29 Jul 17:02

885c68d

V2.4 release

VPL-JAIL-SYSTEM 2.4

The VPL-Jail-System serves an execution sandbox for the VPL Moodle plugin. This sandbox provides interactive execution, textual by xterm and graphical by VNC, and non-iterative execution for code evaluation purpose.

For more details about VPL, visit the VPL home page or
the VPL plugin page at Moodle.

Requirements

The VPL-Jail-System is an open software execution system and requires a specific environment.

Software requirements

The VPL-Jail-System 2.4 requires a Linux O.S with YUM or APT as package manager and systemd or system V as service manager. The system has been tested on Debian, Ubuntu and CentOS.

O.S.	Version	Arch.	Results
Ubuntu	18.04	32b/64b	Compatible
Ubuntu	16.04	32b/64b	Compatible
Debian	9	32b/64b	Compatible
Debian	10	32b/64b	Compatible
CentOS	7	64b	GUI programs not available. Requires to disable or configure SELinux
CentOS	6		Not functional

Hardware requirements

The system has been developed to offers immediate and interactive execution of student's programs. This means that the system can attend multiple-executions simultaneously.

The hardware required to accomplish this task depends on the number of simultaneous executions at a time, the requisites of the program, and the programming language used. For example, a PHP Web program may require a huge amount of RAM, especially for the Web Browser execution, but a Python program may need one hundred times less of RAM.

Our experience is that a machine with only 2Gb of RAM and 2 cores can support a class with 50 students online using Java (Non-GUI). If you are conducting an exam the hardware required may be tripled. Possibly the critical resource may be the RAM. If the system exhausts the RAM the O.S. will start swapping and the throughput will decrease drastically. Our tests indicate that the 32-bit O.S. uses less memory and CPU than the 64-bit version. Remember that you can add (or remove) VPL-Jail-systems to a VPL installation online.

Installation

Selecting the hardware

The recommended option is using a dedicated machine. If you can not use a dedicated machine try using a Virtual Machine e.g. using VirtualBox. This will aisle and limit the resources used by the service.
If you decide to use other services in the same machine that the use of resources by VPL-Jail-System may decrease the performance of the others service. Although no security breach has been reported, notice that the nature of the service (execute external code) leads to an intrinsic threat.

Preparing the system

Install a Linux O.S. as clean as possible. If you have enough resources you can install a GUI interface. Stop any service that you don't need as web server, ssh server, etc. If the O.S. has a firewall, you must configure it (or stop it) to give access to the only two ports needed by the VPL-Jail-System. If you use automatic updates, you must restart the VPL-Jail-System to take into account the update. You can use cron to automate this process.

Getting VPL-Jail-System

VPL-Jail-System is distributed only as source files. You must get the source package from https://vp.dis.ulpgc.es eg. using

wget https://vpl.dis.ulpgc.es/releases/vpl-jail-system-[version].tar.gz

or from the github repository, generating the package with

make distcheck

Running the installer

After getting the package you must decompress it and run the installer.

tar xvf vpl-jail-system-[version].tar.gz
cd vpl-jail-system-[version]
./install-vpl-sh

The "./install-vpl-sh" must be run as root.

Follow the instructions and wait for the necessary downloads. The installation script will try to install the development software commonly used.

The installer will ask you about:

If you want that the installer creates a self-signed SSL certificate.
(updating) If you want to replace the configuration file with a fresh one.
If you want to install different compilers and interpreters.

Updating VPL-Jail-System

If you want to update VPL-Jail-System follow the same steps that the first installation. The installer will update the current version.

Removing VPL-Jail-System

Run uninstall-sh of the current version.

Configuration

After installing the VPL-Jail-Service, the service will be started with a default configuration. If you want to change the configuration you must edit the file /etc/vpl/vpl-jail-system.conf.

After configuration changes, you must restart (as user root) the service to use the new configuration values.
Using systemd

systemctl restart vpl-jail-system

or using system V

service vpl-jail-system restart

Main configuration parameters

PORT. Socket port number to listen for http and ws connections. The default value is 80
SECURE_PORT. Socket port number to listen for https and wss connections. Default value 443
URLPATH. Act as a password, if no matches with the path of the URL request then it's rejected. The default value is "/".
LOGLEVEL. This value goes from 0 to 8. Use 0 for minimum log and 8 for the maximum log. Level 8 doesn't remove the prisoners' home directory. IMPORTANT: Do not use high loglevel in production servers, you may get low performance. The default value is 3.

Checking

You can check the availability of your execution server using the URL

http://server:PORT/OK and https://server:SECURE_PORT/OK

where "server" is the name of your execution server. The system must return a page with OK

Troubleshooting

You can obtain a detailed log of the execution process by changing the log level at the configuration file. Commonly The logs will be written to "/var/log/syslog".

Adding the VPL-Jail-System to VPL

The URL of the service in the general module configuration or in the local execution server settings of your Moodle server is

http://server:PORT/URLPATH or https://server:SECURE_PORT/URLPATH

:PORT and :SECURE_PORT can be omitted if using the standard ports.

Changes from the 2.3 to 2.4 version

The installer and service control script has been update to support systemd service manager. Versions before 2.4 use only system V service manager. The change allows to install vpl-jail-system on Linux distributions that use YUM or APT and systemd or system V. Other fixes and changes are:

The default log level has been increased to 3.
The size of the SSL key created when installing has been increase to 2048. New versions of OpenSSL lib require this size.
Improves the cleaning of finished tasks

Changes from the 2.2 to 2.3 version

The main new of the 2.3 version is the change of file system used to replicate root directory on jail. This version includes some minor fixes and is compatible and interchangeable with the previous one.

The replication of the root file system is done with overlayfs, allowing to adapt the replica to the needs of the VPL-Jail-System easily and safe. To accelerate the execution and limit the file system changes, the users' home directory has been mounted as a tmpfs. Also the possibility of mounting the replica allowing SETUID has been added.

The use of the tmpfs removes the need of the "vncaccel.sh" script.

The new parameters to control these new features are:

USETMPFS. This switch allows the use of tmpfs for "/home" and the "/dev/shm" directories. Changing this switch to "false" can degrade the performance of the jail system. To deactivate this option use USETMPFS=false. The default value is USETMPFS=true.
HOMESIZE. This option set the size of the "/home" directory. The default value is 30% of the system memory. This option is applicable if using tmpfs file system for the "/home" directory.
SHMSIZE. This option set the size of the "/dev/shm" directory. The default value is 30% of the system memory. This option is applicable if using tmpfs file system for the "/dev/shm" directory.
ALLOWSUID. This switch allows the execution of programs with a suid bit inside the jail. This may be a security threat, use at your own risk. To activate this option, set ALLOWSUID=true.

Assets 2

10 Jun 16:37

jcrodriguez-dis

v2.3

9df6c90

VPL-Jail-System 2.3

VPL-JAIL-SYSTEM 2.3

The VPL-Jail-System serves an execution sandbox for the VPL Moodle plugin. This sandbox provides interactive execution, textual by xterm and graphical by VNC, and non iterative execution for code evaluation purpose.

For more details about VPL, visit the VPL home page or
the VPL plugin page at Moodle.

Requirements

The of VPL-Jail-System is an open software execution system and require a specific environment.

Software requirements

The VPL-Jail-System 2.3 requires a Linux O.S. and has been tested on Debian, Ubuntu and CentOS.

O.S.	Version	Results
Ubuntu	18.04 64b	Compatible
Ubuntu	16.04 32b/64b	Compatible
Debian	9 32b/64b	Compatible
CentOS	7 64b	GUI programs not available

But you may need to modify the installation script or do the installation by hand.

Hardware requirements

The system has been developed to offers immediate and interactive execution of student's programs. This means that the system can attend multiple-executions simultaneously.

The hardware required to accomplish this task depend on: the number of simultaneous executions at a time, the requisites of the program, and the programming language used. For example: a PHP Web program may requiere a huge amount of RAM, especially for the Web Browser execution, but a Python program may need ten times less of RAM.

Our experience is that a machine with only 2Gb of RAM and 2 cores can support a class with 50 students online using Java (Non GUI). If you are conducting a exam the hardware required may be tripled. Possibly the critical resource may be the RAM. If the system exhausts the RAM the O.S. will start doing swap and the throughput will decreases drastically. Our tests indicate that the 32-bit O.S. uses less memory and CPU than the 64-bit version. Remember that you can add (or remove) VPL-Jail-systems to a VPL online.

Installation

Selecting the hardware

The recommended option is using a dedicated machine. If you can not use a dedicated machine try using a Virtual Machine e.g. using VIrtualBox. This will aisle and limit the resources used by the service.
If you decide to use other services in the same machine that the use of resources by VPL-Jail-System may dicrease the performance of the others service. Although no security breach has been reported, notice that the nature of the service (execute external code) leads to an intrinsic threat.

Preparing the system

Install a Linux O.S. as clean as possible. If you have enough resources you can install a GUI interface. Stop any service taht you don't need as a web server, ssh server, etc. If the O.S. has a firewall, you must configure it (or stop it) to give access to the only two ports needed by the VPL-Jail-System. If you use automatic updates the you must restart the VPL-Jail-System to take into account the update. You can use cron to automate this process.

Getting VPL-Jail-System

VPL-Jail-System is distributed only as source files. You must get the source package from https://vp.dis.ulpgc.es eg. using

wget https://vpl.dis.ulpgc.es/releases/vpl-jail-system-[version].tar.gz

or from the github repository, generating the package with

make distcheck

Running the installer

After getting the package you must decompress it and run the installer.

tar xvf vpl-jail-system-[version].tar.gz
cd vpl-jail-system-[version]
./install-vpl-sh

The "./install-vpl-sh" must be run as root.

Follow the instructions and wait for the necessary downloads. The installation script will try to install the development software commonly used, but you may need to install some other by hand.

The installer will ask you about:

If you want that the installer create a self-signed SSL certificate
(updating) If you want to replace the configuration file with a fresh one
If you want to install different compilers and interpreters.

Updating VPL-Jail-System

If you want to update VPL-Jail-System follow the same steps that the first installation. The installer will update the current version.

Removing VPL-Jail-System

Run uninstall-sh of the current version.

Configuration

After installing the VPL-Jail-Service, the service will be started with a default configuration. If you want to change the configuration you must edit the file /etc/vpl/vpl-jail-system.conf.

After configuration changes you must restart (as user root) the service to use the new configuration values.

service vpl-jail-system restart

Main configuration parameters

PORT. Socket port number to listen for http and ws connections . Default value 80
SECURE_PORT. Socket port number to listen for https and wss connections . Default value 443
URLPATH. Act as a password, if no matches with the path of the URL request then it's rejected. default value "/"
LOGLEVEL. This value goes from 0 to 8. Use 0 for minimum log and 8 for maximum log. Level 8 does't removes the prisoners' home directory. IMPORTANT: Do not uses high loglevel in production servers, you may get low performance. Default level 0

Checking

You can check the availability of your execution server using the URL

http://server:PORT/OK and https://server:SECURE_PORT/OK

where server is the name of your execution server

The system must return a page with OK

Troubleshooting

You can obtain a detailed log of the execution process by changing the log level at the configuration file. Commonly The logs will be written to "/var/log/syslog".

Adding the VPL-Jail-System to VPL

The URL of the service in the general module configuration or in the local execution server settings of your Moodle server is

http://server:PORT/URLPATH or https://server:SECURE_PORT/URLPATH

:PORT and :SECURE_PORT can be omitted if using the standard ports.

Changes from the 2.2 to 2.3 version

The main new of the 2.3 version is the change of file system used to replicate root directory on jail. This version include some minor fixes and is compatible and interchangeable with the previous one.

The use of the tmpfs removes the need of the vncaccel.sh script.

The new parameters to control this new features are:

USETMPFS. This switch allow the use of tmpfs for "/home" and the "/dev/shm" directories. Changing this switch to "false" can degrade the performance of the jail system. To deactivate this option use USETMPFS=false. The default value is USETMPFS=true
HOMESIZE. This option set the size of the "/home" directory the default value is 30% of the system memory. This option is applicable if using tmpfs file system for the "/home" directory.
SHMSIZE. This option set the size of the "/dev/shm" directory the default value is 30% of the system memory. This option is applicable if using tmpfs file system for the "/dev/shm" directory .
ALLOWSUID. This switch allow the execution of programs with a suid bit inside the jail. This may be a security threat, use at your own risk. To activate this option, set ALLOWSUID=true.

Assets 2

22 Aug 10:55

jcrodriguez-dis

v2.2.2

2bd9f03

VPL Execution Server 2.2.2

This Execution Server is the companion of VPL for Moodle, the plugin of Moodle that handle computer programming activities.

The new version 2.2.2 came with new features and improve or fix others. The main changes are:

Fixes bug in daemon compilation shown in debian 9.
Fixes problem with empty host name creating SSL certificate in installation
Adds pre_start and post_stop hack points in start stop daemon script
Changes log level setting from command line to the configuration file /etc/vpl/vpl-jail-system.conf.
The new configuration parameter is LOGLEVEL, value goes from 0 to 8.
Value 8 don't remove user home dir allowing the use of vncaccel.sh
Adds acceleration to the start-up of GUI programs in VNC server
Before executing GUI programs in a VNC server the directory /etc/vncaccel is copied to the user's home directory. The directory /etc/vncaccel must content the result of a previous program execution, including fonts, cached files and configuration files. This avoid the slow process of first program start. To populate the /etc/vncaccel directory you can:
- Set the server to LOGLEVEL 8 and restart the service
- In VPL, run a GUI program or debug the file "a.all"
- Run the script vncaccel.sh in the server given the real full path to the user's home directory last used.
- Set the server to LOGLEVEL 0 and restart the service
  The previous process must be replay if you update the used programs. e.g. Java, Firefox, etc.

This version has been tested on Ubuntu 16.04, Ubuntu 17.04, Debian 9.1 and Centos 7.

Known issues

The last versions of Firefox used on Ubuntu has problems running in some VNC server. The workaround is to keep using the version 52 or lower, or use other Linux distribution.
In CentOS, if the ENVPATH is not set in the cnfiguration file, the execution fails.

Assets 2

Releases: jcrodriguez-dis/vpl-jail-system

V2.4 release

VPL-JAIL-SYSTEM 2.4

Requirements

Software requirements

Hardware requirements

Installation

Selecting the hardware

Preparing the system

Getting VPL-Jail-System

Running the installer

Updating VPL-Jail-System

Removing VPL-Jail-System

Configuration

Main configuration parameters

Checking

Troubleshooting

Adding the VPL-Jail-System to VPL

Changes from the 2.3 to 2.4 version

Changes from the 2.2 to 2.3 version

VPL-Jail-System 2.3

VPL-JAIL-SYSTEM 2.3

Requirements

Software requirements

Hardware requirements

Installation

Selecting the hardware

Preparing the system

Getting VPL-Jail-System

Running the installer

Updating VPL-Jail-System

Removing VPL-Jail-System

Configuration

Main configuration parameters

Checking

Troubleshooting

Adding the VPL-Jail-System to VPL

Changes from the 2.2 to 2.3 version

VPL Execution Server 2.2.2

This Execution Server is the companion of VPL for Moodle, the plugin of Moodle that handle computer programming activities.

This version has been tested on Ubuntu 16.04, Ubuntu 17.04, Debian 9.1 and Centos 7.

Known issues