diff --git a/docker-compose.yml b/docker-compose.yml
index 930dbf8b..c5e882dc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -731,6 +731,7 @@ services:
 DJANGO_SETTINGS_MODULE: codejail_service.settings.devstack
 ports:
 - "18030:8080"
+ user: app
 security_opt:
 - apparmor=openedx_codejail_service
diff --git a/docs/codejail.rst b/docs/codejail.rst
index d94b9af5..64864060 100644
--- a/docs/codejail.rst
+++ b/docs/codejail.rst
@@ -42,3 +42,5 @@ Debugging
 To check whether the profile has been applied, run ``sudo aa-status | grep codejail``. This won't tell you if the profile is out of date, but it will tell you if you have *some* version of it installed.

 If you need to debug the confinement, either because it is restricting too much or too little, a good strategy is to run ``tail -F /var/log/kern.log | grep codejail`` and watch for ``DENIED`` lines. You should expect to see several appear during service startup, as the service is designed to probe the confinement as part of its initial healthcheck.
+
+Unlike other devstack services, this one runs as the ``app`` user rather than as ``root``. (Although this isn't strictly needed to develop, it better matches our production environment, and allows proper testing of several aspects of the sandboxing.) In order to enter the container as root, you can use ``docker compose exec -it --user root codejail bash`` rather than ``make codejail-shell``.
diff --git a/py_configuration_files/codejail.py b/py_configuration_files/codejail.py
index a4ef39eb..b795e777 100644
--- a/py_configuration_files/codejail.py
+++ b/py_configuration_files/codejail.py
@@ -26,7 +26,11 @@
 # Need at least 300 MiB memory for matplotlib alone. 512 MiB should be
 # enough headroom in general.
 'VMEM': 512 * 1024 * 1024,
- # 1 MB file write limit
+ # 1 MB file size limit
 'FSIZE': 1 * 1024 * 1024,
+ # 15 processes and threads (codejail default)
+ 'NPROC': 15,
+ # Match production configuration
+ 'PROXY': 0,
 },
 }
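Review bot: The added `user: app` line carries no comment explaining why this one service departs from the root default that the rest of the compose file uses, and a reader of docker-compose.yml will not see the rationale that lives in docs/codejail.rst. Add above it `# Run as the non-root app user to match production and exercise the sandbox's privilege boundaries (see docs/codejail.rst)`. The setting also presumes the image defines an `app` account and that any paths the service writes are owned or writable by that user; if this service definition has bind mounts outside the hunk that were created while it ran as root, confirm they are still usable. The `codejail` service definition begins and ends outside the hunk.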
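Review bot: The comment on the new `'PROXY': 0` line says only that it matches production, not what the value means, so a reader cannot tell whether 0 disables something relevant to sandbox isolation. If this is codejail's proxy-process switch, say so, e.g. `# Match production: run sandboxed code directly rather than through codejail's proxy process` — confirm the semantics against the codejail version in use before wording it. On `'NPROC': 15`, it would help to note that this is presumably applied as a per-user process limit for the sandbox account, in which case concurrent sandbox runs sharing that account are bounded jointly rather than individually; verify how codejail applies it. The dict being edited opens before the hunk.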