Allow setting low NPROC in codejail-service

[timmc-edx]

We currently need to set a very high CODE_JAIL.limits.NPROC for codejail-service, in the area of 2000, otherwise the sudo -u sandbox ... call fails to fork. This is much higher than the limit we actually want to set for a sandbox.

It turns out the issue is that while the NPROC setting constrains only one process, all processes owned by the same UID contribute to the usage count. And Docker does not confine UIDs, just the mapping of usernames to UIDs. If codejail-service runs as the app user in the container with UID 1000, the rlimit system still sees all of the other processes owned by UID 1000 on the host as well, and there are hundreds or even thousands of those.

The best solution we have available is to assign app a UID that does not collide with anything on the host.

Implementation:

• Update django-ida helm chart to allow starting the container with a UID other than 1000
  • https://github.com/edx/helm-charts/pull/184
• Change app in the Dockerfile to use a new, randomly selected UID
  • fix!: Use new, non-colliding UID and GID for codejail app, sandbox users public-dockerfiles#113
• Update argocd stage config to specify new UID
  • https://github.com/edx/edx-internal/pull/12507
• Document this in codejail-service's docs/deployment.rst
  • docs: Document UID and NPROC issues openedx/codejail-service#30
• Once the above are complete, update devstack to run the service as the app user
  • fix: Run codejail with app user; more docs devstack#124
• Discover how low we can plausibly set NPROC
• Document this in codejail library (in configuration docs, and limitation docs)
  • docs: More accurate NPROC documentation openedx/codejail#239
• Optionally: Constrain the number of codejail pods that can run on the same host (because they'll still interfere with each other)