Create codejail functionality and security test script

[robrap]

Acceptance Criteria:

• Create a script that performs automated testing
• Create Codejail service test procedure
  • Includes running the automated script
  • Includes manual testing of infrastructure (ability to connect to other infra from codejail service; ability to reach codejail service from internet)
• Validated against devstack: Secure codejail code-exec #927 (work in parallel)

Notes:

• Cover functional testing
• Cover security testing
• Should be useful across all environments (e.g. devstack to Prod), but could have details specific to certain environments (e.g. checking that containers in Prod do not have access to any LMS DB, cache, etc.).
• Is there anything useful to take from https://2u-internal.atlassian.net/wiki/spaces/AT/pages/16385128/Code-jail+Upgrade+and+Testing?
• See codejail repo README for some instructions.
• See edxapp pipeline for a smoke test of codejail.

Things to test

Just building up some local notes.

Should succeed

• Basics
  • Define a function, call it
  • Read globals that were passed in
  • Return data via globals
• Disk:
  • Working directory read and write (allow this one)
  • Attached files
• Import modules
  • numpy or anything else that's in the standard codejail package list

Should fail

• Network:
  • Public internet
  • Other servers in deployment (may be difficult to configure this in a meaningful way)
  • Localhost
  • TCP (HTTP call to 1.1.1.1), UDP (DNS resolution of example.com)
• Disk:
  • Read, write, and list:
    • Parent directory, which contains other people's codejail
    • /etc/passwd (as stand-in for more sensitive files)
    • /proc/1/cmdline (as a stand-in for more sensitive process values)
• Long-running task
• Processes
  • Child process
  • Fork
• Memory
  • Allocate huge objects

Other

• Abuse of python_path
• Read environment variables
• Confirm Python version
• /proc/*/mounts