Create codejail test procedure #896

Open
1 task
robrap opened this issue Jan 13, 2025 · 0 comments

robrap commented Jan 13, 2025

Acceptance Criteria:

  • Create draft of the Codejail service test procedure

Notes:

  • Cover functional testing
  • Cover security testing
  • Should be useful across all environments (e.g. devstack to Prod), but could have details specific to certain environments (e.g. checking that containers in Prod do not have access to any LMS DB, cache, etc.).
  • Is there anything useful to take from https://2u-internal.atlassian.net/wiki/spaces/AT/pages/16385128/Code-jail+Upgrade+and+Testing?
  • See codejail repo README for some instructions.
  • See edxapp pipeline for a smoke test of codejail.

Things to test

Just building up some local notes.

Should succeed

  • Basics
    • Define a function, call it
    • Read globals that were passed in
    • Return data via globals
  • Disk:
    • Working directory read and write (allow this one)
    • Attached files
  • Import modules
    • numpy or anything else that's in the standard codejail package list

Should fail

  • Network:
    • Public internet
    • Other servers in deployment (may be difficult to configure this in a meaningful way)
    • Localhost
    • TCP (HTTP call to 1.1.1.1), UDP (DNS resolution of example.com)
  • Disk:
    • Read, write, and list:
      • Parent directory, which contains other people's codejail
      • /etc/passwd (as stand-in for more sensitive files)
      • /proc/1/cmdline (as a stand-in for more sensitive process values)
  • Long-running task
  • Processes
    • Child process
    • Fork
  • Memory
    • Allocate huge objects

Other

  • Abuse of python_path
  • Read environment variables
  • Confirm Python version
  • /proc/*/mounts

robrap added this to Arch-BOM Jan 13, 2025
robrap converted this from a draft issue Jan 13, 2025
robrap removed the status in Arch-BOM Jan 29, 2025
robrap moved this to Ready For Development in Arch-BOM Jan 30, 2025
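
As an added example (not part of the issue and not the codejail project's own code), the "Should succeed" and "Should fail" lists above can be written as one expectation matrix run through a single adapter, so that a sandbox that blocks everything is flagged just like one that blocks nothing. `run`, `CASES`, `DENY` and `check` are hypothetical names; `run(code, globals_dict)` is assumed to write results into `globals_dict` and raise on any sandbox failure, the shape of codejail's `safe_exec`.

```python
# Added example. `run(code, globals_dict)` is a hypothetical adapter: it must
# execute `code` in the sandbox, write results back into globals_dict, and raise
# on any sandbox failure (assumed to match the shape of codejail's safe_exec).
DENY = object()  # marker: the sandbox must refuse this snippet

# (name, code, globals passed in, expected value of `out` or DENY)
CASES = [
    ("function + globals", "def f(x):\n    return x + 1\nout = f(inp)", {"inp": 41}, 42),
    ("cwd read/write", "open('t.txt', 'w').write('hi')\nout = open('t.txt').read()", {}, "hi"),
    ("import numpy", "import numpy\nout = int(numpy.arange(4).sum())", {}, 6),
    ("TCP to 1.1.1.1", "import socket\nsocket.create_connection(('1.1.1.1', 80), 5)", {}, DENY),
    ("DNS example.com", "import socket\nout = socket.gethostbyname('example.com')", {}, DENY),
    ("list parent dir", "import os\nout = os.listdir('..')", {}, DENY),
    ("read /etc/passwd", "out = open('/etc/passwd').read()", {}, DENY),
    ("read /proc/1/cmdline", "out = open('/proc/1/cmdline').read()", {}, DENY),
    ("child process", "import subprocess\nsubprocess.check_call(['true'])", {}, DENY),
    ("fork", "import os\nif os.fork() == 0:\n    os._exit(0)", {}, DENY),
    ("long-running task", "import time\ntime.sleep(300)", {}, DENY),
    ("huge allocation", "out = len(bytearray(8 * 1024 ** 3))", {}, DENY),
]


def check(run, cases=CASES):
    """Run every case through `run`; return a list of (name, problem) mismatches."""
    problems = []
    for name, code, given, expected in cases:
        g = dict(given)  # fresh copy so cases cannot affect each other
        try:
            run(code, g)
            error = None
        except Exception as exc:  # any failure reported by the adapter
            error = exc
        if expected is DENY:
            if error is None:
                problems.append((name, "ALLOWED but should be blocked"))
        elif error is not None:
            problems.append((name, f"FAILED but should succeed: {error}"))
        elif g.get("out") != expected:
            problems.append((name, f"wrong result: {g.get('out')!r}"))
    return problems
```

An empty list from `check` means every expectation held in that environment; the snippets are only ever executed by whatever `run` wraps.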