@timmc-edx

  • Use app user by default; may need to switch back to root at some point for ease of development, but for now let's try to keep it as similar as possible to stage and prod so that we can find issues sooner.
  • Document the situation, and note how to enter as root (same as for any container, but may be helpful in this uncommon situation).
  • Correct comment for FSIZE
  • Copy NPROC and PROXY defaults into settings for reference

This depends on edx/edx-arch-experiments#983, otherwise the service will start failing.


I've completed each of the following or determined they are not applicable:

  • Made a plan to communicate any major developer interface changes (or N/A)

- Use `app` user by default; may need to switch back to `root` at some
  point for ease of development, but for now let's try to keep it as
  similar as possible to stage and prod so that we can find issues sooner.
- Document the situation, and note how to enter as root (same as for any
  container, but may be helpful in this uncommon situation).
- Correct comment for `FSIZE`
- Copy `NPROC` and `PROXY` defaults into settings for reference

This depends on edx/edx-arch-experiments#983,
otherwise the service will start failing.

@robrap left a comment

Minor comment.


If you need to debug the confinement, either because it is restricting too much or too little, a good strategy is to run ``tail -F /var/log/kern.log | grep codejail`` and watch for ``DENIED`` lines. You should expect to see several appear during service startup, as the service is designed to probe the confinement as part of its initial healthcheck.

Unlike other devstack services, this one runs as the ``app`` user rather than as ``root``. In order to enter the container as root, you can use ``docker compose exec -it --user root codejail bash`` rather than ``make codejail-shell``.
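
Review bot: The debugging paragraph does not say where ``tail -F /var/log/kern.log | grep codejail`` should be run, and the next paragraph then states that the container runs as ``app`` and gives a separate command for a root shell, so a reader cannot tell whether the kernel log is meant to be read on the host or from inside the container, or whether root is needed for it. Suggest naming the location explicitly in the first paragraph, and saying in the second what the root shell is expected to be needed for, so the two instructions are not read as one procedure.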

Maybe add something like the following from your PR description:

Although this isn't strictly needed to develop, it better matches our production environment.

@timmc-edx merged commit 1cd0fd8 into master Mar 19, 2025
4 of 14 checks passed
@timmc-edx deleted the timmc/cj-app branch March 19, 2025 16:36