feat: use an "init service" to load the apparmor profile

This follows the same logic as the "permissions" service used by tutor core. The `codejail-apparmor-loader` service runs the command used previously by the init job. It makes more sense to handling loading of the apparmor profile with an init service: - The profile is ephemeral, rebooting the host will require to load it again. - The profile is a dependency for the container to start. Things like database migrations, which are the main use case for init jobs, don't block the start of the main service container.
eduNEXT · Dec 19, 2024 · 9a11838 · 9a11838
1 parent 8a9e678
commit 9a11838
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 55 deletions.
diff --git a/tutorcodejail/patches/k8s-jobs b/tutorcodejail/patches/k8s-jobs
diff --git a/tutorcodejail/patches/local-docker-compose-jobs-services b/tutorcodejail/patches/local-docker-compose-jobs-services
diff --git a/tutorcodejail/patches/local-docker-compose-services b/tutorcodejail/patches/local-docker-compose-services
@@ -11,3 +11,18 @@ codejailservice:
     - ../plugins/codejail/apps/config/tutor.py:/openedx/codejailservice/codejailservice/tutor.py:ro
     - ../../data/codejail:/openedx/data
   restart: unless-stopped
+  depends_on:
+    - codejail-apparmor-loader
+
+codejail-apparmor-loader:
+  image: {{ CODEJAIL_APPARMOR_DOCKER_IMAGE }}
+  privileged: true
+  command:
+    - /usr/bin/loader
+    - -logtostderr
+    - -v=2
+    - /profiles
+  volumes:
+    - ../plugins/codejail/apps/profiles/docker-edx-sandbox:/profiles/docker-edx-sandbox:ro
+    - /sys:/sys
+    - /etc/apparmor.d:/etc/apparmor.d
diff --git a/tutorcodejail/plugin.py b/tutorcodejail/plugin.py
@@ -68,26 +68,6 @@ def get_apparmor_abi():
     ]
 )
 
-# To add a custom initialization task, create a bash script template under:
-# tutorcodejail/templates/codejail/tasks/
-# and then add it to the MY_INIT_TASKS list. Each task is in the format:
-# ("<service>", ("<path>", "<to>", "<script>", "<template>"))
-MY_INIT_TASKS: list[tuple[str, tuple[str, ...], int]] = [
-    ("codejail-apparmor", ("codejail", "tasks", "codejail-apparmor", "init"), hooks.priorities.HIGH),
-]
-
-
-# For each task added to MY_INIT_TASKS, we load the task template
-# and add it to the CLI_DO_INIT_TASKS filter, which tells Tutor to
-# run it as part of the `init` job.
-for service, template_path, priority in MY_INIT_TASKS:
-    full_path: str = str(
-        importlib_resources.files("tutorcodejail") / os.path.join("templates", *template_path)
-    )
-    with open(full_path, encoding="utf-8") as init_task_file:
-        init_task: str = init_task_file.read()
-    hooks.Filters.CLI_DO_INIT_TASKS.add_item((service, init_task), priority=priority)
-
 
 hooks.Filters.IMAGES_BUILD.add_item((
     "codejail",

diff --git a/tutorcodejail/templates/codejail/tasks/.gitignore b/tutorcodejail/templates/codejail/tasks/.gitignore
diff --git a/tutorcodejail/templates/codejail/tasks/codejail-apparmor/init b/tutorcodejail/templates/codejail/tasks/codejail-apparmor/init