fix: Run codejail with app user; more docs

docker-compose.yml

@@ -731,6 +731,7 @@ services:
       DJANGO_SETTINGS_MODULE: codejail_service.settings.devstack
     ports:
       - "18030:8080"
+    user: app
     security_opt:
       - apparmor=openedx_codejail_service
 

docs/codejail.rst

@@ -42,3 +42,5 @@ Debugging
 To check whether the profile has been applied, run ``sudo aa-status | grep codejail``. This won't tell you if the profile is out of date, but it will tell you if you have *some* version of it installed.
 
 If you need to debug the confinement, either because it is restricting too much or too little, a good strategy is to run ``tail -F /var/log/kern.log | grep codejail`` and watch for ``DENIED`` lines. You should expect to see several appear during service startup, as the service is designed to probe the confinement as part of its initial healthcheck.
+
+Unlike other devstack services, this one runs as the ``app`` user rather than as ``root``. (Although this isn't strictly needed to develop, it better matches our production environment, and allows proper testing of several aspects of the sandboxing.) In order to enter the container as root, you can use ``docker compose exec -it --user root codejail bash`` rather than ``make codejail-shell``.

py_configuration_files/codejail.py

@@ -26,7 +26,11 @@
         # Need at least 300 MiB memory for matplotlib alone. 512 MiB should be
         # enough headroom in general.
         'VMEM': 512 * 1024 * 1024,
-        # 1 MB file write limit
+        # 1 MB file size limit
         'FSIZE': 1 * 1024 * 1024,
+        # 15 processes and threads (codejail default)
+        'NPROC': 15,
+        # Match production configuration
+        'PROXY': 0,
     },
 }