home
+    mv ./ssm-user/ECCO-v4-Python-Tutorial ./${ssh_user}/
+    echo "Moved ECCO-v4-Python-Tutorial repo to /home/${ssh_user}/"
+    chown -R ${ssh_user}:${ssh_user} ./${ssh_user}/ECCO-v4-Python-Tutorial
+    echo "Changed owner and group of git repo to ${ssh_user}"
+fi