From 1dce6c59ab0ab0df3a5b3df42c421fd64ed19a53 Mon Sep 17 00:00:00 2001
From: Sebastian Serth <Sebastian.Serth@hpi.de>
Date: Mon, 8 Nov 2021 22:28:59 +0100
Subject: [PATCH] Add note about default ACL for Docker mount dir

---
 README.md                                              | 4 +++-
 config/docker.yml.erb.ci                               | 5 ++++-
 config/docker.yml.erb.example                          | 5 ++++-
 docs/provision_server.sh                               | 8 ++++----
 lib/runner/strategy/docker_container_pool.rb           | 4 ++--
 provision/provision.vagrant.sh                         | 6 +++++-
 spec/lib/runner/strategy/docker_container_pool_spec.rb | 4 ++--
 7 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index a6f09d2f..e6bda9f4 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,9 @@ Please refer to the [Local Setup Guide](docs/LOCAL_SETUP.md) for more details.
 
 Exemplary configuration files are available in the *config* directory.
 
-In order to execute code submissions using Docker, source code files are written to the file system and are provided to a dedicated Docker container. These files are temporarily written to *Rails.root/tmp/files/*. Please make sure that *workspace_root* in *config/docker.yml.erb* corresponds to that directory or to a linked directory if using a remote Docker server.
+In order to execute code submissions using the [DockerContainerPool](https://github.com/openHPI/dockercontainerpool), source code files are written to the file system and are provided to a dedicated Docker container. These files are temporarily written to *Rails.root/tmp/files/*. Please make sure that *workspace_root* in *config/docker.yml.erb*
+- corresponds to that directory or to a linked directory if using a remote Docker server.
+- is always writeable by the user executing the web server (in this case the `codeocean` user): `setfacl -Rdm user:codeocean:rwx /var/www/app/current/tmp/files`.
 
 ### Optional Steps
 
diff --git a/config/docker.yml.erb.ci b/config/docker.yml.erb.ci
index aaeceb14..4ea13165 100644
--- a/config/docker.yml.erb.ci
+++ b/config/docker.yml.erb.ci
@@ -9,6 +9,7 @@ development:
   <<: *default
   host: tcp://127.0.0.1:2376
   ws_host: ws://127.0.0.1:2376 #url to connect rails server to docker host
+  # Be sure to change the default ACL when modifying the workspace_root: `setfacl -Rdm user:<username>:rwx <workspace_root>`
   workspace_root: <%= Rails.root.join('tmp', 'files', Rails.env) %>
   pool:
     active: true
@@ -17,7 +18,6 @@ development:
       batch_size: 8
       interval: 15
       timeout: 60
-  #workspace_root: <%= File.join('/', 'shared', Rails.env) %>
 
 production:
   <<: *default
@@ -29,6 +29,7 @@ production:
       batch_size: 8
       interval: 15
       timeout: 60
+  # Be sure to change the default ACL when modifying the workspace_root: `setfacl -Rdm user:<username>:rwx <workspace_root>`
   workspace_root: <%= Rails.root.join('tmp', 'files', Rails.env) %>
   ws_host: ws://localhost:4243 #url to connect rails server to docker host
 
@@ -42,10 +43,12 @@ staging:
       batch_size: 8
       interval: 15
       timeout: 60
+  # Be sure to change the default ACL when modifying the workspace_root: `setfacl -Rdm user:<username>:rwx <workspace_root>`
   workspace_root: <%= Rails.root.join('tmp', 'files', Rails.env) %>
   ws_host: ws://localhost:4243 #url to connect rails server to docker host
 
 test:
   <<: *default
   host: tcp://127.0.0.1:2376
+  # Be sure to change the default ACL when modifying the workspace_root: `setfacl -Rdm user:<username>:rwx <workspace_root>`
   workspace_root: <%= Rails.root.join('tmp', 'files', Rails.env) %>
diff --git a/config/docker.yml.erb.example b/config/docker.yml.erb.example
index aaeceb14..4ea13165 100644
--- a/config/docker.yml.erb.example
+++ b/config/docker.yml.erb.example
@@ -9,6 +9,7 @@ development:
   <<: *default
   host: tcp://127.0.0.1:2376
   ws_host: ws://127.0.0.1:2376 #url to connect rails server to docker host
+  # Be sure to change the default ACL when modifying the workspace_root: `setfacl -Rdm user:<username>:rwx <workspace_root>`
   workspace_root: <%= Rails.root.join('tmp', 'files', Rails.env) %>
   pool:
     active: true
@@ -17,7 +18,6 @@ development:
       batch_size: 8
       interval: 15
       timeout: 60
-  #workspace_root: <%= File.join('/', 'shared', Rails.env) %>
 
 production:
   <<: *default
@@ -29,6 +29,7 @@ production:
       batch_size: 8
       interval: 15
       timeout: 60
+  # Be sure to change the default ACL when modifying the workspace_root: `setfacl -Rdm user:<username>:rwx <workspace_root>`
   workspace_root: <%= Rails.root.join('tmp', 'files', Rails.env) %>
   ws_host: ws://localhost:4243 #url to connect rails server to docker host
 
@@ -42,10 +43,12 @@ staging:
       batch_size: 8
       interval: 15
       timeout: 60
+  # Be sure to change the default ACL when modifying the workspace_root: `setfacl -Rdm user:<username>:rwx <workspace_root>`
   workspace_root: <%= Rails.root.join('tmp', 'files', Rails.env) %>
   ws_host: ws://localhost:4243 #url to connect rails server to docker host
 
 test:
   <<: *default
   host: tcp://127.0.0.1:2376
+  # Be sure to change the default ACL when modifying the workspace_root: `setfacl -Rdm user:<username>:rwx <workspace_root>`
   workspace_root: <%= Rails.root.join('tmp', 'files', Rails.env) %>
diff --git a/docs/provision_server.sh b/docs/provision_server.sh
index 69df28d2..55acce53 100644
--- a/docs/provision_server.sh
+++ b/docs/provision_server.sh
@@ -41,7 +41,7 @@ curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
 # Install packages
 apt-get -qq update
 apt-get -qq -y install postgresql-client postgresql-$postgres_version postgresql-server-dev-$postgres_version postgresql-$postgres_version-cron
-apt-get -qq -y install yarn nodejs nginx libpq-dev certbot
+apt-get -qq -y install yarn nodejs nginx libpq-dev certbot acl
 
 # RVM
 gpg --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
@@ -244,9 +244,9 @@ chmod -R 775 /var/www
 certbot certonly --webroot -w /var/www/acme-challenges/ --email email@example.org --rsa-key-size 4096 --agree-tos -d codeocean.openhpi.de
 systemctl daemon-reload
 
-# Deploy via Capistrano (both, CodeOcean and DockerContainerPool) and symlink Docker files, depending on the environment:
-# ln -s /var/www/app/current/tmp/files/staging /var/www/dockercontainerpool/current/tmp/files/staging
-# ln -s /var/www/app/current/tmp/files/production /var/www/dockercontainerpool/current/tmp/files/production
+# Deploy via Capistrano (both, CodeOcean and DockerContainerPool)
+# Ensure that the `codeocean` user always has access to the files (especially when Docker remap is active):
+# cd /var/www/app/current/tmp/files && setfacl -Rdm user:codeocean:rwx . && setfacl -Rm user:codeocean:rwx . && cd -
 
 # Find more files in codeocean-deploy/config/backup
 
diff --git a/lib/runner/strategy/docker_container_pool.rb b/lib/runner/strategy/docker_container_pool.rb
index 491fa701..f8c587f5 100644
--- a/lib/runner/strategy/docker_container_pool.rb
+++ b/lib/runner/strategy/docker_container_pool.rb
@@ -179,10 +179,10 @@ class Runner::Strategy::DockerContainerPool < Runner::Strategy
   end
 
   def clean_workspace
-    FileUtils.rm_r(local_workspace_path.children, secure: true)
+    FileUtils.rm_r(local_workspace_path.children, force: true)
   rescue Errno::ENOENT => e
     raise Runner::Error::WorkspaceError.new("The workspace directory does not exist and cannot be deleted: #{e.inspect}")
-  rescue Errno::EACCES => e
+  rescue Errno::EACCES, Errno::EPERM => e
     raise Runner::Error::WorkspaceError.new("Not allowed to clean workspace #{local_workspace_path}: #{e.inspect}")
   end
 
diff --git a/provision/provision.vagrant.sh b/provision/provision.vagrant.sh
index ea125385..031f7460 100644
--- a/provision/provision.vagrant.sh
+++ b/provision/provision.vagrant.sh
@@ -18,7 +18,7 @@ echo all | sudo tee /etc/gcrypt/hwf.deny
 
 # Prerequisites
 sudo apt -qq update
-sudo apt -qq -y install apt-transport-https ca-certificates curl gnupg-agent software-properties-common firefox firefox-geckodriver libpq-dev libicu-dev
+sudo apt -qq -y install apt-transport-https ca-certificates curl gnupg-agent software-properties-common firefox firefox-geckodriver libpq-dev libicu-dev acl
 sudo apt -qq -y upgrade
 
 # PostgreSQL
@@ -114,5 +114,9 @@ rake db:seed
 # Always set language to English
 sudo locale-gen en_US en_US.UTF-8
 
+# Set ACL to ensure access to files created by Docker
+mkdir -p tmp/files
+setfacl -Rdm user:codeocean:rwx tmp/files
+
 #### DOCKERCONTAINERPOOL INSTALL ####
 ../dockercontainerpool/provision.sh
diff --git a/spec/lib/runner/strategy/docker_container_pool_spec.rb b/spec/lib/runner/strategy/docker_container_pool_spec.rb
index 2c4b4719..6cec57dd 100644
--- a/spec/lib/runner/strategy/docker_container_pool_spec.rb
+++ b/spec/lib/runner/strategy/docker_container_pool_spec.rb
@@ -219,7 +219,7 @@ describe Runner::Strategy::DockerContainerPool do
     it 'removes all children of the workspace recursively' do
       children = %w[test.py exercise.rb subfolder].map {|child| Pathname.new(child) }
       allow(local_workspace).to receive(:children).and_return(children)
-      expect(FileUtils).to receive(:rm_r).with(children, secure: true)
+      expect(FileUtils).to receive(:rm_r).with(children, force: true)
       container_pool.send(:clean_workspace)
     end
 
@@ -230,7 +230,7 @@ describe Runner::Strategy::DockerContainerPool do
 
     it 'raises an error if it lacks permission for deleting an entry' do
       allow(local_workspace).to receive(:children).and_return(['test.py'])
-      allow(FileUtils).to receive(:remove_entry_secure).and_raise(Errno::EACCES)
+      allow(FileUtils).to receive(:remove_entry).and_raise(Errno::EPERM)
       expect { container_pool.send(:clean_workspace) }.to raise_error(Runner::Error::WorkspaceError, /Not allowed/)
     end
   end