Developer Tools Azure

Livebook on Ubuntu 24.04 on Azure User Guide

| Product: Livebook on Ubuntu 24.04 LTS on Azure

Overview

Livebook is the open source interactive and collaborative notebook for Elixir. You combine code cells (Elixir and Erlang), Markdown prose, live inputs, data tables and charts in one reproducible .livemd document, and the BEAM runs each cell as real code, so notebooks are always live rather than static. It is used for data exploration, prototyping, teaching, building internal tools and producing reproducible reports.

Because Livebook executes arbitrary code, an open Livebook is effectively remote code execution, so this image is secure by default: the cloudimg image installs Livebook 0.19.8 on Erlang/OTP 28 and Elixir 1.20, runs the server bound to loopback behind an nginx reverse proxy that terminates HTTPS with a per VM self signed certificate, persists your notebooks on a dedicated Azure data disk, and generates a unique access password on the first boot of every VM with no default login. Backed by 24/7 cloudimg support.

What is included:

  • Livebook 0.19.8 (Apache 2.0) as a self contained escript at /opt/livebook/livebook
  • Erlang/OTP 28.5.0.3 and Elixir 1.20.2 on the system PATH (the notebook runtime the BEAM spawns per session)
  • nginx on :443 terminating HTTPS in front of the loopback Livebook server, with WebSocket proxying for Livebook's live collaborative sessions
  • A per VM access password and per VM TLS certificate generated on first boot, never baked into the image
  • A dedicated Azure data disk at /var/lib/livebook holding your notebooks, separate from the OS disk and re provisioned with every VM
  • A sample welcome.livemd notebook on the data disk
  • livebook.service and nginx.service as systemd units, enabled and active
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a good starting point; scale up for heavier notebooks. NSG inbound: allow 22/tcp from your management network and 443/tcp for the web UI (and 80/tcp, which only issues a redirect to HTTPS).

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Livebook by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTPS (443). Review the dedicated data disk on the Disks tab, then Review + create then Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name livebook \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name livebook --port 443 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active livebook.service nginx.service

Both report active. The Livebook server binds to loopback 127.0.0.1:8080 and nginx is the only network facing listener, terminating HTTPS on :443:

Terminal showing livebook and nginx services active and Livebook bound to loopback 127.0.0.1:8080 behind nginx on ports 80 and 443

Step 5 - Retrieve your access password

A unique access password is generated on the first boot of your VM and written to a root only file:

sudo grep '^LIVEBOOK_PASSWORD=' /root/livebook-credentials.txt

The file also records the sign in URL and the Erlang distribution cookie. The secret values are shown redacted here; store the real password somewhere safe:

Terminal showing the root only livebook credentials file with the password and cookie values redacted

Step 6 - Check the health endpoint

Livebook serves an unauthenticated health endpoint that nginx exposes over HTTPS for load balancers and probes:

curl -sk -o /dev/null -w 'HTTP %{http_code}\n' https://localhost/public/health

It returns HTTP 200. An unauthenticated request to the application root is redirected to the sign in page, confirming the notebook is protected out of the box:

Terminal showing the health endpoint returning HTTP 200, an unauthenticated request redirected with HTTP 302, and the credential round trip proving the per VM password authenticates over TLS

Step 7 - Sign in to the web UI

Browse to https://<vm-public-ip>/. The certificate is a per VM self signed certificate, so your browser will warn once; proceed to continue (or install a real certificate, see Enabling a trusted certificate). Livebook asks for the access password from Step 5:

Livebook authentication page asking for the access password before granting access to the notebook

After you sign in, Livebook opens its home page with the sidebar, your starred notebooks, and example notebooks to get started:

Livebook home page showing the sidebar, starred notebooks section, and example notebooks including Welcome to Livebook

Step 8 - Run an Elixir notebook

Click New notebook (top right) to open the notebook editor. Each cell can be Elixir code or Markdown. Type an expression into the code cell and press the Evaluate button (or Ctrl/Cmd + Enter). Livebook starts a fresh Elixir runtime on the BEAM and renders the result underneath the cell:

Livebook notebook editor with an Elixir code cell evaluated, showing the output list one four nine sixteen twenty five below the cell

The bundled welcome.livemd notebook on the data disk demonstrates code cells, Markdown and a chart. Open it from the Open button on the home page and browse to /var/lib/livebook/notebooks/welcome.livemd.

Step 9 - Explore the built in examples

The Learn section in the sidebar ships a set of example notebooks covering the Elixir ecosystem, from a guided tour to plotting with VegaLite and building apps with Kino. Open any of them to start experimenting:

Livebook Learn page listing built in example notebooks such as Distributed portals with Elixir, Build a chat app with Kino and Plotting with VegaLite

Step 10 - Verify the security posture

Confirm the shipped versions and that the notebook requires authentication out of the box:

cat /opt/livebook/VERSION

An unauthenticated request to the root is redirected to the sign in page, and the notebook only grants access once the per VM password is supplied:

Terminal showing the baked Livebook, Erlang OTP and Elixir versions and an unauthenticated request to the root returning HTTP 302 because authentication is required

You can prove the full password round trip from the VM at any time:

sudo /opt/livebook/livebook-selftest.sh

It confirms the health endpoint returns 200, an unauthenticated request is redirected, and the per VM password authenticates over TLS.

Step 11 - Confirm the notebooks live on the dedicated disk

Your notebooks are stored on the dedicated Azure data disk so they survive OS changes and can be resized independently:

findmnt /var/lib/livebook

The mount is backed by a separate Azure data disk captured into the image and re provisioned on every VM. Add your own .livemd notebooks under /var/lib/livebook/notebooks.

Rotating the access password

The access password lives in /opt/livebook/livebook.env. To change it, edit that file and restart the service:

sudo nano /opt/livebook/livebook.env    # edit LIVEBOOK_PASSWORD (minimum 12 characters)
sudo systemctl restart livebook

Enabling a trusted certificate

nginx terminates TLS on port 443 with a per VM self signed certificate at /etc/nginx/tls/livebook.crt. For production, add a DNS name for the VM and replace the certificate with a CA signed one, or put the companion cloudimg nginx-ssl-certbot image in front as a TLS reverse proxy. Keep Livebook bound to loopback so the only public surface is the authenticated, TLS terminated proxy, which already forwards the WebSocket that Livebook's live sessions need.

Maintenance

  • Your notebooks: add .livemd files to /var/lib/livebook/notebooks/ (owned by livebook:livebook); they appear on the Livebook home page.
  • Backups: snapshot the /var/lib/livebook data disk.
  • Upgrades: rebuild the escript with a newer release using the Elixir and Erlang on the PATH, then restart livebook.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.