Question

As part of an effort to make the scikit-image examples gallery interactive, I would like to build a web service that receives a Python code snippet, executes it, and provides me with the generated output image.

For safety, the Python instances launched should be sandboxed and resource controlled, so I was thinking of using LXC containers.

Is this a good way to approach the problem? If so, what is the recommended way of launching one Python VM per request?

Solution

Stefan, perhaps "Docker" could be of use? I get the impression that you could constrain the VM that the application is run in -- an example web service:

http://docs.docker.io/en/latest/examples/python_web_app/

You could try running the application on Digital Ocean, like so:

https://www.digitalocean.com/community/articles/how-to-install-and-use-docker-getting-started

OTHER TIPS

[disclaimer: I'm an engineer at Continuum working on Wakari]

Wakari Enterprise (http://enterprise.wakari.io) is aiming to do exactly this, and we're hoping to back-port the functionality into Wakari Cloud (http://wakari.io) so "published" IPython Notebooks can have some knobs on them for variable input control, then they can be "invoked" in a sandboxed state, and then the output given back to the user.

However, for things that exist now, you should look at Sage Notebook. A few years ago several people worked hard on a Sage Notebook Cell Server that could do exactly what you were asking for: execute small code snippets. I haven't followed it since then, but it seems it is still alive and well from a quick search:

http://sagecell.sagemath.org/?q=ejwwif

http://sagecell.sagemath.org

http://www.sagemath.org/eval.html

For the last URL, check out Graphics->Mandelbrot and you can see that Sage already has some great capabilities for UI widgets that are tied to the "cell execution".

I think Docker is the way to go for this. The instances are very lightweight, and Docker is designed to spawn 100s of instances at a time (spin-up time is fractions of a second vs. a couple of seconds for traditional VMs). Configured correctly, I believe it also gives you a complete sandboxed environment. Then it matters not about trying to sandbox Python :-D
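
As an added illustration of what "configured correctly" can involve for the Docker suggestion above (not code from any of the answers): a per-request launcher that caps memory, CPU and process count, removes network access and drops privileges. The image name `snippet-runner:latest`, the `/work` layout and the limit values are assumptions, and the flags are those of a current Docker CLI.

```python
import os
import subprocess
import uuid

IMAGE = "snippet-runner:latest"  # assumed image: Python + scikit-image preinstalled

def build_docker_argv(name, workdir, image=IMAGE, mem="256m", cpus="0.5", pids=64):
    """Build the `docker run` command line for one untrusted snippet."""
    # workdir is a per-request host directory holding snippet.py; reject
    # values that would change the meaning of the -v bind-mount argument.
    if not os.path.isabs(workdir) or ":" in workdir:
        raise ValueError("workdir must be an absolute path without ':'")
    return [
        "docker", "run", "--rm", "--name", name,
        "--network", "none",                     # no network from the snippet
        "--memory", mem, "--memory-swap", mem,   # RAM cap, no additional swap
        "--cpus", cpus,                          # CPU share cap
        "--pids-limit", str(pids),               # bounds process/thread count
        "--read-only",                           # immutable root filesystem
        "--tmpfs", "/tmp:rw,size=64m",           # small scratch space
        "--cap-drop", "ALL",                     # no Linux capabilities
        "--security-opt", "no-new-privileges",   # setuid binaries gain nothing
        "--user", "65534:65534",                 # unprivileged uid:gid (nobody)
        "-v", f"{workdir}:/work:rw",             # must be writable by that uid
        "-w", "/work",
        image, "python", "/work/snippet.py",
    ]

def run_snippet(workdir, timeout=20):
    """Run snippet.py from workdir in a fresh container; return (rc, out, err)."""
    name = "snippet-" + uuid.uuid4().hex
    try:
        proc = subprocess.run(build_docker_argv(name, workdir),
                              capture_output=True, timeout=timeout)
        return proc.returncode, proc.stdout, proc.stderr
    except subprocess.TimeoutExpired:
        # The timeout only kills the docker client; stop the container by name.
        subprocess.run(["docker", "kill", name], capture_output=True)
        return None, b"", b"timed out"
```

The web service would write each request's code to `snippet.py` in a fresh directory, call `run_snippet` on it, and read back the image file the snippet saved there.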

I'm not sure if you really have to go as far as setting up LXC containers:

There is seccomp-nurse, a Python sandbox that leverages the seccomp feature of the Linux kernel.

Another option would be to use PyPy, which has explicit support for sandboxing out of the box.

In any case, do not use pysandbox; it is broken by design and has severe security risks.

Licensed under: CC-BY-SA with attribution