feat: Set up sandbox environment inside codejail image #103
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Install Python 3.8 from deadsnakes for sandbox Python - Install depencies for use inside sandbox - Install sudo for entering sandbox - Document relationship to codejail's docs Also, some cleanup: - Rename args `GITHUB_REPO` to `APP_REPO` and `VERSION` to `APP_VERSION` to help distinguish from sandbox args - Similarly, rename `PYVER` to `APP_PY_VER` for clarity
9 tasks
timmc-edx
commented
Feb 13, 2025
robrap
reviewed
Feb 14, 2025
Also move SAND_DEPS a bit later in the file since it doesn't actually relate to codejail's sandboxing structure. (It's just a temporary file used only during image building.)
robrap
reviewed
Feb 14, 2025
| # - This Dockerfile is for the codejail-service, a wrapper around the codejail | ||
| # *library*. When used in isolation, "codejail" usually refers to the library. | ||
| # - "Sandbox" refers to the secured execution environment for user-submitted | ||
| # code, not to the sandbox deployment environments used for debugging. This |
There was a problem hiding this comment.
Suggested change
| # code, not to the sandbox deployment environments used for debugging. This | |
| # code, not to the sandbox deployment environments used for debugging. This |
| # Some of this structure can be changed, and some cannot. Any changes that are | ||
| # possible will also need to be coordinated with changes to the apparmor profile | ||
| # as well as to the `CODE_JAIL` Django settings. Accordingly, it's best to just | ||
| # *avoid* making making changes to this part. |
There was a problem hiding this comment.
Suggested change
| # *avoid* making making changes to this part. | |
| # *avoid* making changes to this part. |
Comment on lines
+58
to
+59
| # possible will also need to be coordinated with changes to the apparmor profile | ||
| # as well as to the `CODE_JAIL` Django settings. Accordingly, it's best to just |
There was a problem hiding this comment.
You didn't like the idea of providing links/descriptions of where these things live? Is there a doc that notes how all these things hang together and also provides a way to navigate to all the related parts?
| ARG SAND_VENV=/sandbox/venv | ||
| # Sandbox user account | ||
| # The OS account that will run code executions, described just as "the sandbox |
There was a problem hiding this comment.
Is "OS account" different than a "user account"? Why does "user account" seem more recognizable to me? Is "OS user account" a different thing, or a better term that adds what you want, but retains "user"?
Note: Later you have a comment that includes "...switch to app user..." it would be great if the term "user" could appear in the initial comment for consistency.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Also, some cleanup:
GITHUB_REPOtoAPP_REPOandVERSIONtoAPP_VERSIONto help distinguish from sandbox argsPYVERtoAPP_PY_VERfor clarity