Update [Admin] JOJ server setup

manuel 2026-03-17 20:48:07 +08:00
parent 158d127c0a
commit 428e63f969
2 changed files with 87 additions and 15 deletions

@ -1,15 +0,0 @@
# Course container setup
## Container deployment
1. Create a new `bot-${REPO_OWNER_LOWER}` user on Gitea
2. Generate a new token for `bot-${REPO_OWNER_LOWER}` with permissions:
- issue `rw`
- repository `rw`
- organizaion `r`
3. On `${REPO_OWNER_LOWER}-joj` repo settings, add the gitea token of `bot-${REPO_OWNER_LOWER}` as value to `Settings->Actions->Secrets->Add Secret`, with name `TEAPOT_GITEA_TOKEN`
4. Edit `root/deploy.conf` based on needed software/tools
5. Deploy a new container for the course
- create a zfs volume
- setup permissions
- deploy
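Review bot: Removed steps 2 and 3 were the only place that listed the scopes for the `bot-${REPO_OWNER_LOWER}` token (issue `rw`, repository `rw`, organization `r`) and the secret name `TEAPOT_GITEA_TOKEN`, and the replacement guide only says that a teapot token is backed up. If `joj-container-deploy` now handles the token and the secret, state that in the new guide. Otherwise carry the scope list over so that whoever sets up the next course still issues a minimally scoped token instead of guessing.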

@ -0,0 +1,87 @@
# JOJ server setup guide
## Host setup
Prepare unprivileged lxc containers
- `apt install sudo zfs-dkms zfsutils-linux jq lxc uidmap`
- ssh setup:
- generate a new ssh key `ssh-keygen -t ed25519`
- add to bot-joj
- clone joj3-hs `git clone ssh://git@focs.ji.sjtu.edu.cn:2222/JOJ/JOJ3-hs.git`
- copy joj3-hs/admin/config
- `/etc/sudoers.d/joj-deploy`
- `/etc/subuid`
- `/etc/subgid`
- `/etc/lxc/lxc-usernet`
- `/home/ja/.config/lxc/default.conf`
- as `ja` user
- `mkdir -p ~/.local/share/lxc`
- `chmod o+x ~/.local/share/lxc`
## Guest setup
Before setting up a JOJ container for COURSE, ensure the following exist and are properly setup:
- bot-COURSE user
- COURSE organisation
- COURSE-joj repo
All actions are performed as `ja`.
- Clone the course-joj repo
- Edit etc/joj-container-config.conf based on needed software/tools
- Run `joj-container-deploy COURSE`
*Note.* the ssh key, act_runner token, and teapot token are backed up in `~/courses/COURSE`
### Advanced go-judge setup
Network access:
- add `-net-share` to service file
- add `/etc/ssl` to `/etc/go-judge/mount.yaml`
*Note.* used in sfocs-joj
Mount directories:
- edit `/etc/go-judge/mount.yaml`
- permissions might need to adjusted, eg. group `nogroup` with write access if mounting a directory from `$HOME`
*Note.* used in `sfocs-joj` (elm-packages) and `ece477-joj` (latex font setup)
## Trouble shooting
### Containers stop automatically
Fixed using `loginctl enable-linger frown`
### Mounting `sysfs` fails
- check umask from `/proc/xxx/status` where `xxx` is the `pid` of systemd --user
- adjust `/etc/pam.d/common-session-noninteractive` with content
```
session optional pam_umask.so umask=0002
```
### lxc-copy fails
Reason: `apparmor` bug in some debian versions
Edit `/etc/apparmor.d/usr.bin.lxc-copy`
```
mount options=(rw,move) -> /home/ja/.local/share/lxc/{,**},
```
### lxc fails to assign CPUs
On the host run:
```
echo "+cpuset" > /sys/fs/cgroup/user.slice/cgroup.subtree_control
echo "+cpuset" > /sys/fs/cgroup/user.slice/user-1000.slice/cgroup.subtree_control
echo "+cpuset" > /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/cgroup.subtree_control`
echo "+cpuset" > /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/cgroup.subtree_control
```
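Review bot: In the code block under "lxc fails to assign CPUs", the third `echo` line ends with a stray backtick after `cgroup.subtree_control`, so pasting the block leaves the shell waiting on an unterminated command substitution; drop the backtick. The same block hardcodes `user-1000`, and "Containers stop automatically" uses `loginctl enable-linger frown` while the rest of the guide performs everything as `ja`; name one user throughout, or note that the UID in the cgroup paths must match it. The Guest setup note says the ssh key, act_runner token and teapot token are backed up in `~/courses/COURSE`, while Host setup loosens a directory under the same home with `chmod o+x ~/.local/share/lxc`; the guide should state the expected owner and mode of the backup directory so the credentials are not left readable by other local users.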