fix: Run codejail with app user; more docs

timmc-edx · timmc-edx · commit 116f122e81e7 · 2025-03-19T14:57:03.000Z
- Use `app` user by default; may need to switch back to `root` at some point for ease of development, but for now let's try to keep it as similar as possible to stage and prod so that we can find issues sooner. - Document the situation, and note how to enter as root (same as for any container, but may be helpful in this uncommon situation). - Correct comment for `FSIZE` - Copy `NPROC` and `PROXY` defaults into settings for reference This depends on edx/edx-arch-experiments#983, otherwise the service will start failing.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -731,6 +731,7 @@ services:
       DJANGO_SETTINGS_MODULE: codejail_service.settings.devstack
     ports:
       - "18030:8080"
+    user: app
     security_opt:
       - apparmor=openedx_codejail_service
 
diff --git a/docs/codejail.rst b/docs/codejail.rst
@@ -42,3 +42,5 @@ Debugging
 To check whether the profile has been applied, run ``sudo aa-status | grep codejail``. This won't tell you if the profile is out of date, but it will tell you if you have *some* version of it installed.
 
 If you need to debug the confinement, either because it is restricting too much or too little, a good strategy is to run ``tail -F /var/log/kern.log | grep codejail`` and watch for ``DENIED`` lines. You should expect to see several appear during service startup, as the service is designed to probe the confinement as part of its initial healthcheck.
+
+Unlike other devstack services, this one runs as the ``app`` user rather than as ``root``. In order to enter the container as root, you can use ``docker compose exec -it --user root codejail bash`` rather than ``make codejail-shell``.
diff --git a/py_configuration_files/codejail.py b/py_configuration_files/codejail.py
@@ -26,7 +26,11 @@
         # Need at least 300 MiB memory for matplotlib alone. 512 MiB should be
         # enough headroom in general.
         'VMEM': 512 * 1024 * 1024,
-        # 1 MB file write limit
+        # 1 MB file size limit
         'FSIZE': 1 * 1024 * 1024,
+        # 15 processes and threads (codejail default)
+        'NPROC': 15,
+        # Match production configuration
+        'PROXY': 0,
     },
 }
