OCaml Forge

Detail: [#593] Create a vserver for ocsigen

Date:
2010-05-05 07:55
Priority:
3
State:
Open
Submitted by:
Sylvain Le Gall (gildor-admin)
Assigned to:
Nobody (None)
Summary:
Create a vserver for ocsigen

Detailed description
Set up an ocsigen.ocamlcore.org that should host users' Ocsigen applications. The vserver should handle all Ocsigen components (maybe not the version of stable, but the one from unstable).

The user base and filesystem should be the same as forge.ocamlcore.org (ssh.ocamlcore.org to be precise).

Followup

Message
Date: 2010-06-07 10:25
Sender: Stéphane Glondu

> Do you think that if someone launches a task that takes too long,
> it will freeze the system for others?

Not the system, but surely the whole process. And since there is no restriction in extensions, someone could also run unsafe code or make the whole process segfault.

The only way I see would be to embed some kind of interpreter in Ocsigen, and run the code with a very defensive policy... but currently, it's not in the top priorities of Ocsigen's developers. It could be easier to have one process per user, and let the user run whatever he wants in his process (and put limits on the process itself). A frontal server can be used as an administration interface and reverse-proxy for the per-user processes. I would also use a different user per process (and different from the user's regular unix account).

This sounds like an interesting Ocsigen hosting solution, but may require some resources: 1 additional user + 1 process (maybe more with fork()) per user + whatever resources (disk, database) we allow per user. We can also require users to submit source code and therefore control the environment in which the module is compiled.

All this would also require some time to implement... After all, I'm not so sure it would be that much easier than implementing an interpreter within Ocsigen (and interpreting a general-purpose interpreter with some kind of additional controls, even for the OCaml bytecode itself, could be interesting per se). But the first thing to think about would be what service we want to provide exactly...
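
The per-user process model proposed in the message above, as an added sketch that is not part of the tracker thread or of Ocsigen: a supervisor starts each user's worker as its own process with CPU and address-space limits, so a runaway worker is killed without affecting the others. The worker commands, limit values and the `uid`/`gid` parameters are assumptions made for illustration.

```python
import resource
import signal
import subprocess
import sys

def _limits(cpu_seconds, mem_bytes):
    """Return a hook that runs in the child, after fork() and before exec()."""
    def apply():
        # Soft limit delivers SIGXCPU; the hard limit one second later is SIGKILL.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    return apply

def run_worker(argv, cpu_seconds=1, mem_bytes=1 << 30,
               uid=None, gid=None, wall_timeout=10):
    """Run one user's worker under limits and report how it ended."""
    ident = {}
    if uid is not None:
        # Needs root: a dedicated account, distinct from the user's login account.
        ident = {"user": uid, "group": gid, "extra_groups": []}
    proc = subprocess.Popen(argv, preexec_fn=_limits(cpu_seconds, mem_bytes),
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, **ident)
    try:
        rc = proc.wait(timeout=wall_timeout)
    except subprocess.TimeoutExpired:
        # A sleeping worker burns no CPU time, so a wall-clock cap is still needed.
        proc.kill()
        proc.wait()
        return "wall-timeout"
    return "killed:" + signal.Signals(-rc).name if rc < 0 else "exit:%d" % rc

# Constructed workers: one returns promptly, one spins forever.
WELL_BEHAVED = [sys.executable, "-c", "print('ok')"]
RUNAWAY = [sys.executable, "-c", "while True: pass"]

if __name__ == "__main__":
    print("runaway worker:", run_worker(RUNAWAY))
    print("other user's worker:", run_worker(WELL_BEHAVED))
```

The limits only bound what one worker can consume; file, network and database access still depend on the separate account and whatever the front server exposes to it.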

Date: 2010-06-07 10:03
Sender: Sylvain Le Gall

Do you think that if someone launches a task that takes too long, it will freeze the system for others?

E.g. if you don't use lwt for a long running task.

Date: 2010-06-06 09:55
Sender: Stéphane Glondu

A few comments...

1) It should be possible to use the last version of ocsigen with debian stable. I've made backports of the whole ocaml stack for lenny at [1] for this purpose. It's probably better than having the whole server running unstable.

2) So far, there is not really a secure way to provide per-user Ocsigen hosting, except running an instance per user. What do you precisely have in mind?

[1] http://ocaml.debian.net/debian/ocaml-3.11.2-backports/

Changes:

No Changes Have Been Made to This Item