Livebook on Ubuntu 24.04 on Azure User Guide
Overview
Livebook is the open source interactive and collaborative notebook for Elixir. You combine code cells (Elixir and Erlang), Markdown prose, live inputs, data tables and charts in one reproducible .livemd document, and the BEAM runs each cell as real code, so notebooks are always live rather than static. It is used for data exploration, prototyping, teaching, building internal tools and producing reproducible reports.
Because Livebook executes arbitrary code, an open Livebook is effectively remote code execution, so this image is secure by default: the cloudimg image installs Livebook 0.19.8 on Erlang/OTP 28 and Elixir 1.20, runs the server bound to loopback behind an nginx reverse proxy that terminates HTTPS with a per VM self signed certificate, persists your notebooks on a dedicated Azure data disk, and generates a unique access password on the first boot of every VM with no default login. Backed by 24/7 cloudimg support.
What is included:
- Livebook 0.19.8 (Apache 2.0) as a self contained escript at
/opt/livebook/livebook - Erlang/OTP 28.5.0.3 and Elixir 1.20.2 on the system PATH (the notebook runtime the BEAM spawns per session)
- nginx on
:443terminating HTTPS in front of the loopback Livebook server, with WebSocket proxying for Livebook's live collaborative sessions - A per VM access password and per VM TLS certificate generated on first boot, never baked into the image
- A dedicated Azure data disk at
/var/lib/livebookholding your notebooks, separate from the OS disk and re provisioned with every VM - A sample
welcome.livemdnotebook on the data disk livebook.serviceandnginx.serviceas systemd units, enabled and active- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a good starting point; scale up for heavier notebooks. NSG inbound: allow 22/tcp from your management network and 443/tcp for the web UI (and 80/tcp, which only issues a redirect to HTTPS).
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Livebook by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTPS (443). Review the dedicated data disk on the Disks tab, then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name livebook \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name livebook --port 443 --priority 1010
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm the services are running
systemctl is-active livebook.service nginx.service
Both report active. The Livebook server binds to loopback 127.0.0.1:8080 and nginx is the only network facing listener, terminating HTTPS on :443:

Step 5 - Retrieve your access password
A unique access password is generated on the first boot of your VM and written to a root only file:
sudo grep '^LIVEBOOK_PASSWORD=' /root/livebook-credentials.txt
The file also records the sign in URL and the Erlang distribution cookie. The secret values are shown redacted here; store the real password somewhere safe:

Step 6 - Check the health endpoint
Livebook serves an unauthenticated health endpoint that nginx exposes over HTTPS for load balancers and probes:
curl -sk -o /dev/null -w 'HTTP %{http_code}\n' https://localhost/public/health
It returns HTTP 200. An unauthenticated request to the application root is redirected to the sign in page, confirming the notebook is protected out of the box:

Step 7 - Sign in to the web UI
Browse to https://<vm-public-ip>/. The certificate is a per VM self signed certificate, so your browser will warn once; proceed to continue (or install a real certificate, see Enabling a trusted certificate). Livebook asks for the access password from Step 5:

After you sign in, Livebook opens its home page with the sidebar, your starred notebooks, and example notebooks to get started:

Step 8 - Run an Elixir notebook
Click New notebook (top right) to open the notebook editor. Each cell can be Elixir code or Markdown. Type an expression into the code cell and press the Evaluate button (or Ctrl/Cmd + Enter). Livebook starts a fresh Elixir runtime on the BEAM and renders the result underneath the cell:

The bundled welcome.livemd notebook on the data disk demonstrates code cells, Markdown and a chart. Open it from the Open button on the home page and browse to /var/lib/livebook/notebooks/welcome.livemd.
Step 9 - Explore the built in examples
The Learn section in the sidebar ships a set of example notebooks covering the Elixir ecosystem, from a guided tour to plotting with VegaLite and building apps with Kino. Open any of them to start experimenting:

Step 10 - Verify the security posture
Confirm the shipped versions and that the notebook requires authentication out of the box:
cat /opt/livebook/VERSION
An unauthenticated request to the root is redirected to the sign in page, and the notebook only grants access once the per VM password is supplied:

You can prove the full password round trip from the VM at any time:
sudo /opt/livebook/livebook-selftest.sh
It confirms the health endpoint returns 200, an unauthenticated request is redirected, and the per VM password authenticates over TLS.
Step 11 - Confirm the notebooks live on the dedicated disk
Your notebooks are stored on the dedicated Azure data disk so they survive OS changes and can be resized independently:
findmnt /var/lib/livebook
The mount is backed by a separate Azure data disk captured into the image and re provisioned on every VM. Add your own .livemd notebooks under /var/lib/livebook/notebooks.
Rotating the access password
The access password lives in /opt/livebook/livebook.env. To change it, edit that file and restart the service:
sudo nano /opt/livebook/livebook.env # edit LIVEBOOK_PASSWORD (minimum 12 characters)
sudo systemctl restart livebook
Enabling a trusted certificate
nginx terminates TLS on port 443 with a per VM self signed certificate at /etc/nginx/tls/livebook.crt. For production, add a DNS name for the VM and replace the certificate with a CA signed one, or put the companion cloudimg nginx-ssl-certbot image in front as a TLS reverse proxy. Keep Livebook bound to loopback so the only public surface is the authenticated, TLS terminated proxy, which already forwards the WebSocket that Livebook's live sessions need.
Maintenance
- Your notebooks: add
.livemdfiles to/var/lib/livebook/notebooks/(owned bylivebook:livebook); they appear on the Livebook home page. - Backups: snapshot the
/var/lib/livebookdata disk. - Upgrades: rebuild the escript with a newer release using the Elixir and Erlang on the PATH, then restart
livebook. - Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
Support
cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.