Add GitHub Actions workflow to build run-mooc-grader images

Author: ihalaij1

.github/workflows/build.yml

@@ -0,0 +1,94 @@
+name: Build and push Docker image
+
+on:
+  push:
+    tags:
+      - 'v[0-9]*'
+
+jobs:
+  build:
+    name: Build (${{ matrix.platform }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-24.04
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Build and push platform-specific digest (no manifest tag yet)
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: docker/Dockerfile
+          platforms: ${{ matrix.platform }}
+          push: true
+          outputs: type=image,name=apluslms/run-mooc-grader,push-by-digest=true,name-canonical=true
+
+      # Save the digest so the merge job can find it
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: digest-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }}
+          path: /tmp/digests/*
+          retention-days: 1
+
+  merge:
+    name: Merge manifests
+    runs-on: ubuntu-24.04
+    needs: build
+
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digest-*
+          merge-multiple: true
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Determine tags
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: apluslms/run-mooc-grader
+          tags: |
+            type=raw,value=latest
+            type=match,pattern=v(\d+\.\d+)\.\d+$,group=1
+
+      - name: Create and push multi-arch manifest
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create \
+            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'apluslms/run-mooc-grader@sha256:%s ' *)

docker/Dockerfile

@@ -0,0 +1,71 @@
+FROM apluslms/service-base:django-1.19
+
+# Set container related configuration via environment variables
+ENV CONTAINER_TYPE="grader" \
+    GRADER_LOCAL_SETTINGS="/srv/grader-cont-settings.py" \
+    GRADER_SECRET_KEY_FILE="/local/grader/secret_key.py" \
+    GRADER_AJAX_KEY_FILE="/local/grader/ajax_key.py" \
+    grader_NO_DATABASE="true"
+
+ARG TARGETPLATFORM
+
+RUN : \
+ && apt_install \
+      apt-transport-https \
+      jq \
+      # temp
+      gnupg curl \
+      libmagic1 \
+\
+  # install docker-ce
+ && if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then ARCH=amd64 ; elif [ "$TARGETPLATFORM" = "linux/arm64" ] ; then ARCH=arm64 ; else exit 1 ; fi \
+ && curl -LSs https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg >/dev/null 2>&1 \
+ && echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian trixie stable" > /etc/apt/sources.list.d/docker.list \
+ && apt_install docker-ce \
+\
+  # create user
+ && adduser --system --no-create-home --disabled-password --gecos "MOOC-Grader webapp server,,," --home /srv/grader --ingroup nogroup grader \
+ && mkdir /srv/grader && chown grader.nogroup /srv/grader \
+ && git config --global --add safe.directory /srv/grader \
+ && :
+
+COPY docker/rootfs /
+COPY . /srv/grader
+
+RUN cd /srv/grader \
+  # patch and prebuild .pyc files
+ && patch -p1 < /srv/cors.patch \
+ && python3 -m compileall -q . \
+\
+  # install requirements, remove the file, remove unrequired locales and tests
+ && pip_install -r requirements.txt \
+ && rm requirements.txt \
+ && find /usr/local/lib/python* -type d -regex '.*/locale/[a-z_A-Z]+' -not -regex '.*/\(en\|fi\|sv\)' -print0 | xargs -0 rm -rf \
+ && find /usr/local/lib/python* -type d -name 'tests' -print0 | xargs -0 rm -rf \
+\
+ && export \
+    GRADER_SECRET_KEY="-" \
+    GRADER_AJAX_KEY="-" \
+ && python3 manage.py compilemessages 2>&1 \
+\
+  # default course link
+ && mkdir -p /srv/grader/courses/ \
+ && mkdir -p /srv/courses/default \
+ && ln -s -T /srv/courses/default /srv/grader/courses/default \
+ && chown -R grader.nogroup \
+    /srv/courses \
+    /srv/course_store \
+    /srv/grader \
+\
+  # clean
+ && rm -rf $GRADER_SECRET_KEY_FILE $GRADER_AJAX_KEY_FILE \
+ && rm -rf /etc/init.d/ /tmp/* \
+ && apt_purge \
+      gnupg curl \
+ && :
+
+
+VOLUME /srv/courses/default
+WORKDIR /srv/grader/
+EXPOSE 8080
+CMD [ "manage", "runserver", "0.0.0.0:8080" ]

docker/README.md

@@ -0,0 +1,51 @@
+# run-mooc-grader
+
+A Docker container that runs the MOOC-grader for A+ exposed to port 8080.
+
+Note that the MOOC-grader only provides hosting of interactive
+course material. The [A-plus front](https://hub.docker.com/r/apluslms/run-aplus-front/)
+is required to display the user interface and to store records in the database.
+
+See the [A-plus manual course](https://github.com/apluslms/aplus-manual)
+that includes a Docker Compose configuration file to develop and test course content.
+
+## Usage
+
+MOOC-grader is installed in `/srv/grader`.
+You can mount a development version of the MOOC-Grader source code to `/src/grader`.
+The container will then copy it to `/srv/grader` and compile
+the translation file (django.po). If you mount directly to
+`/srv/grader`, you need to manually compile the translation file beforehand,
+but on the other hand, Django can reload the code and restart the server
+without restarting the whole container when you edit the source code files.
+
+Location `/data` is a volume and contains exercise data, database and secret key.
+It is world-writable, thus you can run this container as a normal user.
+
+The course (git) directory should be mounted to `/srv/courses/default`.
+The course directory name `default` is hardcoded in the scripts
+inside the container.
+
+Partial example of `docker-compose.yml` (volumes are optional of course):
+
+```yaml
+services:
+  grader:
+    image: apluslms/run-mooc-grader
+    volumes:
+    # required
+    - /var/run/docker.sock:/var/run/docker.sock
+    - /tmp/aplus:/tmp/aplus
+    # mount a course directory (current dir presumed to be a course repo)
+    - .:/srv/courses/default:ro
+    # named persistent volume (until removed)
+    # - data:/data
+    # development mounts
+    # - /home/user/mooc-grader/:/src/grader/:ro
+    # or...
+    # - /home/user/mooc-grader/:/srv/grader/
+    ports:
+      - "8080:8080"
+volumes:
+  data:
+```

docker/rootfs/etc/cont-finish.d/grader

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+rm -rf /tmp/aplus/*

docker/rootfs/etc/cont-init.d/grader

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+. /usr/local/lib/cont-init-functions.sh
+ENSURE_DIR_MODE=2755
+ENSURE_DIR_USER=grader
+ENSURE_DIR_GROUP=nogroup
+
+ensure_dir /run/grader
+ensure_dir /local/grader
+ensure_dir /local/grader/static
+ensure_dir /local/grader/media
+ensure_dir /local/grader/uploads
+ensure_dir /local/grader/ex-meta
+
+# Ensure group permissions
+sock=/var/run/docker.sock
+gid=$(stat -c '%g' $sock)
+gname=$(getent group "$gid")
+[ "$gname" ] || groupadd -g "$gid" docker_socket
+usermod -G "$gid" grader
+
+# Ensure grader access to /tmp/aplus
+chmod 1777 /tmp/aplus

docker/rootfs/etc/services.d/epmd/down

@@ -0,0 +1,38 @@
+diff --git a/grader/settings.py b/grader/settings.py
+index 9cfc947..eaab224 100644
+--- a/grader/settings.py
++++ b/grader/settings.py
+@@ -55,6 +55,7 @@ INSTALLED_APPS = (
+     # 'django.contrib.contenttypes',
+     # 'django.contrib.sessions',
+     # 'django.contrib.messages',
++    'corsheaders',
+     'staticfileserver', # override for runserver command, thus this needs to be before django contrib one
+     'django.contrib.staticfiles',
+     'access',
+@@ -65,6 +66,7 @@ MIDDLEWARE = [
+     # 'django.middleware.security.SecurityMiddleware',
+     # 'django.contrib.sessions.middleware.SessionMiddleware',
+     # 'django.middleware.csrf.CsrfViewMiddleware',
++    'corsheaders.middleware.CorsMiddleware',
+     'django.middleware.clickjacking.XFrameOptionsMiddleware',
+     # 'django.contrib.auth.middleware.AuthenticationMiddleware',
+     # 'django.middleware.locale.LocaleMiddleware',
+@@ -72,6 +74,8 @@ MIDDLEWARE = [
+     'aplus_auth.auth.django.AuthenticationMiddleware',
+ ]
+
++CORS_ALLOW_ALL_ORIGINS = True
++
+ CACHED_LOADERS = [
+     (
+         'django.template.loaders.filesystem.Loader',
+diff --git a/requirements.txt b/requirements.txt
+index 4243873..5886328 100644
+--- a/requirements.txt
++++ b/requirements.txt
+@@ -6,3 +6,4 @@ docutils ~= 0.17.1
+ python-magic ~= 0.4.27
+ aplus-auth ~= 0.2.2
+ docker ~= 7.1.0
++django-cors-headers ~= 3.13.0

docker/rootfs/etc/services.d/postgresql/down

@@ -0,0 +1,89 @@
+# This module is adapted from mooc-grader/scripts/docker-run.py.
+# This module copies the directories, which should be mounted to
+# the grading container, to the path /tmp/aplus. This is required because
+# Docker does not support bind mounts from a container into another container.
+# The bind mount directory must be located in the host (outside containers).
+# The path /tmp/aplus must be mounted from the host into the run-mooc-grader
+# container (in docker-compose.yml).
+
+import logging
+from typing import Any, Dict, Tuple
+import os
+import os.path
+import shutil
+
+import docker
+docker_client = docker.from_env()
+
+from access.config import ConfigError
+
+
+logger = logging.getLogger("runner.docker")
+
+
+def get_host_path_and_copy(mounts: Dict[str, str], path: str, submission_id: str):
+    path = os.path.realpath(path)
+    for k,v in mounts.items():
+        if path.startswith(k):
+            host_path = path.replace(k, v, 1)
+            # host_path is under /tmp/aplus
+            # submission_id is inserted into the host_path so that the path
+            # does not collide with other submissions in case their grading
+            # is running simultaneously.
+            host_path = os.path.join(v, submission_id, os.path.relpath(host_path, v))
+            if os.path.isfile(path):
+                os.makedirs(os.path.dirname(host_path), mode=0o777, exist_ok=True)
+                shutil.copy2(path, host_path)
+            else:
+                shutil.rmtree(host_path, ignore_errors=True)
+                shutil.copytree(path, host_path, dirs_exist_ok=True)
+            return host_path
+
+    raise ConfigError(f"Could not find where {path} is mounted")
+
+
+def run(
+        submission_id: str,
+        host_url: str,
+        readwrite_mounts: Dict[str, str],
+        readonly_mounts: Dict[str, str],
+        image: str,
+        cmd: str,
+        settings: Dict[str, Any],
+        **kwargs,
+        ) -> Tuple[int, str, str]:
+    """
+    Grades the submission asynchronously and returns (return_code, out, err).
+    out and err as in stdout and stderr output of a program.
+    """
+    network = settings.get("network")
+    if "mounts" not in settings:
+        return 1, "", 'Missing "mounts" in settings!'
+
+    volumes = {
+        get_host_path_and_copy(settings["mounts"], k, submission_id): {"bind": v, "mode": "rw"}
+        for k,v in readwrite_mounts.items()
+    }
+    volumes.update({
+        get_host_path_and_copy(settings["mounts"], k, submission_id): {"bind": v, "mode": "ro"}
+        for k,v in readonly_mounts.items()
+    })
+
+    try:
+        container = docker_client.containers.run(
+            image,
+            cmd,
+            network = network if network else "bridge",
+            remove = True,
+            detach = True,
+            environment = {
+                "SID": submission_id,
+                "REC": host_url,
+            },
+            volumes = volumes,
+        )
+
+        return 0, f"{', '.join(container.image.tags)} - {container.name} - {container.short_id}", ""
+    except Exception as e:
+        logger.exception("An exception while trying to run grading container")
+        return 1, "", str(e)