Proposal Date
2025-04-30
Target Ticket Acceptance Date
TBD
Earliest Open edX Named Release Without This Functionality
Ulmo - 2025-10
Rationale
The capability of using codejail for problems with code execution is not going away. This DEPR is for removing the ability to run this locally as part of edx-platform, in favor of running remotely in a new codejail-service.
Using the new service for code execution is more secure, most especially because if anyone were able to break out of the layers of security, they would not be executing code on the same box as the LMS, which has access to data which is important to keep secure. Keeping code execution in another service entirely also allows additional layers of security that would not be possible when colocated with the LMS, such as preventing all outbound network connections.
Removal
The local codejail allows unsafe execution (non-sandboxed) for configured courses. This functionality will likely not be carried over to the new remote service.
The darklaunch feature, which enables one to choose between local and remote, is a good starting place to find all of the local codejail code that can be removed. See this GitHub search for locations.
Replacement
The replacement is the new codejail-service.
Note: 2U/edX is running this in production.
Deprecation
The legacy local calls could be marked as deprecated when someone moves this ticket forward.
Migration
A darklaunch capability was added so that the new remote codejail-service could be tested and tuned in production without causing issues. Once all is well, edx-platform configuration can be updated to switch users to the new service.
See https://docs.openedx.org/projects/edx-platform/en/latest/references/featuretoggles.html#featuretoggle-ENABLE_CODEJAIL_DARKLAUNCH
Additional Info
No response
Task List
ubuntu-latest like in this PR: build: updated ubuntu version to latest edx/edx-platform#75.