Re: [rust-dev] Sandboxed compilation (browser playground)
On Fri, Mar 28, 2014 at 1:59 AM, Daniel Micay wrote:
> I wrote playpen specifically for this use case to replace lxc or
> systemd-nspawn, and it performs this duty better than anything else that
> I'm aware of.
>
> https://github.com/thestinger/playpen

(Serves me right for not looking at the code before commenting. This looks very nice; I might pilfer it for something.)

___
Rust-dev mailing list
Rust-dev@mozilla.org
https://mail.mozilla.org/listinfo/rust-dev
Re: [rust-dev] Sandboxed compilation (browser playground)
On 28/03/14 01:28 AM, Jared Forsyth wrote:
> Depending on your server setup, this might be a great place for a cheap
> Docker container. You get fairly safe sandboxing for cheap.

I don't consider Docker to be a safe enough sandbox for this, and I don't see any benefits it would provide for this even compared to using chroot + unshare from util-linux.

I wrote playpen specifically for this use case to replace lxc or systemd-nspawn, and it performs this duty better than anything else that I'm aware of.

https://github.com/thestinger/playpen

It can reuse a single read-only root for any number of concurrent requests, which is important for this and why I abandoned LXC in the first place. It also implements a sane timeout, makes good use of seccomp, only uses MS_PRIVATE mount points and unshares all possible namespaces (CLONE_NEWUSER doesn't mix with a chroot at the moment).

Since I'm avoiding a bulky third party solution focused on hosting operating systems, I'll be able to follow along much more quickly with namespace improvements and migrating to the new control group API.
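An added illustration of two of the mechanisms named in the message above, a seccomp syscall allowlist and a supervisor-enforced timeout; it is not code from playpen or from the original post. `run_sandboxed`, `lock_down` and the three sample jobs are hypothetical names, and the two-syscall allowlist is an assumption chosen to keep the example small (Linux on x86-64 or arm64).

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __aarch64__
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_ARCH AUDIT_ARCH_X86_64 /* assumption: x86-64 unless arm64 */
#endif
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Allowlist (assumed): write and exit_group; everything else is fatal. */
static int lock_down(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_write), ALLOW(SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = { sizeof f / sizeof f[0], f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 0 on clean exit, the fatal signal otherwise, -1 on setup failure. */
int run_sandboxed(void (*job)(void), unsigned timeout_ms) {
    int st = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (lock_down()) _exit(111); /* never run the job unconfined */
        job();
        _exit(0);
    }
    for (unsigned ms = 0; waitpid(pid, &st, WNOHANG) == 0; ms += 10, usleep(10000))
        if (ms >= timeout_ms) kill(pid, SIGKILL); /* supervisor-side timeout */
    return WIFSIGNALED(st) ? WTERMSIG(st) : (WEXITSTATUS(st) ? -1 : 0);
}
/* Constructed sample jobs standing in for untrusted programs. */
void job_ok(void)   { ssize_t n = write(1, "ok\n", 3); (void)n; }
void job_exec(void) { execl("/bin/sh", "sh", (char *)0); }
void job_spin(void) { for (;;) {} }
```

The filter is installed in the child before the job runs, so the job cannot remove it, and the timeout lives in the parent, so the confined job has no syscall with which to defer it.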
Re: [rust-dev] Sandboxed compilation (browser playground)
On Fri, Mar 28, 2014 at 1:28 AM, Jared Forsyth wrote:
> Depending on your server setup, this might be a great place for a cheap
> Docker container. You get fairly safe sandboxing for cheap.

"Fairly safe" is not really all that safe. I'm not sure it really matters, but I'd go for something like libseccomp myself.
Re: [rust-dev] Sandboxed compilation (browser playground)
Depending on your server setup, this might be a great place for a cheap Docker container. You get fairly safe sandboxing for cheap.

On Thu, Mar 27, 2014 at 11:21 PM, Daniel Micay wrote:
> On 28/03/14 01:15 AM, Corey Richardson wrote:
> > Daniel Micay (strcat) already has a sandbox. It drives the rusti bot
> > in IRC, and has a web frontend sometimes available at
> > http://strcat.zapto.org:8000/. The source is at
> > https://github.com/thestinger/rust-playpen. There are plans to have a
> > VM run a similar thing on rust-lang.org
>
> I'm not hosting the web version at the moment, because updating
> the domain name to point at my dynamic IP address is too painful... it
> would be great to have it (and the IRC bots!) hosted on a VM for
> rust-lang.org to use though.
Re: [rust-dev] Sandboxed compilation (browser playground)
On 28/03/14 01:15 AM, Corey Richardson wrote:
> Daniel Micay (strcat) already has a sandbox. It drives the rusti bot
> in IRC, and has a web frontend sometimes available at
> http://strcat.zapto.org:8000/. The source is at
> https://github.com/thestinger/rust-playpen. There are plans to have a
> VM run a similar thing on rust-lang.org

I'm not hosting the web version at the moment, because updating the domain name to point at my dynamic IP address is too painful... it would be great to have it (and the IRC bots!) hosted on a VM for rust-lang.org to use though.
Re: [rust-dev] Sandboxed compilation (browser playground)
Daniel Micay (strcat) already has a sandbox. It drives the rusti bot in IRC, and has a web frontend sometimes available at http://strcat.zapto.org:8000/. The source is at https://github.com/thestinger/rust-playpen. There are plans to have a VM run a similar thing on rust-lang.org

On Fri, Mar 28, 2014 at 1:09 AM, Jared Forsyth wrote:
> I'm thinking about putting together a server that acts similar to
> play.golang.org - it allows you to learn Rust from the comfort of your own
> browser.
> Of course, there are some restrictions that must be placed on compilation.
> Is there a good way to blacklist some standard libraries?

--
http://octayn.net/
[rust-dev] Sandboxed compilation (browser playground)
I'm thinking about putting together a server that acts similar to play.golang.org - it allows you to learn Rust from the comfort of your own browser.

Of course, there are some restrictions that must be placed on compilation. Is there a good way to blacklist some standard libraries?