feat: Build and test with Python 3.8 and 3.11 for codejail. #167
Before we can test on the newer versions of python we need to build the new images. This PR updates the Dockerfile to Ubuntu 22.04 instead of 20.04 and uses deadsnakes to be able to install any relevant python versions we might need. We need to update the Dockerfile to be able to build containers for both Python 3.8 and 3.11. Along the way we also needed to make the following changes:

Makefile Changes:

* Add `make` as an explicit package to install since we call it and previously it was coming in implicitly with `git` and `sudo`
* Install pip and virtualenv differently.
* Add build-essentials so we can compile numpy in python 3.11

Other Changes:

* Create multiple apparmor profiles and load the correct one based on the python version.
* Create multiple sudoers files and load the right one based on the python version.
* Update the publish workflow to publish images for both python versions.
Update CI to run tests on both 3.8 and 3.11
The traceback has more details in the newer version of python including the full filepath for the jailed_code file which includes the generated temp path. That path is random each time so we use a regex to deal with it instead of hardcoding the test message.
Needed to fix Pylint errors in 3.11 but also it looked like a bunch of other packages hadn't been updated in a while.
I left a few comments.
In addition: I tried running the tests manually (in a docker container, with the same commands as the workflow) and found some weird behavior.
The suite passes the first couple of times but after the third or so attempt it begins to fail. Deleting and creating the container again seems to fix it. It seems like there are a few lingering processes that accumulate between runs, but I didn't go too deep.
I guess revisiting those tests is outside the scope of this PR, right?
|
||
profile apparmor_profile /home/sandbox/codejail_sandbox-python3.11/bin/python { | ||
#include <abstractions/base> | ||
#include <abstractions/python> |
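Review bot: `#include <abstractions/python>` in this profile is resolved against the abstraction file installed on whichever machine loads the profile, so the file rules actually granted to `/home/sandbox/codejail_sandbox-python3.11/bin/python` depend on that host's AppArmor package rather than on this repository. Consider in-lining the Python path rules the sandbox needs, or documenting the minimum abstraction version, so that a 3.11 sandbox is not governed by rules written before that interpreter version existed. The attachment path on the `profile` line also hard-codes `python3.11`; if one profile per interpreter is intended, a comment at the top of the file saying so would help whoever adds the next version.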
IIRC this is inherited from the host; if the CI runner is on ubuntu-20.04 it might be missing some rules from python3.11.
I think deadsnakes doesn't update any of the base rules.
@MoisesGSalas good thought, looking at the 20.04 profiles, it does look like they are not going to set the rules correctly for Python 3.11
```
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
/usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
/usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
# Site-wide configuration
/etc/python{2.[4-7],3.[0-9]}/** r,
# shared python paths
/usr/share/{pyshared,pycentral,python-support}/** r,
/{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
/usr/lib/{pyshared,pycentral,python-support}/**.so mr,
/var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
/usr/lib/python3/dist-packages/**.so mr,
# wx paths
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
/usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
```
Newer versions of this profile are more up-to-date and can handle older and newer versions of python, do you think it makes sense to drop the abstraction and just explicitly set the rules similar to what are in 22.04?
```
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so,so.*[0-9]} mr,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.VERSION r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
/usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
# Site-wide configuration
/etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
# shared python paths
/usr/share/{pyshared,pycentral,python-support}/** r,
/{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
/usr/lib/{pyshared,pycentral,python-support}/**.so mr,
/var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
/usr/lib/python3/dist-packages/**.so mr,
# wx paths
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
/usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
# Include additions to the abstraction
include if exists <abstractions/python.d>
```
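Added example (not part of the PR or of the codejail code base): a simplified Python model of AppArmor path globbing, used to check which interpreter paths the 20.04 and 22.04 `abstractions/python` rules quoted in the comment above would cover. The function names and the sample paths are constructed for illustration, and only two rules from each abstraction are modelled.

```python
import re

def aa_glob_to_regex(glob):
    """Simplified model of AppArmor path globbing as an anchored regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")              # ** may cross '/' boundaries
            i += 1
        elif c == "*":
            out.append("[^/]*")           # * stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1])   # character class such as [0-9]
            i = end
        elif c in "{}":
            depth += 1 if c == "{" else -1
            out.append("(?:" if c == "{" else ")")
        elif c == "," and depth:
            out.append("|")               # separator inside {a,b}
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

# Path globs copied from the two abstractions quoted above (permissions dropped).
RULES_2004 = ["/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth}",
              "/usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so"]
RULES_2204 = [
    "/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth}",
    "/usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so"]

# Constructed sample paths, not taken from a real audit log.
SAMPLE = ["/usr/lib/python3.8/json/__init__.py",
          "/usr/lib/python3.11/json/__init__.py",
          "/usr/lib/python3.11/lib-dynload/_ssl.cpython-311-x86_64-linux-gnu.so"]

def compare(paths):
    """Map each path to (covered by 20.04 rules, covered by 22.04 rules)."""
    hit = lambda rules, p: any(re.match(aa_glob_to_regex(r), p) for r in rules)
    return {p: (hit(RULES_2004, p), hit(RULES_2204, p)) for p in paths}

if __name__ == "__main__":
    for path, (old, new) in compare(SAMPLE).items():
        print(f"20.04={old!s:5} 22.04={new!s:5} {path}")
```

The two-digit minor version is what the 20.04 pattern `3.[0-9]` fails on: it consumes `3.1` and then expects `/`, so both Python 3.11 paths fall outside the older rules.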
We do something similar in the profile we use in the tutor-contrib-codejail plugin.
I'm in favor of in-lining those rules and also taking the opportunity to update the runner and some of the actions that are throwing a few warnings about a deprecated node version.
@MoisesGSalas I simplified the apparmor profiles into a single profile that will work with python 3.0 -> 3.99. I continued to include the local abstraction if it exists; in case things significantly change and we miss something, we'll have that at least.
I did not put the runner updates in this PR because I don't want to conflate the two things but that can be a quick follow-up PR or you can make it and I can review/approve. Please take a look at these changes and if they look good to you, I can organize the commits and update the description before merging and releasing this code.
Adding Python 3.11 testing and support for testing/running on multiple python versions.
IMO this is good to go.
This change uses deadsnakes to be able to install any relevant python versions we might need. We also update the Dockerfile to be able to build containers for both Python 3.8 and 3.11. Along the way we also needed to make the following changes:

Makefile Changes:

* Add `make` as an explicit package to install since we call it and previously it was coming in implicitly with `git` and `sudo`
* Install pip and virtualenv differently.
* Add build-essentials so we can compile numpy in python 3.11

Other Changes:

* Create a new apparmor profile that will work with multiple versions of Python and pulls in the latest content of python/abstractions in case they differ for different combinations of python/ubuntu.
* Create multiple sudoers files and load the right one based on the python version.
* Update the publish workflow to publish images for both python versions.

See individual commit messages for more details.