try-haxe using Docker


Justo Delgado

Jun 14, 2016, 3:48:27 PM
to Haxe
Hello community,

I've been working, as a weekend project, on adding Docker support to try-haxe so we can run neko and macros without compromising the server integrity (I'm not a security expert, but I hope that holds true ^^; )

It uses this image https://hub.docker.com/r/nitrobin/haxe-minimal/ to build the project (and run the neko file if you are targeting neko), and it runs the container in read-only mode (sans a few folders that need write access), as you can see here https://github.com/mrcdk/try-haxe/blob/docker/src/api/Compiler.hx#L372-L425

I'm planning to give the option to change the haxe version, but I'd need to create docker images for each one and it takes time.

Here is the temporary server I've set up http://try-haxe.mrcdk.com and a silly example http://try-haxe.mrcdk.com/#BE17A

Setting up a server isn't especially difficult, but it's a bit tedious. I'll write up how to set everything up later.

Marcelo de Moraes Serpa

Jun 14, 2016, 4:00:15 PM
to haxe...@googlegroups.com
Nice! Maybe add Ansible to the mix to orchestrate everything?


Jeff Ward

Jun 14, 2016, 4:55:25 PM
to Haxe
Fantastic, Justo, this will accelerate macro prototyping and community sharing.

My first macro example works right out of the box: http://try-haxe.mrcdk.com/#2e3e3

And here's an old build of the above that just keeps aging :) http://try-haxe.mrcdk.com/program/2e3e3/run?r=0.9810673952840485

It'd be nice to get the compile step STDOUT somewhere to see those macro trace and $type statements. Maybe further down the page.

On the security topic, how often is the docker image / machine recycled? Presuming I can call out sys and run any binary, I might be more worried about network traffic than file access.

Best,
-Jeff

Jeff Ward

Jun 14, 2016, 5:00:26 PM
to Haxe
Alternatively, maybe you should disable Sys.command and sys.io.Process in the neko libs in the docker images? I imagine one could call external programs to spam network traffic and hang so the haxe compiler never exits.

Justo Delgado

Jun 14, 2016, 5:26:18 PM
to Haxe
$type() output goes to STDERR (same as --times) and it's under the output. I'll see about trace.

The docker image runs fresh each time you invoke the haxe compiler (for autocomplete and when compiling), and each command (compilation and execution if needed) has a timeout of 1 second, which is more than enough for the compiler to compile most things and not enough for any process to break anything (hopefully).

Jeff Ward

Jun 14, 2016, 5:38:50 PM
to Haxe
Ah, that sounds pretty reasonable.

I'm not sure how you invoke the compiler, but with bash you can combine both STDOUT and STDERR and send them to either STDOUT or STDERR like this:

(haxe) 2>&1   # Both to STDOUT

(haxe) 1>&2   # Both to STDERR

underscorediscovery

Jun 14, 2016, 9:10:48 PM
to Haxe
For what it's worth docker isn't really a sandbox:
https://docs.docker.com/engine/security/security/

You can search docker security and find countless pages of privilege escalation, so be sure you research it (especially with process access).

Jeff Ward

Jun 15, 2016, 7:17:22 AM
to haxe...@googlegroups.com

I had done a little research this past weekend myself. A security friend recommended seccomp, though it seems incredibly complex, and its default mode is to kill the process as soon as it makes any system call outside a few basic ones. It would be very hard to set up, but likely the right thing to do.

Alternately, lxc containers looked promising, they have a hardened unprivileged container so you can guarantee attackers can't get real root access on the host machine.

Even with any level of security, I still might kill a couple of APIs -- macro learning shouldn't depend on creating native processes or using sockets.

Justo, is the code in a public place, or do you want to work on this privately for a bit? (I don't really have time to do much, but I'd be interested in how it works / watching the progress.)

Cauê Waneck

Jun 15, 2016, 8:36:19 AM
to haxe...@googlegroups.com
I've made such a sandbox in the past, exactly so Haxe can be used as a service: https://github.com/waneck/openjail . It uses seccomp, linux containers, linux user groups, and more. It doesn't need root permissions to work, and allows some extra features like timeouts and setting a maximum MB * s, which represents memory and time, so smaller programs can run for more time while bigger programs are killed quickly.


Justo Delgado

Jun 15, 2016, 11:41:41 AM
to Haxe
I understand the security related concerns but this was a weekend project and I don't really have much time to be messing around with it for too long.

If I understand correctly, Docker and LXC are two ways of doing the same thing. I chose Docker for no specific reason.

Docker comes with a seccomp profile enabled by default https://github.com/docker/docker/blob/master/docs/security/seccomp.md I'm not a security expert (as you may have noticed), so I'm not 100% sure the default seccomp profile is enough, but I guess it's better than nothing.

There is not much code apart from setting up the server. The try-haxe code is here https://github.com/mrcdk/try-haxe/tree/docker and the docker part here https://github.com/mrcdk/try-haxe/blob/docker/src/api/Compiler.hx#L376-L388 I have yet to write down how to set up the server, but I want to add more haxe versions first.

Justin L Mills

Jun 15, 2016, 6:34:35 PM
to haxe...@googlegroups.com

Justo

That's really great. I tried the twitter link you posted, then I felt a bit naughty... am I really allowed to do this!

http://try-haxe.mrcdk.com/#b6BF1

There is no 'format' library, I wanted to try drawing a png to a file :(

I was wondering about having it set up with haxe --next so that I could select both frontend and backend code.

It would create two mains with #if neko and #if javascript around each one within the code window. This would allow me to create a png and save it in neko, and then display it in webgl perhaps, then let the user edit the png in a javascript canvas and save it back to the server via Haxe remoting the data to neko and then to disk, or something fun and pointless like this.

The option tab would need to have Backend then Frontend columns. I think that it's not just nice to have this ability, it's kind of essential to helping new users really understand the power of using Haxe and how there is not really a firm boundary between frontend and backend code: it's all Haxe, all the way, especially if you get java, php etc. all working; that would be amazing to demo. But I'm quite keen on being allowed to compile two targets with --next, though it may need some thought to get the interface and interactions right.

Best

Justin

Jeff Ward

Jun 15, 2016, 6:52:28 PM
to Haxe
I thought it felt a bit weird to be able to do all this: http://try-haxe.mrcdk.com/#aAac8 (click the Compiler Output tab)

I'm root on a linux node in London operated by Digital Ocean. Apparently the computer only lasts 1 second, and indeed, every time I run the compiler my hostname changes and filesystem changes I make are gone. Still... I can't help but imagine I could do something malicious (well, I'm pretty sure I could ping flood for a second, but I have more class than that). I wonder if I could spawn a sub-process that's not under the 1-second timeout; how long would it last?

I wonder if there's a docker / seccomp profile to disable any network traffic.

Cauê, your project does seem to have some nice security features. I may have to play around with it, Haxe-related or otherwise. Thanks! :)

Justo Delgado

Jun 15, 2016, 10:15:28 PM
to Haxe
No, you are root inside an isolated container running on a node in London operated by DigitalOcean (the IP is the public server IP). Everything else you see there is the container information.

I've disabled the network inside the container and will build and upload stripped docker images with only haxe and neko soon.
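The controls this thread has been circling (a read-only root filesystem with a few writable directories, no network, a 1-second wall-clock budget, the default seccomp profile, and Jeff's question about a child process outliving the timeout) fit into a single `docker run` invocation. The wrapper below is an added example, not try-haxe's own code nor anything from Compiler.hx; the image name, mount point, uid, memory and process caps, and the 1-second default are my assumptions. The important detail is that the deadline kills the container, not just the `haxe` process: a child that forks and daemonises inside the container dies with the container's cgroup, whereas under a bare `timeout 1 haxe` on the host it would survive.

```shell
#!/bin/sh
# Added example (not try-haxe's own code): a hardened `docker run` wrapper for
# one compile-or-run step. Combines a read-only rootfs with tmpfs scratch
# space, no network, no capabilities, no privilege escalation via setuid
# binaries, a process and memory cap, and a hard wall-clock limit that tears
# down the whole container so no child can outlive it.
#
# Assumptions (mine, not the thread's): the image name, /src as the mount
# point, uid 1000 (the host source dir must be writable by that uid), the
# 256 MB / 64-process caps, and a 1-second default budget. Needs a Docker CLI
# that understands --read-only, --tmpfs, --pids-limit and
# --security-opt no-new-privileges. The source dir path must not contain
# whitespace, since the option list is word-split below.

IMAGE="${TRYHAXE_IMAGE:-thecodec/haxe-3.3.0.slim}"
TIMEOUT_SECS="${TRYHAXE_TIMEOUT:-1}"

# Print the `docker run` options for a sandboxed step, one token per line, so
# they can be inspected and tested without a Docker daemon present.
sandbox_run_opts() {
    src_dir="$1"
    printf '%s\n' \
        --rm \
        --network none \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=16m \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --pids-limit 64 \
        --memory 256m --memory-swap 256m \
        --user 1000:1000 \
        --workdir /src \
        --volume "$src_dir:/src:rw"
}

# Run COMMAND... in a fresh container over SRC_DIR. Returns the container's
# exit code, or 124 (the status `timeout` uses) when the budget expires.
run_sandboxed() {
    src_dir="$1"; shift
    name="tryhaxe-$$-$(date +%s)"
    # The opts are single tokens with no spaces, so unquoted expansion is
    # intended here.
    timeout -s KILL "$TIMEOUT_SECS" \
        docker run --name "$name" $(sandbox_run_opts "$src_dir") "$IMAGE" "$@"
    rc=$?
    # `timeout` only killed the docker client; the container keeps running
    # until it is removed. `rm -f` SIGKILLs PID 1 and the kernel then reaps
    # every other process in the container's cgroup, including anything that
    # forked and daemonised to dodge the deadline. Harmless if --rm already
    # cleaned up after a normal exit.
    docker rm -f "$name" >/dev/null 2>&1 || true
    return $rc
}

# Usage (compile, then run the resulting neko binary with a separate budget):
#   run_sandboxed /var/tryhaxe/jobs/abc123 haxe -main Test -neko test.n
#   run_sandboxed /var/tryhaxe/jobs/abc123 neko test.n
```

`--network none` is what answers the "seccomp profile to disable any network traffic" question: it removes the network namespace's interfaces entirely, so there is nothing to ping-flood, and the default seccomp profile stays as the second layer underneath it. `--cap-drop ALL` plus `no-new-privileges` means that even though the process may be root inside the namespace, it holds none of the capabilities a host-escape would need.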

Justo Delgado

Jun 16, 2016, 12:28:17 AM
to Haxe
Okay, the site is now using this image https://hub.docker.com/r/thecodec/haxe-3.3.0.slim/ I've created it from this image https://hub.docker.com/r/nitrobin/haxe-minimal/ but using haxe 3.3.0-rc.1 and neko 2.1.0. Then I've used https://github.com/cloudimmunity/docker-slim to remove everything from it by executing the haxe 3.3.0 unit and sys tests (only failing the sys/ExitCode tests because they need gcc) and leaving everything it touches (which is mostly nothing), and then running the same tests on that image to make sure everything was working (at least everything the tests test).

If anyone has more ideas to secure it let me know

Jeff Ward

Jun 16, 2016, 8:14:23 AM
to Haxe
Justo, that looks really great! How exciting to be able to use macros in the online Haxe editor.

My only nit now is that the extra tabs format weirdly even on a 1280 monitor. If this gets adopted, we'll need some design updates. (Ideas, Mark? Move the run standalone button? Move some of those tabs into a drop-down?) Justo, I like how you hid the tabs if they were empty.

Justin - yes, it's interesting to ideate about how it could grow now that it has more capabilities. Though as a basic "try me" it works pretty darn well!

Now, who's going to just whip up that Haxe compiler in Haxe so we don't have to leave the browser? :D

Best,
-Jeff

Justo Delgado

Jun 18, 2016, 6:38:28 PM
to Haxe
I've updated the page, adding another tab for another source file so we don't need to #if macro #else #end in the same file all the time, which is a pain. There may be an error somewhere; it wasn't easy.

I've tried to keep the old format around, but I'm not 100% sure it will work. The few ones I've tried were working, but still.

Justo Delgado

Jun 19, 2016, 1:28:29 PM
to Haxe

Added an option to select the haxe version

Justo Delgado

Jun 19, 2016, 1:33:09 PM
to Haxe
Oh yeah, libraries don't work right now because I haven't installed any on the server. Which libraries do you guys want to be added to the site?

azrafe7

Jun 21, 2016, 6:01:14 PM
to Haxe
Well... all of them! :p

It would be AWESOME to have the possibility to add any lib from github/bitbucket/haxelib (imagine trying out a lib without needing to set it up locally, just in the browser).

Not really feasible I'd guess - or at least not trivial at all - considering all the security problems it brings with it and the different toolchains.

This being not possible - yet? - I'd really like to play online with some of the most popular/useful libs (off the top of my head: tink, thx, luxe/nme/openfl/kha/heaps, polygonal, unifill, format, ...). Can probably summarize it as "libs that provide: stdlib extensions, ad-hoc data structures, game (mmedia) frameworks, unit testing, macro-related, ...".

Thanks for your work! 

Justo Delgado

Jun 21, 2016, 8:01:43 PM
to Haxe
Yeah... anything that needs its own build system won't be added, and I can't allow random libraries from github/bitbucket because of security. There are a lot of tink and thx libraries in haxelib (+30); I won't be able to update each library each time it gets updated. I'll need a shorter curated list.

JLM

Jun 22, 2016, 4:33:00 AM
to Haxe
Could you not have a script to call haxelib upgrade every night?

It's important that libraries stay relatively current.

Ideally, rather than asking here, add an option on the panel so users can request a new Haxelib, since people will only request something they specifically want to use.

It would be nice to allow users to actually call haxelib install on a library themselves, but I guess we really need a vetting process. I suspect it would be fine now, but in the future I guess it could be an issue; perhaps insist on only libraries that have unit tests and are passing travis. I don't know if it's viable to automagically check the travis status from the relevant github with code, and even allow use of the current git version.


Justo Delgado

Jun 22, 2016, 9:04:01 PM
to Haxe
Guys, the site is called try-haxe for a reason. It would be awesome to have all of haxelib, git and terminal access to install libraries or do whatever you want, but at that point what you would end up with is a cloud IDE setup for haxe development, not try-haxe. Try-haxe is just a platform to give a taste of what haxe has to offer. I lack the resources to implement more than what try.haxe.org offers, that is, a fixed number of libraries per target. I'll check which libraries to install this weekend.

Mark Knol

Jun 26, 2016, 5:04:49 PM
to Haxe
I think these will be nice to have and work well on try.haxe: hscript, format, nape, minject, msignal, compiletime, polygonal-ds, haxeparser, hxtemplo. And thx and the tink libs.

Justo Delgado

Jun 27, 2016, 12:56:32 PM
to Haxe
I've added a bunch of non-tested libraries:

actuate, format, hscript, nape, minject, msignal, polygonal-ds, hxparse, hxtemplo, promhx, dots, slambda, thx.core, thx.color, thx.promise, thx.stream, thx.culture, thx.stream.dom, thx.benchmark, thx.csv, thx.text, tink_core, tink_macro, tink_priority, tink_lang, tink_xml, tink_template, tink_concurrent, tink_streams, tink_io, tink_runloop, tink_tcp, tink_http, tink_url, tink_parse, tink_json, tink_clone, tink_await, tink_web, futurize

Juraj Kirchheim

Jun 27, 2016, 1:18:44 PM
to haxe...@googlegroups.com
Very cool. Do you have any policy regarding updates?


Justo Delgado

Jun 27, 2016, 1:56:25 PM
to Haxe
I've set up a cron job to run haxelib --always update each day.

If you mean a policy to update the list of libraries, I have none, I guess you can write them here and I'll add them.

Mark Knol

Jun 27, 2016, 2:13:20 PM
to Haxe
I hope we can make these features official and they can/will be merged into try.haxe soon too! Very nice, these are all great additions.