This allows outbound network access, allows program execution (within the container) and more.
You might want to restrict some of these things before Amazon shuts your account down for abuse requests.
You're basically handing everyone on the internet an EC2 instance to do literally anything with -- it'll be minutes to hours before this gets abused.
`uname` output from the container for example:
Linux a976bf3f5ff7 4.14.193-113.317.amzn1.x86_64 #1 SMP Thu Sep 3 19:08:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
We do something similar for our Interactive projects at datawars.io. It took less than a week until we found out that someone was mining bitcoin in our project notebooks :)
My editor https://webide.se/ uses operational transform for undo/redo, collaboration, and code replay for macros and tutorials.
I think Heroku also started out as an editor, but pivoted to "code-execution as a service".
Just to add to the other voices: executing untrusted code can be extremely dangerous. There are so many ways to shoot yourself in the foot. I’m not sure if container boundaries are sufficient, but each repl shouldn’t share a namespace with the others at the very least.
That said it’s pretty smooth and actually usable on mobile. Pretty polished too.
I'm curious if anyone would like to use the code-execution as a service.
It's basically a websocket based API where you send a blob of code and get execution result as response.
In case of REPL, you send STDIN to websocket and get STDOUT as response.
All code execution happens in separate Docker containers.
At replit every repl is indeed a docker container, but that is absolutely not the primary isolation mechanism. Here’s a comment from CEO @amasad to that effect in 2019 (so, even more secure now I am certain): https://news.ycombinator.com/item?id=19215175
This would be interesting to me. There are a few options now, like Judge0, but the language versions are pretty out of date. Self-hosting is not a good time investment at the moment.
Email me at hn at vikas.sh if you have a service. I'd need an SLA for sure, and multi-file support would be nice to have.
We serve production code execution use cases (mainly Python) with Jamsocket: https://jamsocket.com/
We've been running it for over a year and would be willing to talk about an SLA. Each instance gets its own gvisor-sandboxed runtime and we do some network isolation on top of that. (We also have some crypto miner mitigation, because if you provide free compute to strangers they will manage to find you.)
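An added example, not part of any comment in this thread and not code from any of the services mentioned: a Python check that flags a `docker run` command line missing the restrictions the comments above bring up (no outbound network, a gVisor runtime, resource caps against mining). It assumes gVisor is registered with Docker under its usual runtime name `runsc`; the image name and both sample commands are constructed.

```python
import shlex

BOOLEAN_FLAGS = {"--rm", "--init", "--read-only", "--privileged", "-i", "-t", "-d"}

def parse_options(command):
    """Return {flag: [values]} for the options between `run` and the image name."""
    argv = shlex.split(command)
    opts, i = {}, argv.index("run") + 1
    while i < len(argv) and argv[i].startswith("-"):
        flag, sep, value = argv[i].partition("=")
        if not sep and flag not in BOOLEAN_FLAGS:
            i += 1  # "--flag value" form: the value is the next token
            value = argv[i] if i < len(argv) else ""
        opts.setdefault(flag, []).append(value)
        i += 1
    return opts

def last(opts, flag, default):
    """Last value given for a flag, or the default when the flag is absent."""
    return opts.get(flag, [default])[-1]

# (finding, predicate that is True when the restriction is in place)
CHECKS = [
    ("network: not disabled, outbound traffic and instance metadata are reachable",
     lambda o: last(o, "--network", "bridge") == "none"),
    ("capabilities: not all dropped",
     lambda o: "ALL" in (v.upper() for v in o.get("--cap-drop", []))),
    ("privileges: no-new-privileges not set",
     lambda o: any(v.startswith("no-new-privileges") and not v.endswith("false")
                   for v in o.get("--security-opt", []))),
    ("privileges: container is privileged", lambda o: last(o, "--privileged", "false") == "false"),
    ("user: runs as root", lambda o: last(o, "--user", "root").split(":")[0] not in ("0", "root")),
    ("filesystem: root filesystem is writable", lambda o: last(o, "--read-only", "false") != "false"),
    ("resources: no process limit", lambda o: "--pids-limit" in o),
    ("resources: no memory limit", lambda o: "--memory" in o),
    ("resources: no CPU limit (mining runs unthrottled)", lambda o: "--cpus" in o),
    ("runtime: not gVisor (runsc)", lambda o: last(o, "--runtime", "runc") == "runsc"),
]

def audit(command):
    """Return the findings for one `docker run` command line (empty list = all checks pass)."""
    opts = parse_options(command)
    return [finding for finding, ok in CHECKS if not ok(opts)]

# Constructed sample commands; the image name is a placeholder.
WEAK = "docker run --rm -i python:3.12-slim python -"
HARDENED = ("docker run --rm -i --runtime=runsc --network none --cap-drop ALL "
            "--security-opt no-new-privileges --read-only --pids-limit 64 "
            "--memory 256m --cpus 0.5 --user 65534:65534 python:3.12-slim python -")
```

Passing every check only means the listed flags are present; it says nothing about the image contents or the host's own configuration.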
I'm interested to know whether you evaluated alternatives such as Monaco by Microsoft/VSCode? From my research it seems to be the one that's "ahead" by whatever metrics you'd go off other than age.
I'm interested to know what challenges you faced if any as well? Thanks!
We've restricted all outbound traffic since then.
I just ran a couple of Python scripts that grabbed the ec2 instance metadata and the HN front page.
I am sure there are many who would. Some may use it ethically, but many will not.
All will place liability on the service.
I wonder if repl.it ever did this, or if they've always used WebAssembly? (They definitely use wasm now.)
I believe the very first version of replit was all in-browser, but no longer.
Wow, that's a change. I remember using replit with Python compiled to wasm. It was neat for a few seconds.
Not responsive? Bad touch controls?
Codemirror is different?