CHG fully remove privileged main theia containers from api

api/anubis/ide/initialize.py

@@ -132,7 +132,6 @@ def initialize_ide(
     resources: dict = None,
     # Admin fields
     admin: bool = False,
-    privileged: bool = False,
     credentials: bool = False,
     docker: bool = False,
 ) -> TheiaSession:
@@ -158,7 +157,6 @@ def initialize_ide(
         resources=resources,
         # Admin Options
         admin=admin,
-        privileged=privileged,
         credentials=credentials,
         docker=docker or admin,
     )

api/anubis/k8s/theia.py

@@ -63,7 +63,6 @@ def create_theia_k8s_pod_pvc(
         admin = theia_session.admin
         autosave = theia_session.autosave
         credentials = theia_session.credentials
-        privileged = theia_session.privileged
         persistent_storage = theia_session.persistent_storage
 
     else:
@@ -486,8 +485,8 @@ def create_theia_k8s_pod_pvc(
         # containers should only exist for the management IDEs so that
         # docker can run.
         security_context=k8s.V1SecurityContext(
-            allow_privilege_escalation=theia_session.privileged or webtop,
-            privileged=theia_session.privileged,
+            allow_privilege_escalation=webtop,
+            privileged=False,
             run_as_user=theia_user_id,
         ),
     )

api/anubis/models/__init__.py

@@ -709,7 +709,6 @@ class TheiaSession(db.Model):
     resources = Column(JSON, default=lambda: {})
     network_policy: str = Column(String(length=128), default="os-student")
     network_locked: bool = Column(Boolean, default=True)
-    privileged: bool = Column(Boolean, default=False)
     autosave: bool = Column(Boolean, default=True)
     credentials: bool = Column(Boolean, default=False)
     persistent_storage: bool = Column(Boolean, default=False)
@@ -759,7 +758,6 @@ def settings(self):
             "image":              self.image.data,
             "repo_url":           self.repo_url,
             "autosave":           self.autosave,
-            "privileged":         self.privileged,
             "credentials":        self.credentials,
             "network_locked":     self.network_locked,
             "persistent_storage": self.persistent_storage,

api/anubis/views/admin/ide.py

@@ -125,7 +125,6 @@ def admin_ide_initialize_custom(settings: dict, **_):
         autosave=autosave,
         resources=resources,
         credentials=credentials,
-        privileged=privileged,
         persistent_storage=persistent_storage,
     )
 

api/anubis/views/public/ide.py

@@ -133,7 +133,6 @@ def public_ide_initialize(assignment: Assignment):
         persistent_storage=persistent_storage,
         autosave=autosave,
         resources=resources,
-        privileged=False,
         admin=is_admin,
         credentials=is_admin,
     )

api/anubis/views/public/playgrounds.py

@@ -68,7 +68,6 @@ def public_playgrounds_initialize(theia_image: TheiaImage):
         autosave=False,
         resources=dict(),
         admin=False,
-        privileged=False,
         credentials=False,
         docker=False,
     )

api/migrations/versions/5ea160112b7e_rm_theia_session_privileged.py

@@ -0,0 +1,36 @@
+"""RM theia session privileged
+
+Revision ID: 5ea160112b7e
+Revises: 2faa37dff9d0
+Create Date: 2022-09-19 21:46:31.860537
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import mysql
+
+# revision identifiers, used by Alembic.
+revision = "5ea160112b7e"
+down_revision = "2faa37dff9d0"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column("theia_session", "privileged")
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column(
+        "theia_session",
+        sa.Column(
+            "privileged",
+            mysql.TINYINT(display_width=1),
+            autoincrement=False,
+            nullable=True,
+        ),
+    )
+    # ### end Alembic commands ###