Rework the implementation of sandboxes.

Includes allowing each cmsWorker to use up to 1000 isolate boxes, and
removing a few insecure or surprising special cases.
Also updates the box range to reflect the new default in isolate.

Author: veluca93

Dockerfile

@@ -63,7 +63,8 @@ RUN <<EOF
 #!/bin/bash -ex
     # Need to set user ID manually: otherwise it'd be 1000 on debian
     # and 1001 on ubuntu.
-    useradd -ms /bin/bash -u 1001 cmsuser
+    # 1001 is taken by `isolate`.
+    useradd -ms /bin/bash -u 2000 cmsuser
     usermod -aG sudo cmsuser
     usermod -aG isolate cmsuser
     # Disable sudo password
@@ -79,12 +80,12 @@ COPY --chown=cmsuser:cmsuser install.py constraints.txt /home/cmsuser/src/
 
 WORKDIR /home/cmsuser/src
 
-RUN --mount=type=cache,target=/home/cmsuser/.cache/pip,uid=1001 ./install.py venv
+RUN --mount=type=cache,target=/home/cmsuser/.cache/pip,uid=1002 ./install.py venv
 ENV PATH="/home/cmsuser/cms/bin:$PATH"
 
 COPY --chown=cmsuser:cmsuser . /home/cmsuser/src
 
-RUN --mount=type=cache,target=/home/cmsuser/.cache/pip,uid=1001 ./install.py cms --devel
+RUN --mount=type=cache,target=/home/cmsuser/.cache/pip,uid=1002 ./install.py cms --devel
 
 RUN <<EOF
 #!/bin/bash -ex

cms/conf.py

@@ -184,6 +184,12 @@ class Config:
     services: dict[ServiceCoord, Address] = dataclasses.field(init=False)
 
     def __post_init__(self):
+        if self.sandbox.sandbox_implementation != "isolate":
+            logger.warning("The 'sandbox_implementation' configuration option "
+                           "is deprecated and only 'isolate' is supported. "
+                           "Ignoring provided value '%s'.",
+                           self.sandbox.sandbox_implementation)
+
         self.services = {}
         for service_name, instances in self.services_.items():
             for shard_number, shard in enumerate(instances):