Changes to code sandbox config

* Don't specify sandbox group (will be same as sandbox user) * Don't manually create sandbox venv directory * Move the initial sandbox setup out of deploy.yml to main.yml * Factor out when: EDXAPP_CODE_SANDBOX to include * Put profile into complain mode when installing instead of disabling altogether * Add validate= to sudoer template module task * Use chdir= instead of cd in command * Use change_when on shell module

Changes to code sandbox config
* Don't specify sandbox group (will be same as sandbox user) * Don't manually create sandbox venv directory * Move the initial sandbox setup out of deploy.yml to main.yml * Factor out when: EDXAPP_CODE_SANDBOX to include * Put profile into complain mode when installing instead of disabling altogether * Add validate= to sudoer template module task * Use chdir= instead of cd in command * Use change_when on shell module
53ec2056 · Jason Bau · e31539e9 · 53ec2056 · 53ec2056 · 53ec2056
Commit 53ec2056 authored Jan 08, 2014 by Jason Bau
Showing with 20 additions and 75 deletions

playbooks/roles/edxapp/defaults/main.yml
+0 -1

playbooks/roles/edxapp/tasks/deploy.yml
+13 -32

playbooks/roles/edxapp/tasks/main.yml
+4 -0

playbooks/roles/edxapp/tasks/python_sandbox_env.yml
+3 -42

No files found.
--- a/playbooks/roles/edxapp/defaults/main.yml
+++ b/playbooks/roles/edxapp/defaults/main.yml
@@ -173,7 +173,6 @@ edxapp_workers:
 # setup for python codejail
 edxapp_sandbox_venv_dir:  '{{ edxapp_venvs_dir }}/edxapp-sandbox'
 edxapp_sandbox_user: 'sandbox'  # I think something about the codejail requires hardcoding this to sandbox:sandbox
-edxapp_sandbox_group: 'sandbox'

 # apparmor command
 edxapp_aa_command: "{% if EDXAPP_SANDBOX_ENFORCE %}aa-enforce{% else %}aa-complain{% endif %}"

--- a/playbooks/roles/edxapp/tasks/deploy.yml
+++ b/playbooks/roles/edxapp/tasks/deploy.yml
@@ -8,9 +8,6 @@
    mode=0644
  tags: deploy

-# Set up the python sandbox execution environment
- include: python_sandbox_env.yml
-
 # Do A Checkout
 - name: edxapp | checkout edx-platform repo into {{edxapp_code_dir}}
  git: dest={{edxapp_code_dir}} repo={{edx_platform_repo}} version={{edx_platform_version}}
@@ -167,7 +164,9 @@
  # Need to use shell rather than pip so that we can maintain the context of our current working directory; some
  # requirements are pathed relative to the edx-platform repo. Using the pip from inside the virtual environment implicitly
  # installs everything into that virtual environment.
-  shell: cd {{ edxapp_code_dir }} && {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
+  shell: >
+    {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
+    chdir={{ edxapp_code_dir }}
  with_items:
  - "{{ repo_requirements_file }}"
  - "{{ github_requirements_file }}"
@@ -184,7 +183,9 @@
  # Need to use shell rather than pip so that we can maintain the context of our current working directory; some
  # requirements are pathed relative to the edx-platform repo. Using the pip from inside the virtual environment implicitly
  # installs everything into that virtual environment.
-  shell: cd {{ edxapp_code_dir }} && {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
+  shell: >
+    {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
+    chdir={{ edxapp_code_dir }}
  with_items:
  - "{{ sandbox_base_requirements }}"
  - "{{ sandbox_local_requirements }}"
@@ -201,15 +202,9 @@

 # need to disable this profile, otherwise the pip inside the sandbox venv has no permissions
 # to install anything
- name: edxapp | code sandbox | disable apparmor profile for code sandbox
-  shell: "{{ item }}"
-  with_items:
-    - "ln -s /etc/apparmor.d/code.sandbox /etc/apparmor.d/disable/"
-    - "apparmor_parser -R /etc/apparmor.d/code.sandbox"
+- name: edxapp | code sandbox | put sandbox apparmor profile in complain mode
+  command: /usr/sbin/aa-complain /etc/apparmor.d/code.sandbox
  when: EDXAPP_PYTHON_SANDBOX
-  notify:
-  - "edxapp | restart edxapp"
-  - "edxapp | restart edxapp_workers"
  tags:
  - deploy
  - edxapp-sandbox
@@ -221,6 +216,7 @@
    state=present
    extra_args="-i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors"
  sudo_user: "{{ edxapp_sandbox_user }}"
+  when: EDXAPP_PYTHON_SANDBOX
  notify:
  - "edxapp | restart edxapp"
  - "edxapp | restart edxapp_workers"
@@ -230,27 +226,15 @@

 - name: edxapp | code sandbox | Install sandbox requirements into sandbox venv
  shell: >
-    cd {{ edxapp_code_dir }} &&
-    {{ edxapp_sandbox_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors
-    -r {{ item }}
+    {{ edxapp_sandbox_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
+    chdir={{ edxapp_code_dir }}
  with_items:
  - "{{ sandbox_local_requirements }}"
  - "{{ sandbox_post_requirements }}"
  sudo_user: "{{ edxapp_sandbox_user }}"
  when: EDXAPP_PYTHON_SANDBOX
-  notify:
-  - "edxapp | restart edxapp"
-  - "edxapp | restart edxapp_workers"
-  tags:
-  - deploy
-  - edxapp-sandbox
-
- name: edxapp | code sandbox | re-enable apparmor profile for code sandbox
-  shell: "{{ item }}"
-  with_items:
-    - "unlink /etc/apparmor.d/disable/code.sandbox"
-    - "apparmor_parser -r /etc/apparmor.d/code.sandbox"
-  when: EDXAPP_PYTHON_SANDBOX
+  register: sandbox_install_output
+  changed_when: 'installed' in sandbox_install_output
  notify:
  - "edxapp | restart edxapp"
  - "edxapp | restart edxapp_workers"
@@ -261,9 +245,6 @@
 - name: edxapp | code sandbox | put code sandbox into aa-enforce or aa-complain mode, depending on EDXAPP_SANDBOX_ENFORCE
  command: /usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
  when: EDXAPP_PYTHON_SANDBOX
-  notify:
-  - "edxapp | restart edxapp"
-  - "edxapp | restart edxapp_workers"
  tags:
  - deploy
  - edxapp-sandbox

--- a/playbooks/roles/edxapp/tasks/main.yml
+++ b/playbooks/roles/edxapp/tasks/main.yml
@@ -68,6 +68,10 @@
    mode=0750
  with_items: service_variants_enabled

+# Set up the python sandbox execution environment
+- include: python_sandbox_env.yml
+  when: EDXAPP_PYTHON_SANDBOX
+
 - include: deploy.yml

 - name: edxapp | create a symlink for venv python

--- a/playbooks/roles/edxapp/tasks/python_sandbox_env.yml
+++ b/playbooks/roles/edxapp/tasks/python_sandbox_env.yml
- name: edxapp | code sandbox | Create edxapp sandbox group
-  group: name={{ edxapp_sandbox_group }}
-  when: EDXAPP_PYTHON_SANDBOX
-  notify:
-  - "edxapp | restart edxapp"
-  - "edxapp | restart edxapp_workers"
-  tags:
-  - edxapp-sandbox
-  - deploy
-
 - name: edxapp | code sandbox | Create edxapp sandbox user
-  user: name={{ edxapp_sandbox_user }} group={{ edxapp_sandbox_group }} shell=/bin/false home={{ edxapp_sandbox_venv_dir }}
-  when: EDXAPP_PYTHON_SANDBOX
-  notify:
-  - "edxapp | restart edxapp"
-  - "edxapp | restart edxapp_workers"
-  tags:
-  - edxapp-sandbox
-  - deploy
-
- name: edxapp | code sandbox | Create edxapp sandbox virtual env directory
-  file: >
-    path="{{ edxapp_sandbox_venv_dir }}"
-    state=directory
-    owner=root
-    group=root
-    mode=0755
-  when: EDXAPP_PYTHON_SANDBOX
+  user: name={{ edxapp_sandbox_user }} group={{ edxapp_sandbox_user }} shell=/bin/false home={{ edxapp_sandbox_venv_dir }}
  notify:
  - "edxapp | restart edxapp"
  - "edxapp | restart edxapp_workers"
  tags:
  - edxapp-sandbox
-  - deploy

- name: edxapp | code sandbox | Install apparmor system pkg
+- name: edxapp | code sandbox | Install apparmor utils system pkg
  apt: pkg=apparmor-utils state=present
-  when: EDXAPP_PYTHON_SANDBOX
  notify:
  - "edxapp | restart edxapp"
  - "edxapp | restart edxapp_workers"
  tags:
  - edxapp-sandbox
-  - deploy

 - name: edxapp | code sandbox | write out apparmor code sandbox config
  template: src=code.sandbox.j2 dest=/etc/apparmor.d/code.sandbox mode=0644 owner=root group=root
-  when: EDXAPP_PYTHON_SANDBOX
  notify:
  - "edxapp | restart edxapp"
  - "edxapp | restart edxapp_workers"
  tags:
  - edxapp-sandbox
-  - deploy

 - name: edxapp | code sandbox | write out sandbox user sudoers config
-  template: src=95-sandbox-sudoer.j2 dest=/etc/sudoers.d/95-{{ edxapp_sandbox_user }} mode=0440 owner=root group=root
-  when: EDXAPP_PYTHON_SANDBOX
+  template: src=95-sandbox-sudoer.j2 dest=/etc/sudoers.d/95-{{ edxapp_sandbox_user }} mode=0440 owner=root group=root validate='visudo -c -f %s'
  notify:
  - "edxapp | restart edxapp"
  - "edxapp | restart edxapp_workers"
  tags:
  - edxapp-sandbox
-  - deploy

 # we boostrap and enable the apparmor service here.  in deploy.yml we disable, deploy, then re-enable
 # so we need to enable it in main.yml
 - name: edxapp | code sandbox | start apparmor service
  service: name=apparmor state=started
-  when: EDXAPP_PYTHON_SANDBOX
  notify:
  - "edxapp | restart edxapp"
  - "edxapp | restart edxapp_workers"
  tags:
  - edxapp-sandbox
-  - deploy

 - name: edxapp | code sandbox | (bootstrap) load code sandbox profile
  command: apparmor_parser -r /etc/apparmor.d/code.sandbox
-  when: EDXAPP_PYTHON_SANDBOX
  notify:
  - "edxapp | restart edxapp"
  - "edxapp | restart edxapp_workers"
  tags:
  - edxapp-sandbox
-  - deploy

 - name: edxapp | code sandbox | (bootstrap) put code sandbox into aa-enforce or aa-complain mode depending on EDXAPP_SANDBOX_ENFORCE
  command: /usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
-  when: EDXAPP_PYTHON_SANDBOX
  notify:
  - "edxapp | restart edxapp"
  - "edxapp | restart edxapp_workers"
  tags:
  - edxapp-sandbox
-  - deploy