8 comments

  • nacs 395 days ago
    This allows outbound network access, allows program execution (within the container) and more.

    You might want to restrict some of these things before Amazon shuts your account down for abuse requests.

    You're basically handing everyone on the internet an EC2 instance to do literally anything with -- it'll be minutes to hours before this gets abused.

    `uname` output from the container for example: Linux a976bf3f5ff7 4.14.193-113.317.amzn1.x86_64 #1 SMP Thu Sep 3 19:08:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

    • santiagobasulto 394 days ago
      We do something similar for our Interactive projects at datawars.io. It took less than a week until we found out that someone was mining bitcoin in our project notebooks :)

      We've restricted all outbound traffic since then.

  • andrewstuart 395 days ago
    As nacs said, this is a really bad idea - you should take it offline or prevent network access ASAP.

    I just ran a couple of Python scripts that grabbed the ec2 instance metadata and the HN front page.

  • z3t4 394 days ago
    My editor https://webide.se/ use operational transform for undo/redo, collaboration, and code replay for macro and tutorials. I think Heroku also started out as an editor, but pivoted to "code-execution as a service".
  • brazzledazzle 395 days ago
    Just to add to the other voices: executing untrusted code can be extremely dangerous. There’s so many ways to shoot yourself in the foot. I’m not sure if container boundaries are sufficient but each repl shouldn’t share a namespace with the others at the very least.

    That said it’s pretty smooth and actually usable on mobile. Pretty polished too.

  • ceepee 395 days ago
    I'm curious if anyone would like to use the code-execution as a service. It's basically a websocket based API where you send a blob of code and get execution result as response.

    In case of REPL, you send STDIN to websocket and get STDOUT as response. All code execution happens in separate Docker containers.

    • camdenreslink 395 days ago
      Docker containers probably aren’t enough isolation. But throw some firecrackervm in the pot and you’ve got a stew going.
      • rohitpaulk 395 days ago
        Repl.it uses Docker containers too, only recently started work on moving to better isolation mechanisms like VMs
    • vikp 395 days ago
      This would be interesting to me. There are a few options now, like Judge0, but the language versions are pretty out of date. Self-hosting is not a good time investment at the moment.

      Email me at hn at vikas.sh if you have a service. I'd need an SLA for sure, and multi-file support would be nice to have.

      • paulgb 395 days ago
        We serve production code execution use cases (mainly Python) with Jamsocket: https://jamsocket.com/

        We've been running it for over a year and would be willing to talk about an SLA. Each instance gets its own gvisor-sandboxed runtime and we do some network isolation on top of that. (We also have some crypto miner mitigation, because if you provide free compute to strangers they will manage to find you.)

    • AdieuToLogic 395 days ago
      > I'm curious if anyone would like to use the code-execution as a service.

      I am sure there are many whom would. Some may use it ethically, but many will not.

      All will place liability on the service.

    • LoganDark 395 days ago
      > In case of REPL, you send STDIN to websocket and get STDOUT as response.

      I wonder if repl.it ever did this, or if they've always used WebAssembly? (They definitely use wasm now.)

      • rmorey 395 days ago
        Nope, every repl is running in a docker container on a GCP vm, with various other security measures. See: https://news.ycombinator.com/item?id=19215175

        I believe the very first version of replit was all in-browser, but no longer

        • LoganDark 394 days ago
          > Nope, every repl is running in a docker container on a GCP vm, with various other security measures.

          Wow, that's a change. I remember using replit with Python compiled to wasm. It was neat for a few seconds.

  • Takennickname 395 days ago
    Where is the code being executed?
    • arjvik 395 days ago
      Appears to be an EC2 instance
    • logicboard 395 days ago
      It's executed in a Docker container inside an EC2 Instance.
  • pcthrowaway 395 days ago
    Nice use of phoenix liveview (I'm assuming). The app is really smooth, and executes rust faster than the official rust playground
    • logicboard 395 days ago
      Thanks! It doesn't use Liveview but the execution backend is Phoenix + Erlang.
  • andrewstuart 395 days ago
    Is that code mirror?
    • logicboard 395 days ago
      Yep, Codemirror + Firepad
      • no_butterscotch 395 days ago
        I'm creating a product with an editor.

        I'm interested to know whether you evaluated alternatives such as Monaco by Microsoft/VSCode? From my research it seems to be the one that's "ahead" by whatever metrics you'd go off other than age.

        I'm interested to know what challenges you faced if any as well? Thanks!