Base update and documentation for Cloudflare tunnels

.env

@@ -1,6 +1,7 @@
 IMAGE_BASE="ghcr.io/ai-dock/python:all-cuda-11.8.0-cudnn8-runtime-22.04"
 IMAGE_TAG="all-cuda-11.8.0-cudnn8-runtime-22.04"
 
+CF_TUNNEL_TOKEN=
 JUPYTER_PORT=8888
 JUPYTER_PORT_HOST=8888
 SSH_PORT=22

README.md

@@ -93,14 +93,20 @@ This is fine if you are working locally but can be **dangerous for remote connec
 
 _**SSH Tunnel**_
 
-This is the preferred method. You will only need to expose `port 22` (SSH) which can then be used with port forwarding to allow **secure** connections to your services.
+You will only need to expose `port 22` (SSH) which can then be used with port forwarding to allow **secure** connections to your services.
 
 If you are unfamiliar with port forwarding then you should read the guides [here](https://link.ai-dock.org/guide-ssh-tunnel-do-a) and [here](https://link.ai-dock.org/guide-ssh-tunnel-do-b).
 
+_**Cloudflare Tunnel**_
+
+You can use the included `cloudflared` service to make secure connections without having to expose any ports to the public internet. See more below.
+
 ## Environment Variables
 
 | Variable              | Description |
 | --------------------- | ----------- |
+| `CF_TUNNEL_TOKEN`     | Cloudflare zero trust tunnel token - See [documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/). |
+| `CF_QUICK_TUNNELS`    | Create ephemeral Cloudflare tunnels for web services (default `false`) |
 | `GPU_COUNT`           | Limit the number of available GPUs |
 | `JUPYTER_MODE`        | `lab` (default), `notebook` |
 | `JUPYTER_PORT`        | Set an alternative port (default `8888`) |
@@ -203,6 +209,24 @@ A python kernel will be installed coresponding with the python version(s) of the
 
 Jupyter's official documentation is available at https://jupyter.org/ 
 
+### Cloudflared
+
+The Cloudflare tunnel daemon will start if you have provided a token with the `CF_TUNNEL_TOKEN` environment variable.
+
+This service allows you to connect to your local services via https without exposing any ports.
+
+You can also create a private network to enable remote connecions to the container at its local address (`172.x.x.x`) if your local machine is running a Cloudflare WARP client.
+
+If you do not wish to provide a tunnel token, you could enable `CF_QUICK_TUNNELS` which will create a throwaway tunnel for your web services.
+
+Full documentation for Cloudflare tunnels is [here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/).
+
+>[!NOTE]  
+>_Cloudflared is included so that secure networking is available in all cloud environments._
+
+>[!WARNING]  
+>You should only provide tunnel tokens in secure cloud environments.
+
 ### SSHD
 
 A SSH server will be started if at least one valid public key is found inside the running container in the file `/root/.ssh/authorized_keys`
@@ -292,6 +316,9 @@ Some ports need to be exposed for the services to run or for certain features of
 - In Registry Username enter `x` (Paperspace bug)
 - In Command enter `init.sh WORKSPACE=/notebooks`
 
+>[!WARNING]  
+>Do not attempt to use tunnels to circumvent Paperspace restrictions (eg. SSH & private networking) - You will lose your account.
+
 ---
 
 >[!NOTE]  

build/COPY_ROOT/etc/supervisor/supervisord/conf.d/jupyter.conf

@@ -3,9 +3,9 @@ command=/opt/ai-dock/bin/supervisor-jupyter.sh
 process_name=%(program_name)s
 numprocs=1
 directory=/root
-priority=300
+priority=800
 autostart=true
-startsecs=0
+startsecs=5
 startretries=3
 autorestart=unexpected
 stopsignal=TERM

build/COPY_ROOT/opt/ai-dock/bin/supervisor-jupyter.sh

@@ -17,7 +17,10 @@ fi
 
 printf "Starting Jupyter %s...\n" $JUPYTER_MODE
 
-wait -n
+if [[ $CF_QUICK_TUNNELS = "true" ]]; then
+    cloudflared tunnel --url localhost:${JUPYTER_PORT} > /var/log/supervisor/quicktunnel-jupyter.log 2>&1 &
+fi
+
 micromamba run -n jupyter jupyter \
     $JUPYTER_MODE \
     --allow-root \
@@ -32,3 +35,4 @@ micromamba run -n jupyter jupyter \
     --ServerApp.root_dir=$WORKSPACE \
     --ServerApp.preferred_dir=$WORKSPACE \
     --KernelSpecManager.ensure_native_kernel=False
+

docker-compose.yaml

@@ -58,6 +58,8 @@ services:
         # Allows running true SSH alongside provider proxy SSH
         - SSH_PORT=${SSH_PORT}
         - WORKSPACE=/workspace/
+        - CF_TUNNEL_TOKEN=${CF_TUNNEL_TOKEN}
+        - CF_QUICK_TUNNELS=true
         #- PROVISIONING_SCRIPT=https://raw.githubusercontent.com/ai-dock/base-image/main/demo/provisioning.sh
 
     env_file: config/env.conf