feat: Build multipel test containers for codejail.

Before we can test on the newer versions of python we need to build the new images. This PR updates the Dockerfile to Ubuntu 22.04 instead of 20.04 and uses deadksnakes to be able to install any relevant python versions we might need. We also update the publsh workflow to allow publishing multiple images. We create new sudoers and apparmor profiles to be able to run with the new version of python as well.
openedx · Apr 23, 2024 · cf66b1e · cf66b1e
1 parent 96abed1
commit cf66b1e
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 10 deletions.
diff --git a/.github/workflows/push-docker-image.yml b/.github/workflows/push-docker-image.yml
@@ -8,6 +8,13 @@ on:
 jobs:
   push:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - python_version: '3.8'
+            docker_tag: latest
+          - python_version: '3.11'
+            docker_tag: '3.11'
 
     steps:
       - name: Checkout
@@ -28,7 +35,6 @@ jobs:
         env:
           ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
           ECR_REPOSITORY: openedx-codejail
-          IMAGE_TAG: latest
         run: |
-          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ matrix.docker_tag }} --build-arg ${{ matrix.python_version }} .
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:${{ matrix.docker_tag }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,21 +1,26 @@
-FROM ubuntu:focal
+FROM ubuntu:22.04
 SHELL ["/bin/bash", "-c"]
 
+ARG python_version=3.8
+
 # Install Codejail Packages
-RUN apt-get update && apt-get upgrade -y
-RUN apt-get install -y vim python3-virtualenv python3-pip
+ENV TZ=Etc/UTC
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y software-properties-common
+RUN add-apt-repository -y ppa:deadsnakes/ppa && apt-get update && apt-get upgrade -y
+RUN apt-get install -y vim python3-virtualenv python${python_version} python${python_version}-dev python${python_version}-distutils
 RUN apt-get install -y sudo git
 
 # Define Environment Variables
 ENV CODEJAIL_GROUP=sandbox
 ENV CODEJAIL_SANDBOX_CALLER=ubuntu
 ENV CODEJAIL_TEST_USER=sandbox
-ENV CODEJAIL_TEST_VENV=/home/sandbox/codejail_sandbox-python3.8
+ENV CODEJAIL_TEST_VENV=/home/sandbox/codejail_sandbox-python${python_version}
 
 # Create Virtualenv for sandbox user
-RUN virtualenv -p python3.8 --always-copy $CODEJAIL_TEST_VENV
+RUN virtualenv -p /usr/bin/python${python_version} --always-copy $CODEJAIL_TEST_VENV
 
-RUN virtualenv -p python3.8 venv
+RUN virtualenv -p /usr/bin/python${python_version} venv
 ENV VIRTUAL_ENV=/venv
 
 # Add venv/bin to path
@@ -48,7 +53,7 @@ RUN pip install -r /codejail/requirements/sandbox.txt && pip install -r /codejai
 COPY . /codejail
 
 # Setup sudoers file
-COPY sudoers-file/01-sandbox /etc/sudoers.d/01-sandbox
+COPY sudoers-file/01-sandbox-python-${python_version} /etc/sudoers.d/01-sandbox
 
 # Change Sudoers file permissions
 RUN chmod 0440 /etc/sudoers.d/01-sandbox

diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.11.bin.python b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.11.bin.python
@@ -0,0 +1,26 @@
+#include <tunables/global>
+
+profile apparmor_profile /home/sandbox/codejail_sandbox-python3.11/bin/python {
+    #include <abstractions/base>
+    #include <abstractions/python>
+
+    /home/sandbox/codejail_sandbox-python3.11/** mr,
+    /tmp/codejail-*/ rix,
+    /tmp/codejail-*/** wrix,
+
+    # Whitelist particiclar shared objects from the system
+    # python installation
+    #
+    /usr/lib/python3.11/lib-dynload/_json.so mr,
+    /usr/lib/python3.11/lib-dynload/_ctypes.so mr,
+    /usr/lib/python3.11/lib-dynload/_heapq.so mr,
+    /usr/lib/python3.11/lib-dynload/_io.so mr,
+    /usr/lib/python3.11/lib-dynload/_csv.so mr,
+    /usr/lib/python3.11/lib-dynload/datetime.so mr,
+    /usr/lib/python3.11/lib-dynload/_elementtree.so mr,
+    /usr/lib/python3.11/lib-dynload/pyexpat.so mr,
+    #
+    # Allow access to selections from /proc
+    #
+    /proc/*/mounts r,
+}
diff --git a/sudoers-file/01-sandbox → sudoers-file/01-sandbox-python-3.11 b/sudoers-file/01-sandbox → sudoers-file/01-sandbox-python-3.11
diff --git a/sudoers-file/01-sandbox-python-3.8 b/sudoers-file/01-sandbox-python-3.8
@@ -0,0 +1,7 @@
+ubuntu ALL=(sandbox) SETENV:NOPASSWD:/home/sandbox/codejail_sandbox-python3.8/bin/python
+ubuntu ALL=(sandbox) SETENV:NOPASSWD:/usr/bin/find
+ubuntu ALL=(ALL) NOPASSWD:/usr/bin/pkill
+
+Defaults!/home/sandbox/codejail_sandbox-python3.8/bin/python !requiretty
+Defaults!/usr/bin/find !requiretty
+Defaults!/usr/bin/pkill !requiretty