Shared python area: documentation build

ISISComputingGroup / IBEX

Shared python area: documentation build #3082

Open Tom-Willemsen opened 6 years ago

Tom-Willemsen commented 6 years ago

As a user of the shared python area, I would like a set of webpages containing the documentation from my code.

We currently do this for genie_python using Sphinx - something similar should work here.

Tom-Willemsen commented 6 years ago

Talk to @FreddieAkeroyd about how sphinx is set up for genie_python. I believe it runs on the linux build server but the password for it doesn't seem to be on the passwords page.

AdrianPotter commented 6 years ago

Moving back into ready because I may not get time to look at this for a few days

AdrianPotter commented 6 years ago

I've created the necessary scripting to provide this functionality. However, owing to the way Sphinx works, implementing it would allow users to run arbitrary Python on the build server. This has potential to corrupt the file system or deny service on the server. Even ignoring the potential for a malicious attack, the probability is moderate given the coding skills of the contributors.

Having discussed with @FreddieAkeroyd, we are going to run the build script with a modified root to prevent access to restricted areas of the file system. The build command will be run with a command to limit the system resources it can use. The build script itself will need moving to a private repo to avoid any unverified modifications.

I have disabled the build on Jenkins for now.

Setting to impeded whilst the necessary infrastructure is set up on the server.

AdrianPotter commented 6 years ago

The PR is here:

https://github.com/ISISNeutronMuon/InstrumentScripts/pull/3

Here are a few notes since I probably won't be around when this is next worked on.

At the moment, the generate_template_rst.py runs to create an RST file telling Sphinx what to build. I couldn't find a way to just run across all modules in a directory.
Otherwise the build system is the same as genie_python
The Jenkinsfile currently points at the ticket branch, rather than master. So does the build configuration on Jenkins. This allows testing of the PR with the build
The test.py file can be removed from the PR once the issue with arbitrary code execution has been fixed. As it stands, if you run the build (currently disabled) then you'll see from the build logs that the print statement at the top of the file is executed.

FreddieAkeroyd commented 6 years ago

This needs work on setting up a suitably secured Linux environment