Rework code sandbox stuff to be more like master version

playbooks/roles/edxapp/defaults/main.yml

@@ -106,14 +106,12 @@ EDXAPP_ENV_EXTRA: {}
 EDXAPP_AUTH_EXTRA: {}
 EDXAPP_MKTG_URL_LINK_MAP: {}
 
-# whether to setup the python sandbox or not
+# whether to setup the python codejail or not
 EDXAPP_PYTHON_SANDBOX: false
-EDXAPP_SANDBOX_VENV_DIR:  '{{ edxapp_venvs_dir }}/edxapp-sandbox'
-EDXAPP_SANDBOX_USER: 'sandbox'
-EDXAPP_SANDBOX_GROUP: 'sandbox'
 # this next setting, if true, turns on actual sandbox enforcement.  If not true,
 # it puts the sandbox in 'complain' mode, for reporting but not enforcement
 EDXAPP_SANDBOX_ENFORCE: true
+
 EDXAPP_USER: 'www-data'
 COMMON_WEB_GROUP: 'www-data'
 
@@ -163,6 +161,13 @@ edxapp_workers:
     service_variant: lms
     concurrency: 2
 
+# setup for python codejail
+edxapp_sandbox_venv_dir:  '{{ edxapp_venvs_dir }}/edxapp-sandbox'
+edxapp_sandbox_user: 'sandbox'  # I think something about the codejail requires hardcoding this to sandbox:sandbox
+
+# apparmor command
+edxapp_aa_command: "{% if EDXAPP_SANDBOX_ENFORCE %}aa-enforce{% else %}aa-complain{% endif %}"
+
 # Requirement files we explicitely
 # check for changes before attempting
 # to update the venv
@@ -355,6 +360,14 @@ lms_auth_config:
 
 lms_env_config:
   <<: *edxapp_generic_env
+  'CODE_JAIL':
+    # from https://github.com/edx/codejail/blob/master/codejail/django_integration.py#L24, '' should be same as None
+    'python_bin': '{% if EDXAPP_PYTHON_SANDBOX %}{{ edxapp_sandbox_venv_dir }}/bin/python{% endif %}'
+    'limits':
+      'VMEM': 0
+      'REALTIME': 5
+    'user': '{{ edxapp_sandbox_user }}'
+
 cms_auth_config:
   <<: *edxapp_generic_auth
 cms_env_config:
@@ -371,8 +384,6 @@ lms_preview_env_config:
 # install dir for the edx-platform repo
 edxapp_code_dir: "{{ edxapp_app_dir }}/edx-platform"
 
-# sandbox command
-edxapp_aa_command: "{% if EDXAPP_SANDBOX_ENFORCE %}aa-enforce{% else %}aa-complain{% endif %}"
 
 # gunicorn ports/hosts, these shouldn't need to be overridden
 edxapp_cms_gunicorn_port: 8010
@@ -429,9 +440,6 @@ sandbox_base_requirements:  "{{ edxapp_code_dir }}/requirements/edx-sandbox/base
 sandbox_local_requirements: "{{ edxapp_code_dir }}/requirements/edx-sandbox/local.txt"
 sandbox_post_requirements:  "{{ edxapp_code_dir }}/requirements/edx-sandbox/post.txt"
 
-#do we want to install the sandbox requirements into the regular virtual env
-install_sandbox_reqs_into_regular_venv: true
-
 edxapp_debian_pkgs:
   - npm
   # for compiling the virtualenv

playbooks/roles/edxapp/tasks/deploy.yml

@@ -161,7 +161,9 @@
   # Need to use shell rather than pip so that we can maintain the context of our current working directory; some
   # requirements are pathed relative to the edx-platform repo. Using the pip from inside the virtual environment implicitly
   # installs everything into that virtual environment.
-  shell: cd {{ edxapp_code_dir }} && {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
+  shell: >
+    {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
+    chdir={{ edxapp_code_dir }}
   with_items:
   - "{{ repo_requirements_file }}"
   - "{{ github_requirements_file }}"
@@ -178,7 +180,9 @@
   # Need to use shell rather than pip so that we can maintain the context of our current working directory; some
   # requirements are pathed relative to the edx-platform repo. Using the pip from inside the virtual environment implicitly
   # installs everything into that virtual environment.
-  shell: cd {{ edxapp_code_dir }} && {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
+  shell: >
+    {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
+    chdir={{ edxapp_code_dir }}
   with_items:
   - "{{ sandbox_base_requirements }}"
   - "{{ sandbox_local_requirements }}"
@@ -191,43 +195,51 @@
   - "edxapp | restart edxapp_workers"
   tags: deploy
 
+# The next few tasks set up the python code sandbox
+
 # need to disable this profile, otherwise the pip inside the sandbox venv has no permissions
 # to install anything
-- name: disable apparmor profile for code sandbox
-  shell: "{{ item }}"
-  with_items:
-    - "ln -s /etc/apparmor.d/code.sandbox /etc/apparmor.d/disable/"
-    - "apparmor_parser -R /etc/apparmor.d/code.sandbox"
+- name: edxapp | code sandbox | put sandbox apparmor profile in complain mode
+  command: /usr/sbin/aa-complain /etc/apparmor.d/code.sandbox
   when: EDXAPP_PYTHON_SANDBOX
   tags:
   - deploy
   - edxapp-sandbox
 
-- name: Install sandbox requirements into sandbox venv
-  shell: >
-    cd {{ edxapp_code_dir }} &&
-    {{ EDXAPP_SANDBOX_VENV_DIR }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors
-    -r {{ item }}
-  with_items:
-  - "{{ sandbox_base_requirements }}"
-  - "{{ sandbox_local_requirements }}"
-  - "{{ sandbox_post_requirements }}"
+- name: edxapp | code sandbox | Install base sandbox requirements and create sandbox virtualenv
+  pip: >
+    requirements="{{sandbox_base_requirements}}"
+    virtualenv="{{edxapp_sandbox_venv_dir}}"
+    state=present
+    extra_args="-i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors"
+  sudo_user: "{{ edxapp_sandbox_user }}"
   when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
   tags:
   - deploy
   - edxapp-sandbox
 
-- name: re-enable apparmor profile for code sandbox
-  shell: "{{ item }}"
+- name: edxapp | code sandbox | Install sandbox requirements into sandbox venv
+  shell: >
+    {{ edxapp_sandbox_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
+    chdir={{ edxapp_code_dir }}
   with_items:
-    - "unlink /etc/apparmor.d/disable/code.sandbox"
-    - "apparmor_parser -r /etc/apparmor.d/code.sandbox"
+  - "{{ sandbox_local_requirements }}"
+  - "{{ sandbox_post_requirements }}"
+  sudo_user: "{{ edxapp_sandbox_user }}"
   when: EDXAPP_PYTHON_SANDBOX
+  register: sandbox_install_output
+  changed_when: "'installed' in sandbox_install_output"
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
   tags:
   - deploy
   - edxapp-sandbox
 
-- name: put code sandbox into aa-enforce or aa-complain mode, depending on EDXAPP_SANDBOX_ENFORCE
+- name: edxapp | code sandbox | put code sandbox into aa-enforce or aa-complain mode, depending on EDXAPP_SANDBOX_ENFORCE
   command: /usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
   when: EDXAPP_PYTHON_SANDBOX
   tags:

playbooks/roles/edxapp/tasks/main.yml

@@ -77,72 +77,9 @@
     owner={{ edxapp_user }}  group={{ common_web_user }}
     mode=0644
 
-- name: Create edxapp sandbox group
-  group: name={{ EDXAPP_SANDBOX_GROUP }}
+# Set up the python sandbox execution environment
+- include: python_sandbox_env.yml
   when: EDXAPP_PYTHON_SANDBOX
-  tags:
-  - edxapp-sandbox
-
-- name: Create edxapp sandbox user
-  user: name={{ EDXAPP_SANDBOX_USER }} group={{ EDXAPP_SANDBOX_GROUP }} shell=/bin/false home={{ EDXAPP_SANDBOX_VENV_DIR }}
-  when: EDXAPP_PYTHON_SANDBOX
-  tags:
-  - edxapp-sandbox
-
-- name: Create edxapp sandbox virtual env directory
-  file: >
-    path="{{ EDXAPP_SANDBOX_VENV_DIR }}"
-    state=directory
-    owner=root
-    group=root
-    mode=0755
-  when: EDXAPP_PYTHON_SANDBOX
-  tags:
-  - edxapp-sandbox
-
-- name: Create edxapp sandbox virtualenv
-  command: /usr/local/bin/virtualenv {{ EDXAPP_SANDBOX_VENV_DIR }} --distribute creates={{ EDXAPP_SANDBOX_VENV_DIR }}/bin/activate
-  when: EDXAPP_PYTHON_SANDBOX
-  tags:
-  - edxapp-sandbox
-
-- name: Install apparmor system pkg
-  apt: pkg=apparmor-utils state=present
-  when: EDXAPP_PYTHON_SANDBOX
-  tags:
-   edxapp-sandbox
-
-- name: write out apparmor code sandbox config
-  template: src=code.sandbox.j2 dest=/etc/apparmor.d/code.sandbox mode=0644 owner=root group=root
-  when: EDXAPP_PYTHON_SANDBOX
-  tags:
-  - edxapp-sandbox
-
-- name: write out sandbox user sudoers config
-  template: src=95-sandbox-sudoer.j2 dest=/etc/sudoers.d/95-{{ EDXAPP_SANDBOX_USER }} mode=0440 owner=root group=root
-  when: EDXAPP_PYTHON_SANDBOX
-  tags:
-  - edxapp-sandbox
-
-# we boostrap and enable the apparmor service here.  in deploy.yml we disable, deploy, then re-enable
-# so we need to enable it in main.yml
-- name: start apparmor service
-  service: name=apparmor state=started
-  when: EDXAPP_PYTHON_SANDBOX
-  tags:
-  - edxapp-sandbox
-
-- name: (bootstrap) load code sandbox profile
-  command: apparmor_parser -r /etc/apparmor.d/code.sandbox
-  when: EDXAPP_PYTHON_SANDBOX
-  tags:
-  - edxapp-sandbox
-
-- name: (bootstrap) put code sandbox into aa-enforce or aa-complain mode depending on EDXAPP_SANDBOX_ENFORCE
-  command: /usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
-  when: EDXAPP_PYTHON_SANDBOX
-  tags:
-  - edxapp-sandbox
 
 - include: deploy.yml
 

playbooks/roles/edxapp/tasks/python_sandbox_env.yml

+- name: edxapp | code sandbox | Create edxapp sandbox user
+  user: name={{ edxapp_sandbox_user }} shell=/bin/false home={{ edxapp_sandbox_venv_dir }}
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+
+- name: edxapp | code sandbox | Install apparmor utils system pkg
+  apt: pkg=apparmor-utils state=present
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+
+- name: edxapp | code sandbox | write out apparmor code sandbox config
+  template: src=code.sandbox.j2 dest=/etc/apparmor.d/code.sandbox mode=0644 owner=root group=root
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+
+- name: edxapp | code sandbox | write out sandbox user sudoers config
+  template: src=95-sandbox-sudoer.j2 dest=/etc/sudoers.d/95-{{ edxapp_sandbox_user }} mode=0440 owner=root group=root validate='visudo -c -f %s'
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+
+# we boostrap and enable the apparmor service here.  in deploy.yml we disable, deploy, then re-enable
+# so we need to enable it in main.yml
+- name: edxapp | code sandbox | start apparmor service
+  service: name=apparmor state=started
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+
+- name: edxapp | code sandbox | (bootstrap) load code sandbox profile
+  command: apparmor_parser -r /etc/apparmor.d/code.sandbox
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+
+- name: edxapp | code sandbox | (bootstrap) put code sandbox into aa-enforce or aa-complain mode depending on EDXAPP_SANDBOX_ENFORCE
+  command: /usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox

playbooks/roles/edxapp/templates/95-sandbox-sudoer.j2

-{{ EDXAPP_USER }} ALL=({{ EDXAPP_SANDBOX_USER }})  SETENV:NOPASSWD:{{ EDXAPP_SANDBOX_VENV_DIR }}/bin/python
-{{ EDXAPP_USER }} ALL=(ALL) NOPASSWD:/bin/kill
-{{ EDXAPP_USER }} ALL=(ALL) NOPASSWD:/usr/bin/pkill
+{{ edxapp_user }} ALL=({{ edxapp_sandbox_user }})  SETENV:NOPASSWD:{{ EDXAPP_SANDBOX_VENV_DIR }}/bin/python
+{{ edxapp_user }} ALL=(ALL) NOPASSWD:/bin/kill
+{{ edxapp_user }} ALL=(ALL) NOPASSWD:/usr/bin/pkill

playbooks/roles/edxapp/templates/code.sandbox.j2

 #include <tunables/global>
 
-{{ EDXAPP_SANDBOX_VENV_DIR }}/bin/python flags=(complain) {
+{{ edxapp_sandbox_venv_dir }}/bin/python flags=(complain) {
     #include <abstractions/base>
 
-    {{ EDXAPP_SANDBOX_VENV_DIR }}/** mr,
+    {{ edxapp_sandbox_venv_dir }}/** mr,
     {{ edxapp_code_dir }}/common/lib/sandbox-packages/** r,
     /tmp/codejail-*/ rix,
     /tmp/codejail-*/** rix,