Return-Path: X-Original-To: apmail-couchdb-dev-archive@www.apache.org Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BFDA9E430 for ; Tue, 5 Feb 2013 07:26:40 +0000 (UTC) Received: (qmail 78866 invoked by uid 500); 5 Feb 2013 07:26:39 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 78817 invoked by uid 500); 5 Feb 2013 07:26:39 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 78789 invoked by uid 99); 5 Feb 2013 07:26:38 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Feb 2013 07:26:38 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of bchesneau@gmail.com designates 209.85.210.169 as permitted sender) Received: from [209.85.210.169] (HELO mail-ia0-f169.google.com) (209.85.210.169) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Feb 2013 07:26:31 +0000 Received: by mail-ia0-f169.google.com with SMTP id j5so9267010iaf.28 for ; Mon, 04 Feb 2013 23:26:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:content-type:content-transfer-encoding; bh=S2efmpdUZBXTicpVo+xsB5mv0/caaNVWyl+LSRl4y2A=; b=iDN7W9uQ+HnvDGVQY7to6WzihMDaA6RzKsRjwdSF7TOZx8Ag++dv45EpvZqk4HwCD8 iMZ8QHyt3ryumhFxmCKereofqhTE4V5Zv4obLA+8SpY2W0QdaSyWkI0TzSBKF9yQ66Un sbndiJ0zcc7tOe8uad88cSEEgEIZD3dKTq3VUXQdM+UQm+/OigoxoGy3h/y+UoK2p+1F hsOlBasGVhSj3oNSPvpX4IYa30jS5hgEY1UgXm1Zj+BWH3iHcnMRzumr/JfaaY0rfiJZ mZo6UvGAtRhosMWGAb1BpzzA4IY27ko7B0MrT8XMtgYYhc1DgcV9/zjraehgZmMMc6Qu ElpQ== MIME-Version: 1.0 X-Received: by 10.43.114.135 with SMTP id fa7mr20372464icc.21.1360049170628; Mon, 04 Feb 2013 23:26:10 -0800 (PST) Received: by 10.64.29.13 with HTTP; Mon, 4 Feb 2013 23:26:10 -0800 (PST) In-Reply-To: <0377F01C-5F5D-48C5-8FDA-F9269B480324@apache.org> References: <5102B439.10500@lymegreen.co.uk> <91019D9B-A6AE-4311-9C11-E6001D57293A@apache.org> <5DD875C7-7E61-4FB8-A79C-779363AE5659@apache.org> <0377F01C-5F5D-48C5-8FDA-F9269B480324@apache.org> Date: Tue, 5 Feb 2013 08:26:10 +0100 Message-ID: Subject: Re: Branch to switch from SpiderMonkey to Node.js From: Benoit Chesneau To: "dev@couchdb.apache.org" Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org On Mon, Feb 4, 2013 at 6:58 PM, Jan Lehnardt wrote: > > On Feb 4, 2013, at 18:47 , Benoit Chesneau wrote: > >> On Mon, Feb 4, 2013 at 12:10 PM, Jan Lehnardt wrote: >>> >>> On Feb 4, 2013, at 11:53 , Benoit Chesneau wrote: >>> >>>> On Thu, Jan 31, 2013 at 5:54 PM, Jason Smith wrote= : >>>>> >>>>> On Thu, Jan 31, 2013 at 4:34 PM, Benoit Chesneau wrote: >>>>> >>>>>> >>>>>> A javascript engine doesn't expose any IO par default. The **framewo= rk** >>>>>> nodejs is, this is all the point. I'm quite interested by the existi= ng >>>>>> solutions to sandbox nodejs, do you know some projects that does it? >>>>>> >>>>> >>>>> Correct. I am attempting to build something which satisfies your >>>>> description: no i/o; i/o is not even possible. >>>>> >>>>> *How* is it implemented? Well, it doesn't matter whether we use Node.= js or >>>>> couchjs/SM or couchjs/v8. What matters is we feel confident about sec= urity. >>>>> And of course, I agree, if we cannot achieve good security, then that= is a >>>>> show stopper. >>>>> >>>>> Here is my current plan for sandboxing CouchJS. (Thanks to Isaac for = his >>>>> tips.) >>>>> >>>>> When it is time to evaluate some code: >>>>> >>>>> 1. Set up an object with safe variable bindings: safe_context >>>>> 2. fork() >>>>> 3. Child process runs vm.runInNewContext(safe_context) >>>>> 4. Child process communicates to the parent over stdio, through the >>>>> approved safe_context functions >>>>> >>>>> The subprocess can also give extra sandboxing, such as chroot() if >>>>> available. >>>>> >>>>> Yes, this causes two processes per instantiation; however I think the >>>>> parent might only be short-lived, setting up the security, then exiti= ng. >>>>> The grandchild can talk to Erlang over stdio. >>>>> >>>>> That is my plan. No idea how well it will work. >>>>> >>>>> -- >>>>> Iris Couch >>>> >>>> >>>> >>>> Too much kool-aid imo :) >>>> >>>> This is not that it can't work. But are you seriously considering to >>>> have a main couchjs process maintaining the STDIO channel and spawn a >>>> new OS Process for a view (which what does `vm.runInNewContext`)? The >>>> memory and latency cost can became very important, and i don't count >>>> the chrooting cost especially if run this context on each indexation >>>> batch or shows, lists and views requests. + the extra fds created by >>>> each child contexts. >>> >>> Alternatively, if the above works and is necessary (modulo Klaus=92s >>> research), we live with the hit until we get to rewrite the view protoc= ol >>> at which point we can make it 1 Erlang process -> 1 node process for >>> dispatching -> N Node processes for indexing. >> >> I don't think it is necessary at all to use so many *OS* process at >> all for our purpose. And I am really worried by such solution.There is >> a reason why people don't try to launch too much OS processes on the >> system, There is a reason why we are using systems like Erlang. >> >> I guess runInContext would work, with a custom `require` function to >> include modules (to specifically forbid IO) . According to the doc the >> context doesn't share anything, which is what we want. Also if we are >> going for node i would prefer to start with a straight forward >> solution and not introduce any new behaviours. > > I suggested 1 extra node process in total, if at all, as an alternative, > if the thing Klaus and you outline doesn=92t work. > Why doesn't it work? runInNewContext would imply to launch one new context / view if you want to really run it sandboxed. "vm.runInNewContext compiles code, then runs it in sandbox and returns the result.". I don't see any other way since you can't recycle a context in this case. Having another I/O for this context wil be even uglier. In that case you would have STDIO -> CHILD -> STDIO -> CHILD . Without counting the memory usage it will add more latency than we have right now. The more I think about that the more I'm reluctant to support such solution. - beno=EEt