Our great sponsors
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
skybison
A fork of Instagram's experimental performance oriented greenfield implementation of Python. It features small objects; a moving GC; hidden classes; bytecode inline caching; type-specialized bytecode; an experimental template JIT. (by tekknolagi)
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
windmill
Open-source developer platform to turn scripts into workflows and UIs. Fastest workflow engine (5x vs Airflow). Open-source alternative to Airplane and Retool.
Some options already listed in replies to this comment, but you might consider gVisor as well: https://gvisor.dev/
gVisor is kind of Linux running in Linux. More insolation than containers; less overhead than VMs (but less isolation, of course).
There's the source code for such a site, if that would help: https://github.com/radian-software/riju
Docker + heavily restricted user + firewalls.. seems to get you much of the way there. I am aware that some work was done back in the pre-Docker day with Ruby's online sandbox to neuter Ruby's ability to make certain syscalls, but I imagine Docker, eBPF, or even using WebAssembly makes it a lot easier now.
I've been meaning to take a look at Bottlerocket[^1] as an alternative to a custom spin of Kubernetes but we haven't really had a chance to dig into it. The folks over at Fly[^2] have built an awesome edge platform out of Firecracker, and ultimately, where I want to take the next generation of our internal compute offering. I am eagerly looking forward to any and all presentations they do on their work.
[^1]: https://github.com/bottlerocket-os/bottlerocket
Here are some more ports of LLVM and clang to the browser:
* https://github.com/kripken/llvm-js
* https://github.com/tbfleming/cib
* https://github.com/jprendes/emception
LLVM just does pure computation, really, so it's not hard to port to wasm - much simple than say Python (which has also been ported several times). The only challenges with LLVM are the build system (which has self-execution), working around some issues like clang wanting to open a subprocess, and adding some ifdefs.
Here are some more ports of LLVM and clang to the browser:
* https://github.com/kripken/llvm-js
* https://github.com/tbfleming/cib
* https://github.com/jprendes/emception
LLVM just does pure computation, really, so it's not hard to port to wasm - much simple than say Python (which has also been ported several times). The only challenges with LLVM are the build system (which has self-execution), working around some issues like clang wanting to open a subprocess, and adding some ifdefs.
Here are some more ports of LLVM and clang to the browser:
* https://github.com/kripken/llvm-js
* https://github.com/tbfleming/cib
* https://github.com/jprendes/emception
LLVM just does pure computation, really, so it's not hard to port to wasm - much simple than say Python (which has also been ported several times). The only challenges with LLVM are the build system (which has self-execution), working around some issues like clang wanting to open a subprocess, and adding some ifdefs.
If you take a look at the Skybison Python runtime, I would be happy to chat and help you poke around integrating it: https://github.com/tekknolagi/skybison
For the open-source windmill project, we need to support sandboxing of typescript (deno) and python. For deno we could have just relied on v8 isolate and deno layer of isolation. But for Python we could not anyway so we had to come up with a common solution. We chose nsjail in the end and it works really well. All the config files are here: https://github.com/windmill-labs/windmill/tree/main/nsjail and this is how it is spawned from within the Rust worker: https://github.com/windmill-labs/windmill/blob/main/backend/...
Happy to expand more of my experience of making this work at scale.