Merge pull request #201 from openedx/feanil/publish_ubuntu_images

Drop ECR for testing builds

Author: feanil

.github/workflows/ci.yml

@@ -8,44 +8,40 @@ on:
 jobs:
   codejail_ci:
     name: tests
-    runs-on: ubuntu-20.04
+    runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         include:
-          - python_version: '3.8'
-            docker_tag: latest
           - python_version: '3.11'
-            docker_tag: '3.11'
+            ubuntu_version: '20.04'
+            os: "ubuntu-20.04"
+          - python_version: '3.11'
+            ubuntu_version: '22.04'
+            os: "ubuntu-22.04"
+          # Disabling this for now because it's failing and we need to figure out
+          # next steps to fix this.
+          # - python_version: '3.11'
+          #   ubuntu_version: '24.04'
+          #   os: "ubuntu-24.04"
 
     steps:
       - uses: actions/checkout@v4
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-access-key-id: ${{ secrets.TOOLS_EDX_ECR_USER_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.TOOLS_EDX_ECR_USER_AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
-
-      - name: Login to Amazon ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
-
       - name: Parse custom apparmor profile
         run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
 
-      - name: Pull codejail CI image
-        run: docker pull 257477529851.dkr.ecr.us-east-1.amazonaws.com/openedx-codejail:latest
-
       - name: Build latest code changes into CI image
         run: |
-          docker build --cache-from 257477529851.dkr.ecr.us-east-1.amazonaws.com/openedx-codejail \
-            -t 257477529851.dkr.ecr.us-east-1.amazonaws.com/openedx-codejail \
-            --build-arg python_version=${{ matrix.python_version }} .
+          docker build -t openedx-codejail \
+            --cache-to type=gha \
+            --cache-from type=gha \
+            --build-arg python_version=${{ matrix.python_version }} \
+            --build-arg ubuntu_version=${{ matrix.ubuntu_version }} .
 
       - name: Run container with custom apparmor profile and codejail CI image
         run: |
           docker run --name=codejail --privileged -d --security-opt apparmor=apparmor_profile \
-            257477529851.dkr.ecr.us-east-1.amazonaws.com/openedx-codejail tail -f /dev/null
+            openedx-codejail tail -f /dev/null
 
       - name: Run Non Proxy Tests
         run: docker exec -t codejail bash -c 'make clean && make test_no_proxy'

.github/workflows/push-docker-image.yml

@@ -1,7 +1,9 @@
-FROM ubuntu:focal
+ARG ubuntu_version="20.04"
+
+FROM ubuntu:${ubuntu_version}
 SHELL ["/bin/bash", "-c"]
 
-ARG python_version=3.8
+ARG python_version="3.8"
 
 # Install Codejail Packages
 ENV TZ=Etc/UTC
@@ -33,8 +35,15 @@ RUN addgroup $CODEJAIL_GROUP
 RUN adduser --disabled-login --disabled-password $CODEJAIL_TEST_USER --ingroup $CODEJAIL_GROUP
 
 # Switch to non root user inside Docker container
-RUN addgroup ubuntu
-RUN adduser --disabled-login --disabled-password ubuntu --ingroup ubuntu
+RUN getent group ubuntu || groupadd ubuntu
+RUN getent passwd ubuntu || adduser --disabled-login --disabled-password ubuntu --ingroup ubuntu
+
+# Remove using PAM to set limits for sudo.
+# We want codejail to manage the limits so we remove this line from the sudo pam config
+# if we don't the forked process gets limits based on /etc/security/limits.conf which by
+# default does not set any limits on the forked process.
+# This line was not there on Ubuntu 20.04 but was added in 22.04
+RUN sed -i '/pam_limits.so/d' /etc/pam.d/sudo
 
 # Give Ownership of sandbox env to sandbox group and user
 RUN chown -R $CODEJAIL_TEST_USER:$CODEJAIL_GROUP $CODEJAIL_TEST_VENV

Dockerfile

@@ -19,11 +19,11 @@ using the same API, but will not guard against malicious code.  This allows the
 same code to be used on safe-configured or non-safe-configured developer's
 machines.
 
-A CodeJail sandbox consists of several pieces: 
+A CodeJail sandbox consists of several pieces:
 
 #) Sandbox environment. For a Python setup, this would be Python and
    associated core packages. This is denoted throughout this document
-   as **<SANDENV>**. This is read-only. 
+   as **<SANDENV>**. This is read-only.
 
 #) Sandbox packages. These are additional packages needed for a given
    run. For example, this might be a grader written by an instructor
@@ -34,7 +34,7 @@ A CodeJail sandbox consists of several pieces:
 #) Untrusted packages. This is typically the code submitted by the
    student to be tested on the server, as well as any data the code
    may need to modify. This is denoted throughout this document as
-   **<UNTRUSTED_PACK>**. This is currently read-only, but may need to 
+   **<UNTRUSTED_PACK>**. This is currently read-only, but may need to
    be read-write for some applications.
 
 #) OS packages. These are standard system libraries needed to run
@@ -48,6 +48,20 @@ sandboxes. This will be referred to as **<SANDBOX_CALLER>**. The
 second account is the account under which the sandbox runs. This is
 typically the account 'sandbox.'
 
+Supported Versions
+------------------
+
+This library currently is tested to work with the following versions
+
+Python:
+
+* 3.11
+
+Ubuntu:
+
+* 20.04
+* 22.04
+
 Installation
 ------------
 
@@ -129,6 +143,10 @@ Other details here that depend on your configuration:
 
 7. Reactivate your project's main virtualenv again.
 
+8. Disable using PAM to set rlimits::
+
+    sed -i '/pam_limits.so/d' /etc/pam.d/sudo
+
 Using CodeJail
 --------------
 
@@ -142,7 +160,7 @@ commands at your Python terminal::
     codejail.safe_exec.safe_exec("output=open('/etc/passwd').read()", jailed_globals)
     print(jailed_globals)  # should be unreachable if codejail is working properly
 
-This should fail with an exception. 
+This should fail with an exception.
 
 If you need to change the packages installed into your sandbox's virtualenv,
 you'll need to disable AppArmor, because your sandboxed Python doesn't have

README.rst

@@ -4,6 +4,16 @@ profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0
     #include <abstractions/base>
     #include <abstractions/python>
 
+    # Deny network access and socket operations
+    # Note: If this profile is being run on a docker container
+    # then this directive might not be sufficient.  Docker network
+    # interfaces are created in a different namespace from the one that
+    # apparmor can monitor and manage and so apparmor can't always deny
+    # network access to the container.  Please be sure to test
+    # network access from within your container for the jailed process
+    # to be sure that everything is secure.
+    deny network,
+
     /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr,
     /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth}       r,
     /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r,

apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python

@@ -1,3 +1,3 @@
 """init"""
 
-__version__ = '3.4.1'
+__version__ = '3.5.0'

codejail/__init__.py

@@ -184,6 +184,7 @@ def __init__(self):
         self.stdout = self.stderr = self.status = None
 
 
+# pylint: disable=too-many-positional-arguments
 def jail_code(command, code=None, files=None, extra_files=None, argv=None,
               stdin=None, limit_overrides_context=None, slug=None):
     """
@@ -229,6 +230,7 @@ def jail_code(command, code=None, files=None, extra_files=None, argv=None,
     # pylint: disable=too-many-statements
 
     if not is_configured(command):
+        # pylint: disable=broad-exception-raised
         raise Exception("jail_code needs to be configured for %r" % command)
 
     # We make a temp directory to serve as the home of the sandboxed code.

codejail/jail_code.py

@@ -71,7 +71,7 @@ def run_subprocess_through_proxy(*args, **kwargs):  # pylint: disable=inconsiste
             proxy_stdout = proxy.stdout.readline()
             if not proxy_stdout:
                 # EOF: the proxy must have died.
-                raise Exception("Proxy process died unexpectedly!")
+                raise Exception("Proxy process died unexpectedly!")  # pylint: disable=broad-exception-raised
             status, stdout, stderr, log_calls = deserialize_out(proxy_stdout.rstrip())
 
             # Write all the log messages to the log, and return.

codejail/proxy.py

@@ -37,6 +37,7 @@ class SafeExecException(Exception):
     """
 
 
+# pylint: disable=too-many-positional-arguments
 def safe_exec(
         code,
         globals_dict,
@@ -235,6 +236,7 @@ def decode_object(obj):
     return json.loads(json.dumps(jd))
 
 
+# pylint: disable=too-many-positional-arguments
 def not_safe_exec(
         code,
         globals_dict,

codejail/safe_exec.py

@@ -11,6 +11,7 @@
 log = logging.getLogger("codejail")
 
 
+# pylint: disable=too-many-positional-arguments
 def run_subprocess(
         cmd, stdin=None, cwd=None, env=None, rlimits=None, realtime=None,
         slug=None,