From 116f122e81e7f27b57a659f5f4afe4597ca61da3 Mon Sep 17 00:00:00 2001 From: Tim McCormack Date: Tue, 18 Mar 2025 13:43:14 +0000 Subject: [PATCH 1/2] fix: Run codejail with app user; more docs - Use `app` user by default; may need to switch back to `root` at some point for ease of development, but for now let's try to keep it as similar as possible to stage and prod so that we can find issues sooner. - Document the situation, and note how to enter as root (same as for any container, but may be helpful in this uncommon situation). - Correct comment for `FSIZE` - Copy `NPROC` and `PROXY` defaults into settings for reference This depends on https://github.com/edx/edx-arch-experiments/issues/983, otherwise the service will start failing. --- docker-compose.yml | 1 + docs/codejail.rst | 2 ++ py_configuration_files/codejail.py | 6 +++++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 930dbf8b..c5e882dc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -731,6 +731,7 @@ services: DJANGO_SETTINGS_MODULE: codejail_service.settings.devstack ports: - "18030:8080" + user: app security_opt: - apparmor=openedx_codejail_service diff --git a/docs/codejail.rst b/docs/codejail.rst index d94b9af5..42e3371f 100644 --- a/docs/codejail.rst +++ b/docs/codejail.rst 
@@ -42,3 +42,5 @@ Debugging To check whether the profile has been applied, run ``sudo aa-status | grep codejail``. This won't tell you if the profile is out of date, but it will tell you if you have *some* version of it installed. If you need to debug the confinement, either because it is restricting too much or too little, a good strategy is to run ``tail -F /var/log/kern.log | grep codejail`` and watch for ``DENIED`` lines. You should expect to see several appear during service startup, as the service is designed to probe the confinement as part of its initial healthcheck. + +Unlike other devstack services, this one runs as the ``app`` user rather than as ``root``. In order to enter the container as root, you can use ``docker compose exec -it --user root codejail bash`` rather than ``make codejail-shell``. diff --git a/py_configuration_files/codejail.py b/py_configuration_files/codejail.py index a4ef39eb..b795e777 100644 --- a/py_configuration_files/codejail.py +++ b/py_configuration_files/codejail.py @@ -26,7 +26,11 @@ # Need at least 300 MiB memory for matplotlib alone. 512 MiB should be # enough headroom in general. 'VMEM': 512 * 1024 * 1024, - # 1 MB file write limit + # 1 MB file size limit 'FSIZE': 1 * 1024 * 1024, + # 15 processes and threads (codejail default) + 'NPROC': 15, + # Match production configuration + 'PROXY': 0, }, } From 23b8611ca31342673ea14efa991b75656877f2aa Mon Sep 17 00:00:00 2001 From: Tim McCormack Date: Wed, 19 Mar 2025 16:20:09 +0000 Subject: [PATCH 2/2] fixup! Clarify why we use app here --- docs/codejail.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codejail.rst b/docs/codejail.rst index 42e3371f..64864060 100644 --- a/docs/codejail.rst +++ b/docs/codejail.rst 
@@ -43,4 +43,4 @@ To check whether the profile has been applied, run ``sudo aa-status | grep codej If you need to debug the confinement, either because it is restricting too much or too little, a good strategy is to run ``tail -F /var/log/kern.log | grep codejail`` and watch for ``DENIED`` lines. You should expect to see several appear during service startup, as the service is designed to probe the confinement as part of its initial healthcheck. -Unlike other devstack services, this one runs as the ``app`` user rather than as ``root``. In order to enter the container as root, you can use ``docker compose exec -it --user root codejail bash`` rather than ``make codejail-shell``. +Unlike other devstack services, this one runs as the ``app`` user rather than as ``root``. (Although this isn't strictly needed to develop, it better matches our production environment, and allows proper testing of several aspects of the sandboxing.) In order to enter the container as root, you can use ``docker compose exec -it --user root codejail bash`` rather than ``make codejail-shell``.
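Review bot: in the docker-compose.yml hunk, the `user: app` line carries none of the context from the commit message, namely that the service fails to start unless https://github.com/edx/edx-arch-experiments/issues/983 has landed. Record that dependency next to the setting so someone who hits a startup failure after a rebase finds the explanation where the change is, e.g. `user: app  # requires edx-arch-experiments#983; see docs/codejail.rst`. Keeping the container non-root alongside the existing `apparmor=openedx_codejail_service` security_opt is the right direction, since the confinement is then exercised the same way it is in stage and prod.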
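Review bot: the new paragraph in docs/codejail.rst (patch 1) explains how to enter the container as root but not what that does and does not change. Since the container still runs under the `apparmor=openedx_codejail_service` profile set in docker-compose.yml, `docker compose exec -it --user root codejail bash` changes only the uid inside the container; the AppArmor confinement and the `DENIED` lines described just above still apply. A sentence saying so would save a developer from concluding that the profile is broken because root is also denied.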
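Review bot: in the py_configuration_files/codejail.py hunk, the comment `# Match production configuration` above `'PROXY': 0` documents where the value came from but not what it means, and the commit message says these values were copied in "for reference". State the effect of `0` in the comment (the same way the `NPROC` line states "15 processes and threads"), and note that pinning these explicitly means a future change to the codejail defaults will no longer reach devstack, which is the intended trade-off here but should be visible to the next reader. The `FSIZE` comment correction ("file size limit" rather than "file write limit") looks right.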
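Review bot: patch 2 is a `fixup!` commit and should be autosquashed into patch 1 before merge so the rationale lands in the same commit as the `user: app` change it explains. In the new sentence itself, "allows proper testing of several aspects of the sandboxing" would be more useful if it named which aspects only work correctly when the service is not root, since the debugging section above only covers the AppArmor profile; the parenthetical also reads better as a plain sentence.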