Codejail plugin for Tutor
Tutor plugin that configures and runs a Codejail Service using a REST API. Codejail allows for the secure execution of untrusted code within sandboxes, providing a safe environment for running potentially dangerous code.
To install the latest version run:
pip install git+https://github.com/edunext/tutor-contrib-codejailYou can install a specific version by adding the tag, branch, or commit:
pip install git+https://github.com/edunext/tutor-contrib-codejail@v18.0.0Enable the plugin with:
tutor plugins enable codejailRun the initialization jobs to install the required AppArmor profile on your host:
tutor config save
tutor local do init --limit codejailFinally, the platform can be run as usual:
tutor local launchPlease remember: If the host is rebooted, the AppArmor profile needs to be reloaded.
To customize the configuration, update the following settings in Tutor:
CODEJAIL_APPARMOR_DOCKER_IMAGE: (default:docker.io/ednxops/codejail_apparmor_loader:latest)CODEJAIL_DOCKER_IMAGE: (default:docker.io/ednxops/codejailservice:{{__version__}})CODEJAIL_ENFORCE_APPARMOR(default:True)CODEJAIL_ENABLE_K8S_DAEMONSET(default:False)CODEJAIL_SKIP_INIT(default:False)CODEJAIL_SANDBOX_PYTHON_VERSION(default:3.8.6)CODEJAIL_EXTRA_PIP_REQUIREMENTS(optional) A list of pip requirements to add to your sandbox.CODEJAIL_SERVICE_VERSION(default:release/redwood.1),CODEJAIL_SERVICE_REPOSITORY(defaulthttps://github.com/edunext/codejailservice.git`)
CODEJAIL_EXTRA_PIP_REQUIREMENTS:
- pybrytIn most cases, you can work with the provided docker image for the release. However, you will need to re-build the docker image when:
. Additional requirements are included in the sandbox via CODEJAIL_EXTRA_PIP_REQUIREMENTS.
- A different version of Python is set for the sandbox environment via CODEJAIL_SANDBOX_PYTHON_VERSION.
- The custom version of edx-platform that changes the contents of requirements/edx-sandbox.
Create a new image running:
# Add the tutor configuration with the custom value
tutor config save \
--set 'CODEJAIL_EXTRA_PIP_REQUIREMENTS=["pybryt"]'
# Build the image
tutor images build codejail| Open edX Release | Tutor Version |
|---|---|
| Lilac | >= 12.x |
| Maple | >= 13.x |
| Nutmeg | >= 14.x |
| Olive | >= 15.x |
| Palm | >= 16.x |
| Quince | >= 17.x |
| Redwood | >= 18.x |
NOTE: For the Open edX version of the Lilac release, the changes required for the Codejail service to interact with edx-platform are
not included in open-release/lilac.master. To use the service with the changes, please review this PR.
The CodeJail service provides a sandbox to run arbitrary code. Security enforcement in the sandbox is done through AppArmor, this means that AppArmor must be installed in the host machine and the provided profile must be loaded.
The plugin provides an init task running a privileged container capable of loading the AppArmor profile onto your machine. This is only compatible with a docker installation.
For Kubernetes environments, ensure each node has AppArmor installed and the profile loaded. Optionally,
set CODEJAIL_ENABLE_K8S_DAEMONSET to True to use a DaemonSet for loading the AppArmor profile,
assuming the nodes are already running AppArmor.
If you choose to run the service without enforcing the AppArmor profile, you can set CODEJAIL_ENFORCE_APPARMOR to False.
More info about this discussion can be found on this issue.
To verify if Codejail is working, use a course with loncapa problems in Studio and check for correct execution.
You can import the provided example course.
Once the course is imported, go to any section and select an exercise (section example), the proper result is:
In this case, the section's content will render correctly and work as specified in the instructions of the problem.
In case you forget to run tutor local do init --limit codejail for AppArmor profile, this error in
Studio will arise:
Error formatting HTML for the problem: cannot create LoncapaProblem block-v1:edX+DemoX+Demo_Course+type@problem+block@integral1: Error while executing script code: Codejail API Service is unavailable. Please try again in a few minutes.
This indicates that the Codejail service is either not turned on or not working properly. Please ensure to follow the steps outlined in the usage section to prevent this issue.
Contributions are welcome! See our CONTRIBUTING file for more information – it also contains guidelines for how to maintain high code quality, which will make your contribution more likely to be accepted.
This software is licensed under the terms of the AGPLv3. See the LICENSE file for details.