From 9a11838c6eab98a707eeed89d9b394a1771cf1da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mois=C3=A9s=20Gonz=C3=A1lez?= <moises.gonzalez@edunext.co>
Date: Thu, 19 Dec 2024 14:24:52 -0400
Subject: [PATCH] feat: use an "init service" to load the apparmor profile

This follows the same logic as the "permissions" service used by tutor
core. The `codejail-apparmor-loader` service runs the command used
previously by the init job.

It makes more sense to handling loading of the apparmor profile with an
init service:

- The profile is ephemeral, rebooting the host will require to load it
  again.
- The profile is a dependency for the container to start. Things like
  database migrations, which are the main use case for init jobs, don't
  block the start of the main service container.
---
 tutorcodejail/patches/k8s-jobs                | 21 -------------------
 .../local-docker-compose-jobs-services        |  9 --------
 .../patches/local-docker-compose-services     | 15 +++++++++++++
 tutorcodejail/plugin.py                       | 20 ------------------
 .../templates/codejail/tasks/.gitignore       |  0
 .../codejail/tasks/codejail-apparmor/init     |  5 -----
 6 files changed, 15 insertions(+), 55 deletions(-)
 delete mode 100644 tutorcodejail/patches/k8s-jobs
 delete mode 100644 tutorcodejail/patches/local-docker-compose-jobs-services
 delete mode 100644 tutorcodejail/templates/codejail/tasks/.gitignore
 delete mode 100644 tutorcodejail/templates/codejail/tasks/codejail-apparmor/init

diff --git a/tutorcodejail/patches/k8s-jobs b/tutorcodejail/patches/k8s-jobs
deleted file mode 100644
index c82261b..0000000
--- a/tutorcodejail/patches/k8s-jobs
+++ /dev/null
@@ -1,21 +0,0 @@
----
-# Dummy job that doesn't actually load the profile.
-# To enforce apparmor we need to load the profile
-# on each node, for that reason we use a DaemonSet
-# defined in the k8s-deployments patch.
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: codejail-apparmor-job
-  labels:
-    app.kubernetes.io/component: job
-spec:
-  template:
-    spec:
-      restartPolicy: Never
-      containers:
-      - name: codejail-apparmor-loader
-        image: busybox:1.28
-        env:
-          - name: SKIP_INIT
-            value: "True"
diff --git a/tutorcodejail/patches/local-docker-compose-jobs-services b/tutorcodejail/patches/local-docker-compose-jobs-services
deleted file mode 100644
index db84a33..0000000
--- a/tutorcodejail/patches/local-docker-compose-jobs-services
+++ /dev/null
@@ -1,9 +0,0 @@
-codejail-apparmor-job:
-  image: {{ CODEJAIL_APPARMOR_DOCKER_IMAGE }}
-  privileged: true
-  environment:
-    SKIP_INIT: "{{ CODEJAIL_SKIP_INIT }}"
-  volumes:
-    - ../plugins/codejail/apps/profiles/docker-edx-sandbox:/profiles/docker-edx-sandbox:ro
-    - /sys:/sys
-    - /etc/apparmor.d:/etc/apparmor.d
diff --git a/tutorcodejail/patches/local-docker-compose-services b/tutorcodejail/patches/local-docker-compose-services
index 1ef2446..dccd85b 100644
--- a/tutorcodejail/patches/local-docker-compose-services
+++ b/tutorcodejail/patches/local-docker-compose-services
@@ -11,3 +11,18 @@ codejailservice:
     - ../plugins/codejail/apps/config/tutor.py:/openedx/codejailservice/codejailservice/tutor.py:ro
     - ../../data/codejail:/openedx/data
   restart: unless-stopped
+  depends_on:
+    - codejail-apparmor-loader
+
+codejail-apparmor-loader:
+  image: {{ CODEJAIL_APPARMOR_DOCKER_IMAGE }}
+  privileged: true
+  command:
+    - /usr/bin/loader
+    - -logtostderr
+    - -v=2
+    - /profiles
+  volumes:
+    - ../plugins/codejail/apps/profiles/docker-edx-sandbox:/profiles/docker-edx-sandbox:ro
+    - /sys:/sys
+    - /etc/apparmor.d:/etc/apparmor.d
diff --git a/tutorcodejail/plugin.py b/tutorcodejail/plugin.py
index 5865781..fc7ed55 100644
--- a/tutorcodejail/plugin.py
+++ b/tutorcodejail/plugin.py
@@ -68,26 +68,6 @@ def get_apparmor_abi():
     ]
 )
 
-# To add a custom initialization task, create a bash script template under:
-# tutorcodejail/templates/codejail/tasks/
-# and then add it to the MY_INIT_TASKS list. Each task is in the format:
-# ("<service>", ("<path>", "<to>", "<script>", "<template>"))
-MY_INIT_TASKS: list[tuple[str, tuple[str, ...], int]] = [
-    ("codejail-apparmor", ("codejail", "tasks", "codejail-apparmor", "init"), hooks.priorities.HIGH),
-]
-
-
-# For each task added to MY_INIT_TASKS, we load the task template
-# and add it to the CLI_DO_INIT_TASKS filter, which tells Tutor to
-# run it as part of the `init` job.
-for service, template_path, priority in MY_INIT_TASKS:
-    full_path: str = str(
-        importlib_resources.files("tutorcodejail") / os.path.join("templates", *template_path)
-    )
-    with open(full_path, encoding="utf-8") as init_task_file:
-        init_task: str = init_task_file.read()
-    hooks.Filters.CLI_DO_INIT_TASKS.add_item((service, init_task), priority=priority)
-
 
 hooks.Filters.IMAGES_BUILD.add_item((
     "codejail",
diff --git a/tutorcodejail/templates/codejail/tasks/.gitignore b/tutorcodejail/templates/codejail/tasks/.gitignore
deleted file mode 100644
index e69de29..0000000
diff --git a/tutorcodejail/templates/codejail/tasks/codejail-apparmor/init b/tutorcodejail/templates/codejail/tasks/codejail-apparmor/init
deleted file mode 100644
index abf135a..0000000
--- a/tutorcodejail/templates/codejail/tasks/codejail-apparmor/init
+++ /dev/null
@@ -1,5 +0,0 @@
-if [  "$SKIP_INIT" == "True" ]; then
-    echo "Skipped AppArmor initialization"
-else
-    /usr/bin/loader -logtostderr -v=2 /profiles
-fi