Is your feature request related to a problem? Please describe.
The problem is that the current documentation for the CodeJail plugin within Tutor does not provide any guidance on how to add additional Python packages or Conda virtual environments (venvs) to the CodeJail sandbox. This lack of information makes it challenging for users to incorporate custom packages or tools like SageMath, which may have unique dependencies, into the CodeJail environment.

Describe the solution you'd like
I would like to have the ability to add custom Python packages and Conda venvs to the CodeJail sandbox directly from the Tutor-CodeJail project. This means introducing new configuration options in the Tutor-CodeJail settings that allow users to specify the additional Python packages and Conda venvs they want to include. These packages and venvs should be isolated from the host system, ensuring security and preventing conflicts.

Describe alternatives you've considered
One alternative could be manually modifying the apparmor filterfile to include additional packages, but this approach lacks user-friendliness and may not provide the desired isolation. Another alternative could be running CodeJail inside an existing Conda venv, but this may not be feasible for all use cases and could still lead to dependency conflicts.

Additional context
This feature request aims to enhance the usability and flexibility of Tutor-CodeJail by addressing the need for custom Python packages and Conda venvs within the CodeJail sandbox. It would make Tutor-CodeJail a more versatile tool for educational and research purposes and help users work with specialized packages like SageMath effectively while maintaining isolation from the host system.

Describe the bug
This plugins defines a tutor.py file that allows you to override the default configuration of the service, this pattern is also used in other Tutor plugins (e.g. tutor-notes). Even though the tutor.py file is mounted in the container (local-docker-compose-services) it's not actually being used by the service. In order to make use of the file we would need to set the environment variable FLASK_APP_SETTINGS to use the tutor.py module in the container definition.

Additionally we would need to use a new patch similar to notes-settings that allows us to override the default settings of the service..

To Reproduce
Steps to reproduce the behavior:

1. Manually edit the tutor.py file and alter the default configuration (see description message)
2. Inside the container run flask shell
3. Check the values by running app.config['CODE_JAIL'] in the shell.
4. None of the values were overriden.

Expected behavior
Is possible to modify the default values of the codejail service.

Hi
Installing
pip install --force-reinstall git+https://github.com/edunext/tutor-contrib-codejail
in tutor 13.1.0 replaces tutor to version 12.2.0 and elasticsearch hangs.

Adding a Custom Python-Evaluated Input problem results in an error:

Can you help me?

Best wishes
Christoph

Is your feature request related to a problem? Please describe.
Yes. Right now, If we update the release of this plugin, we will need the edxops/codejailservice:release-tag docker image in the docker hub.

Describe the solution you'd like
Improve the templates to use the last image available of codejailservice with the same major release minor or equal to this plugin.
This could work because the codejailservice stays mostly the same.

Additional context
Right now, this could happen:

And having this kind of report:
https://discuss.openedx.org/t/edunext-tutor-contrib-codejail-installation-error/12711/3

Tried running
tutor local init --limit=codejail

But I got
Error: No such command 'init'.

tutor v15.2.0

Describe the bug
The bug described here seems to be back on Nutmeg (Tutor 14.0.4) with the latest plugin (ce71496)

To Reproduce
Steps to reproduce the behavior:

1. Install tutor, tutor-contrib-codejail, codejailservice from source
2. Move to nutmeg branches: nutmeg -for tutor-, 14.0.0 -for codejailservice-, MJG/nutmeg -for tutor-contrib-codejail-
3. Install plugin
4. Build images: tutor config save && tutor images build all
5. Init services: tutor dev init
6. Follow test instructions here. The error will appear in the course component.
   Further testing:
7. Enter container: tutor dev dc run codejailservice bash
8. Activate environment: source /sandbox/venv/bin/activate
9. Run python, the same error will appear

Upgrading to Nutmeg fails, because the patches https://github.com/eduNEXT/tutor-contrib-codejail/blob/main/tutorcodejail/patches/cms-env and https://github.com/eduNEXT/tutor-contrib-codejail/blob/main/tutorcodejail/patches/lms-env haven't been changed from json format to yml format (removing the "," at the end of each line).

Is your feature request related to a problem? Please describe.
The release cut is in April, and we want to have a Redwood version of this plugin so the BTR can test the release correctly.

Describe the solution you'd like
Having a release or at least a branch with Redwood support.

Describe alternatives you've considered
N/A

Additional context
Release schedule: https://openedx.atlassian.net/wiki/spaces/COMM/pages/3613392957/Open+edX+Release+Schedule

Problem

I have installed a stack of OpexEDX platform using Tutor and installed OpexEdx "Codejail" plugin using below link

pip install git+https://github.com/edunext/tutor-contrib-codejail

https://github.com/eduNEXT/tutor-contrib-codejail

I am facing a problem during working on the code jail while importing python matplotlib library.

importing the same library inside codejail container is working fine. the only problem is import through OpnexEdx code block. > advance black > problem.
I have already installed the Codejail and Matplotlib on docker.

I have to run this code. which gives error

<problem>
<script type="loncapa/python">
import matplotlib
</script>
</problem>

import os works fine
but getting error while
import matplotlib

detail of current stack:

• open edx version : openedx-mfe:14.0.1
• code jail version : codejailservice:14.1.0
• please see the error message below

cannot create LoncapaProblem block-v1:VUP+Math101+2022+type@problem+block@3319c4e42da64a74b0e40f048e3f2599: Error while executing script code: Couldn't execute jailed code: stdout: b'', stderr: b'Traceback (most recent call last):\n File &#34;jailed_code&#34;, line 19, in <module>\n exec(code, g_dict)\n File &#34;<string>&#34;, line 66, in <module>\n File &#34;/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py&#34;, line 921, in <module>\n dict.update(rcParams, rc_params_in_file(matplotlib_fname()))\n File &#34;/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py&#34;, line 602, in matplotlib_fname\n for fname in gen_candidates():\n File &#34;/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py&#34;, line 599, in gen_candidates\n yield os.path.join(get_configdir(), \'matplotlibrc\')\n File &#34;/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py&#34;, line 239, in wrapper\n ret = func(**kwargs)\n File &#34;/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py&#34;, line 502, in get_configdir\n return get_config_or_cache_dir(_get_xdg_config_dir())\n File &#34;/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py&#34;, line 474, in get_config_or_cache_dir\n tempfile.mkdtemp(prefix=&#34;matplotlib-&#34;)\n File &#34;/opt/pyenv/versions/3.8.6_sandbox/lib/python3.8/tempfile.py&#34;, line 347, in mkdtemp\n prefix, suffix, dir, output_type = sanitize_params(prefix, suffix, dir)\n File &#34;/opt/pyenv/versions/3.8.6_sandbox/lib/python3.8/tempfile.py&#34;, line 117, in sanitize_params\n dir = gettempdir()\n File &#34;/opt/pyenv/versions/3.8.6_sandbox/lib/python3.8/tempfile.py&#34;, line 286, in gettempdir\n tempdir = get_default_tempdir()\n File &#34;/opt/pyenv/versions/3.8.6_sandbox/lib/python3.8/tempfile.py&#34;, line 218, in _get_default_tempdir\n raise FileNotFoundError(_errno.ENOENT,\nFileNotFoundError: [Errno 2] No usable temporary directory found in [\'/tmp\', \'/var/tmp\', \'/usr/tmp\', \'/tmp/codejail-lbfd69da\']\n' with status code: 1. For more information check Codejail Service logs.

Codejail service logs are as follows:

{"log":"[pid: 6|app: 0|req: 20/39] 172.18.0.10 () {36 vars in 483 bytes} [Tue Nov 22 11:24:59 2022] POST /api/v0/code-exec =\u003e generated 1978 bytes in 742 msecs (HTTP/1.1 200) 2 headers in 73 bytes (1 switches on core 0)\n","stream":"stderr","time":"2022-11-22T11:25:00.151315626Z"} {"log":"2022-11-22 11:26:23,304 INFO 9 [codejailservice.app] code_exec_service.py:52 - Running problem_id:53fbaa04859f41989ab967c15a12c013 jailed code for course_id:course-v1:VUP+Math101+2022 ...\n","stream":"stderr","time":"2022-11-22T11:26:23.30489438Z"} {"log":"2022-11-22 11:26:23,343 INFO 9 [codejailservice.app] code_exec_service.py:73 - Jailed code was executed in 0.03849988000001758 seconds.\n","stream":"stderr","time":"2022-11-22T11:26:23.343618965Z"} {"log":"[pid: 9|app: 0|req: 20/40] 172.18.0.10 () {36 vars in 483 bytes} [Tue Nov 22 11:26:23 2022] POST /api/v0/code-exec =\u003e generated 73 bytes in 40 msecs (HTTP/1.1 200) 2 headers in 71 bytes (1 switches on core 0)\n","stream":"stderr","time":"2022-11-22T11:26:23.344178308Z"} {"log":"2022-11-23 04:15:24,786 INFO 6 [codejailservice.app] code_exec_service.py:52 - Running problem_id:3319c4e42da64a74b0e40f048e3f2599 jailed code for course_id:course-v1:VUP+Math101+2022 ...\n","stream":"stderr","time":"2022-11-23T04:15:24.786287416Z"} {"log":"2022-11-23 04:15:25,582 ERROR 6 [codejailservice.app] code_exec_service.py:70 - Error found while executing jailed code.\n","stream":"stderr","time":"2022-11-23T04:15:25.582527974Z"} {"log":"[pid: 6|app: 0|req: 21/41] 172.18.0.10 () {36 vars in 483 bytes} [Wed Nov 23 04:15:24 2022] POST /api/v0/code-exec =\u003e generated 1978 bytes in 798 msecs (HTTP/1.1 200) 2 headers in 73 bytes (1 switches on core 0)\n","stream":"stderr","time":"2022-11-23T04:15:25.583132326Z"} {"log":"2022-11-23 06:00:15,150 INFO 9 [codejailservice.app] code_exec_service.py:52 - Running problem_id:3319c4e42da64a74b0e40f048e3f2599 jailed code for course_id:course-v1:VUP+Math101+2022 ...\n","stream":"stderr","time":"2022-11-23T06:00:15.15073834Z"} {"log":"2022-11-23 06:00:15,891 ERROR 9 [codejailservice.app] code_exec_service.py:70 - Error found while executing jailed code.\n","stream":"stderr","time":"2022-11-23T06:00:15.8916806Z"} {"log":"[pid: 9|app: 0|req: 21/42] 172.18.0.10 () {36 vars in 483 bytes} [Wed Nov 23 06:00:15 2022] POST /api/v0/code-exec =\u003e generated 1978 bytes in 742 msecs (HTTP/1.1 200) 2 headers in 73 bytes (1 switches on core 0)\n","stream":"stderr","time":"2022-11-23T06:00:15.892225441Z"}

WorkAround (Temporary)

After diagnosing, I have found that this is because of AppArmor loaded profile. AppArmor was denying to write temp files which were produced during import matplotlib .

get_configdir\n return get_config_or_cache_dir(_get_xdg_config_dir())\n File "/sandbox/venv/lib/python3.8/site-packages/matplotlib/init.py", line 474, in get_config_or_cache_dir\n tempfile.mkdtemp(prefix="matplotlib-")\n File "/opt/pyenv/versions/3.8.6_sandbox/lib/python3.8/tempfile.py", line 347, in mkdtemp\n prefix, suffix, dir, output_type = sanitize_params(prefix, suffix, dir)\n File "/opt/pyenv/versions/3.8.6_sandbox/lib/python3.8/tempfile.py", line 117, in sanitize_params\n dir = gettempdir()\n File "/opt/pyenv/versions/3.8.6_sandbox/lib/python3.8/tempfile.py", line 286, in gettempdir\n tempdir = get_default_tempdir()\n File "/opt/pyenv/versions/3.8.6_sandbox/lib/python3.8/tempfile.py", line 218, in _get_default_tempdir\n raise FileNotFoundError(_errno.ENOENT,\nFileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/tmp/codejail-lbfd69da']\n' with status code: 1. For more information check Codejail Service logs.

AppArmor loaded ' docker-edx-sandbox ' which in my case was stored in /etc/apparmor.d/docker-edx-sandbox directory. docker container of Sandbox service was using that profile.

to view this I used dmesg command with root privileges to view the logs produced by AppArmor . whcih shows the current profile used by Sandbox container service => 'docker-edx-sandbox'. Logs of dmesg show Mkdir command: access denied by AppArmor.

Temporarily Workaround of this issue I have Removed the loaded AppArmor profile from memory by the below command.

sudo apparmor_parser -R /etc/apparmor.d/docker-edx-sandbox

Important Note : Don't use in production .it will bypass AppArmor security by removing the profile from the kernel.

We Need to update https://github.com/eduNEXT/tutor-contrib-codejail/blob/main/tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox template for allowing creating temp files in sandbox environment

TEST

The nutmeg version can't find codejailservice with tag 14.0.0 in the docker registry:

Pulling codejailservice (docker.io/ednxops/codejailservice:14.0.0)...
ERROR: manifest for ednxops/codejailservice:14.0.0 not found: manifest unknown: manifest unknown
Error: Command failed with status 1: docker-compose -f /srv/tutor/env/local/docker-compose.yml -f /srv/tutor/env/local/docker-compose.prod.yml -f /srv/tutor/env/local/docker-compose.tmp.yml --project-name tutor_local up --remove-orphans --build -d

Is your feature request related to a problem? Please describe.
Add workflow for bump version to make it easy to generate release when some change is merged.

Describe the solution you'd like
Something like this works: https://github.com/eduNEXT/eox-tenant/blob/master/.github/workflows/bump_version.yml.

TEST

Is your feature request related to a problem? Please describe.

To use the codejail service is necessary to load an AppArmor profile in the host machine. To do so, the plugin uses an initialization job that runs on a privileged container and must be run as part of the initialization of the service (i.e. tutor do init -l codejail). There are several ways in which the AppArmor Profile can be unloaded: apparmor_parser -R ... or by rebooting the host machine, which requires you to run the initialization job again.

Describe the solution you'd like

Refactoring the init job into an initialization container similar to the openedx-permissions might be a more appropriate approach ensuring that the profile is loaded before starting the codejailservice container.

Describe the bug
It looks like the custom response OLX with Python code problem breaks upon submission when codejail service is enabled. I’m posting it here to bring it into the notice of the community and see what they think about this.

To Reproduce

• Create a custom response problem with a script like

<problem>
  <script type="text/python" system_path="python_lib">
# Python code here e.g. 

def hint_fn(answer_ids, student_answers, new_cmap, old_cmap):

</script>
  <customresponse>
    <drag_and_drop_input>
    </drag_and_drop_input>
    <hintgroup hintfn="hint_fn"/>
  </customresponse>
</problem>

• Publish changes, And try to test the submissions with any user(admin, staff, or any), NOTE: Make sure that you have enabled codejail service to run the custom Python code.
• You can check the error stacktrace at the end of the post

Expected behavior
Submit my problem without a problem.

Additional context
Discuss post

Hi, does the 14.1.0 image needs to be pushed to dockerhub? I couldn't find it over on this site:
https://hub.docker.com/r/overhangio/openedx/tags
(by the way I don't have a ton of docker experience)

Describe the bug
Installing tutor-contrib-codejail failed

To Reproduce
Steps to reproduce the behavior:

1. follow install directions for tutor
2. follow install directions for tutor-contrib-codejail

Expected behavior
tutor-contrib-codejail should install :)

Additional context

After tutor-contrib-codefail failed to install, I manually edited this Dockerfile

~/.local/share/tutor/env/plugins/codejail/build/codejail/Dockerfile

Line 31:

RUN git clone https://github.com/eduNEXT/codejailservice.git --branch 14.1.0 --depth 1 /openedx/codejailservice

Then decremented the version number to 14.0.0

RUN git clone https://github.com/eduNEXT/codejailservice.git --branch 14.0.0 --depth 1 /openedx/codejailservice

then the install worked as expected.

System

$ uname -a
Linux sneaker 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 GNU/Linux

$ tutor --version
tutor, version 14.0.5

I got this working for me, so please close this issue if it makes sense to do so, I thought it might help someone, thanks!

Description

The codejailservice fails to execute code when using Python 3.8 in the secure sandbox.

To Reproduce

Steps to reproduce the behavior:

1. Install tutor, tutor-contrib-codejail, codejailservice from source
2. Move to nutmeg branches: nutmeg -for tutor-, 14.0.0 -for codejailservice-, MJG/nutmeg -for tutor-contrib-codejail-
3. Install plugin
4. Build images: tutor config save && tutor images build all
5. Init services: tutor dev init
6. Follow test instructions here. The error will appear in the course component.
   Further testing:
7. Enter container: tutor dev dc run codejailservice bash
8. Activate environment: source /sandbox/venv/bin/activate
9. Run python, the same error will appear

Expected behavior

A clear and concise description of what you expected to happen.

Additional context

We encountered this error while giving nutmeg support to the plugin. First, trying to use a Python Evaluated component in a course:

After entering the codejailservice container to inspect contents, we found that running python using the sandbox virtualenv failed:

With the same error as the course component. Then, we ran the same command but without the docker-compose files:

And it worked. So it must be something in the docker-compose configurations. After removing this line, the command worked with the docker-compose files. So what's going on with the apparmor profile & python3.8? 🤔
For reference, here is the appamor profile defined by this plugin.

Describe the bug
I encountered the following run-time tutor configuration error.

Configuration saved to /home/runner/.local/share/tutor/config.yml
Error rendering template codejail/build/codejail/Dockerfile
Error: Missing configuration value: 'is_buildkit_enabled' is undefined

Reviewing the tutor 17 release notes -- https://github.com/overhangio/tutor/releases -- i noticed this:

💥[Deprecation] The template variable is_buildkit_enabled, which now always returns True, is deprecated. Plugin authors should assume BuildKit is enabled and remove the variable from their templates (by @kdmccormick).

so, apparently there was no grace period for the removal of the tutor template variable is_buildkit_enabled

To Reproduce
Steps to reproduce the behavior:

          tutor config save --set CODEJAIL_DOCKER_IMAGE=${CODEJAIL_DOCKER_IMAGE} \
                            --set CODEJAIL_ENFORCE_APPARMOR=false \
                            --set CODEJAIL_ENABLE_K8S_DAEMONSET=true \
                            --set CODEJAIL_EXTRA_PIP_REQUIREMENTS='["git+https://github.com/StepwiseMath/stepwise-edx-plugin","git+https://${{ env.GITHUB_USER }}:${{ secrets.PAT }}@github.com/QueriumCorp/swxblock","git+https://${{ env.GITHUB_USER }}:${{ secrets.PAT }}@github.com/QueriumCorp/swpwrxblock","git+https://${{ env.GITHUB_USER }}:${{ secrets.PAT }}@github.com/QueriumCorp/geogebra_xblock"]' \

I've thus far isolated the problem to the CODEJAIL_EXTRA_PIP_REQUIREMENTS and furthermore will note that three of the four repositories in the list are private repos. i'm still researching whether this bears on the problem.

I experimented with provided a list of PyPi packages to the CODEJAIL_EXTRA_PIP_REQUIREMENTS and got the same error:

          tutor config save --set CODEJAIL_DOCKER_IMAGE=${CODEJAIL_DOCKER_IMAGE} \
                            --set CODEJAIL_ENFORCE_APPARMOR=false \
                            --set CODEJAIL_ENABLE_K8S_DAEMONSET=true \
                            --set CODEJAIL_EXTRA_PIP_REQUIREMENTS='["python-dotenv","pydantic","langchain","openai"]' \

Expected behavior
tutor configuration should saved.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Environment variables:

    AWS_REGION: us-east-2
    ORGANIZATION: stepwisemath
    NAMESPACE: swm-openedx-us-prod
    EKS_CLUSTER_NAME: apps-hosting-service
    AWS_ECR_REPOSITORY: stepwisemath/codejail
    AWS_DEFAULT_REGION: us-east-2
    TUTOR_VERSION: 17.0.0
    TUTOR_RUN_CADDY: false
    TUTOR_RUN_NGINX: false
    TUTOR_ID: tutor-swm-openedx-us-prod
    TUTOR_K8S_NAMESPACE: swm-openedx-us-prod
    AWS_ECR_REGISTRY_CODEJAIL: 090511222473.dkr.ecr.us-east-2.amazonaws.com
    AWS_ECR_REPOSITORY_CODEJAIL: stepwisemath/codejail
    REPOSITORY_TAG_CODEJAIL: 17.0.0-202401021551
    CODEJAIL_DOCKER_IMAGE: 090511222473.dkr.ecr.us-east-2.amazonaws.com/stepwisemath/codejail:17.0.0-202401021551

Description

The plugin at the moment does not support kubernetes in any way or form.

In the Docker deployment we use AppArmor to restrict the container's access to certain resources. To enforce the rules of the AppArmor profile on the container we have to make sure that the profile is loaded on the host machine. We accomplish this task by running a job on a privileged container that loads the profile onto the host.

In the case of Kubernetes we face the challenge of loading the AppArmor profile onto all the nodes of the kubernetes cluster (due to the pod that hosts the codejail container possibly being assigned to any node).
Once that is done it is possible to deploy the codejail service using a secured container.

Loading the profile is not even the first blocker, the Amazon Linux images used by default on EKS do not have AppArmor enabled (I don't know what OSes are used on the other providers). One option is to use Ubuntu AMIs for EKS
which already have AppArmor enabled. Once that is taken care of, is possible to load the profile using several strategies. Each one with their own limitations.

I have deployed an EKS cluster using the ami-0a9aad2548662426 AMI from Canonical and tried both, SSHing into the nodes and loading the profile manually and using the DaemonSet, in both cases I was able to successfully load the profile onto the node and ran the codejail service using a deployment that looked like this.

The discussion I want to start is how the Kubernetes support should look from now onwards. The CodeJail service has a series of requirements that make it inherently difficult to run in k8s securely. Ensuring that the plugin setups correctly all these requirements in multiple environments (at least most common ones) seems like a tall order for the time being. What I'm feeling inclined at the moment is to offer the templates for the service/deployment but leave the initialization to the operator and even allow the service to run without the profile enforcement on the container if the user decides to. Maybe I'm not being ingenious enough and if someone has a nicer approach I would love to hear it.

A little summary of the problems we currently have:

• We need to ensure that the nodes have AppArmor enabled.
• We need to load the AppArmor profile onto each node. Using a daemon set seems like the most sensible solution, but running the privileged container appears to be a little out of bounds for the plugin.
  • In addition the DaemonSet can't update or delete profiles. We may avoid this issue if we version the profiles (although I don't see them changing too often)
• Defining the k8s-job for the init task will not work even if it was a noop due to incompatible naming. @angonz made a few fixes here.