Release notes¶
V5.0.0¶
Version 5.0.0 focuses on significant improvements to security and task execution isolation.
Enhanced Features¶
- Improved firewall configuration: Firewall settings have been enhanced to allow package updates and installations without stopping the server. Note: After any update, the service must still be restarted.
- Safer file operations: All file operations related to task preparation (save, delete, update), the removal of files after compilation, and the update call are now performed as the prisoner user instead of root. A path traversal in a task request can therefore reach only what the prisoner user may already access, which improves overall file system security.
- Memory limiting with CGroups: Tasks can now use CGroups to limit memory usage, in addition to the existing /proc-based method. Note: Not available in Docker.
- Pivot root for filesystem isolation: Uses pivot_root instead of chroot to limit access to the host filesystem. If pivot_root fails, the system automatically falls back to chroot. Note: Requires privileged mode in Docker.
- Namespace-based isolation: Supports Linux namespaces to isolate the filesystem, IPC, and processes. Note: Requires privileged mode in Docker.
- Per-task writable directories isolation: Each task now gets its own private copy of the writable directories such as /tmp and /dev/shm/. Note: Requires namespaces.
- Hardened /home/prisoner directory: The /home/prisoner directory is now owned by a vpl system user, preventing tasks from changing its access permissions and avoiding unintended external access.
- Stronger process security: Task processes are hardened using NO_NEW_PRIVS, non-dumpable processes, and disabled ptrace.
- Uninstall support: Added an uninstall option to the install-vpl-sh script. This removes all packages in the “full” set except those in the “minimal” set, preventing removal of essential packages.
- Configurable isolation features: Added configuration options USE_CGROUP and USE_NAMESPACE. These features are enabled by default but can now be controlled explicitly. Set to true to enable; any other value disables the feature.
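The hardening steps listed above map onto a handful of Linux primitives. The following is an added example, not VPL Jail System code, that shows how a jail launcher would apply them in order: pivot_root with an automatic chroot fallback, then NO_NEW_PRIVS, the non-dumpable flag, and a seccomp filter that refuses the ptrace syscall. The function names, the command run at the end, and the use of seccomp for the ptrace block are assumptions of this example; the release notes do not say how the project disables ptrace. harden_task_process() needs no privilege, while enter_jail() and main() need CAP_SYS_ADMIN inside a private mount namespace.

```cpp
// Added example (not VPL Jail System code): Linux primitives behind the
// V5.0.0 hardening list. Assumes a Linux host on x86_64 or aarch64.
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sched.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <cerrno>
#include <cstddef>
#include <cstdio>
#include <string>

#if defined(__x86_64__)
#define JAIL_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define JAIL_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

// Step 1: process hardening, unprivileged. Returns 0 on success, -errno on failure.
int harden_task_process() {
    // NO_NEW_PRIVS: execve() can never add privilege from here on, so setuid
    // binaries and file capabilities inside the jail are inert. It is inherited
    // across fork/exec and is the precondition for an unprivileged seccomp filter.
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    // Non-dumpable: /proc/<pid>/{mem,maps,environ} become root-owned and ptrace
    // attach from another unprivileged process is refused. execve() of an
    // ordinary binary resets this to 1, so the task process itself must set it.
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -errno;
    // Core dumps off in a way that does survive execve().
    struct rlimit no_core = {0, 0};
    if (setrlimit(RLIMIT_CORE, &no_core) != 0) return -errno;
    // "Disabled ptrace": seccomp-BPF filter returning EPERM for the ptrace
    // syscall, for this process and everything it forks or execs. The arch
    // check stops a foreign ABI from dodging the syscall-number comparison.
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, JAIL_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        static_cast<unsigned short>(sizeof(filter) / sizeof(filter[0])), filter};
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -errno;
    return 0;
}

// Checks a task can run on itself to confirm the hardening took effect.
bool no_new_privs_is_set() { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1; }
bool process_is_dumpable() { return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1; }
bool ptrace_is_blocked() {
    errno = 0;
    void* none = nullptr;
    return ptrace(PTRACE_TRACEME, 0, none, none) == -1 && errno == EPERM;
}

// Step 2: filesystem isolation with the fallback the notes describe: try
// pivot_root, fall back to chroot. Caller must already be in its own mount
// namespace with CAP_SYS_ADMIN. Returns "pivot_root", "chroot" or "" (failed).
std::string enter_jail(const std::string& new_root) {
    // Private propagation (else pivot_root gives EINVAL), new_root made a mount
    // point by binding it onto itself, then pivot_root(".", ".") which leaves
    // the old root stacked on top of the new one; MNT_DETACH drops it.
    bool pivoted =
        mount(nullptr, "/", nullptr, MS_REC | MS_PRIVATE, nullptr) == 0 &&
        mount(new_root.c_str(), new_root.c_str(), nullptr, MS_BIND | MS_REC, nullptr) == 0 &&
        chdir(new_root.c_str()) == 0 &&
        syscall(SYS_pivot_root, ".", ".") == 0;
    if (pivoted && umount2(".", MNT_DETACH) == 0 && chdir("/") == 0) return "pivot_root";
    // Weaker fallback: a process that regains root inside a chroot can leave it.
    if (chdir(new_root.c_str()) == 0 && chroot(".") == 0 && chdir("/") == 0) return "chroot";
    return "";
}

int main(int argc, char** argv) {
    if (argc < 2) { std::fprintf(stderr, "usage: %s <new_root>\n", argv[0]); return 2; }
    // New mount and IPC namespaces; a PID namespace would additionally need a fork.
    if (unshare(CLONE_NEWNS | CLONE_NEWIPC) != 0) { std::perror("unshare"); return 1; }
    std::string how = enter_jail(argv[1]);
    if (how.empty()) { std::perror("enter_jail"); return 1; }
    std::fprintf(stderr, "jail entered via %s\n", how.c_str());
    // A real jail drops to the prisoner user (setgroups/setgid/setuid) here.
    int rc = harden_task_process();
    if (rc != 0) { errno = -rc; std::perror("harden_task_process"); return 1; }
    execl("/bin/sh", "sh", "-c", "id; ls /", static_cast<char*>(nullptr));
    std::perror("execl");
    return 1;
}
```

Two details matter in practice. The non-dumpable flag is reset by execve() of an ordinary binary, so it has to be applied in the task process rather than only in the launcher, whereas NO_NEW_PRIVS, the RLIMIT_CORE limit and the seccomp filter are inherited across fork and exec. And the chroot fallback is a weaker boundary than pivot_root, so a deployment that ends up on the fallback should be treated as degraded rather than equivalent.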
V4.0.4¶
Version 4.0.4 is a bug-fix release that addresses issues and includes minor improvements to enhance system stability and performance.
Bug Fixes¶
- XML Encoder Compatibility: Improved the XML encoder for better compatibility with various systems.
- UTF-8 Parser Robustness: Enhanced the UTF-8 parser to eliminate invalid code points, improving compatibility.
- Home Directory Cleanup: Fixed a bug introduced in 4.0.3 that prevented the removal of files and directories with unusual names when eliminating the user home directory.
- QueryString checking: Fixed a bug in query string parsing that prevented requesting private browsing mode for web apps.
- YUM Package Manager Support: Restored support for the yum package manager to keep compatibility with Linux distributions that use it. The installation process uses the same package list as the DNF package manager.
- Bash Script Newline Handling: Standardized newline characters in Bash scripts by normalizing script code to use \n, improving script execution reliability.
- Typographical Correction: Corrected a long-standing typo by replacing “seg” with the correct abbreviation for seconds, “sec”.
V4.0.3¶
The 4.0.3 version includes critical security fixes and important enhancements.
Server Bug Fixes¶
- Critical security flaw: Fixed a critical security flaw. If you are currently using the security parameters URLPATH and/or TASK_ONLY_FROM in your VPL Jail Server’s configuration, you are better protected against this attack. If you are not using these parameters, you can set them as an immediate protection measure before updating.
- Fixed JSON encoding of control codes less than 32.
- Standardized JSONRPC to use three parameters while maintaining backward compatibility for two parameters.
- Fixed a bug in checking repeated parameters.
- Fixed a bug in control of log levels.
- Fixed an important bug that prevented waiting for the retrieval action before cleaning task information.
Docker Support¶
- Auto-detection of containerized environments.
- Capability to run the jail server inside a container, both in privileged and non-privileged modes.
- Includes three Dockerfiles for various configurations:
  - Dockerfile.no_https: HTTP without HTTPS support.
  - Dockerfile: HTTP and HTTPS support.
  - Dockerfile.letsencrypt: HTTP and HTTPS with Let’s Encrypt certificates.
- Three Compose files (compose.no_https.yaml, compose.yaml, compose.letsencrypt.yaml) corresponding to the Dockerfiles.
- Non-privileged mode set as default.
VPL Jail System Images Available on Docker Hub¶
You can access built images of the VPL Jail System running on different operating systems. The official account that distributes these images is jcrodriguezvpl. There is a repository for each operating system (e.g., jail-fedora-full).
Server Enhancements¶
- Added the ability to start the server in foreground mode, suitable for containerized environments.
- Introduced support for challenge mode for Let’s Encrypt certificate management, available through the new CERTBOT_WEBROOT_PATH configuration parameter for certbot.
- Allow the server to run while waiting for certificates.
- Environment Variable Support: Configuration parameters from environment variables now take precedence over the config file. Environment variables should be prefixed with VPL_JAIL_, followed by the config parameter name.
- Added an experimental script to automatically update the software by fetching the latest version from GitHub and applying updates if needed.
Installer Updates¶
- Introduced new command-line options for the installer:
  - help: Display help information.
  - update: Update the VPL Jail System server software.
  - start: Start the VPL Jail System service post-installation.
  - noninteractive: Enable installation without user interaction.
  - list: Show packages to be installed per installation level.
  - [inst_level]: Set installation level (minimum, basic, standard, full).
- Added Rust programming language support.
- Added .NET packages, enabling support for C#, F#, and Visual Basic .NET.
- Expanded package manager support to APT, DNF, and APK. YUM support has been discontinued (Note: YUM support restored in 4.0.4).
- Package Customization: Extracted the list of packages to install to separate files located in the package_files directory, allowing for better customization.
Running Tasks Enhancement¶
- VNC Launching Enhancements: Fixes and improvements in the VNC launch process.
- Terminal and Task Execution Changes:
- Modified running tasks terminal behavior to use only newline as the end-of-line character.
- Removed local echo in evaluations.
Other Improvements and Fixes¶
- Improved testing by performing syntax checks for bash scripts.
- Fixed a typo in the name of CERTBOT.
- Enhanced the installer to support command line options in any order.
V4.0.1¶
This update introduces minor improvements over the previous version, 4.0.0.
Installer Updates¶
- Added .NET packages, enabling support for C#, F#, and Visual Basic .NET. C# on Mono remains available.
- The installer has been enhanced to support command line options in any order.
Other Improvements¶
- Improved testing by performing syntax checks for bash scripts.
V4.0.0¶
This document outlines the key changes introduced in VPL Jail System 4.0.0, since the previous version 3.0.1. The highlight of this release is the introduction of Docker support, among other significant improvements and fixes.
Docker Support¶
- Auto-detection of containerized environments.
- Capability to run the jail server inside a container, both in privileged and non-privileged modes.
- Includes three Dockerfiles for various configurations:
  - Dockerfile.no_https: HTTP without HTTPS support.
  - Dockerfile: HTTP and HTTPS support.
  - Dockerfile.letsencrypt: HTTP and HTTPS with Let’s Encrypt certificates.
- Three Compose files (compose.no_https.yaml, compose.yaml, compose.letsencrypt.yaml) corresponding to the Dockerfiles.
Launcher Enhancements¶
- Added ability to start the server in foreground mode, suitable for containerized environments.
Server Fixes¶
- Fixed JSON encoding of control codes < 32.
Server Enhancements¶
- Standardized JSONRPC to use 3 parameters, while maintaining backward compatibility for 2 parameters.
- Introduced support for challenge mode for Let’s Encrypt certificate management. Available using new CERTBOT_WEBROOT_PATH configuration parameter to support certbot.
- Allow the server to run while waiting for certificates.
- Environment variable support. Configuration parameters from the environment variables now take precedence over the config file. Environment variables should be prefixed with VPL_JAIL_, followed by the config parameter name.
- Example: export VPL_JAIL_PORT=8000 to set the PORT parameter.
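The precedence rule stated here (and again in the 4.0.3 notes above) is easy to get subtly wrong when combined with the 5.0.0 rule that USE_CGROUP and USE_NAMESPACE are on only when the value is exactly true. The following is an added example, not VPL Jail System code, of a resolver that applies both rules. The NAME=value file syntax, the default values, and a case-sensitive comparison are assumptions of the example; the config text and environment it uses are constructed.

```cpp
// Added example (not VPL Jail System code): environment-over-file precedence
// for VPL_JAIL_* variables plus strict "true" feature flags.
#include <cstdlib>
#include <map>
#include <sstream>
#include <string>
#include <vector>

using Settings = std::map<std::string, std::string>;

// NAME=value per line; blank lines and '#' comments are skipped (assumed syntax).
Settings parse_config(const std::string& text) {
    Settings cfg;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        size_t eq = line.find('=');
        if (line.empty() || line[0] == '#' || eq == std::string::npos) continue;
        cfg[line.substr(0, eq)] = line.substr(eq + 1);
    }
    return cfg;
}

// From "NAME=value" strings shaped like the process environment, keep only
// VPL_JAIL_* entries and strip the prefix so keys match the file's names.
Settings env_overrides(const std::vector<std::string>& env) {
    const std::string prefix = "VPL_JAIL_";
    Settings out;
    for (const std::string& entry : env) {
        size_t eq = entry.find('=');
        if (eq == std::string::npos || entry.compare(0, prefix.size(), prefix) != 0) continue;
        out[entry.substr(prefix.size(), eq - prefix.size())] = entry.substr(eq + 1);
    }
    return out;
}

// Precedence rule from the notes: an environment value replaces the file's value.
Settings resolve(const Settings& file, const Settings& env) {
    Settings out = file;
    for (const auto& kv : env) out[kv.first] = kv.second;
    return out;
}

// Feature flag as the 5.0.0 notes state it: exactly "true" enables, anything
// else disables. A missing key gets the documented default (assumed here).
bool feature_enabled(const Settings& cfg, const std::string& key, bool default_on) {
    auto it = cfg.find(key);
    return it == cfg.end() ? default_on : it->second == "true";
}

int listen_port(const Settings& cfg, int default_port) {
    auto it = cfg.find("PORT");
    return it == cfg.end() ? default_port : std::atoi(it->second.c_str());
}

// Real process environment in the shape env_overrides() takes.
extern char** environ;
std::vector<std::string> process_environment() {
    std::vector<std::string> v;
    for (char** e = environ; e && *e; ++e) v.push_back(*e);
    return v;
}

// Constructed sample (not a real config file): the file keeps port 80 and
// writes the namespace flag as "True"; the environment moves the port, as in
// the "export VPL_JAIL_PORT=8000" example above.
const char* const SAMPLE_CONFIG =
    "# constructed sample\n"
    "PORT=80\n"
    "USE_CGROUP=true\n"
    "USE_NAMESPACE=True\n";
const std::vector<std::string> SAMPLE_ENV = {"HOME=/root", "VPL_JAIL_PORT=8000"};

Settings sample_effective_settings() {
    return resolve(parse_config(SAMPLE_CONFIG), env_overrides(SAMPLE_ENV));
}
```

Under the literal reading of "any other value disables the feature", USE_NAMESPACE=True switches namespace isolation off, which is the kind of silent downgrade worth checking in a deployment: the notes do not say whether the comparison is case-insensitive, so verify the behaviour on your own server rather than assume that True, yes or 1 are accepted.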
Installer Updates¶
- Introduced new command-line options for the installer:
- help: Display help information.
- update: Update the VPL-Jail-System server software.
- start: Start the VPL-Jail-System service post-installation.
- noninteractive: Enable installation without user interaction.
- [inst_level]: Set installation level (minimum, basic, standard, full).
- list: Show packages to be installed per [inst_level].
- Examples of installer launch
- ./install-vpl-sh update: Update server software.
- ./install-vpl-sh standard noninteractive start: Non-interactive installation of standard packages and start the server.
- ./install-vpl-sh full: Interactive installation of all development packages.
- Added Rust programming language support.
- Expanded package manager support to APT, DNF, and APK, increasing compatibility with various Linux distributions. YUM support has been discontinued.
- Package Customization. Extracted the list of packages to install to separate files, allowing for better customization. These files are located in the package_files directory.
Running Tasks enhancement¶
- VNC Launching Enhancements:
- Fixes and improvements in VNC launch process.
- Confirmed functionality on Fedora, Ubuntu, Debian, and Alpine distributions.
- Terminal and Task Execution Changes:
- Modified running tasks terminal behavior to use only newline as the end-of-line character.
- Removed local echo in evaluations.
V3.0.1¶
This release brings with it a number of fixes and enhancements.
- Added support for supplementary planes of UTF-8 in JSON: JSON output now correctly handles Unicode characters outside the Basic Multilingual Plane (the UTF-8 supplementary planes), which previously were not encoded properly.
- The installer switches the preferred VHDL Compiler: The installer now employs GHDL as the default VHDL compiler, replacing FreeHDL due to its unavailability in the new Ubuntu releases. Note that GHDL is used from version 4.1.1 of VPL.
- VNC Server launch improvements: We’ve fixed the vncconfig detection when launching the VNC server.
- SELinux Status Check: The service launcher now performs a check of the usage and current state of SELinux. It will display a message if SELinux is installed and not in a disabled state. Note that the VPL Jail server is not compatible with SELinux.
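Three items in these notes concern the same piece of code: JSON encoding of control codes below 32 (4.0.0), dropping invalid UTF-8 code points (4.0.4), and supplementary-plane characters in JSON (3.0.1). The following is an added example, not VPL Jail System code, of a JSON string encoder that handles all three: it validates UTF-8 (rejecting truncated sequences, bad continuation bytes, overlong forms, encoded surrogates and values above U+10FFFF), escapes control characters, and emits code points beyond U+FFFF as a UTF-16 surrogate pair escape. Function names and the sample inputs are constructed for the example.

```cpp
// Added example (not VPL Jail System code): validating UTF-8 decode plus
// JSON string quoting with control-code escapes and surrogate pairs.
#include <cstddef>
#include <string>

// Decode one UTF-8 sequence at s[i] and advance i. Returns the code point, or
// -1 for an invalid sequence. A structurally complete but semantically invalid
// sequence (overlong, surrogate, > U+10FFFF) is skipped whole; a truncated or
// malformed one skips a single byte so decoding resynchronises.
static long decode_utf8(const std::string& s, size_t& i) {
    unsigned char b0 = static_cast<unsigned char>(s[i]);
    int len; long cp; long min;
    if (b0 < 0x80) { i += 1; return b0; }
    else if ((b0 & 0xE0) == 0xC0) { len = 2; cp = b0 & 0x1F; min = 0x80; }
    else if ((b0 & 0xF0) == 0xE0) { len = 3; cp = b0 & 0x0F; min = 0x800; }
    else if ((b0 & 0xF8) == 0xF0) { len = 4; cp = b0 & 0x07; min = 0x10000; }
    else { i += 1; return -1; }                       // stray continuation or 0xF8..0xFF
    if (i + len > s.size()) { i += 1; return -1; }    // truncated at end of input
    for (int k = 1; k < len; ++k) {
        unsigned char b = static_cast<unsigned char>(s[i + k]);
        if ((b & 0xC0) != 0x80) { i += 1; return -1; }
        cp = (cp << 6) | (b & 0x3F);
    }
    i += len;
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return -1;
    return cp;
}

static void append_u_escape(std::string& out, unsigned v) {
    static const char* hex = "0123456789abcdef";
    out += "\\u";
    for (int shift = 12; shift >= 0; shift -= 4) out += hex[(v >> shift) & 0xF];
}

// Quote a UTF-8 string as a JSON string literal. With ascii_only, every
// non-ASCII code point becomes \uXXXX (a surrogate pair above U+FFFF), which
// any JSON consumer accepts; without it, valid UTF-8 is passed through, which
// is also valid JSON and shorter. Invalid bytes are dropped in both modes.
std::string json_quote(const std::string& s, bool ascii_only = true) {
    std::string out = "\"";
    size_t i = 0;
    while (i < s.size()) {
        size_t start = i;
        long cp = decode_utf8(s, i);
        if (cp < 0) continue;                          // invalid: dropped
        switch (cp) {
            case '"':  out += "\\\""; continue;
            case '\\': out += "\\\\"; continue;
            case '\n': out += "\\n";  continue;
            case '\r': out += "\\r";  continue;
            case '\t': out += "\\t";  continue;
            case '\b': out += "\\b";  continue;
            case '\f': out += "\\f";  continue;
        }
        if (cp < 0x20) { append_u_escape(out, static_cast<unsigned>(cp)); continue; }
        if (cp < 0x80 || !ascii_only) { out.append(s, start, i - start); continue; }
        if (cp <= 0xFFFF) { append_u_escape(out, static_cast<unsigned>(cp)); continue; }
        unsigned v = static_cast<unsigned>(cp) - 0x10000;   // supplementary plane
        append_u_escape(out, 0xD800 + (v >> 10));
        append_u_escape(out, 0xDC00 + (v & 0x3FF));
    }
    return out + "\"";
}
```

The validation step is what the 4.0.4 fix is about: an encoder that passes bytes through unchecked will happily emit an overlong slash (C0 AF) or an encoded surrogate, and a consumer that decodes them leniently may see a different string than the one the server validated.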
V3.0.0¶
This release includes new features and improvements.
- Adds a new run mode for web apps. This mode allows accessing web apps from the client browser directly instead of interacting with a browser running on the server. This will drastically reduce the server resources used by this type of app.
- Adds support for JSON-RPC. The server detects whether a request is XML-RPC or JSON-RPC and responds accordingly. This allows using the server with older clients (Moodle VPL plugin version < 4.0.0) and with new clients that run on PHP 8 or higher without XML-RPC support. Using JSON-RPC also removes the 32-bit integer limit of XML-RPC.
- Adds a new RPC call named “update”. This RPC call allows updating files in the execution environment from the client without stopping the executing task. This call is useful for interpreted languages such as PHP in a web app.
- Adds a new RPC call named “directrun”. This RPC call will allow new future features.
- The WebSocket protocol is improved to accept larger packets and fragmented packets.
- Adds SSL_CIPHER_SUITES configuration parameter. This parameter is used to set ciphers for TLSv1.3 if available.
- Adds HSTS_MAX_AGE configuration parameter. It enables HTTP Strict-Transport-Security by setting the max-age value of the Strict-Transport-Security header. This parameter requires PORT = 0, that is, the plain HTTP port disabled so that only HTTPS is served.
- The installer adds Julia programming language to the list of development software installable.
V2.7.2¶
This is a bug-fix release of version 2.7.1 with small improvements.
- This release includes a workaround for the limits of int in the XML-RPC protocol (the protocol uses int32). This limit prevented setting a memory size or file size larger than the maximum int32 value. A full solution requires modifications on the Moodle plugin side. This temporary workaround switches to the jail server’s local size limit when the problem is detected.
- Uses long long int to represent memory and file sizes.
- The installer includes the tool bc and new modules when installing python3: mypy, pycodestyle, and pydocstyle.
- The system checks for a change in the SSL certificate, reloading it if changed. This allows updating certificates without stopping the service.
V2.7.1¶
This is a bug-fix release of version 2.7.0. This release fixes a problem that affects systems with old versions of g++ that are not compatible with std::regex class. This problem is known to affect CentOS 7.
V2.7.0¶
This release note describes the changes included in this release from version 2.6.0.
Installation¶
The new version moves the location of programs and scripts from the directory “/etc/vpl” to the directory “/usr/sbin/vpl”, and the location of log files from the directory “/etc/vpl” to the directory “/var/log/vpl”. Resolves issue 45.
The installer adds MiniZinc and Groovy to the development software and renames Python to Python2.
Kotlin¶
The installer asks if you want to install the Kotlin command-line compiler. You must enter a Kotlin version number to download and install it. See the Kotlin home page to find the version number.
Note: At this moment VPL-Jail-System does not support Kotlin distributed using Snap.
Configuration¶
Adds a new parameter to control limits of data in request and evaluation result. See REQUEST_MAX_SIZE and RESULT_MAX_SIZE for more details.