Return-Path: X-Original-To: apmail-couchdb-dev-archive@www.apache.org Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A6881ED93 for ; Mon, 4 Feb 2013 17:48:18 +0000 (UTC) Received: (qmail 3639 invoked by uid 500); 4 Feb 2013 17:48:18 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 3571 invoked by uid 500); 4 Feb 2013 17:48:17 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 3561 invoked by uid 99); 4 Feb 2013 17:48:17 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Feb 2013 17:48:17 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of bchesneau@gmail.com designates 209.85.210.175 as permitted sender) Received: from [209.85.210.175] (HELO mail-ia0-f175.google.com) (209.85.210.175) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Feb 2013 17:48:12 +0000 Received: by mail-ia0-f175.google.com with SMTP id r4so8217918iaj.20 for ; Mon, 04 Feb 2013 09:47:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:content-type:content-transfer-encoding; bh=Jj1Qe7gRHZVOAL/J1AJpgOlh93k+JPR5Utpb61Sc0+U=; b=raxK3gsbMAQSGrQ62mQd23h/3pMyc8/mSjEwtWYMeJq7cZTc8I8mSqqfuUIab9EdjM dc3qLa5iQtDYfazJCl6udBFbtIdv+6gwbdTS4BBcS9GmtFeKB98E32dkR106JUTN4UyK AqlkyL938QmxM7G1FdCoznyvf+hxJzHbZ1Gecj/5VZlrZ/mldNBzlrkI9soy2E7+I9QV EisMb/wBiUCE8mVJhZiZewzNPBjGweEvCcs2g9MrIAD74QtyAUeej+5BQGLluqvGo7NW yRD9zndi2Sm6XWRvQeZeN+eiA5JAuRJaU+pOd5ZVLDwkN0Hn4TneLckQsY4Pzv9hwsjv 5PRw== MIME-Version: 1.0 X-Received: by 10.50.187.134 with SMTP id fs6mr7866438igc.79.1360000071549; Mon, 04 Feb 2013 09:47:51 -0800 (PST) Received: by 10.64.29.13 with HTTP; Mon, 4 Feb 2013 09:47:51 -0800 (PST) In-Reply-To: <5DD875C7-7E61-4FB8-A79C-779363AE5659@apache.org> References: <5102B439.10500@lymegreen.co.uk> <91019D9B-A6AE-4311-9C11-E6001D57293A@apache.org> <5DD875C7-7E61-4FB8-A79C-779363AE5659@apache.org> Date: Mon, 4 Feb 2013 18:47:51 +0100 Message-ID: Subject: Re: Branch to switch from SpiderMonkey to Node.js From: Benoit Chesneau To: "dev@couchdb.apache.org" Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org On Mon, Feb 4, 2013 at 12:10 PM, Jan Lehnardt wrote: > > On Feb 4, 2013, at 11:53 , Benoit Chesneau wrote: > >> On Thu, Jan 31, 2013 at 5:54 PM, Jason Smith wrote: >>> >>> On Thu, Jan 31, 2013 at 4:34 PM, Benoit Chesneau w= rote: >>> >>>> >>>> A javascript engine doesn't expose any IO par default. The **framework= ** >>>> nodejs is, this is all the point. I'm quite interested by the existing >>>> solutions to sandbox nodejs, do you know some projects that does it? >>>> >>> >>> Correct. I am attempting to build something which satisfies your >>> description: no i/o; i/o is not even possible. >>> >>> *How* is it implemented? Well, it doesn't matter whether we use Node.js= or >>> couchjs/SM or couchjs/v8. What matters is we feel confident about secur= ity. >>> And of course, I agree, if we cannot achieve good security, then that i= s a >>> show stopper. >>> >>> Here is my current plan for sandboxing CouchJS. (Thanks to Isaac for hi= s >>> tips.) >>> >>> When it is time to evaluate some code: >>> >>> 1. Set up an object with safe variable bindings: safe_context >>> 2. fork() >>> 3. Child process runs vm.runInNewContext(safe_context) >>> 4. Child process communicates to the parent over stdio, through the >>> approved safe_context functions >>> >>> The subprocess can also give extra sandboxing, such as chroot() if >>> available. >>> >>> Yes, this causes two processes per instantiation; however I think the >>> parent might only be short-lived, setting up the security, then exiting= . >>> The grandchild can talk to Erlang over stdio. >>> >>> That is my plan. No idea how well it will work. >>> >>> -- >>> Iris Couch >> >> >> >> Too much kool-aid imo :) >> >> This is not that it can't work. But are you seriously considering to >> have a main couchjs process maintaining the STDIO channel and spawn a >> new OS Process for a view (which what does `vm.runInNewContext`)? The >> memory and latency cost can became very important, and i don't count >> the chrooting cost especially if run this context on each indexation >> batch or shows, lists and views requests. + the extra fds created by >> each child contexts. > > Alternatively, if the above works and is necessary (modulo Klaus=92s > research), we live with the hit until we get to rewrite the view protocol > at which point we can make it 1 Erlang process -> 1 node process for > dispatching -> N Node processes for indexing. I don't think it is necessary at all to use so many *OS* process at all for our purpose. And I am really worried by such solution.There is a reason why people don't try to launch too much OS processes on the system, There is a reason why we are using systems like Erlang. I guess runInContext would work, with a custom `require` function to include modules (to specifically forbid IO) . According to the doc the context doesn't share anything, which is what we want. Also if we are going for node i would prefer to start with a straight forward solution and not introduce any new behaviours. > > > >> Anyway, I looked over the week-end and didn't find so may other >> solutions when it's about nodejs. I read that and maybe ` >> vm.runInContext` [1] with `vm.CreateContext` could work or like Klaus >> says maybe `vm.CreateScript` though the doc[1] don't say if it s in >> the same process or not [2]. I guess it is. I'm interested by the >> solution of providing a secure "require" like suggest Klaus. How would >> it work? > > Yeah, I=92d love to see that too. > > >> I intend to write a straight-forward port of couchjs to use v8 to see >> how much things it gave us, but it will be just a temporary hac, just >> good for 1.4 imo. > > It=92d be great to have this as a fallback solution! If we eventually can > do away with all the C code, the better :) I will work on it this week. I will probably need a second look, my C++ is rusty. > > >> I also would like to find a solution for the mobile >> worl and i'm not sure v8 is OK for that yet. > > It works fine for Chrome on mobile :) Until recently it wasn't working on IOS, the support is really new (chrome on IOS is using webkit). But I think now that we could let this part to another topic. This is not like the current couchdb can run on such platforms without deep changes :) >