Skip to content

Tutor plugin that enables execution of untrusted code in secure sandboxes using an external service based on the codejail library.

License

Notifications You must be signed in to change notification settings

eduNEXT/tutor-contrib-codejail

Repository files navigation

Codejail plugin for Tutor

Tutor plugin that configures and runs a Codejail Service using a REST API. Codejail allows for the secure execution of untrusted code within sandboxes, providing a safe environment for running potentially dangerous code.

Installation

To install the latest version run:

pip install git+https://github.com/edunext/tutor-contrib-codejail

You can install a specific version by adding the tag, branch, or commit:

pip install git+https://github.com/edunext/[email protected]

Usage

Enable the plugin with:

tutor plugins enable codejail

Run the initialization jobs to install the required AppArmor profile on your host:

tutor config save
tutor local do init --limit codejail

Finally, the platform can be run as usual:

tutor local launch

Please remember: If the host is rebooted, the AppArmor profile needs to be reloaded.

Configuration

To customize the configuration, update the following settings in Tutor:

  • CODEJAIL_APPARMOR_DOCKER_IMAGE: (default: docker.io/ednxops/codejail_apparmor_loader:latest)
  • CODEJAIL_DOCKER_IMAGE: (default: docker.io/ednxops/codejailservice:{{__version__}})
  • CODEJAIL_ENFORCE_APPARMOR (default: True)
  • CODEJAIL_ENABLE_K8S_DAEMONSET (default: False)
  • CODEJAIL_SKIP_INIT (default: False)
  • CODEJAIL_SANDBOX_PYTHON_VERSION (default: 3.8.6)
  • CODEJAIL_EXTRA_PIP_REQUIREMENTS (optional) A list of pip requirements to add to your sandbox.
  • CODEJAIL_SERVICE_VERSION (default: release/redwood.1),
  • CODEJAIL_SERVICE_REPOSITORY (default https://github.com/edunext/codejailservice.git`)
CODEJAIL_EXTRA_PIP_REQUIREMENTS:
- pybryt

Custom Image

In most cases, you can work with the provided docker image for the release. However, you will need to re-build the docker image when:

. Additional requirements are included in the sandbox via CODEJAIL_EXTRA_PIP_REQUIREMENTS. - A different version of Python is set for the sandbox environment via CODEJAIL_SANDBOX_PYTHON_VERSION. - The custom version of edx-platform that changes the contents of requirements/edx-sandbox.

Create a new image running:

# Add the tutor configuration with the custom value
tutor config save \
--set 'CODEJAIL_EXTRA_PIP_REQUIREMENTS=["pybryt"]'

# Build the image
tutor images build codejail

Compatibility

Open edX Release Tutor Version
Lilac >= 12.x
Maple >= 13.x
Nutmeg >= 14.x
Olive >= 15.x
Palm >= 16.x
Quince >= 17.x
Redwood >= 18.x

NOTE: For the Open edX version of the Lilac release, the changes required for the Codejail service to interact with edx-platform are not included in open-release/lilac.master. To use the service with the changes, please review this PR.

Kubernetes Support

The CodeJail service provides a sandbox to run arbitrary code. Security enforcement in the sandbox is done through AppArmor, this means that AppArmor must be installed in the host machine and the provided profile must be loaded.

The plugin provides an init task running a privileged container capable of loading the AppArmor profile onto your machine. This is only compatible with a docker installation.

For Kubernetes environments, ensure each node has AppArmor installed and the profile loaded. Optionally, set CODEJAIL_ENABLE_K8S_DAEMONSET to True to use a DaemonSet for loading the AppArmor profile, assuming the nodes are already running AppArmor.

If you choose to run the service without enforcing the AppArmor profile, you can set CODEJAIL_ENFORCE_APPARMOR to False.

More info about this discussion can be found on this issue.

Testing Functionality

To verify if Codejail is working, use a course with loncapa problems in Studio and check for correct execution. You can import the provided example course.

Once the course is imported, go to any section and select an exercise (section example), the proper result is:

Example when codejail is working

In this case, the section's content will render correctly and work as specified in the instructions of the problem.

Possible failure case

In case you forget to run tutor local do init --limit codejail for AppArmor profile, this error in Studio will arise:

Error formatting HTML for the problem:
cannot create LoncapaProblem block-v1:edX+DemoX+Demo_Course+type@problem+block@integral1: Error while
executing script code: Codejail API Service is unavailable. Please try again in a few minutes.

Example when codejail is not working

This indicates that the Codejail service is either not turned on or not working properly. Please ensure to follow the steps outlined in the usage section to prevent this issue.

How to Contribute

Contributions are welcome! See our CONTRIBUTING file for more information – it also contains guidelines for how to maintain high code quality, which will make your contribution more likely to be accepted.

License

This software is licensed under the terms of the AGPLv3. See the LICENSE file for details.

About

Tutor plugin that enables execution of untrusted code in secure sandboxes using an external service based on the codejail library.

Resources

License

Stars

Watchers

Forks

Packages

No packages published