feat!: add support for the Ulmo release

This changes also include support for openedx/codejail-service as an
alternative implementation of the safe_exec REST API.

Author: MoisesGSalas

.github/workflows/ci.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-         python-version: ['3.9', '3.12']
+         python-version: ['3.10', '3.12']
 
     steps:
     - uses: actions/checkout@v4

README.rst

@@ -1,11 +1,18 @@
 Codejail plugin for `Tutor`_
 ============================
 
-Tutor plugin that configures and runs a `Codejail Service`_ using a REST API. `Codejail`_ allows for the
-secure execution of untrusted code within sandboxes, providing a safe environment for running potentially dangerous code.
+Tutor plugin that configures and runs a `Codejail Service`_ using a REST API.
+`Codejail`_ allows for the secure execution of untrusted code within sandboxes,
+providing a safe environment for running potentially dangerous code.
+
+Starting from the Ulmo release, the codejail plugin is transitioning to an
+alternative implementation of the safe-exec API ( `_Codejail Service V2`_).
+You can opt-in to use this new implementation on Ulmo before it finally becomes
+the default on the Verawood release.
 
 .. _Tutor: https://docs.tutor.overhang.io
 .. _Codejail Service: https://github.com/eduNEXT/codejailservice
+.. _Codejail Service V2: https://github.com/openedx/codejail-service
 .. _Codejail: https://github.com/openedx/codejail
 
 Installation
@@ -23,9 +30,9 @@ You can install a specific version by adding the tag, branch, or commit:
 
 .. code-block:: bash
 
-    pip install tutor-contrib-codejail==v20.0.0
+    pip install tutor-contrib-codejail~=21.0
     # or install from the source
-    pip install git+https://github.com/edunext/tutor-contrib-codejail@v20.0.0
+    pip install git+https://github.com/edunext/tutor-contrib-codejail@v21.0.0
 
 Usage
 -----
@@ -55,14 +62,26 @@ Configuration
 To customize the configuration, update the following settings in Tutor:
 
 - ``CODEJAIL_APPARMOR_DOCKER_IMAGE``: (default: ``docker.io/ednxops/codejail_apparmor_loader:latest``)
+- ``CODEJAIL_DOCKER_IMAGE_V2`` : (default: ``{{ CODEJAIL_DOCKER_IMAGE }}-v2``)
 - ``CODEJAIL_DOCKER_IMAGE``: (default: ``docker.io/ednxops/codejailservice:{{__version__}}``)
 - ``CODEJAIL_ENABLE_K8S_DAEMONSET`` (default: ``False``)
 - ``CODEJAIL_ENFORCE_APPARMOR`` (default: ``True``)
 - ``CODEJAIL_EXTRA_PIP_REQUIREMENTS`` (default: ``[]``)
 - ``CODEJAIL_SANDBOX_PYTHON_VERSION`` (default: ``3.11.9``)
-- ``CODEJAIL_SERVICE_REPOSITORY`` (default ``https://github.com/edunext/codejailservice.git```)
-- ``CODEJAIL_SERVICE_VERSION`` (default: ``release/teak.1``),
+- ``CODEJAIL_SERVICE_REPOSITORY`` (default: ``https://github.com/edunext/codejailservice.git```)
+- ``CODEJAIL_SERVICE_VERSION`` (default: ``{{ OPENEDX_COMMON_VERSION }}``),
 - ``CODEJAIL_SKIP_INIT`` (default: ``False``)
+- ``SERVICE_V2_REPOSITORY``: (default: ``https://github.com/openedx/codejail-service.git``)
+- ``SERVICE_V2_VERSION``: (default: ``{{ OPENEDX_COMMON_VERSION }}``)
+- ``USE_SERVICE_V2``: (default: ``False``)
+
+The ``CODEJAIL_V2_*`` settings are meant to be used only during the Ulmo
+release and will be phased-out during the Verawood release.
+
+To opt-in to the new implementation of the code-exec API set ``USE_SERVICE_V2``
+to ``True`` and re-deploy your environment. If you are using a a custom image
+for the codejail service you will need to rebuild it with ``USE_SERVICE_V2``
+set to ``True`.
 
 Custom Image
 ~~~~~~~~~~~~

setup.py

@@ -43,17 +43,15 @@ def load_about():
     long_description=load_readme(),
     packages=find_packages(exclude=["tests*"]),
     include_package_data=True,
-    python_requires=">=3.8",
-    install_requires=["tutor>=20.0.0,<21"],
+    python_requires=">=3.10",
+    install_requires=["tutor~=21.0"],
     entry_points={"tutor.plugin.v1": ["codejail = tutorcodejail.plugin"]},
     classifiers=[
         "Development Status :: 3 - Alpha",
         "Intended Audience :: Developers",
         "License :: OSI Approved :: GNU Affero General Public License v3",
         "Operating System :: OS Independent",
         "Programming Language :: Python",
-        "Programming Language :: Python :: 3.8",
-        "Programming Language :: Python :: 3.9",
         "Programming Language :: Python :: 3.10",
         "Programming Language :: Python :: 3.11",
         "Programming Language :: Python :: 3.12",

tutorcodejail/__about__.py

@@ -1,2 +1,2 @@
 """Helps you keep your cool when creating dozens of open edX and eduNEXT environments."""
-__version__ = "20.1.0"
+__version__ = "21.0.0"

tutorcodejail/patches/k8s-deployments

@@ -1,4 +1,5 @@
 ---
+{% if CODEJAIL_USE_SERVICE_V2 %}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -13,11 +14,49 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: codejailservice
-      annotations:
-        {% if CODEJAIL_ENFORCE_APPARMOR %}
-        container.apparmor.security.beta.kubernetes.io/codejailservice: "localhost/docker-edx-sandbox"
-        {% endif %}
     spec:
+      securityContext:
+        appArmorProfile: 
+          type: Localhost
+          localhostProfile: openedx_codejail_service
+      containers:
+        - name: codejailservice
+          image: {{ CODEJAIL_DOCKER_IMAGE_V2 }}
+          ports:
+            - containerPort: 8550
+          env:
+            - name: DJANGO_SETTINGS_MODULE
+              value: codejail_service.settings.tutor
+          volumeMounts:
+            - mountPath: /app/codejail_service/settings/tutor.py
+              name: settings-codejail
+              subPath: tutor.py
+      volumes:
+        - name: settings-codejail
+          configMap:
+            name: settings-codejail
+{% else %}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: codejailservice
+  labels:
+    app.kubernetes.io/name: codejailservice
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: codejailservice
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: codejailservice
+    spec:
+      {% if CODEJAIL_ENFORCE_APPARMOR %}
+      securityContext:
+        appArmorProfile: 
+          type: Localhost
+          localhostProfile: docker-edx-sandbox
+      {% endif %}
       containers:
         - name: codejailservice
           image: {{ CODEJAIL_DOCKER_IMAGE }}
@@ -34,6 +73,7 @@ spec:
         - name: settings-codejail
           configMap:
             name: settings-codejail
+{% endif %}
 {% if CODEJAIL_ENABLE_K8S_DAEMONSET %}
 ---
 apiVersion: apps/v1

tutorcodejail/patches/k8s-services

@@ -3,6 +3,8 @@ apiVersion: v1
 kind: Service
 metadata:
   name: codejailservice
+  labels:
+    app.kubernetes.io/name: codejailservice
 spec:
   type: ClusterIP
   ports:

tutorcodejail/patches/kustomization-configmapgenerator

@@ -1,12 +1,17 @@
 - name: codejail-profile
   files:
-  - plugins/codejail/apps/profiles/docker-edx-sandbox
+  - plugins/codejail/apps/profiles/docker-edx-sandbox.profile
+  - plugins/codejail/apps/profiles/openedx-codejail-service.profile
   options:
     labels:
         app.kubernetes.io/name: codejail-aa-loader
 - name: settings-codejail
   files:
-  - plugins/codejail/apps/config/tutor.py
+  {% if CODEJAIL_USE_SERVICE_V2 %}
+  - plugins/codejail/apps/codejail-service-v2/tutor.py
+  {% else %}
+  - plugins/codejail/apps/codejail/tutor.py
+  {% endif %}
   options:
     labels:
         app.kubernetes.io/name: codejailservice

tutorcodejail/patches/local-docker-compose-jobs-services

@@ -0,0 +1,9 @@
+codejail-apparmor-job:
+  image: {{ CODEJAIL_APPARMOR_DOCKER_IMAGE }}
+  privileged: true
+  environment:
+    SKIP_INIT: "{{ CODEJAIL_SKIP_INIT }}"
+  volumes:
+    - ../plugins/codejail/apps/profiles/:/profiles/:ro
+    - /sys:/sys
+    - /etc/apparmor.d:/etc/apparmor.d

tutorcodejail/patches/local-docker-compose-services

@@ -1,4 +1,19 @@
 #############Codejail service
+{% if CODEJAIL_USE_SERVICE_V2 %}
+codejailservice:
+  image: {{ CODEJAIL_DOCKER_IMAGE_V2 }}
+  ports:
+    - 8550:8550
+  environment:
+    DJANGO_SETTINGS_MODULE: codejail_service.settings.tutor
+  security_opt:
+    - apparmor:openedx_codejail_service
+  volumes:
+    - ../plugins/codejail/apps/codejail-service-v2/tutor.py:/app/codejail_service/settings/tutor.py:ro
+  restart: unless-stopped
+  depends_on:
+    - codejail-apparmor-loader
+{% else %}
 codejailservice:
   image: {{ CODEJAIL_DOCKER_IMAGE }}
   environment:
@@ -8,11 +23,11 @@ codejailservice:
     - apparmor:docker-edx-sandbox
   {% endif %}
   volumes:
-    - ../plugins/codejail/apps/config/tutor.py:/openedx/codejailservice/codejailservice/tutor.py:ro
-    - ../../data/codejail:/openedx/data
+    - ../plugins/codejail/apps/codejail/tutor.py:/openedx/codejailservice/codejailservice/tutor.py:ro
   restart: unless-stopped
   depends_on:
     - codejail-apparmor-loader
+{% endif %}
 
 codejail-apparmor-loader:
   image: {{ CODEJAIL_APPARMOR_DOCKER_IMAGE }}
@@ -23,6 +38,6 @@ codejail-apparmor-loader:
     - -v=2
     - /profiles
   volumes:
-    - ../plugins/codejail/apps/profiles/docker-edx-sandbox:/profiles/docker-edx-sandbox:ro
+    - ../plugins/codejail/apps/profiles/:/profiles/:ro
     - /sys:/sys
     - /etc/apparmor.d:/etc/apparmor.d