From 65993ed392aa1365e90d880356f6c537809d547a Mon Sep 17 00:00:00 2001 From: Eric Herrera Date: Sat, 22 May 2021 16:04:34 -0500 Subject: [PATCH 01/14] feat: Cookiecutter + initial settings and patches --- .gitignore | 7 +++ MANIFEST.in | 2 + setup.py | 61 +++++++++++++++++++ tutorcodejail/__about__.py | 1 + tutorcodejail/__init__.py | 0 tutorcodejail/patches/.gitignore | 0 .../patches/local-docker-compose-dev-services | 4 ++ .../patches/local-docker-compose-services | 8 +++ tutorcodejail/plugin.py | 38 ++++++++++++ .../templates/codejail/apps/.gitignore | 0 .../templates/codejail/build/.gitignore | 0 .../codejail/build/codejail/Dockerfile | 19 ++++++ .../templates/codejail/hooks/.gitignore | 0 13 files changed, 140 insertions(+) create mode 100644 .gitignore create mode 100644 MANIFEST.in create mode 100644 setup.py create mode 100644 tutorcodejail/__about__.py create mode 100644 tutorcodejail/__init__.py create mode 100644 tutorcodejail/patches/.gitignore create mode 100644 tutorcodejail/patches/local-docker-compose-dev-services create mode 100644 tutorcodejail/patches/local-docker-compose-services create mode 100644 tutorcodejail/plugin.py create mode 100644 tutorcodejail/templates/codejail/apps/.gitignore create mode 100644 tutorcodejail/templates/codejail/build/.gitignore create mode 100644 tutorcodejail/templates/codejail/build/codejail/Dockerfile create mode 100644 tutorcodejail/templates/codejail/hooks/.gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f6a874f --- /dev/null +++ b/.gitignore @@ -0,0 +1,7 @@ +.*.swp +!.gitignore +TODO +__pycache__ +*.egg-info/ +/build/ +/dist/ diff --git a/MANIFEST.in b/MANIFEST.in new file mode 100644 index 0000000..0cdecf5 --- /dev/null +++ b/MANIFEST.in @@ -0,0 +1,2 @@ +recursive-include tutorcodejail/patches * +recursive-include tutorcodejail/templates * diff --git a/setup.py b/setup.py new file mode 100644 index 0000000..04804e4 --- /dev/null +++ b/setup.py 
@@ -0,0 +1,61 @@
+import io
+import os
+from setuptools import setup, find_packages
+
+HERE = os.path.abspath(os.path.dirname(__file__))
+
+
+def load_readme():
+ with io.open(os.path.join(HERE, "README.rst"), "rt", encoding="utf8") as f:
+ return f.read()
+
+
+def load_about():
+ about = {}
+ with io.open(
+ os.path.join(HERE, "tutorcodejail", "__about__.py"),
+ "rt",
+ encoding="utf-8",
+ ) as f:
+ exec(f.read(), about) # pylint: disable=exec-used
+ return about
+
+
+ABOUT = load_about()
+
+
+setup(
+ name="tutor-contrib-codejail",
+ version=ABOUT["__version__"],
+ url="https://github.com/github/tutor-contrib-codejail",
+ project_urls={
+ "Code": "https://github.com/github/tutor-contrib-codejail",
+ "Issue tracker": "https://github.com/github/tutor-contrib-codejail/issues",
+ },
+ license="AGPLv3",
+ author="Eric Herrera",
+ description="codejail plugin for Tutor",
+ long_description=load_readme(),
+ packages=find_packages(exclude=["tests*"]),
+ include_package_data=True,
+ python_requires=">=3.5",
+ install_requires=["tutor-openedx"],
+ entry_points={
+ "tutor.plugin.v0": [
+ "codejail = tutorcodejail.plugin"
+ ]
+ },
+ classifiers=[
+ "Development Status :: 3 - Alpha",
+ "Intended Audience :: Developers",
+ "License :: OSI Approved :: GNU Affero General Public License v3",
+ "Operating System :: OS Independent",
+ "Programming Language :: Python",
+ "Programming Language :: Python :: 3.5",
+ "Programming Language :: Python :: 3.6",
+ "Programming Language :: Python :: 3.7",
+ "Programming Language :: Python :: 3.8",
+ "Programming Language :: Python :: 3.9",
+ "Programming Language :: Python :: 3.10",
+ ],
+)
diff --git a/tutorcodejail/__about__.py b/tutorcodejail/__about__.py
new file mode 100644
index 0000000..3dc1f76
--- /dev/null
+++ b/tutorcodejail/__about__.py
@@ -0,0 +1 @@
+__version__ = "0.1.0"
diff --git a/tutorcodejail/__init__.py b/tutorcodejail/__init__.py
new file mode 100644
index 0000000..e69de29
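Review bot: `load_about()` executes `__about__.py` with `exec`, the usual cookiecutter pattern for reading a single `__version__` line, but it also runs whatever else that file comes to contain; a comment stating the contract (`# __about__.py must contain only simple assignments such as __version__`) keeps future edits to that file honest. `io.open` is just `open` on Python 3 and `python_requires=">=3.5"` already excludes Python 2, so plain `open(...)` suffices in both helpers. The two calls also spell the encoding differently (`"utf8"` in `load_readme`, `"utf-8"` in `load_about`); pick one.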
diff --git a/tutorcodejail/patches/.gitignore b/tutorcodejail/patches/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/tutorcodejail/patches/local-docker-compose-dev-services b/tutorcodejail/patches/local-docker-compose-dev-services new file mode 100644 index 0000000..a41df08 --- /dev/null +++ b/tutorcodejail/patches/local-docker-compose-dev-services @@ -0,0 +1,4 @@ +codejailservice: + command: ./manage.py runserver 0.0.0.0:8170 + ports: + - "8170:8170" \ No newline at end of file diff --git a/tutorcodejail/patches/local-docker-compose-services b/tutorcodejail/patches/local-docker-compose-services new file mode 100644 index 0000000..c64e48b --- /dev/null +++ b/tutorcodejail/patches/local-docker-compose-services @@ -0,0 +1,8 @@ +#############Codejail service +codejailservice: + image: {{ CODEJAIL_DOCKER_IMAGE }} + environment: + DJANGO_SETTINGS_MODULE: notesserver.settings.tutor + volumes: + - ../../data/codejail:/openedx/data + restart: unless-stopped diff --git a/tutorcodejail/plugin.py b/tutorcodejail/plugin.py new file mode 100644 index 0000000..63a49a2 --- /dev/null +++ b/tutorcodejail/plugin.py 
@@ -0,0 +1,38 @@
+from glob import glob
+import os
+import pkg_resources
+
+from .__about__ import __version__
+
+templates = pkg_resources.resource_filename(
+ "tutorcodejail", "templates"
+)
+
+config = {
+ "add": {
+ "SECRET_KEY": "{{ 24|random_string }}",
+ },
+ "defaults": {
+ "VERSION": __version__,
+ "HOST": "codejailservice.{{ LMS_HOST }}",
+ "DOCKER_IMAGE": "docker.io/ednxops/codejailservice:latest",
+ }
+}
+
+hooks = {
+ "build-image": {"codejail": "{{ CODEJAIL_DOCKER_IMAGE }}"},
+ "remote-image": {"codejail": "{{ CODEJAIL_DOCKER_IMAGE }}"},
+}
+
+
+def patches():
+ all_patches = {}
+ patches_dir = pkg_resources.resource_filename(
+ "tutorcodejail", "patches"
+ )
+ for path in glob(os.path.join(patches_dir, "*")):
+ with open(path) as patch_file:
+ name = os.path.basename(path)
+ content = patch_file.read()
+ all_patches[name] = content
+ return all_patches
diff --git a/tutorcodejail/templates/codejail/apps/.gitignore b/tutorcodejail/templates/codejail/apps/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/tutorcodejail/templates/codejail/build/.gitignore b/tutorcodejail/templates/codejail/build/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/tutorcodejail/templates/codejail/build/codejail/Dockerfile b/tutorcodejail/templates/codejail/build/codejail/Dockerfile
new file mode 100644
index 0000000..be46d34
--- /dev/null
+++ b/tutorcodejail/templates/codejail/build/codejail/Dockerfile
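Review bot: `patches()` reads each patch with the platform default encoding (`with open(path) as patch_file:`), so a non-ASCII byte in a patch file renders differently depending on the host locale; pass `encoding="utf-8"`, as `setup.py` in this same patch already does for its own reads. The `DOCKER_IMAGE` default `docker.io/ednxops/codejailservice:latest` is a mutable tag that feeds both the `build-image` and `remote-image` hooks, so a pull picks up whatever was pushed last rather than the version this plugin release was tested with; something like `"DOCKER_IMAGE": "docker.io/ednxops/codejailservice:{{ CODEJAIL_VERSION }}"` ties the image to the plugin version that `VERSION` already records. A one-line docstring on `patches()` (`"""Return {patch name: rendered text} for every file in the package's patches directory."""`) would also help, since Tutor calls it by name.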
@@ -0,0 +1,19 @@ +FROM docker.io/ubuntu:20.04 +MAINTAINER eduNEXT + +RUN apt update && \ + apt upgrade -y && \ + # python 3.8 + apt install -y language-pack-en git python3 python3-pip libmysqlclient-dev +RUN ln -s /usr/bin/python3 /usr/bin/python \ + && ln -s /usr/bin/pip3 /usr/bin/pip + + +RUN mkdir /openedx +RUN git clone https://github.com/eduNEXT/codejailservice.git --branch eric/mvp --depth 1 /openedx/codejailservice +WORKDIR /openedx/codejailservice + +RUN pip3 install -r requirements/base.txt + +EXPOSE 8000 +CMD gunicorn --workers=2 --name codejailservice --bind=0.0.0.0:8000 --max-requests=1000 codejailservice.wsgi:application diff --git a/tutorcodejail/templates/codejail/hooks/.gitignore b/tutorcodejail/templates/codejail/hooks/.gitignore new file mode 100644 index 0000000..e69de29 From 0d94906f84cc52effd383fb97be1d52762af45c1 Mon Sep 17 00:00:00 2001 From: Eric Herrera Date: Mon, 24 May 2021 16:02:20 -0500 Subject: [PATCH 02/14] Add settings and configura dockerfile to run two different venvs (codejailservice and sandbox). --- .../patches/local-docker-compose-services | 5 +- .../templates/codejail/apps/settings/tutor.py | 39 +++++++++++ .../codejail/build/codejail/Dockerfile | 67 ++++++++++++++++--- 3 files changed, 102 insertions(+), 9 deletions(-) create mode 100644 tutorcodejail/templates/codejail/apps/settings/tutor.py diff --git a/tutorcodejail/patches/local-docker-compose-services b/tutorcodejail/patches/local-docker-compose-services index c64e48b..12507b4 100644 --- a/tutorcodejail/patches/local-docker-compose-services +++ b/tutorcodejail/patches/local-docker-compose-services 
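Review bot: `CMD gunicorn --workers=2 ...` on the last line is the shell form, so `/bin/sh` is PID 1 and the SIGTERM from a container stop never reaches gunicorn, which is killed after the grace period instead of draining in-flight sandbox runs; use the exec form `CMD ["gunicorn", "--workers=2", "--name", "codejailservice", "--bind=0.0.0.0:8000", "--max-requests=1000", "codejailservice.wsgi:application"]`. The `apt update && apt upgrade -y && apt install ...` layer keeps the apt lists in the image and has no `DEBIAN_FRONTEND=noninteractive`, so `language-pack-en`/`tzdata` prompts can hang a non-interactive build; ending the `RUN` with `&& rm -rf /var/lib/apt/lists/*` trims the image. `MAINTAINER` is deprecated in favour of a `LABEL`.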
@@ -2,7 +2,10 @@ codejailservice: image: {{ CODEJAIL_DOCKER_IMAGE }} environment: - DJANGO_SETTINGS_MODULE: notesserver.settings.tutor + DJANGO_SETTINGS_MODULE: codejailservice.settings.tutor + security_opt: + - apparmor:docker-edx-sandbox volumes: + - ../plugins/codejail/apps/settings/tutor.py:/openedx/codejailservice/codejailservice/settings/tutor.py:ro - ../../data/codejail:/openedx/data restart: unless-stopped diff --git a/tutorcodejail/templates/codejail/apps/settings/tutor.py b/tutorcodejail/templates/codejail/apps/settings/tutor.py new file mode 100644 index 0000000..7fe7c0d --- /dev/null +++ b/tutorcodejail/templates/codejail/apps/settings/tutor.py @@ -0,0 +1,39 @@ +from .base import * + +from codejail.django_integration_utils import apply_django_settings + +SECRET_KEY = "{{ CODEJAIL_SECRET_KEY }}" +ALLOWED_HOSTS = [ + "*", + "codejailservice", + "{{ CODEJAIL_HOST }}", +] + +#################### Python sandbox ############################################ + +CODE_JAIL = { + 'python_bin': '/sandbox/venv/bin/python', + # User to run as in the sandbox. + 'user': '', + + # Configurable limits. + 'limits': { + # How many CPU seconds can jailed code use? + 'CPU': 1, + # Limit the memory of the jailed process to something high but not + # infinite (512MiB in bytes) + 'VMEM': 268435456, + # Time in seconds that the jailed process has to run. + 'REALTIME': 3, + 'PROXY': 0, + # Needs to be non-zero so that jailed code can use it as their temp directory.(1MiB in bytes) + 'FSIZE': 1048576, + }, + + # Overrides to default configurable 'limits' (above). + # Keys should be course run ids. + # Values should be dictionaries that look like 'limits'. + "limit_overrides": {}, +} + +apply_django_settings(CODE_JAIL) diff --git a/tutorcodejail/templates/codejail/build/codejail/Dockerfile b/tutorcodejail/templates/codejail/build/codejail/Dockerfile index be46d34..d64f6d2 100644 --- a/tutorcodejail/templates/codejail/build/codejail/Dockerfile 
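Review bot: `security_opt: - apparmor:docker-edx-sandbox` makes container creation depend on a profile that nothing in this commit loads on the host; Docker refuses to start a container whose named AppArmor profile is not loaded, so a fresh deployment fails until the profile is installed by some other step. A comment in the patch recording that dependency (`# requires the docker-edx-sandbox AppArmor profile to be loaded on the host before this service starts`) would save the next operator a debugging round. Note also that `security_opt` confines the whole service process, not only the sandboxed interpreter, so the profile's outer rules have to cover everything the web application does.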
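Review bot: The `'VMEM'` comment says `(512MiB in bytes)` but the value `268435456` is 2**28, i.e. 256 MiB; since this is the bound on memory for untrusted submissions the comment and the constant must agree, e.g. `'VMEM': 536870912,  # 512MiB in bytes` or a corrected comment. `ALLOWED_HOSTS` begins with `"*"`, which disables Django's Host-header validation and makes the two explicit entries after it dead code; for a service only reachable over the compose network, `["codejailservice", "{{ CODEJAIL_HOST }}"]` is sufficient. `'user': ''` runs the jailed interpreter as the service's own account, and the image in this same patch sets no `USER`, so that account is root; a dedicated unprivileged account is the boundary codejail relies on.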
+++ b/tutorcodejail/templates/codejail/build/codejail/Dockerfile 
@@ -1,19 +1,70 @@ -FROM docker.io/ubuntu:20.04 -MAINTAINER eduNEXT +FROM docker.io/ubuntu:20.04 as minimal +MAINTAINER Overhang.io +ENV DEBIAN_FRONTEND=noninteractive RUN apt update && \ - apt upgrade -y && \ - # python 3.8 - apt install -y language-pack-en git python3 python3-pip libmysqlclient-dev -RUN ln -s /usr/bin/python3 /usr/bin/python \ - && ln -s /usr/bin/pip3 /usr/bin/pip + apt install -y build-essential curl git language-pack-en +ENV LC_ALL en_US.UTF-8 +###### Install python with pyenv in /opt/pyenv and create virtualenv in /openedx/venv +FROM minimal as python +# https://github.com/pyenv/pyenv/wiki/Common-build-problems#prerequisites +RUN apt update && \ + apt install -y libssl-dev zlib1g-dev libbz2-dev \ + libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev \ + xz-utils tk-dev libffi-dev liblzma-dev python-openssl git subversion +ENV PYENV_ROOT /opt/pyenv +RUN git clone https://github.com/pyenv/pyenv $PYENV_ROOT --branch v1.2.21 --depth 1 + +ARG CODEJAILSERVICE_PYTHON_VERSION=3.8.6 +RUN $PYENV_ROOT/bin/pyenv install $CODEJAILSERVICE_PYTHON_VERSION + +ARG SANDBOX_PYTHON_VERSION=3.5.10 +RUN $PYENV_ROOT/bin/pyenv install $SANDBOX_PYTHON_VERSION + +RUN $PYENV_ROOT/versions/$CODEJAILSERVICE_PYTHON_VERSION/bin/python -m venv /openedx/venv +RUN $PYENV_ROOT/versions/$SANDBOX_PYTHON_VERSION/bin/python -m venv /sandbox/venv -RUN mkdir /openedx +###### Codejail service code +FROM minimal as code RUN git clone https://github.com/eduNEXT/codejailservice.git --branch eric/mvp --depth 1 /openedx/codejailservice WORKDIR /openedx/codejailservice +###### Install python requirements in virtualenv +FROM python as codejailservice-python-requirements + +ENV PATH /openedx/venv/bin:${PATH} +ENV VIRTUAL_ENV /openedx/venv/ + +COPY --from=code /openedx/codejailservice /openedx/codejailservice +WORKDIR /openedx/codejailservice RUN pip3 install -r requirements/base.txt +RUN pip3 install ipdb + +###### Install python requirements in virtualenv +FROM 
python as sandbox-python-requirements + +ENV PATH /sandbox/venv/bin:${PATH} +ENV VIRTUAL_ENV /sandbox/venv/ + +WORKDIR /var/tmp +RUN mkdir -p common/lib/ +RUN svn export https://github.com/edx/edx-platform.git/tags/open-release/koa.3/common/lib/sandbox-packages common/lib/sandbox-packages +RUN svn export https://github.com/edx/edx-platform.git/tags/open-release/koa.3/common/lib/symmath common/lib/symmath +# RUN wget https://raw.githubusercontent.com/edx/edx-platform/open-release/koa.3/requirements/edx-sandbox/base.txt && pip3 install base.txt +RUN wget https://raw.githubusercontent.com/edx/edx-platform/open-release/koa.3/requirements/edx-sandbox/py35.txt && pip3 install -r py35.txt + +##### Prod image +FROM minimal as production + +COPY --from=code /openedx/codejailservice /openedx/codejailservice +COPY --from=python /opt/pyenv /opt/pyenv +COPY --from=codejailservice-python-requirements /openedx/venv /openedx/venv +COPY --from=sandbox-python-requirements /sandbox/venv /sandbox/venv + +ENV PATH /openedx/venv/bin:${PATH} +ENV VIRTUAL_ENV /openedx/venv/ +WORKDIR /openedx/codejailservice EXPOSE 8000 CMD gunicorn --workers=2 --name codejailservice --bind=0.0.0.0:8000 --max-requests=1000 codejailservice.wsgi:application From e3aa9f66d1a7c95352420bfd81d6983bb31de5ac Mon Sep 17 00:00:00 2001 From: Eric Herrera Date: Fri, 28 May 2021 09:23:41 -0500 Subject: [PATCH 03/14] Install sandbox virtualenv using copies, so the python inside the virtualenv is a binary an not a symlink (Required by AppArmor). Add sandbox user and install sudo, so sandbox code run without root permissions. --- .../templates/codejail/build/codejail/Dockerfile | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tutorcodejail/templates/codejail/build/codejail/Dockerfile b/tutorcodejail/templates/codejail/build/codejail/Dockerfile index d64f6d2..47e97b7 100644 --- a/tutorcodejail/templates/codejail/build/codejail/Dockerfile 
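Review bot: `RUN pip3 install ipdb` in the `codejailservice-python-requirements` stage installs into `/openedx/venv`, and the `production` stage copies that tree verbatim (`COPY --from=codejailservice-python-requirements /openedx/venv /openedx/venv`), so the debugger ships in the production image; move it to a development-only stage or drop it. The commented-out `# RUN wget ... base.txt && pip3 install base.txt` line should be deleted rather than kept as dead text. The shell-form `CMD gunicorn ...` kept at the end of the hunk still leaves `/bin/sh` as PID 1, as raised on the first version of this file.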
+++ b/tutorcodejail/templates/codejail/build/codejail/Dockerfile @@ -23,7 +23,7 @@ ARG SANDBOX_PYTHON_VERSION=3.5.10 RUN $PYENV_ROOT/bin/pyenv install $SANDBOX_PYTHON_VERSION RUN $PYENV_ROOT/versions/$CODEJAILSERVICE_PYTHON_VERSION/bin/python -m venv /openedx/venv -RUN $PYENV_ROOT/versions/$SANDBOX_PYTHON_VERSION/bin/python -m venv /sandbox/venv +RUN $PYENV_ROOT/versions/$SANDBOX_PYTHON_VERSION/bin/python -m venv --copies /sandbox/venv ###### Codejail service code FROM minimal as code @@ -57,11 +57,19 @@ RUN wget https://raw.githubusercontent.com/edx/edx-platform/open-release/koa.3/r ##### Prod image FROM minimal as production +# Install system requirements +RUN apt update && \ + apt install -y sudo + COPY --from=code /openedx/codejailservice /openedx/codejailservice COPY --from=python /opt/pyenv /opt/pyenv COPY --from=codejailservice-python-requirements /openedx/venv /openedx/venv COPY --from=sandbox-python-requirements /sandbox/venv /sandbox/venv +# Setup sandbox +ENV SANDBOX_ENV=/sandbox/venv +RUN groupadd -r sandbox && useradd -m -r -g sandbox sandbox && chown -R sandbox:sandbox /sandbox + ENV PATH /openedx/venv/bin:${PATH} ENV VIRTUAL_ENV /openedx/venv/ WORKDIR /openedx/codejailservice From 5efde16f3f4f03b1e718c1e352181eefab419c67 Mon Sep 17 00:00:00 2001 From: Eric Herrera Date: Sun, 30 May 2021 17:11:51 -0500 Subject: [PATCH 04/14] Add lms feature and setting. Add sandbox as codejail user. --- tutorcodejail/patches/common-env-features | 1 + tutorcodejail/patches/openedx-lms-common-settings | 1 + tutorcodejail/templates/codejail/apps/settings/tutor.py | 4 ++-- 3 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 tutorcodejail/patches/common-env-features create mode 100644 tutorcodejail/patches/openedx-lms-common-settings diff --git a/tutorcodejail/patches/common-env-features b/tutorcodejail/patches/common-env-features new file mode 100644 index 0000000..e2e5450 --- /dev/null +++ b/tutorcodejail/patches/common-env-features 
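Review bot: `chown -R sandbox:sandbox /sandbox` in the second hunk hands ownership of the interpreter and every library under `/sandbox/venv` to the account that will run untrusted code, so a submission that finds a writable path can alter the runtime later submissions execute under. The venv only needs to be readable and executable by `sandbox`; leaving it root-owned and giving `sandbox` ownership of just the directories it must write keeps the account unable to modify its own interpreter. The `sudo` install is presumably the mechanism codejail uses to switch to `sandbox`; no sudoers rule is added here, which works while the service runs as root (no `USER` is set) but will need revisiting if that changes.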
@@ -0,0 +1 @@ +ENABLE_CODEJAIL_REST_SERVICE: True \ No newline at end of file diff --git a/tutorcodejail/patches/openedx-lms-common-settings b/tutorcodejail/patches/openedx-lms-common-settings new file mode 100644 index 0000000..a028da6 --- /dev/null +++ b/tutorcodejail/patches/openedx-lms-common-settings @@ -0,0 +1 @@ +CODE_JAIL_REST_SERVICE_HOST: "http://codejailservice:8000" \ No newline at end of file diff --git a/tutorcodejail/templates/codejail/apps/settings/tutor.py b/tutorcodejail/templates/codejail/apps/settings/tutor.py index 7fe7c0d..1bf70c2 100644 --- a/tutorcodejail/templates/codejail/apps/settings/tutor.py +++ b/tutorcodejail/templates/codejail/apps/settings/tutor.py @@ -4,7 +4,7 @@ SECRET_KEY = "{{ CODEJAIL_SECRET_KEY }}" ALLOWED_HOSTS = [ - "*", + # "*", "codejailservice", "{{ CODEJAIL_HOST }}", ] @@ -14,7 +14,7 @@ CODE_JAIL = { 'python_bin': '/sandbox/venv/bin/python', # User to run as in the sandbox. - 'user': '', + 'user': 'sandbox', # Configurable limits. 'limits': { From f61cb35866202455d4c37d22983a68bfca5a5720 Mon Sep 17 00:00:00 2001 
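Review bot: `# "*",` leaves a commented-out wildcard in `ALLOWED_HOSTS`; deleting the entry outright, leaving `["codejailservice", "{{ CODEJAIL_HOST }}"]`, avoids it being re-enabled by an uncommenting reflex. `'user': 'sandbox'` depends on the account created by `useradd` in the image from the previous patch; a comment naming that dependency (`# account created in build/codejail/Dockerfile`) makes the coupling visible.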
From: Eric Herrera Date: Tue, 1 Jun 2021 08:47:21 -0500 Subject: [PATCH 05/14] Add AppArmor profile for the sandboxed python. Add codejail_apparmmor image to run an init job that creates the AppArmor profile on the host. Add lms patches to set additional settings. Update/fix codejail service settings. Set codejail processes limits to 0 (disable) to avoid errors while running jailed code. --- tutorcodejail/patches/common-env-features | 2 +- tutorcodejail/patches/lms-env | 1 + .../patches/local-docker-compose-dev-services | 4 +- .../local-docker-compose-jobs-services | 7 ++ .../patches/openedx-lms-common-settings | 1 - tutorcodejail/plugin.py | 11 ++- .../codejail/apps/profiles/docker-edx-sandbox | 69 +++++++++++++++++++ .../templates/codejail/apps/settings/tutor.py | 16 +++-- .../build/codejail_apparmor/Dockerfile | 15 ++++ .../codejail/hooks/codejail_apparmor/init | 1 + 10 files changed, 114 insertions(+), 13 deletions(-) create mode 100644 tutorcodejail/patches/lms-env create mode 100644 tutorcodejail/patches/local-docker-compose-jobs-services delete mode 100644 tutorcodejail/patches/openedx-lms-common-settings create mode 100644 tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox create mode 100644 tutorcodejail/templates/codejail/build/codejail_apparmor/Dockerfile create mode 100644 tutorcodejail/templates/codejail/hooks/codejail_apparmor/init diff --git a/tutorcodejail/patches/common-env-features b/tutorcodejail/patches/common-env-features index e2e5450..dc1a84d 100644 --- a/tutorcodejail/patches/common-env-features +++ b/tutorcodejail/patches/common-env-features @@ -1 +1 @@ -ENABLE_CODEJAIL_REST_SERVICE: True \ No newline at end of file +"ENABLE_CODEJAIL_REST_SERVICE": true \ No newline at end of file diff --git a/tutorcodejail/patches/lms-env b/tutorcodejail/patches/lms-env new file mode 100644 index 0000000..d072912 --- /dev/null +++ b/tutorcodejail/patches/lms-env 
@@ -0,0 +1 @@ +"CODE_JAIL_REST_SERVICE_HOST": "http://{{ CODEJAIL_HOST }}:8550" \ No newline at end of file diff --git a/tutorcodejail/patches/local-docker-compose-dev-services b/tutorcodejail/patches/local-docker-compose-dev-services index a41df08..2e96550 100644 --- a/tutorcodejail/patches/local-docker-compose-dev-services +++ b/tutorcodejail/patches/local-docker-compose-dev-services @@ -1,4 +1,4 @@ codejailservice: - command: ./manage.py runserver 0.0.0.0:8170 + command: ./manage.py runserver 0.0.0.0:8550 ports: - - "8170:8170" \ No newline at end of file + - "8550:8550" \ No newline at end of file diff --git a/tutorcodejail/patches/local-docker-compose-jobs-services b/tutorcodejail/patches/local-docker-compose-jobs-services new file mode 100644 index 0000000..3a1a113 --- /dev/null +++ b/tutorcodejail/patches/local-docker-compose-jobs-services @@ -0,0 +1,7 @@ +codejail_apparmor-job: + image: ednxops/codejail_apparmor_loader:latest + privileged: true + volumes: + - ../plugins/codejail/apps/profiles/docker-edx-sandbox:/profiles/docker-edx-sandbox:ro + - /sys:/sys + - /etc/apparmor.d:/etc/apparmor.d diff --git a/tutorcodejail/patches/openedx-lms-common-settings b/tutorcodejail/patches/openedx-lms-common-settings deleted file mode 100644 index a028da6..0000000 --- a/tutorcodejail/patches/openedx-lms-common-settings +++ /dev/null @@ -1 +0,0 @@ -CODE_JAIL_REST_SERVICE_HOST: "http://codejailservice:8000" \ No newline at end of file diff --git a/tutorcodejail/plugin.py b/tutorcodejail/plugin.py index 63a49a2..eb2690d 100644 --- a/tutorcodejail/plugin.py +++ b/tutorcodejail/plugin.py 
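Review bot: `"CODE_JAIL_REST_SERVICE_HOST": "http://{{ CODEJAIL_HOST }}:8550"` points the LMS at port 8550, but the service image listens on 8000 (`EXPOSE 8000` and `--bind=0.0.0.0:8000` in the Dockerfile) and only the dev override in `local-docker-compose-dev-services` runs on 8550, so in a non-dev `local` deployment the LMS cannot reach codejail. Either bind the production server to 8550 as well or derive the port from a single config value so the two cannot drift. The URL is plain `http` with no authentication, which is acceptable only while the service stays on the private compose network; that assumption is worth stating in the patch.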
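Review bot: `image: ednxops/codejail_apparmor_loader:latest` does not match the image the plugin builds and pushes in `plugin.py` (`docker.io/ednxops/codejail_apparmor:latest`, the next hunk in this patch), so `tutor images build` produces one image and the init job pulls another; use one name, ideally through a config default in `plugin.py` alongside `DOCKER_IMAGE`, so they cannot diverge. The job runs `privileged: true` with the host's `/sys` and `/etc/apparmor.d` bind-mounted read-write and pulls a mutable `:latest` tag, so whatever that tag resolves to at run time gets full control of the host; a version tag or digest bounds that exposure. A comment on the service explaining why privilege and those mounts are needed (`# loads the docker-edx-sandbox profile into the host kernel; needs /sys and apparmor_parser access`) documents the trade-off.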
@@ -20,8 +20,15 @@ } hooks = { - "build-image": {"codejail": "{{ CODEJAIL_DOCKER_IMAGE }}"}, - "remote-image": {"codejail": "{{ CODEJAIL_DOCKER_IMAGE }}"}, + "build-image": { + "codejail": "{{ CODEJAIL_DOCKER_IMAGE }}", + "codejail_apparmor": "docker.io/ednxops/codejail_apparmor:latest" + }, + "remote-image": { + "codejail": "{{ CODEJAIL_DOCKER_IMAGE }}", + "codejail_apparmor": "docker.io/ednxops/codejail_apparmor:latest" + }, + "init": ["codejail_apparmor"] } diff --git a/tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox b/tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox new file mode 100644 index 0000000..376f053 --- /dev/null +++ b/tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox 
@@ -0,0 +1,69 @@
+#include
+
+profile docker-edx-sandbox flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ network,
+ capability,
+ file,
+ umount,
+ signal (receive) peer=unconfined,
+ signal (receive) peer=cri-containerd.apparmor.d,
+ signal (send,receive) peer=docker-edx-sandbox,
+
+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
+ # deny write to files not in /proc//** or /proc/sys/**
+ deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+ deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+ deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+ deny @{PROC}/kcore rwklx,
+
+ deny mount,
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+
+ ptrace (trace,read) peer=docker-edx-sandbox,
+
+ /sandbox/venv/bin/python Cx -> child,
+ profile child flags=(attach_disconnected,mediate_deleted){
+ #include
+ #include
+
+ #
+ # Whitelist particiclar shared objects from the system
+ # python installation
+ #
+ /sandbox/venv/** mr,
+ /opt/pyenv/versions/3.5.10/** mr,
+ /tmp/codejail-*/ rix,
+ /tmp/codejail-*/** wrix,
+
+ #
+ # Whitelist particular shared objects from the system
+ # python installation
+ #
+ /sandbox/venv/.config/ wrix,
+ /sandbox/venv/.cache/ wrix,
+ /sandbox/venv/.config/** wrix,
+ /sandbox/venv/.cache/** wrix,
+
+ # Matplot lib needs fonts to make graphs
+ /usr/share/fonts/ r,
+ /usr/share/fonts/** r,
+ /usr/local/share/fonts/ r,
+ /usr/local/share/fonts/** r,
+
+ #
+ # Allow access to selections from /proc
+ #
+ /proc/*/mounts r,
+ }
+}
\ No newline at end of file
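Review bot: Every `#include` line in the file (top level and inside both profiles) has no target, so `apparmor_parser` rejects the profile as written; they look like `#include <tunables/global>` and `#include <abstractions/base>` whose angle-bracket arguments were lost somewhere, which should be confirmed against the profile this was copied from before it is loaded. The outer `docker-edx-sandbox` profile grants blanket `network,`, `capability,` and `file,`, so the only substantive restriction on untrusted code is the `child` profile entered through `/sandbox/venv/bin/python Cx -> child,`; a header comment saying so (`# outer profile is essentially docker-default; confinement of submitted code happens in 'child'`) stops readers assuming the service itself is locked down. The second `Whitelist particular shared objects from the system` block is a copy of the first and does not describe the `.config`/`.cache` write rules under it.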
diff --git a/tutorcodejail/templates/codejail/apps/settings/tutor.py b/tutorcodejail/templates/codejail/apps/settings/tutor.py index 1bf70c2..dc22453 100644 --- a/tutorcodejail/templates/codejail/apps/settings/tutor.py +++ b/tutorcodejail/templates/codejail/apps/settings/tutor.py @@ -4,8 +4,6 @@ SECRET_KEY = "{{ CODEJAIL_SECRET_KEY }}" ALLOWED_HOSTS = [ - # "*", - "codejailservice", "{{ CODEJAIL_HOST }}", ] @@ -17,17 +15,21 @@ 'user': 'sandbox', # Configurable limits. + # Setting all of them to 0 to disable limits in conatiners. 'limits': { + # + 'NPROC': 0, # How many CPU seconds can jailed code use? - 'CPU': 1, + 'CPU': 0, # Limit the memory of the jailed process to something high but not # infinite (512MiB in bytes) - 'VMEM': 268435456, + 'VMEM': 0, # Time in seconds that the jailed process has to run. - 'REALTIME': 3, + 'REALTIME': 0, + # Needs to be non-zero so that jailed code can use it as their temp directory.(10MiB in bytes) + 'FSIZE': 10485760, + # Disable usage of proxy (force thread-safe) 'PROXY': 0, - # Needs to be non-zero so that jailed code can use it as their temp directory.(1MiB in bytes) - 'FSIZE': 1048576, }, # Overrides to default configurable 'limits' (above). diff --git a/tutorcodejail/templates/codejail/build/codejail_apparmor/Dockerfile b/tutorcodejail/templates/codejail/build/codejail_apparmor/Dockerfile new file mode 100644 index 0000000..f3595d5 --- /dev/null +++ b/tutorcodejail/templates/codejail/build/codejail_apparmor/Dockerfile 
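Review bot: Setting `'NPROC'`, `'CPU'`, `'VMEM'` and `'REALTIME'` to `0` removes every resource bound codejail enforces on submitted code, so one submission can spin CPU or grow memory until the container's own limits stop it, and no container limits appear in the compose patches on this page; the comment `Setting all of them to 0 to disable limits in conatiners` records the decision but not what takes over. If the limits were producing spurious failures, keeping `'REALTIME'` and `'VMEM'` non-zero and raising them is safer than disabling all four, and whichever container-level limits are meant to replace them should be named in that comment. The `'VMEM'` comment still reads `(512MiB in bytes)` above a value of `0`, and the bare `#` above `'NPROC'` should either describe the key or go.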
@@ -0,0 +1,15 @@ +FROM golang:latest as go_compiler + +RUN mkdir /app +WORKDIR /app +ADD https://raw.githubusercontent.com/kubernetes/kubernetes/master/test/images/apparmor-loader/loader.go loader.go +RUN go mod init loader +RUN go get k8s.io/klog/v2 +RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -a -installsuffix cgo --ldflags '-w' -o loader . + +FROM alpine:latest + +RUN apk add apparmor libapparmor --update-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing/ --allow-untrusted && \ + apk add --no-cache musl\>1.1.20 --repository http://dl-cdn.alpinelinux.org/alpine/edge/main/ + +COPY --from=go_compiler /app/loader /usr/bin/loader diff --git a/tutorcodejail/templates/codejail/hooks/codejail_apparmor/init b/tutorcodejail/templates/codejail/hooks/codejail_apparmor/init new file mode 100644 index 0000000..fa2ce78 --- /dev/null +++ b/tutorcodejail/templates/codejail/hooks/codejail_apparmor/init @@ -0,0 +1 @@ +/usr/bin/loader -logtostderr -v=2 /profiles \ No newline at end of file From eda975fe367ce8335a2ecd8bd9b773235b21f5a3 Mon Sep 17 00:00:00 2001 From: Eric Herrera Date: Tue, 1 Jun 2021 08:51:07 -0500 Subject: [PATCH 06/14] Fix repo url. --- setup.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup.py b/setup.py index 04804e4..0156d30 100644 --- a/setup.py +++ b/setup.py @@ -29,8 +29,8 @@ def load_about(): version=ABOUT["__version__"], url="https://github.com/github/tutor-contrib-codejail", project_urls={ - "Code": "https://github.com/github/tutor-contrib-codejail", - "Issue tracker": "https://github.com/github/tutor-contrib-codejail/issues", + "Code": "https://github.com/edunext/tutor-contrib-codejail", + "Issue tracker": "https://github.com/edunext/tutor-contrib-codejail/issues", }, license="AGPLv3", author="Eric Herrera", From 8b713490fb185e187f8290e29ac7afdad426bf77 Mon Sep 17 00:00:00 2001 
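Review bot: `ADD https://raw.githubusercontent.com/kubernetes/kubernetes/master/test/images/apparmor-loader/loader.go loader.go` fetches the loader source from a moving `master` ref with no checksum, and the resulting binary is what the init job later runs as a privileged container with the host's `/sys` and `/etc/apparmor.d` mounted; pin the ref to a tag or commit and verify a digest (`ADD --checksum=` where the builder supports it, otherwise a `RUN sha256sum -c`). `apk add ... --allow-untrusted` from `edge/testing` disables package signature verification for `apparmor`/`libapparmor`, and `golang:latest` plus `alpine:latest` make the build irreproducible; prefer a pinned release whose signed repositories provide the package, or state the accepted risk in a comment. A header comment on the image's purpose (`# builds the kubernetes apparmor-loader used by the codejail_apparmor init job`) would help, since the file does not say.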
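Review bot: The fix updates `project_urls` to `edunext`, but the `url="https://github.com/github/tutor-contrib-codejail",` context line two lines above still names the placeholder organisation, so the package metadata now points at two different repositories; change it to `url="https://github.com/edunext/tutor-contrib-codejail",` in the same commit.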
From: Eric Herrera Date: Wed, 2 Jun 2021 14:57:20 -0500 Subject: [PATCH 07/14] Adress PR comment. Get sandbox requirements form openedx edxapp image. --- .../templates/codejail/build/codejail/Dockerfile | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tutorcodejail/templates/codejail/build/codejail/Dockerfile b/tutorcodejail/templates/codejail/build/codejail/Dockerfile index 47e97b7..35bd3b5 100644 --- a/tutorcodejail/templates/codejail/build/codejail/Dockerfile +++ b/tutorcodejail/templates/codejail/build/codejail/Dockerfile @@ -49,10 +49,11 @@ ENV VIRTUAL_ENV /sandbox/venv/ WORKDIR /var/tmp RUN mkdir -p common/lib/ -RUN svn export https://github.com/edx/edx-platform.git/tags/open-release/koa.3/common/lib/sandbox-packages common/lib/sandbox-packages -RUN svn export https://github.com/edx/edx-platform.git/tags/open-release/koa.3/common/lib/symmath common/lib/symmath -# RUN wget https://raw.githubusercontent.com/edx/edx-platform/open-release/koa.3/requirements/edx-sandbox/base.txt && pip3 install base.txt -RUN wget https://raw.githubusercontent.com/edx/edx-platform/open-release/koa.3/requirements/edx-sandbox/py35.txt && pip3 install -r py35.txt + +COPY --from={{ DOCKER_IMAGE_OPENEDX }} /openedx/edx-platform/common/lib/sandbox-packages common/lib/sandbox-packages +COPY --from={{ DOCKER_IMAGE_OPENEDX }} /openedx/edx-platform/common/lib/sandbox-packages common/lib/symmath +COPY --from={{ DOCKER_IMAGE_OPENEDX }} /openedx/edx-platform/requirements/edx-sandbox/py35.txt py35.txt +RUN pip3 install -r py35.txt ##### Prod image FROM minimal as production From 4c018608266f1f6e414566f15778577fa121944b Mon Sep 17 00:00:00 2001 
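Review bot: The second `COPY --from={{ DOCKER_IMAGE_OPENEDX }}` line copies `/openedx/edx-platform/common/lib/sandbox-packages` into `common/lib/symmath`, so the symmath directory receives a second copy of sandbox-packages and the real symmath sources never reach the image; the source path should be `/openedx/edx-platform/common/lib/symmath`. Nothing after the copies installs either directory (only `RUN pip3 install -r py35.txt` runs), so it is worth confirming that `py35.txt` references them by relative path, otherwise both copies are dead weight. The `sandbox-python-requirements` stage continues outside the hunk.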
From: Eric Herrera Date: Wed, 2 Jun 2021 22:20:59 -0500 Subject: [PATCH 08/14] Add sandbox python version as variable. Add codejail service version as variable. --- tutorcodejail/__about__.py | 2 +- tutorcodejail/plugin.py | 3 +++ tutorcodejail/templates/codejail/build/codejail/Dockerfile | 4 ++-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/tutorcodejail/__about__.py b/tutorcodejail/__about__.py index 3dc1f76..5b46116 100644 --- a/tutorcodejail/__about__.py +++ b/tutorcodejail/__about__.py @@ -1 +1 @@ -__version__ = "0.1.0" +__version__ = "11.0.0" diff --git a/tutorcodejail/plugin.py b/tutorcodejail/plugin.py index eb2690d..3b90023 100644 --- a/tutorcodejail/plugin.py +++ b/tutorcodejail/plugin.py @@ -16,6 +16,9 @@ "VERSION": __version__, "HOST": "codejailservice.{{ LMS_HOST }}", "DOCKER_IMAGE": "docker.io/ednxops/codejailservice:latest", + }, + "set":{ + "SANDBOX_PYTHON_VERSION": "3.5.10", } } diff --git a/tutorcodejail/templates/codejail/build/codejail/Dockerfile b/tutorcodejail/templates/codejail/build/codejail/Dockerfile index 35bd3b5..a553f0b 100644 --- a/tutorcodejail/templates/codejail/build/codejail/Dockerfile +++ b/tutorcodejail/templates/codejail/build/codejail/Dockerfile @@ -19,7 +19,7 @@ RUN git clone https://github.com/pyenv/pyenv $PYENV_ROOT --branch v1.2.21 --dept ARG CODEJAILSERVICE_PYTHON_VERSION=3.8.6 RUN $PYENV_ROOT/bin/pyenv install $CODEJAILSERVICE_PYTHON_VERSION -ARG SANDBOX_PYTHON_VERSION=3.5.10 +ARG SANDBOX_PYTHON_VERSION={{ SANDBOX_PYTHON_VERSION }} RUN $PYENV_ROOT/bin/pyenv install $SANDBOX_PYTHON_VERSION RUN $PYENV_ROOT/versions/$CODEJAILSERVICE_PYTHON_VERSION/bin/python -m venv /openedx/venv 
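Review bot: `"set":{ "SANDBOX_PYTHON_VERSION": "3.5.10" }` places the interpreter version under `set`, which as I understand the v0 plugin API overrides any value the operator has in their own config, while this is precisely the knob an operator may need to change to match their edx-platform release; `"defaults"` (where `VERSION`, `HOST` and `DOCKER_IMAGE` already live) looks like the intended section unless the override is deliberate, in which case a comment should say why. The key is also missing the space after the colon used everywhere else in the dict (`"set": {`).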
@@ -27,7 +27,7 @@ RUN $PYENV_ROOT/versions/$SANDBOX_PYTHON_VERSION/bin/python -m venv --copies /sa ###### Codejail service code FROM minimal as code -RUN git clone https://github.com/eduNEXT/codejailservice.git --branch eric/mvp --depth 1 /openedx/codejailservice +RUN git clone https://github.com/eduNEXT/codejailservice.git --branch {{ CODEJAIL_VERSION }} --depth 1 /openedx/codejailservice WORKDIR /openedx/codejailservice ###### Install python requirements in virtualenv From b8857457f25f5481a5fdc56d7742f5f6b2420fb9 Mon Sep 17 00:00:00 2001 From: Eric Herrera Date: Wed, 2 Jun 2021 22:22:26 -0500 Subject: [PATCH 09/14] Adjust plugin to work with flask. --- .../patches/local-docker-compose-dev-services | 5 ++- .../patches/local-docker-compose-services | 4 +- .../templates/codejail/apps/config/tutor.py | 7 ++++ .../templates/codejail/apps/settings/tutor.py | 41 ------------------- 4 files changed, 13 insertions(+), 44 deletions(-) create mode 100644 tutorcodejail/templates/codejail/apps/config/tutor.py delete mode 100644 tutorcodejail/templates/codejail/apps/settings/tutor.py diff --git a/tutorcodejail/patches/local-docker-compose-dev-services b/tutorcodejail/patches/local-docker-compose-dev-services index 2e96550..67fef66 100644 --- a/tutorcodejail/patches/local-docker-compose-dev-services +++ b/tutorcodejail/patches/local-docker-compose-dev-services @@ -1,4 +1,7 @@ codejailservice: - command: ./manage.py runserver 0.0.0.0:8550 + command: flask run --host 0.0.0.0 --port 8550 + environment: + FLASK_ENV: development + FLASK_APP_SETTINGS: codejailservice.config.DevelopmentConfig ports: - "8550:8550" \ No newline at end of file diff --git a/tutorcodejail/patches/local-docker-compose-services b/tutorcodejail/patches/local-docker-compose-services index 12507b4..4394fcf 100644 --- a/tutorcodejail/patches/local-docker-compose-services +++ b/tutorcodejail/patches/local-docker-compose-services 
@@ -2,10 +2,10 @@ codejailservice: image: {{ CODEJAIL_DOCKER_IMAGE }} environment: - DJANGO_SETTINGS_MODULE: codejailservice.settings.tutor + FLASK_APP_SETTINGS: config.DevelopmentConfig security_opt: - apparmor:docker-edx-sandbox volumes: - - ../plugins/codejail/apps/settings/tutor.py:/openedx/codejailservice/codejailservice/settings/tutor.py:ro + - ../plugins/codejail/apps/config/tutor.py:/openedx/codejailservice/codejailservice/tutor.py:ro - ../../data/codejail:/openedx/data restart: unless-stopped diff --git a/tutorcodejail/templates/codejail/apps/config/tutor.py b/tutorcodejail/templates/codejail/apps/config/tutor.py new file mode 100644 index 0000000..0d92027 --- /dev/null +++ b/tutorcodejail/templates/codejail/apps/config/tutor.py @@ -0,0 +1,7 @@ +from base import BaseConfig + + class DevConfig(BaseConfig): + pass + + class ProductionConfig(BaseConfig) + pass diff --git a/tutorcodejail/templates/codejail/apps/settings/tutor.py b/tutorcodejail/templates/codejail/apps/settings/tutor.py deleted file mode 100644 index dc22453..0000000 --- a/tutorcodejail/templates/codejail/apps/settings/tutor.py +++ /dev/null 
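Review bot: `FLASK_APP_SETTINGS: config.DevelopmentConfig` configures the non-dev `local` service with a development profile, and the dev override in `local-docker-compose-dev-services` from this same patch uses a different dotted path, `codejailservice.config.DevelopmentConfig`; at most one of these resolves inside the image, and the production service should name a production class. The mounted `config/tutor.py` lands at `/openedx/codejailservice/codejailservice/tutor.py`, a path neither setting references, so it is unclear how the rendered file is loaded; pointing the setting at the class that file provides, or documenting the import chain in the patch, would close that gap.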
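Review bot: `class ProductionConfig(BaseConfig)` is missing its trailing colon, so this module raises `SyntaxError` on import; it should read `class ProductionConfig(BaseConfig):`. The two `class` lines also appear indented relative to `from base import BaseConfig`, which would be an `IndentationError` if that indentation is real rather than a rendering artefact. The compose patches in this commit reference `DevelopmentConfig`, but the class defined here is `DevConfig`; the names should match. `from base import BaseConfig` only resolves if the file's own directory is on `sys.path`, which seems unlikely given the mount path `codejailservice/tutor.py`; an import relative to the service package is probably what is meant, but I cannot see the package layout to confirm.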
@@ -1,41 +0,0 @@
-from .base import *
-
-from codejail.django_integration_utils import apply_django_settings
-SECRET_KEY = "{{ CODEJAIL_SECRET_KEY }}"
-ALLOWED_HOSTS = [
- "{{ CODEJAIL_HOST }}",
-]
-
-#################### Python sandbox ############################################
-
-CODE_JAIL = {
- 'python_bin': '/sandbox/venv/bin/python',
- # User to run as in the sandbox.
- 'user': 'sandbox',
-
- # Configurable limits.
- # Setting all of them to 0 to disable limits in conatiners.
- 'limits': {
- #
- 'NPROC': 0,
- # How many CPU seconds can jailed code use?
- 'CPU': 0,
- # Limit the memory of the jailed process to something high but not
- # infinite (512MiB in bytes)
- 'VMEM': 0,
- # Time in seconds that the jailed process has to run.
- 'REALTIME': 0,
- # Needs to be non-zero so that jailed code can use it as their temp directory.(10MiB in bytes)
- 'FSIZE': 10485760,
- # Disable usage of proxy (force thread-safe)
- 'PROXY': 0,
- },
-
- # Overrides to default configurable 'limits' (above).
- # Keys should be course run ids.
- # Values should be dictionaries that look like 'limits'.
- "limit_overrides": {},
-}
-
-apply_django_settings(CODE_JAIL)
From 2b3cc681b6a6ecb37561bfa4614bdf8e2c80d7e5 Mon Sep 17 00:00:00 2001
From: Eric Herrera
Date: Sun, 1 Aug 2021 14:43:27 -0500
Subject: [PATCH 10/14] Include python abstractions adapted to pyenv in app armor profile. Fix codejail service default host.
---
 tutorcodejail/plugin.py | 2 +-
 .../codejail/apps/profiles/docker-edx-sandbox | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/tutorcodejail/plugin.py b/tutorcodejail/plugin.py
index 3b90023..2f69257 100644
--- a/tutorcodejail/plugin.py
+++ b/tutorcodejail/plugin.py
@@ -14,7 +14,7 @@
 },
 "defaults": {
 "VERSION": __version__,
- "HOST": "codejailservice.{{ LMS_HOST }}",
+ "HOST": "codejailservice",
 "DOCKER_IMAGE": "docker.io/ednxops/codejailservice:latest",
 },
 "set":{
diff --git a/tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox b/tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox index 376f053..4851acf 100644 --- a/tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox +++ b/tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox @@ -35,7 +35,17 @@ profile docker-edx-sandbox flags=(attach_disconnected,mediate_deleted) { /sandbox/venv/bin/python Cx -> child, profile child flags=(attach_disconnected,mediate_deleted){ #include - #include + + # + # Python abstractions adapted from https://gitlab.com/apparmor/apparmor/-/raw/master/profiles/apparmor.d/abstractions/python + # + /opt/pyenv/versions/{2.[4-7].*,3.[0-9].*}/lib/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr, + /opt/pyenv/versions/{2.[4-7].*,3.[0-9].*}/lib/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r, + /opt/pyenv/versions/{2.[4-7].*,3.[0-9].*}/lib/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r, + /opt/pyenv/versions/3.[0-9].*/lib/python3.[0-9]/lib-dynload/*.so mr, + + /opt/pyenv/versions/{2.[4-7].*,3.[0-9].*}/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r, + # # Whitelist particiclar shared objects from the system From 011eb8dffa3f0d3d98c4464ac4f77881a28e3221 Mon Sep 17 00:00:00 2001 From: Eric Herrera Date: Sun, 1 Aug 2021 18:41:38 -0500 Subject: [PATCH 11/14] Replace gunicorn by uwsgi to match edx-platofrm configuration. --- .../templates/codejail/build/codejail/Dockerfile | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tutorcodejail/templates/codejail/build/codejail/Dockerfile b/tutorcodejail/templates/codejail/build/codejail/Dockerfile index a553f0b..9634abb 100644 --- a/tutorcodejail/templates/codejail/build/codejail/Dockerfile +++ b/tutorcodejail/templates/codejail/build/codejail/Dockerfile 
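Review bot: The new rules give the `child` profile — the one confining the untrusted sandbox interpreter — read and mmap access to every pyenv tree matching `/opt/pyenv/versions/{2.[4-7].*,3.[0-9].*}`, which includes the service's own `CODEJAILSERVICE_PYTHON_VERSION` interpreter and its site-packages, not just the sandbox Python. This file lives under `templates/`, so if it is rendered like the Dockerfile the globs could be narrowed to the sandbox interpreter, e.g. `/opt/pyenv/versions/{{ CODEJAIL_SANDBOX_PYTHON_VERSION }}/lib/python3.[0-9]/**.{pyc,so} mr,` — I have not confirmed the profile goes through the template renderer. Separately, `3.[0-9]` does not match a 3.10 or later interpreter, so a future change to the sandbox version would be denied silently; a comment such as `# NOTE: the 3.[0-9] globs cover 3.0-3.9 only; revisit when the sandbox Python moves past 3.9` would make that limit visible. The `#include` targets are not legible on this page, so I could not check what the removed include provided versus these replacements.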
@@ -76,4 +76,12 @@ ENV VIRTUAL_ENV /openedx/venv/
 WORKDIR /openedx/codejailservice
 EXPOSE 8000
-CMD gunicorn --workers=2 --name codejailservice --bind=0.0.0.0:8000 --max-requests=1000 codejailservice.wsgi:application
+CMD uwsgi \
+ --http 0.0.0.0:8000 \
+ --thunder-lock \
+ --single-interpreter \
+ --enable-threads \
+ --processes=${UWSGI_WORKERS:-2} \
+ --buffer-size=8192 \
+ --max-requests=1000 \
+ --wsgi-file /openedx/codejailservice/wsgi.py
From f085ef2c6bfa739ca618b873957dfe32c368d537 Mon Sep 17 00:00:00 2001
From: Eric Herrera
Date: Tue, 27 Jul 2021 11:03:01 -0500
Subject: [PATCH 12/14] Add settings to run ir using tutor dev env.
---
 tutorcodejail/patches/cms-env | 3 +++
 tutorcodejail/patches/lms-env | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 tutorcodejail/patches/cms-env
diff --git a/tutorcodejail/patches/cms-env b/tutorcodejail/patches/cms-env
new file mode 100644
index 0000000..9f67ad6
--- /dev/null
+++ b/tutorcodejail/patches/cms-env
@@ -0,0 +1,3 @@
+"CODE_JAIL_REST_SERVICE_HOST": "http://{{ CODEJAIL_HOST }}:8550",
+"CODE_JAIL_REST_SERVICE_CONNECT_TIMEOUT": 0.5,
+"CODE_JAIL_REST_SERVICE_READ_TIMEOUT": 3.5
\ No newline at end of file
diff --git a/tutorcodejail/patches/lms-env b/tutorcodejail/patches/lms-env
index d072912..9f67ad6 100644
--- a/tutorcodejail/patches/lms-env
+++ b/tutorcodejail/patches/lms-env
@@ -1 +1,3 @@
-"CODE_JAIL_REST_SERVICE_HOST": "http://{{ CODEJAIL_HOST }}:8550"
\ No newline at end of file
+"CODE_JAIL_REST_SERVICE_HOST": "http://{{ CODEJAIL_HOST }}:8550",
+"CODE_JAIL_REST_SERVICE_CONNECT_TIMEOUT": 0.5,
+"CODE_JAIL_REST_SERVICE_READ_TIMEOUT": 3.5
\ No newline at end of file
From 5a772c6f06792b5eb2a049999ec1d7f8ee0bda35 Mon Sep 17 00:00:00 2001
From: Eric Herrera
Date: Wed, 28 Jul 2021 18:33:40 -0500
Subject: [PATCH 13/14] Upgrade version.
---
 tutorcodejail/__about__.py | 2 +-
 tutorcodejail/plugin.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
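Review bot: uwsgi is bound to `--http 0.0.0.0:8000` (matching `EXPOSE 8000`), but everything else in this series addresses the service on 8550: the `CODE_JAIL_REST_SERVICE_HOST` values in the lms-env/cms-env patches use `http://{{ CODEJAIL_HOST }}:8550` and the dev compose override runs `flask run ... --port 8550`, while the production compose patch shown here sets no `command` or port mapping for `codejailservice`. Unless a command override exists outside the visible hunks, an LMS in a non-dev deployment will be connecting to a port nothing listens on. Either `--http 0.0.0.0:8550` together with `EXPOSE 8550`, or `:8000` in the two env patches, keeps the pieces in step; the earlier stages of this Dockerfile are outside the hunk.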
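Review bot: `CODE_JAIL_REST_SERVICE_READ_TIMEOUT: 3.5` is the only time bound on a sandbox run that this series configures, and it is enforced on the LMS side only: when the client gives up after 3.5 s, the jailed process inside codejailservice keeps running, because the Flask config template added earlier carries no `REALTIME`/`CPU` limits (the deleted Django settings had them, all set to 0, i.e. disabled). A submission that never terminates therefore costs the LMS worker 3.5 s but costs the sandbox container a process until something else reaps it; the read timeout should be tied to an explicit service-side limit exposed as a Tutor setting rather than left implicit. The URL is also plain `http://` with no credential, so reachability on the compose network is the whole trust boundary, which is why the host publish in the dev compose patch matters. The same fragment is added to lms-env in the next hunk; a rendered-away note in both, `{# READ_TIMEOUT must exceed the REALTIME limit enforced by the codejail service #}`, would document the dependency.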
diff --git a/tutorcodejail/__about__.py b/tutorcodejail/__about__.py
index 5b46116..0e21ac9 100644
--- a/tutorcodejail/__about__.py
+++ b/tutorcodejail/__about__.py
@@ -1 +1 @@
-__version__ = "11.0.0"
+__version__ = "12.0.0"
diff --git a/tutorcodejail/plugin.py b/tutorcodejail/plugin.py
index 2f69257..7a745d1 100644
--- a/tutorcodejail/plugin.py
+++ b/tutorcodejail/plugin.py
@@ -15,7 +15,7 @@
 "defaults": {
 "VERSION": __version__,
 "HOST": "codejailservice",
- "DOCKER_IMAGE": "docker.io/ednxops/codejailservice:latest",
+ "DOCKER_IMAGE": f"docker.io/ednxops/codejailservice:{__version__}",
 },
 "set":{
 "SANDBOX_PYTHON_VERSION": "3.5.10",
From 02c0c791fd91337575e4416fcd809aa5982ccef5 Mon Sep 17 00:00:00 2001
From: Eric Herrera
Date: Sat, 11 Sep 2021 14:45:13 -0500
Subject: [PATCH 14/14] Address Regis PR comments
---
 tutorcodejail/patches/local-docker-compose-dev-services | 3 ++-
 tutorcodejail/patches/local-docker-compose-services | 2 +-
 tutorcodejail/plugin.py | 9 ++++-----
 tutorcodejail/templates/codejail/apps/config/tutor.py | 8 ++++----
 .../templates/codejail/build/codejail/Dockerfile | 6 +++---
 5 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/tutorcodejail/patches/local-docker-compose-dev-services b/tutorcodejail/patches/local-docker-compose-dev-services
index 67fef66..d0d45e9 100644
--- a/tutorcodejail/patches/local-docker-compose-dev-services
+++ b/tutorcodejail/patches/local-docker-compose-dev-services
@@ -4,4 +4,5 @@ codejailservice:
 FLASK_ENV: development
 FLASK_APP_SETTINGS: codejailservice.config.DevelopmentConfig
 ports:
- - "8550:8550"
\ No newline at end of file
+ - "8550:8550"
+ restart: unless-stopped
\ No newline at end of file
diff --git a/tutorcodejail/patches/local-docker-compose-services b/tutorcodejail/patches/local-docker-compose-services
index 4394fcf..d1d24cc 100644
--- a/tutorcodejail/patches/local-docker-compose-services
+++ b/tutorcodejail/patches/local-docker-compose-services
@@ -2,7 +2,7 @@ codejailservice:
 image: {{ CODEJAIL_DOCKER_IMAGE }}
 environment:
- FLASK_APP_SETTINGS: config.DevelopmentConfig
+ FLASK_APP_SETTINGS: config.ProductionConfig
 security_opt:
 - apparmor:docker-edx-sandbox
 volumes:
diff --git a/tutorcodejail/plugin.py b/tutorcodejail/plugin.py
index 7a745d1..29e6a53 100644
--- a/tutorcodejail/plugin.py
+++ b/tutorcodejail/plugin.py
@@ -16,20 +16,19 @@
 "VERSION": __version__,
 "HOST": "codejailservice",
 "DOCKER_IMAGE": f"docker.io/ednxops/codejailservice:{__version__}",
- },
- "set":{
 "SANDBOX_PYTHON_VERSION": "3.5.10",
- }
+ },
+ "set":{}
 }
 hooks = {
 "build-image": {
 "codejail": "{{ CODEJAIL_DOCKER_IMAGE }}",
- "codejail_apparmor": "docker.io/ednxops/codejail_apparmor:latest"
+ "codejail_apparmor": f"docker.io/ednxops/codejail_apparmor:{__version__}"
 },
 "remote-image": {
 "codejail": "{{ CODEJAIL_DOCKER_IMAGE }}",
- "codejail_apparmor": "docker.io/ednxops/codejail_apparmor:latest"
+ "codejail_apparmor": f"docker.io/ednxops/codejail_apparmor:{__version__}"
 },
 "init": ["codejail_apparmor"]
 }
diff --git a/tutorcodejail/templates/codejail/apps/config/tutor.py b/tutorcodejail/templates/codejail/apps/config/tutor.py
index 0d92027..547592b 100644
--- a/tutorcodejail/templates/codejail/apps/config/tutor.py
+++ b/tutorcodejail/templates/codejail/apps/config/tutor.py
@@ -1,7 +1,7 @@
 from base import BaseConfig
- class DevConfig(BaseConfig):
- pass
+class DevConfig(BaseConfig):
+ pass
- class ProductionConfig(BaseConfig)
- pass
+class ProductionConfig(BaseConfig):
+ pass
diff --git a/tutorcodejail/templates/codejail/build/codejail/Dockerfile b/tutorcodejail/templates/codejail/build/codejail/Dockerfile
index 9634abb..b939c64 100644
--- a/tutorcodejail/templates/codejail/build/codejail/Dockerfile
+++ b/tutorcodejail/templates/codejail/build/codejail/Dockerfile
@@ -1,5 +1,5 @@
 FROM docker.io/ubuntu:20.04 as minimal
-MAINTAINER Overhang.io
+MAINTAINER edunext.co
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt update && \
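Review bot: `FLASK_APP_SETTINGS: config.ProductionConfig` names a `config` module, yet the only settings file this plugin supplies is mounted (in the `volumes:` lines just below this hunk, from the earlier flask patch) at `/openedx/codejailservice/codejailservice/tutor.py` and defines `DevConfig`/`ProductionConfig`; nothing visible makes `config.ProductionConfig` resolve to that mounted file, so it is unclear whether the Tutor-rendered settings are ever loaded. If `config` is the service's own module, the mounted `tutor.py` is dead configuration; if the intent is to load the mounted file, the value presumably has to be the import path the mount gives it — I could not verify the right path from the diff. A comment in the patch pinning the intent, `# FLASK_APP_SETTINGS must name the module the tutor.py volume below is mounted as`, would make this checkable by the next reviewer.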
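Review bot: Moving `"SANDBOX_PYTHON_VERSION": "3.5.10"` into `defaults` makes it a user-facing setting, and the default selects an end-of-life interpreter (CPython 3.5 stopped receiving security fixes in 2020) as the runtime that executes untrusted learner code, so the container and AppArmor confinement carry the full weight of isolation. It matches the `py35.txt` sandbox requirements copied from edx-platform in the Dockerfile, so changing it is not a one-line fix, but the trade-off deserves a comment next to the default, e.g. `# 3.5.x matches edx-platform's edx-sandbox/py35.txt; CPython 3.5 is EOL, so keep the sandbox confinement tight`. The now-empty `"set":{}` could be dropped unless the plugin loader requires the key to be present.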
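Review bot: Both config classes are empty, so every sandbox parameter — `python_bin`, the sandbox `user`, and the `limits` (`CPU`, `VMEM`, `REALTIME`, `NPROC`, `FSIZE`, `PROXY`) that the deleted Django settings template set explicitly — now comes from `BaseConfig` inside the service image, which the diff does not show and an operator cannot adjust through Tutor. Since this file is a Tutor template, the natural next step is to render Tutor settings into it; at minimum each class should state what it inherits, e.g. `"""Production settings; sandbox paths and resource limits are inherited unchanged from BaseConfig."""`. `from base import BaseConfig` is also an absolute import of a top-level `base`, which only works if the directory the file is mounted into is on `sys.path`; the compose patch mounts it inside the `codejailservice` package, so a package-relative import may be what is needed — I could not verify the service's layout from the diff.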
@@ -19,7 +19,7 @@ RUN git clone https://github.com/pyenv/pyenv $PYENV_ROOT --branch v1.2.21 --dept
 ARG CODEJAILSERVICE_PYTHON_VERSION=3.8.6
 RUN $PYENV_ROOT/bin/pyenv install $CODEJAILSERVICE_PYTHON_VERSION
-ARG SANDBOX_PYTHON_VERSION={{ SANDBOX_PYTHON_VERSION }}
+ARG SANDBOX_PYTHON_VERSION={{ CODEJAIL_SANDBOX_PYTHON_VERSION }}
 RUN $PYENV_ROOT/bin/pyenv install $SANDBOX_PYTHON_VERSION
 RUN $PYENV_ROOT/versions/$CODEJAILSERVICE_PYTHON_VERSION/bin/python -m venv /openedx/venv
@@ -51,7 +51,7 @@ WORKDIR /var/tmp
 RUN mkdir -p common/lib/
 COPY --from={{ DOCKER_IMAGE_OPENEDX }} /openedx/edx-platform/common/lib/sandbox-packages common/lib/sandbox-packages
-COPY --from={{ DOCKER_IMAGE_OPENEDX }} /openedx/edx-platform/common/lib/sandbox-packages common/lib/symmath
+COPY --from={{ DOCKER_IMAGE_OPENEDX }} /openedx/edx-platform/common/lib/symmath common/lib/symmath
 COPY --from={{ DOCKER_IMAGE_OPENEDX }} /openedx/edx-platform/requirements/edx-sandbox/py35.txt py35.txt
 RUN pip3 install -r py35.txt