Codejail plugin for Tutor
Tutor plugin that configures and runs a Codejail Service using a REST API. Codejail allows for the secure execution of untrusted code within sandboxes, providing a safe environment for running potentially dangerous code.
To install the latest version, run:
pip install tutor-contrib-codejail
# or install from the source
pip install git+https://github.com/edunext/tutor-contrib-codejailYou can install a specific version by adding the tag, branch, or commit:
pip install tutor-contrib-codejail==v20.0.0
# or install from the source
pip install git+https://github.com/edunext/[email protected]Enable the plugin with:
tutor plugins enable codejailRun the initialization jobs to install the required AppArmor profile on your host:
tutor config saveFinally, the platform can be run as usual:
tutor local launchPlease remember: If the host is rebooted, the AppArmor profile needs to be reloaded.
To customize the configuration, update the following settings in Tutor:
CODEJAIL_APPARMOR_DOCKER_IMAGE: (default:docker.io/ednxops/codejail_apparmor_loader:latest)CODEJAIL_DOCKER_IMAGE: (default:docker.io/ednxops/codejailservice:{{__version__}})CODEJAIL_ENABLE_K8S_DAEMONSET(default:False)CODEJAIL_ENFORCE_APPARMOR(default:True)CODEJAIL_EXTRA_PIP_REQUIREMENTS(default:[])CODEJAIL_SANDBOX_PYTHON_VERSION(default:3.11.9)CODEJAIL_SERVICE_REPOSITORY(defaulthttps://github.com/edunext/codejailservice.git`)CODEJAIL_SERVICE_VERSION(default:release/teak.1),CODEJAIL_SKIP_INIT(default:False)
In most cases, you can work with the provided Docker image for the release. However, you will need to rebuild the Docker image when:
. Additional requirements are included in the sandbox via CODEJAIL_EXTRA_PIP_REQUIREMENTS.
- A different version of Python is set for the sandbox environment via CODEJAIL_SANDBOX_PYTHON_VERSION.
- You are using a custom version of edx-platform that changes the contents of requirements/edx-sandbox.
Create a new image running:
# Add the tutor configuration with the custom value
tutor config save \
--set 'CODEJAIL_EXTRA_PIP_REQUIREMENTS=["pybryt"]'
# Build the image
tutor images build codejail| Open edX Release | Tutor Version |
|---|---|
| Lilac | >= 12.x |
| Maple | >= 13.x |
| Nutmeg | >= 14.x |
| Olive | >= 15.x |
| Palm | >= 16.x |
| Quince | >= 17.x |
| Redwood | >= 18.x |
| Sumac | >= 19.x |
| Teak | >= 20.x |
NOTE: For the Open edX version of the Lilac release, the changes required for the Codejail service to interact with edx-platform are
not included in open-release/lilac.master. To use the service with the changes, please review this PR.
The CodeJail service provides a sandbox to run arbitrary code. Security enforcement in the sandbox is done through AppArmor, this means that AppArmor must be installed in the host machine, and the provided profile must be loaded.
The plugin provides an init task running a privileged container capable of loading the AppArmor profile onto your machine. This is only compatible with a Docker installation.
For Kubernetes environments, ensure each node has AppArmor installed and the profile loaded. Optionally,
set CODEJAIL_ENABLE_K8S_DAEMONSET to True to use a DaemonSet for loading the AppArmor profile,
assuming the nodes are already running AppArmor.
If you choose to run the service without enforcing the AppArmor profile, you can set CODEJAIL_ENFORCE_APPARMOR to False.
More info about this discussion can be found on this issue.
To verify if Codejail is working, use a course with loncapa problems in Studio and check for correct execution.
You can import the provided example course.
Once the course is imported, go to any section and select an exercise (section example), the proper result is:
In this case, the section's content will render correctly and work as specified in the instructions of the problem.
Contributions are welcome! See our CONTRIBUTING file for more information – it also contains guidelines for how to maintain high code quality, which will make your contribution more likely to be accepted.
This software is licensed under the terms of the AGPLv3. See the LICENSE file for details.