removing old workarounds

docker/build/xqwatcher/Dockerfile

+FROM edxops/trusty-common:v3
+MAINTAINER edxops
+
+RUN apt-get update
+ADD . /edx/app/edx_ansible/edx_ansible
+COPY docker/build/xqwatcher/ansible_overrides.yml /
+WORKDIR /edx/app/edx_ansible/edx_ansible/docker/plays
+RUN /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-playbook xqwatcher.yml -i '127.0.0.1,' -c local -t "install:base,install:configuration,install:system-requirements,install:application-requirements,install:code" -e@/ansible_overrides.yml
+WORKDIR /edx/app
+CMD ["/edx/app/supervisor/venvs/supervisor/bin/supervisord", "-n", "--configuration", "/edx/app/supervisor/supervisord.conf"]

docker/build/xqwatcher/ansible_overrides.yml

+---
+FLOCK_TLD: "edx"
+
+# Note that this is currently a non-working exemplar configuration,
+# there isn't a grader provided in the edx-demo-course yet.
+XQWATCHER_COURSES:
+  - COURSE: "demo"
+    GIT_REPO: "https://github.com/edx/edx-demo-course"
+    GIT_REF: "master"
+    QUEUE_NAME: "test-pull"
+    QUEUE_CONFIG:
+      SERVER: "http://xqueue.{{ FLOCK_TLD }}"
+      CONNECTIONS: 2
+      AUTH: ["lms", "password"]
+      HANDLERS:
+        - HANDLER: "xqueue_watcher.jailedgrader.JailedGrader"
+          CODEJAIL:
+            name: "demo"
+            python_bin: "{{ xqwatcher_venv_base }}/demo/bin/python"
+            user: "demo"
+          KWARGS:
+            grader_root: "../data/edx-demo-course/graders/"
+    PYTHON_REQUIREMENTS:
+      - { name: "numpy", version: "1.6.2" }
+      - { name: "lxml", version: "2.3.6" }

docker/plays/xqwatcher.yml

+- name: Deploy xqwatcher
+  hosts: all
+  sudo: True
+  gather_facts: True
+  roles:
+    - common_vars
+    - docker
+    - xqwatcher

playbooks/roles/xqwatcher/defaults/main.yml

@@ -86,7 +86,7 @@ xqwatcher_conf_dir: "{{ xqwatcher_app_dir }}"
 #TODO: remove after refactoring out all the git stuff
 xqwatcher_course_git_ssh_opts: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i {{ xqwatcher_app_dir }}/.ssh/{{ xqwatcher_service_name }}-courses"
 
-xqwatcher_requirements_file: "{{ xqwatcher_code_dir }}/requirements.txt"
+xqwatcher_requirements_file: "{{ xqwatcher_code_dir }}/requirements/production.txt"
 xqwatcher_log_dir: "{{ COMMON_LOG_DIR }}/{{ xqwatcher_service_name }}"
 xqwatcher_module: "xqueue_watcher"
 
@@ -114,6 +114,7 @@ xqwatcher_supervisor_available_dir: "{{ xqwatcher_supervisor_app_dir }}/conf.ava
 #
 
 xqwatcher_debian_pkgs:
+  - apparmor
   - apparmor-utils
 
 xqwatcher_redhat_pkgs: []

playbooks/roles/xqwatcher/tasks/code_jail.yml

@@ -8,6 +8,9 @@
     shell=/bin/false
     home="/dev/null"
   with_items: XQWATCHER_COURSES
+  tags:
+    - install
+    - install:base
 
 #
 # Need to disable aa to update the virutalenv
@@ -17,6 +20,9 @@
     dest="/etc/apparmor.d/code.jail.{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
     mode=0644 owner=root group=root
   with_items: XQWATCHER_COURSES
+  tags:
+    - install
+    - install:base
 
 - name: write out sudoers for watcher
   template: >
@@ -24,15 +30,25 @@
     dest=/etc/sudoers.d/95-xqwatcher-{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.user|replace('.', '') }}
     mode=0440 owner=root group=root validate='visudo -c -f %s'
   with_items: XQWATCHER_COURSES
+  tags:
+    - install
+    - install:base
 
+# see comment below as to why this is skipped.
 - name: put code jail into aa-complain
   command: /usr/sbin/aa-complain "/etc/apparmor.d/code.jail.{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
   with_items: XQWATCHER_COURSES
+  tags:
+    - disable-install
+    - disable-install:base
 
 - name: create jail virtualenv
   shell: >
     /usr/local/bin/virtualenv --no-site-packages {{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}
   with_items: XQWATCHER_COURSES
+  tags:
+    - install
+    - install:base
 
 - name: write out requirements.txt
   template: >
@@ -40,6 +56,9 @@
     dest={{ xqwatcher_app_dir }}/data/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}-requirements.txt
     mode=0440 owner=root group=root
   with_items: XQWATCHER_COURSES
+  tags:
+    - install
+    - install:base
 
 - name: install course specific python requirements
   pip: >
@@ -48,29 +67,45 @@
     state=present
     extra_args="{{ XQWATCHER_PIP_EXTRA_ARGS }}"
   with_items: XQWATCHER_COURSES
+  tags:
+    - install
+    - install:base
 
 - name: give other read permissions to the virtualenv
   shell: >
     chown -R {{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.user }} {{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}
   with_items: XQWATCHER_COURSES
+  tags:
+    - install
+    - install:base
 
 - name: start apparmor service
   service: name=apparmor state=started
+  tags:
+    - manage
 
 - name: load code sandbox profile
   command: apparmor_parser -r "/etc/apparmor.d/code.jail.{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
   with_items: XQWATCHER_COURSES
+  tags:
+    - manage
 
 #
 # Leaves aa in either complain or enforce depending upon the value of the
 # CODE_JAIL_COMPLAIN var.  Complain mode should never be run in an
 # environment where untrusted users can submit code
-- name: put code jail into aa-complain
-  command: /usr/sbin/aa-complain "/etc/apparmor.d/code.jail.{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
-  when: CODE_JAIL_COMPLAIN|bool
-  with_items: XQWATCHER_COURSES
+#- name: put code jail into aa-complain
+#   command: /usr/sbin/aa-complain "/etc/apparmor.d/code.jail.{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
+#   when: CODE_JAIL_COMPLAIN|bool
+#   with_items: XQWATCHER_COURSES
+#   # AA having issues on 14.04
+#   # https://github.com/edx/codejail/issues/38
+#   tags:
+#     - removed
 
-- name: put code sandbox into aa-enforce
-  command: /usr/sbin/aa-enforce "/etc/apparmor.d/code.jail.{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
-  when: not CODE_JAIL_COMPLAIN|bool
-  with_items: XQWATCHER_COURSES
+# - name: put code sandbox into aa-enforce
+#   command: /usr/sbin/aa-enforce "/etc/apparmor.d/code.jail.{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
+#   when: not CODE_JAIL_COMPLAIN|bool
+#   with_items: XQWATCHER_COURSES
+#   tags:
+#     - removed

playbooks/roles/xqwatcher/tasks/deploy.yml

@@ -3,13 +3,19 @@
     content="{{ XQWATCHER_GIT_IDENTITY }}"
     dest={{ xqwatcher_app_dir }}/.ssh/{{ xqwatcher_service_name }}-courses
     owner={{ xqwatcher_user }} group={{ xqwatcher_user }} mode=0600
-
+  tags:
+    - install
+    - install:base
+    
 #TODO: remove once xqwatcher.json can be pulled out into /edx/etc/
 - name: write out watcher config file
   template: >
     src=edx/app/xqwatcher/xqwatcher.json.j2
     dest={{ xqwatcher_conf_dir }}/xqwatcher.json
     mode=0644 owner={{ xqwatcher_user }} group={{ xqwatcher_user }}
+  tags:
+    - install
+    - install:base
     
 - include: deploy_watcher.yml
   tags:

playbooks/roles/xqwatcher/tasks/deploy_courses.yml

@@ -8,3 +8,6 @@
     version={{ item.GIT_REF }}
     ssh_opts="{{ xqwatcher_course_git_ssh_opts }}"
   with_items: XQWATCHER_COURSES
+  tags:
+    - install
+    - install:base

playbooks/roles/xqwatcher/tasks/deploy_watcher.yml

@@ -8,6 +8,9 @@
     virtualenv="{{ xqwatcher_app_dir }}/venvs/{{ xqwatcher_service_name }}" state=present
   sudo: true
   sudo_user: "{{ xqwatcher_user }}"
+  tags:
+    - install
+    - install:application-requirements
 
 - name: write out course config files
   template: >
@@ -15,12 +18,18 @@
     dest={{ xqwatcher_conf_dir }}/conf.d/{{ item.COURSE }}.json
     mode=0644 owner={{ xqwatcher_user }} group={{ xqwatcher_user }}
   with_items: XQWATCHER_COURSES
+  tags:
+    - install
+    - install:configuration
 
 - name: write supervisord config
   template: >
     src=edx/app/supervisor/conf.d/xqwatcher.conf.j2
     dest="{{ xqwatcher_supervisor_available_dir }}/xqwatcher.conf"
     group={{ xqwatcher_user }} mode=0650
+  tags:
+    - install
+    - install:configuration
 
 - name: enable supervisor script
   file: >
@@ -29,10 +38,16 @@
     state=link
     force=yes
   when: not disable_edx_services
+  tags:
+    - install
+    - install:configuration
 
 - name: update supervisor configuration
   shell: "{{ xqwatcher_supervisor_ctl }} -c {{ xqwatcher_supervisor_app_dir }}/supervisord.conf update"
   when: not disable_edx_services
+  tags:
+    - manage
+    - manage:update
 
 - name: restart xqwatcher
   supervisorctl: >
@@ -41,4 +56,7 @@
     config={{ xqwatcher_supervisor_app_dir }}/supervisord.conf
     name={{ xqwatcher_service_name }}
   when: not disable_edx_services
-  sudo_user: "{{ xqwatcher_user }}"
+  sudo_user: "{{ xqwatcher_user }}"
\ No newline at end of file
+  tags:
+    - manage
+    - manage:update

playbooks/roles/xqwatcher/tasks/main.yml

@@ -92,6 +92,9 @@
     state=directory
     owner="{{ xqwatcher_user }}"
     group="{{ xqwatcher_user }}"
+  tags:
+    - install
+    - install:base
 
 - name: create conf.d dir
   file: >
@@ -99,7 +102,9 @@
     state=directory
     owner="{{ xqwatcher_user }}"
     group="{{ xqwatcher_user }}"
-
+  tags:
+    - install
+    - install:base
 
 - include: code_jail.yml CODE_JAIL_COMPLAIN=false