From cf66b1ebf3bb8ecf668eae16845537dda097aa8b Mon Sep 17 00:00:00 2001
From: Feanil Patel
Date: Tue, 23 Apr 2024 15:12:14 -0400
Subject: [PATCH] feat: Build multipel test containers for codejail.

Before we can test on the newer versions of python we need to build the new images. This PR updates the Dockerfile to Ubuntu 22.04 instead of 20.04 and uses deadksnakes to be able to install any relevant python versions we might need. We also update the publsh workflow to allow publishing multiple images. We create new sudoers and apparmor profiles to be able to run with the new version of python as well.
---
 .github/workflows/push-docker-image.yml | 12 ++++++---
 Dockerfile | 19 +++++++++-----
 ...box.codejail_sandbox-python3.11.bin.python | 26 +++++++++++++++++++
 .../{01-sandbox => 01-sandbox-python-3.11} | 0
 sudoers-file/01-sandbox-python-3.8 | 7 +++++
 5 files changed, 54 insertions(+), 10 deletions(-)
 create mode 100644 apparmor-profiles/home.sandbox.codejail_sandbox-python3.11.bin.python
 rename sudoers-file/{01-sandbox => 01-sandbox-python-3.11} (100%)
 create mode 100644 sudoers-file/01-sandbox-python-3.8

diff --git a/.github/workflows/push-docker-image.yml b/.github/workflows/push-docker-image.yml
index 3eb8feb21..121ae9ac2 100644
--- a/.github/workflows/push-docker-image.yml
+++ b/.github/workflows/push-docker-image.yml
@@ -8,6 +8,13 @@ on:
 jobs:
 push:
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ include:
+ - python_version: '3.8'
+ docker_tag: latest
+ - python_version: '3.11'
+ docker_tag: '3.11'
 steps:
 - name: Checkout
@@ -28,7 +35,6 @@ jobs:
 env:
 ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
 ECR_REPOSITORY: openedx-codejail
- IMAGE_TAG: latest
 run: |
- docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
- docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+ docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ matrix.docker_tag }} --build-arg ${{ matrix.python_version }} .
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:${{ matrix.docker_tag }}
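Review bot: `--build-arg ${{ matrix.python_version }}` in the new `docker build` line passes a bare value with no ARG name, so the Dockerfile's `python_version` ARG is never set: Docker treats a name-only `--build-arg` as an instruction to read that name from the build environment, which is unset here, so every matrix job builds the Dockerfile default (3.8) and the `3.11` tag ends up holding a 3.8 image (or the build fails outright, depending on the builder). The line should read `docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ matrix.docker_tag }} --build-arg python_version=${{ matrix.python_version }} .`. The matrix added in the first hunk is fine as written; only this hunk needs the change.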
diff --git a/Dockerfile b/Dockerfile
index e74c91cba..2ce5c4f81 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,21 +1,26 @@
-FROM ubuntu:focal
+FROM ubuntu:22.04
 SHELL ["/bin/bash", "-c"]
 
+ARG python_version=3.8
+
 # Install Codejail Packages
-RUN apt-get update && apt-get upgrade -y
-RUN apt-get install -y vim python3-virtualenv python3-pip
+ENV TZ=Etc/UTC
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y software-properties-common
+RUN add-apt-repository -y ppa:deadsnakes/ppa && apt-get update && apt-get upgrade -y
+RUN apt-get install -y vim python3-virtualenv python${python_version} python${python_version}-dev python${python_version}-distutils
 RUN apt-get install -y sudo git
 
 # Define Environment Variables
 ENV CODEJAIL_GROUP=sandbox
 ENV CODEJAIL_SANDBOX_CALLER=ubuntu
 ENV CODEJAIL_TEST_USER=sandbox
-ENV CODEJAIL_TEST_VENV=/home/sandbox/codejail_sandbox-python3.8
+ENV CODEJAIL_TEST_VENV=/home/sandbox/codejail_sandbox-python${python_version}
 
 # Create Virtualenv for sandbox user
-RUN virtualenv -p python3.8 --always-copy $CODEJAIL_TEST_VENV
+RUN virtualenv -p /usr/bin/python${python_version} --always-copy $CODEJAIL_TEST_VENV
 
-RUN virtualenv -p python3.8 venv
+RUN virtualenv -p /usr/bin/python${python_version} venv
 ENV VIRTUAL_ENV=/venv
 
 # Add venv/bin to path
@@ -48,7 +53,7 @@ RUN pip install -r /codejail/requirements/sandbox.txt && pip install -r /codejai
 COPY . /codejail
 
 # Setup sudoers file
-COPY sudoers-file/01-sandbox /etc/sudoers.d/01-sandbox
+COPY sudoers-file/01-sandbox-python-${python_version} /etc/sudoers.d/01-sandbox
 
 # Change Sudoers file permissions
 RUN chmod 0440 /etc/sudoers.d/01-sandbox
diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.11.bin.python b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.11.bin.python
new file mode 100644
index 000000000..49a3ae2fa
--- /dev/null
+++ b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.11.bin.python
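Review bot: The new apt block makes the sandbox interpreter come from the third-party `ppa:deadsnakes/ppa` with no pinned package versions, and the `apt-get upgrade -y` kept on the `add-apt-repository` line means two builds of the same commit can diverge, so the published sandbox image is neither reproducible nor attributable to a known Python build; at minimum pin `python${python_version}` to a specific package version (hadolint DL3008) and drop the blanket upgrade in favour of bumping the `FROM ubuntu:22.04` tag. `ENV DEBIAN_FRONTEND=noninteractive` also persists into the runtime image; `ARG DEBIAN_FRONTEND=noninteractive`, or an inline `RUN DEBIAN_FRONTEND=noninteractive apt-get …`, keeps it build-only. `python${python_version}-distutils` only exists for versions that still ship distutils, so the ARG will not generalize past 3.11 without a conditional; a comment on the `ARG python_version=3.8` line naming the supported values (those with a matching `sudoers-file/` and `apparmor-profiles/` entry) would save the next person a failed build. None of the three `RUN apt-get` lines removes `/var/lib/apt/lists/*` in the same layer either (DL3009).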
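Review bot: `COPY sudoers-file/01-sandbox-python-${python_version} /etc/sudoers.d/01-sandbox` ties every buildable `python_version` to a hand-maintained sudoers file, and the per-version AppArmor profile has the same coupling, so a build with any value other than 3.8 or 3.11 fails at this COPY even though the ARG reads as general. Since the two sudoers files differ only in the venv path, consider generating `/etc/sudoers.d/01-sandbox` at build time from a single template with the version substituted, keeping the exact interpreter path rather than a wildcard so the NOPASSWD grant stays as narrow as it is today. Whichever way the file is produced, validate it in the same layer with `visudo -cf /etc/sudoers.d/01-sandbox` before the `chmod 0440`, since a malformed sudoers.d fragment is otherwise only discovered when the first sandbox call fails at runtime.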
@@ -0,0 +1,26 @@
+#include
+
+profile apparmor_profile /home/sandbox/codejail_sandbox-python3.11/bin/python {
+ #include
+ #include
+
+ /home/sandbox/codejail_sandbox-python3.11/** mr,
+ /tmp/codejail-*/ rix,
+ /tmp/codejail-*/** wrix,
+
+ # Whitelist particiclar shared objects from the system
+ # python installation
+ #
+ /usr/lib/python3.11/lib-dynload/_json.so mr,
+ /usr/lib/python3.11/lib-dynload/_ctypes.so mr,
+ /usr/lib/python3.11/lib-dynload/_heapq.so mr,
+ /usr/lib/python3.11/lib-dynload/_io.so mr,
+ /usr/lib/python3.11/lib-dynload/_csv.so mr,
+ /usr/lib/python3.11/lib-dynload/datetime.so mr,
+ /usr/lib/python3.11/lib-dynload/_elementtree.so mr,
+ /usr/lib/python3.11/lib-dynload/pyexpat.so mr,
+ #
+ # Allow access to selections from /proc
+ #
+ /proc/*/mounts r,
+}
diff --git a/sudoers-file/01-sandbox b/sudoers-file/01-sandbox-python-3.11
similarity index 100%
rename from sudoers-file/01-sandbox
rename to sudoers-file/01-sandbox-python-3.11
diff --git a/sudoers-file/01-sandbox-python-3.8 b/sudoers-file/01-sandbox-python-3.8
new file mode 100644
index 000000000..bd7f51a93
--- /dev/null
+++ b/sudoers-file/01-sandbox-python-3.8
@@ -0,0 +1,7 @@
+ubuntu ALL=(sandbox) SETENV:NOPASSWD:/home/sandbox/codejail_sandbox-python3.8/bin/python
+ubuntu ALL=(sandbox) SETENV:NOPASSWD:/usr/bin/find
+ubuntu ALL=(ALL) NOPASSWD:/usr/bin/pkill
+
+Defaults!/home/sandbox/codejail_sandbox-python3.8/bin/python !requiretty
+Defaults!/usr/bin/find !requiretty
+Defaults!/usr/bin/pkill !requiretty
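Review bot: The lib-dynload rules name the extension modules as bare `_json.so`, `_ctypes.so` and so on, but CPython on Debian-derived systems installs them under an ABI-tagged filename (of the shape `_json.cpython-311-<platform>.so`, a constructed example), so as written these eight lines may match nothing and any effective `mr` access would have to come from the included abstractions instead; verify the names against `lib-dynload` inside the built image before treating this list as the whitelist it claims to be. The `#include` directives appear here without their `<…>` targets, which I take to be a rendering artifact since `apparmor_parser` rejects a bare `#include`, but it is worth confirming the committed file carries them. Separately, granting `_ctypes.so` gives confined code a foreign-function interface into every library already mapped into the interpreter, which widens the sandbox's surface well beyond the other listed modules; a comment stating which codejail feature needs ctypes (or dropping the line if none does) would document that trade-off.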
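Review bot: `ubuntu ALL=(ALL) NOPASSWD:/usr/bin/pkill` in the new 3.8 file lets the caller run pkill as root with any arguments, so a bug in the calling code can signal processes outside the sandbox; the renamed 3.11 file has the identical line, but since this is a fresh copy it is the natural place for a comment explaining why root is required here rather than `(sandbox)` as on the python and find entries. The `SETENV` tag on the interpreter entry also means its environment is fully caller-controlled, which is presumably how codejail passes settings through but leaves the AppArmor profile as the only thing bounding what that interpreter can do; a one-line comment recording that intent would help the next reviewer. The two sudoers files now differ only in the venv path, which invites drift when one is edited and the other is not.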