OpenEdx
configuration
Commits
830e9acb
Commit
830e9acb
authored
Jan 08, 2014
by
Jason Bau
Rework code sandbox stuff to be more like master version
parent
aef730a0
Showing
6 changed files
with
114 additions
and
100 deletions
+114
-100
playbooks/roles/edxapp/defaults/main.yml
+17
-9
playbooks/roles/edxapp/tasks/deploy.yml
+33
-21
playbooks/roles/edxapp/tasks/main.yml
+2
-65
playbooks/roles/edxapp/tasks/python_sandbox_env.yml
+57
-0
playbooks/roles/edxapp/templates/95-sandbox-sudoer.j2
+3
-3
playbooks/roles/edxapp/templates/code.sandbox.j2
+2
-2
playbooks/roles/edxapp/defaults/main.yml
...
...
@@ -106,14 +106,12 @@ EDXAPP_ENV_EXTRA: {}
EDXAPP_AUTH_EXTRA
:
{}
EDXAPP_MKTG_URL_LINK_MAP
:
{}
# whether to setup the python
sandbox
or not
# whether to setup the python
codejail
or not
EDXAPP_PYTHON_SANDBOX
:
false
EDXAPP_SANDBOX_VENV_DIR
:
'
{{
edxapp_venvs_dir
}}/edxapp-sandbox'
EDXAPP_SANDBOX_USER
:
'
sandbox'
EDXAPP_SANDBOX_GROUP
:
'
sandbox'
# this next setting, if true, turns on actual sandbox enforcement. If not true,
# it puts the sandbox in 'complain' mode, for reporting but not enforcement
EDXAPP_SANDBOX_ENFORCE
:
true
EDXAPP_USER
:
'
www-data'
COMMON_WEB_GROUP
:
'
www-data'
...
...
@@ -163,6 +161,13 @@ edxapp_workers:
service_variant
:
lms
concurrency
:
2
# setup for python codejail
edxapp_sandbox_venv_dir
:
'
{{
edxapp_venvs_dir
}}/edxapp-sandbox'
edxapp_sandbox_user
:
'
sandbox'
# I think something about the codejail requires hardcoding this to sandbox:sandbox
# apparmor command
edxapp_aa_command
:
"
{%
if
EDXAPP_SANDBOX_ENFORCE
%}aa-enforce{%
else
%}aa-complain{%
endif
%}"
# Requirement files we explicitely
# check for changes before attempting
# to update the venv
...
...
@@ -355,6 +360,14 @@ lms_auth_config:
lms_env_config
:
<<
:
*edxapp_generic_env
'
CODE_JAIL'
:
# from https://github.com/edx/codejail/blob/master/codejail/django_integration.py#L24, '' should be same as None
'
python_bin'
:
'
{%
if
EDXAPP_PYTHON_SANDBOX
%}{{
edxapp_sandbox_venv_dir
}}/bin/python{%
endif
%}'
'
limits'
:
'
VMEM'
:
0
'
REALTIME'
:
5
'
user'
:
'
{{
edxapp_sandbox_user
}}'
cms_auth_config
:
<<
:
*edxapp_generic_auth
cms_env_config
:
...
...
@@ -371,8 +384,6 @@ lms_preview_env_config:
# install dir for the edx-platform repo
edxapp_code_dir
:
"
{{
edxapp_app_dir
}}/edx-platform"
# sandbox command
edxapp_aa_command
:
"
{%
if
EDXAPP_SANDBOX_ENFORCE
%}aa-enforce{%
else
%}aa-complain{%
endif
%}"
# gunicorn ports/hosts, these shouldn't need to be overridden
edxapp_cms_gunicorn_port
:
8010
...
...
@@ -429,9 +440,6 @@ sandbox_base_requirements: "{{ edxapp_code_dir }}/requirements/edx-sandbox/base
sandbox_local_requirements
:
"
{{
edxapp_code_dir
}}/requirements/edx-sandbox/local.txt"
sandbox_post_requirements
:
"
{{
edxapp_code_dir
}}/requirements/edx-sandbox/post.txt"
#do we want to install the sandbox requirements into the regular virtual env
install_sandbox_reqs_into_regular_venv
:
true
edxapp_debian_pkgs
:
-
npm
# for compiling the virtualenv
...
...
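Review bot: The new `CODE_JAIL` limits under `lms_env_config` set `VMEM: 0` with no comment while `REALTIME: 5` is a hard cap; if codejail treats 0 as "no limit" for this key (confirm against the codejail `jail_code` limit defaults rather than assuming), sandboxed student code runs with no address-space ceiling and the only thing bounding its memory use is whatever AppArmor and the OS already impose. Document the choice so the asymmetry is deliberate, e.g. `# VMEM 0 = no address-space limit in codejail; set a byte value to cap sandboxed code`, or choose an explicit limit. The comment `# I think something about the codejail requires hardcoding this to sandbox:sandbox` above `edxapp_sandbox_user` records a guess rather than a fact; now that the sudoers and AppArmor templates take the account from `edxapp_sandbox_user`, either confirm the constraint and state it plainly or drop the comment. The `lms_env_config` mapping continues outside the hunk.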
playbooks/roles/edxapp/tasks/deploy.yml
...
...
@@ -161,7 +161,9 @@
# Need to use shell rather than pip so that we can maintain the context of our current working directory; some
# requirements are pathed relative to the edx-platform repo. Using the pip from inside the virtual environment implicitly
# installs everything into that virtual environment.
shell
:
cd {{ edxapp_code_dir }} && {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
shell
:
>
{{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
chdir={{ edxapp_code_dir }}
with_items
:
-
"
{{
repo_requirements_file
}}"
-
"
{{
github_requirements_file
}}"
...
...
@@ -178,7 +180,9 @@
# Need to use shell rather than pip so that we can maintain the context of our current working directory; some
# requirements are pathed relative to the edx-platform repo. Using the pip from inside the virtual environment implicitly
# installs everything into that virtual environment.
shell
:
cd {{ edxapp_code_dir }} && {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
shell
:
>
{{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
chdir={{ edxapp_code_dir }}
with_items
:
-
"
{{
sandbox_base_requirements
}}"
-
"
{{
sandbox_local_requirements
}}"
...
...
@@ -191,43 +195,51 @@
-
"
edxapp
|
restart
edxapp_workers"
tags
:
deploy
# The next few tasks set up the python code sandbox
# need to disable this profile, otherwise the pip inside the sandbox venv has no permissions
# to install anything
-
name
:
disable apparmor profile for code sandbox
shell
:
"
{{
item
}}"
with_items
:
-
"
ln
-s
/etc/apparmor.d/code.sandbox
/etc/apparmor.d/disable/"
-
"
apparmor_parser
-R
/etc/apparmor.d/code.sandbox"
-
name
:
edxapp | code sandbox | put sandbox apparmor profile in complain mode
command
:
/usr/sbin/aa-complain /etc/apparmor.d/code.sandbox
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
-
deploy
-
edxapp-sandbox
-
name
:
Install sandbox requirements into sandbox venv
shell
:
>
cd {{ edxapp_code_dir }} &&
{{ EDXAPP_SANDBOX_VENV_DIR }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors
-r {{ item }}
with_items
:
-
"
{{
sandbox_base_requirements
}}"
-
"
{{
sandbox_local_requirements
}}"
-
"
{{
sandbox_post_requirements
}}"
-
name
:
edxapp | code sandbox | Install base sandbox requirements and create sandbox virtualenv
pip
:
>
requirements="{{sandbox_base_requirements}}"
virtualenv="{{edxapp_sandbox_venv_dir}}"
state=present
extra_args="-i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors"
sudo_user
:
"
{{
edxapp_sandbox_user
}}"
when
:
EDXAPP_PYTHON_SANDBOX
notify
:
-
"
edxapp
|
restart
edxapp"
-
"
edxapp
|
restart
edxapp_workers"
tags
:
-
deploy
-
edxapp-sandbox
-
name
:
re-enable apparmor profile for code sandbox
shell
:
"
{{
item
}}"
-
name
:
edxapp | code sandbox | Install sandbox requirements into sandbox venv
shell
:
>
{{ edxapp_sandbox_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
chdir={{ edxapp_code_dir }}
with_items
:
-
"
unlink
/etc/apparmor.d/disable/code.sandbox"
-
"
apparmor_parser
-r
/etc/apparmor.d/code.sandbox"
-
"
{{
sandbox_local_requirements
}}"
-
"
{{
sandbox_post_requirements
}}"
sudo_user
:
"
{{
edxapp_sandbox_user
}}"
when
:
EDXAPP_PYTHON_SANDBOX
register
:
sandbox_install_output
changed_when
:
"
'installed'
in
sandbox_install_output"
notify
:
-
"
edxapp
|
restart
edxapp"
-
"
edxapp
|
restart
edxapp_workers"
tags
:
-
deploy
-
edxapp-sandbox
-
name
:
put code sandbox into aa-enforce or aa-complain mode, depending on EDXAPP_SANDBOX_ENFORCE
-
name
:
edxapp | code sandbox |
put code sandbox into aa-enforce or aa-complain mode, depending on EDXAPP_SANDBOX_ENFORCE
command
:
/usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
...
...
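Review bot: Running both sandbox pip tasks with `sudo_user: "{{ edxapp_sandbox_user }}"` means the virtualenv the pip module creates (inside `edxapp_sandbox_venv_dir`, which python_sandbox_env.yml also makes that account's home directory) is owned and writable by the same account that executes untrusted code; the removed main.yml task created that directory as `owner=root group=root mode=0755`, so this commit drops that defence in depth and only the AppArmor profile's `** mr` rule — not enforced between the aa-complain task and the final `edxapp_aa_command` task, nor when `EDXAPP_SANDBOX_ENFORCE` is false — keeps the interpreter and site-packages from being modified by sandboxed code. Consider creating the venv and installing as root with the tree left root-owned and world-readable, or adding `file: path="{{ edxapp_sandbox_venv_dir }}" owner=root group=root recurse=yes state=directory` after the install tasks and before the enforce step. Separately, `changed_when: "'installed' in sandbox_install_output"` tests membership in the registered result's keys rather than in its output, so it is presumably never true and the restart handlers never fire from that task; it should read `changed_when: "'installed' in sandbox_install_output.stdout"`. The same ownership concern applies to the `user` task in python_sandbox_env.yml, and the task list continues outside the hunk.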
playbooks/roles/edxapp/tasks/main.yml
...
...
@@ -77,72 +77,9 @@
owner={{ edxapp_user }} group={{ common_web_user }}
mode=0644
-
name
:
Create edxapp sandbox group
group
:
name={{ EDXAPP_SANDBOX_GROUP }}
# Set up the python sandbox execution environment
-
include
:
python_sandbox_env.yml
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
-
edxapp-sandbox
-
name
:
Create edxapp sandbox user
user
:
name={{ EDXAPP_SANDBOX_USER }} group={{ EDXAPP_SANDBOX_GROUP }} shell=/bin/false home={{ EDXAPP_SANDBOX_VENV_DIR }}
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
-
edxapp-sandbox
-
name
:
Create edxapp sandbox virtual env directory
file
:
>
path="{{ EDXAPP_SANDBOX_VENV_DIR }}"
state=directory
owner=root
group=root
mode=0755
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
-
edxapp-sandbox
-
name
:
Create edxapp sandbox virtualenv
command
:
/usr/local/bin/virtualenv {{ EDXAPP_SANDBOX_VENV_DIR }} --distribute creates={{ EDXAPP_SANDBOX_VENV_DIR }}/bin/activate
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
-
edxapp-sandbox
-
name
:
Install apparmor system pkg
apt
:
pkg=apparmor-utils state=present
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
edxapp-sandbox
-
name
:
write out apparmor code sandbox config
template
:
src=code.sandbox.j2 dest=/etc/apparmor.d/code.sandbox mode=0644 owner=root group=root
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
-
edxapp-sandbox
-
name
:
write out sandbox user sudoers config
template
:
src=95-sandbox-sudoer.j2 dest=/etc/sudoers.d/95-{{ EDXAPP_SANDBOX_USER }} mode=0440 owner=root group=root
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
-
edxapp-sandbox
# we boostrap and enable the apparmor service here. in deploy.yml we disable, deploy, then re-enable
# so we need to enable it in main.yml
-
name
:
start apparmor service
service
:
name=apparmor state=started
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
-
edxapp-sandbox
-
name
:
(bootstrap) load code sandbox profile
command
:
apparmor_parser -r /etc/apparmor.d/code.sandbox
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
-
edxapp-sandbox
-
name
:
(bootstrap) put code sandbox into aa-enforce or aa-complain mode depending on EDXAPP_SANDBOX_ENFORCE
command
:
/usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
when
:
EDXAPP_PYTHON_SANDBOX
tags
:
-
edxapp-sandbox
-
include
:
deploy.yml
...
...
playbooks/roles/edxapp/tasks/python_sandbox_env.yml
0 → 100644
-
name
:
edxapp | code sandbox | Create edxapp sandbox user
user
:
name={{ edxapp_sandbox_user }} shell=/bin/false home={{ edxapp_sandbox_venv_dir }}
notify
:
-
"
edxapp
|
restart
edxapp"
-
"
edxapp
|
restart
edxapp_workers"
tags
:
-
edxapp-sandbox
-
name
:
edxapp | code sandbox | Install apparmor utils system pkg
apt
:
pkg=apparmor-utils state=present
notify
:
-
"
edxapp
|
restart
edxapp"
-
"
edxapp
|
restart
edxapp_workers"
tags
:
-
edxapp-sandbox
-
name
:
edxapp | code sandbox | write out apparmor code sandbox config
template
:
src=code.sandbox.j2 dest=/etc/apparmor.d/code.sandbox mode=0644 owner=root group=root
notify
:
-
"
edxapp
|
restart
edxapp"
-
"
edxapp
|
restart
edxapp_workers"
tags
:
-
edxapp-sandbox
-
name
:
edxapp | code sandbox | write out sandbox user sudoers config
template
:
src=95-sandbox-sudoer.j2 dest=/etc/sudoers.d/95-{{ edxapp_sandbox_user }} mode=0440 owner=root group=root validate='visudo -c -f %s'
notify
:
-
"
edxapp
|
restart
edxapp"
-
"
edxapp
|
restart
edxapp_workers"
tags
:
-
edxapp-sandbox
# we boostrap and enable the apparmor service here. in deploy.yml we disable, deploy, then re-enable
# so we need to enable it in main.yml
-
name
:
edxapp | code sandbox | start apparmor service
service
:
name=apparmor state=started
notify
:
-
"
edxapp
|
restart
edxapp"
-
"
edxapp
|
restart
edxapp_workers"
tags
:
-
edxapp-sandbox
-
name
:
edxapp | code sandbox | (bootstrap) load code sandbox profile
command
:
apparmor_parser -r /etc/apparmor.d/code.sandbox
notify
:
-
"
edxapp
|
restart
edxapp"
-
"
edxapp
|
restart
edxapp_workers"
tags
:
-
edxapp-sandbox
-
name
:
edxapp | code sandbox | (bootstrap) put code sandbox into aa-enforce or aa-complain mode depending on EDXAPP_SANDBOX_ENFORCE
command
:
/usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
notify
:
-
"
edxapp
|
restart
edxapp"
-
"
edxapp
|
restart
edxapp_workers"
tags
:
-
edxapp-sandbox
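Review bot: The comment above the `start apparmor service` task (`# we boostrap and enable the apparmor service here. in deploy.yml we disable, deploy, then re-enable` / `# so we need to enable it in main.yml`) is stale in the new file: deploy.yml no longer disables the profile but moves it to complain mode and back via `edxapp_aa_command`, and this task list now lives in python_sandbox_env.yml rather than main.yml. Suggest `# bootstrap: make sure the apparmor service is running and the code sandbox profile is loaded; deploy.yml later switches the profile between complain and enforce mode`. Every task here, including the `apt` install and the service start, notifies both edxapp restart handlers; a restart is only meaningful after the sudoers or profile templates change, so the notify on the package and service tasks can presumably be dropped. The `user` task no longer passes `group=` now that `EDXAPP_SANDBOX_GROUP` is gone, so the sandbox account's primary group is whatever the user module creates by default; if the codejail or AppArmor side expects `sandbox:sandbox`, state that in the task name or a comment.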
playbooks/roles/edxapp/templates/95-sandbox-sudoer.j2
{{
EDXAPP_USER }} ALL=({{ EDXAPP_SANDBOX_USER
}}) SETENV:NOPASSWD:{{ EDXAPP_SANDBOX_VENV_DIR }}/bin/python
{{
EDXAPP_USER
}} ALL=(ALL) NOPASSWD:/bin/kill
{{
EDXAPP_USER
}} ALL=(ALL) NOPASSWD:/usr/bin/pkill
{{
edxapp_user }} ALL=({{ edxapp_sandbox_user
}}) SETENV:NOPASSWD:{{ EDXAPP_SANDBOX_VENV_DIR }}/bin/python
{{
edxapp_user
}} ALL=(ALL) NOPASSWD:/bin/kill
{{
edxapp_user
}} ALL=(ALL) NOPASSWD:/usr/bin/pkill
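Review bot: The first rewritten sudoers line still uses `{{ EDXAPP_SANDBOX_VENV_DIR }}` for the python path even though this commit renames that variable to `edxapp_sandbox_venv_dir` in defaults/main.yml and removes the upper-case name; depending on the Ansible undefined-variable setting, the template task either fails or renders the command path as `/bin/python`, and the `validate='visudo -c -f %s'` check in python_sandbox_env.yml accepts the latter because the line remains syntactically valid sudoers. It should read `{{ edxapp_user }} ALL=({{ edxapp_sandbox_user }}) SETENV:NOPASSWD:{{ edxapp_sandbox_venv_dir }}/bin/python`. The two `ALL=(ALL) NOPASSWD:` entries for `/bin/kill` and `/usr/bin/pkill` are carried over unchanged and let the web user terminate any process as root; if codejail only needs to stop the sandbox account's processes, restricting the runas to `({{ edxapp_sandbox_user }})` would be tighter, and a comment stating why root is required would help either way.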
playbooks/roles/edxapp/templates/code.sandbox.j2
#include <tunables/global>
{{
EDXAPP_SANDBOX_VENV_DIR
}}/bin/python flags=(complain) {
{{
edxapp_sandbox_venv_dir
}}/bin/python flags=(complain) {
#include <abstractions/base>
{{
EDXAPP_SANDBOX_VENV_DIR
}}/** mr,
{{
edxapp_sandbox_venv_dir
}}/** mr,
{{ edxapp_code_dir }}/common/lib/sandbox-packages/** r,
/tmp/codejail-*/ rix,
/tmp/codejail-*/** rix,
...
...