
I can't access Jupyter Lab on a GCP Debian 10 machine (made from a Google stock image).

I configured the GCP firewall to allow 8888 and 8080, and the GCP Connectivity Test shows they are reachable.

Debian, however, doesn't seem to have firewalld or ufw installed.

Is it possible Google uses standard images without firewall installed?

Is there a way to check if a port is blocked, and by what process, in Debian?

These are services that are enabled:

$ systemctl list-unit-files --type service -all | grep enabled
apparmor.service                       enabled        
autovt@.service                        enabled        
chrony.service                         enabled        
chronyd.service                        enabled        
containerd.service                     enabled        
cron.service                           enabled        
dbus-org.freedesktop.timesync1.service enabled        
docker.service                         enabled        
gce_instance_monitor.service           enabled        
gcs_sync.service                       enabled        
getty@.service                         enabled        
google-c2d-startup.service             enabled        
google-disk-expand.service             enabled        
google-guest-agent.service             enabled        
google-osconfig-agent.service          enabled        
google-shutdown-scripts.service        enabled        
google-startup-scripts.service         enabled        
haveged.service                        enabled        
jupyter.service                        enabled        
networking.service                     enabled        
nvidia-hibernate.service               enabled        
nvidia-resume.service                  enabled        
nvidia-suspend.service                 enabled        
rc-local.service                       enabled-runtime
rc.local.service                       enabled-runtime
rsync.service                          enabled        
rsyslog.service                        enabled        
ssh-session-cleanup.service            enabled        
ssh.service                            enabled        
sshd.service                           enabled        
syslog.service                         enabled        
systemd-fsck-root.service              enabled-runtime
systemd-timesyncd.service              enabled        
unattended-upgrades.service            enabled 
  • Please see this answer. You can ask the kernel to filter packets without firewalld, ufw or such; all you need is an interface: iptables, nftables or such. I'm not sure what happens in your case. I'm just pointing out that common firewalls in Linux do not filter packets, they tell the kernel by what rules to filter packets. The actual firewall is in the Linux kernel. Commented Sep 26, 2022 at 16:08
  • I see you have Docker running, so don’t get surprised if you see a ton of Iptables rules. Docker does create a lot of them. // I’m not familiar with this “GCP Connectivity Test” you mention. Are you positive the Jupyter stuff is set to listen “on the internet” (often * or 0.0.0.0)?
    – Daniel B
    Commented Sep 26, 2022 at 16:54
  • Docker is a red herring in this case. But yeah, the problem was the IP Jupyter was binding to by default. See my answer to my question :) Commented Sep 26, 2022 at 17:28

1 Answer

Apparently when you run Jupyter Lab like this:

jupyter-lab --no-browser

it binds to 127.0.0.1 and is somehow not accessible from outside.

Once I changed it to:

jupyter-lab --no-browser --ip=0.0.0.0

it worked. I cannot explain it, but it seems GCP somehow separates 127.0.0.1 from the external interface.

  • 127.0.0.1 is a loopback address. That network address is not routable, therefore not reachable from outside the machine. Commented Sep 26, 2022 at 19:58
  • So the --ip argument is setting the listening interface binding for the ports the service creates at runtime. If you look at netstat -ntlup | grep LISTEN you should find the ports open, and the local address set to match the IP you entered with the command. When you bind a port to 127.x.y.z it can only be accessed from the local system. If you set it to 192.168.5.5 then it would only be accessible to devices that can connect to 192.168.5.5 (e.g. devices on the LAN), and 0.0.0.0 will allow the service to be accessed from any IP address. Commented Sep 26, 2022 at 20:12
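
The bind-address check described in the answer and its comments, as an added example that is not part of the original thread: it reads `netstat -ntlup | grep LISTEN` output and reports, per port, whether the listener is loopback-only, tied to one address, or open on all interfaces. The sample lines, PIDs, the address 10.128.0.2 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `netstat -ntlup | grep LISTEN` output (not from the page).
SAMPLE = """\
tcp   0  0 127.0.0.1:8888   0.0.0.0:*  LISTEN  2301/python3
tcp   0  0 0.0.0.0:22       0.0.0.0:*  LISTEN  812/sshd
tcp   0  0 10.128.0.2:8080  0.0.0.0:*  LISTEN  2417/python3
tcp6  0  0 :::22            :::*       LISTEN  812/sshd
tcp6  0  0 ::1:631          :::*       LISTEN  640/cupsd
"""

def bind_scope(addr):
    """Classify a listening address by who can reach it."""
    host = addr.strip("[]").split("%")[0]  # drop ss-style brackets and %iface
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:   # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:      # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "single-address"

def listeners(text):
    """Return (port, address, scope, owner) for every TCP LISTEN line."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        # Split on the last colon so IPv6 forms such as ":::22" still work.
        addr, _, port = f[3].rpartition(":")
        owner = f[6] if len(f) > 6 else "-"  # PID/program needs root to show
        rows.append((int(port), addr, bind_scope(addr), owner))
    return rows

def reachable_remotely(text, port):
    """True if any listener on `port` is bound beyond loopback."""
    return any(p == port and scope != "loopback-only"
               for p, _, scope, _ in listeners(text))

if __name__ == "__main__":
    for port, addr, scope, owner in listeners(SAMPLE):
        print(f"{port:>5}  {addr:<12} {scope:<15} {owner}")
```

A port reported as `all-interfaces` is reachable on every network the host is attached to, so the GCP firewall rule is then the only thing limiting who can connect to it; `single-address` limits it to networks that can route to that one address.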
