Preventing abuse with interactive Pluto notebooks

I’ve never been a fan of notebooks but Pluto has converted me, I think. And this has led me to think about ways to share notebooks, especially with interactive elements (my first thought was about using it in a teaching setting). This brings up my question:
If I host a notebook on a VPS so that there is a connected Julia process, how would I constrain the resources so that someone cannot DoS the VPS by calculating the factorial of 10^10 (or some other simple resource-intensive function)?

1 Like

My first two thoughts:

  1. Do not host a notebook, give people a setup to host the notebook on their own computers. If you need to show it being used, just stream your screen.
  2. You can spawn multiple notebooks, one per user, and restrict each of them with the same OS tools you would use to restrict any other process. Or you can spawn just one, and have a watchdog restart it when it dies.
1 Like
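
One way to apply the second suggestion above with plain OS limits on Linux, as an added example that is not part of the original posts: a Python supervisor that starts a command under a CPU-time rlimit, an optional address-space rlimit and a wall-clock timeout, and restarts it a bounded number of times. The function names and the `RUNAWAY` stand-in command are assumptions for illustration; on a real host the command would be the per-user Julia/Pluto launch line.

```python
import resource
import signal
import subprocess
import sys

def _limiter(cpu_seconds, memory_bytes):
    """Build the hook that runs in the child between fork and exec."""
    def set_limits():
        # Soft limit -> SIGXCPU, hard limit one second later -> SIGKILL.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        if memory_bytes is not None:
            # Caps virtual address space; a runtime that reserves a lot of
            # address space needs a generous value or a cgroup limit instead.
            resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core files
    return set_limits

def run_limited(cmd, cpu_seconds, memory_bytes=None, wall_seconds=None):
    """Run cmd under the limits; return 'ok', 'cpu-limit', 'wall-limit' or 'died:<code>'."""
    proc = subprocess.Popen(cmd, preexec_fn=_limiter(cpu_seconds, memory_bytes))
    try:
        code = proc.wait(timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        # rlimits count CPU time only; an idle or sleeping process needs this.
        proc.kill()
        proc.wait()
        return "wall-limit"
    if code == 0:
        return "ok"
    if code == -signal.SIGXCPU:
        return "cpu-limit"
    return f"died:{code}"

def watchdog(cmd, max_restarts, **limits):
    """Restart cmd each time it dies, at most max_restarts times; return every outcome."""
    outcomes = []
    for _ in range(max_restarts + 1):
        outcomes.append(run_limited(cmd, **limits))
        if outcomes[-1] == "ok":
            break
    return outcomes

# Constructed stand-in for a runaway notebook cell (not a real Pluto command).
RUNAWAY = [sys.executable, "-c", "while True: pass"]

if __name__ == "__main__":
    print(watchdog(RUNAWAY, max_restarts=1, cpu_seconds=1, wall_seconds=10))
```

The rlimits are inherited by child processes but counted per process, so a launcher that spawns workers still needs a process-count limit or a container/cgroup around the whole tree.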

If we are working from the assumption that we want to host something, the first suggestion is void. However, the second suggestion is what my first thought was: each notebook access spawning its own Julia instance on a thread with some resource constraints.

Another idea might be preventing the creation of new cells but allowing access through the HTML inputs. Then you can do some sort of input validation. However, this would mean a feature addition to Pluto.jl itself.

Alas, perhaps allowing any kind of arbitrary code execution from users on a VPS is not a good idea. Maybe disposable Docker containers so that your entire resource can discard itself if necessary?

Cool that you brought it up! I spent some time thinking about this.

The first attempt was to run Pluto on Heroku (demo from some time ago), but this suffers from the DoS problem.

The current idea is to run it on Binder (demo), with a one-click deploy button inside the Pluto editor. This works very well, and it does not have the DoS problem, but the launch times are a bit high.

Ideally you want online Pluto notebooks to load as fast as any other page, and be interactive instantly. I’m still not sure how to do it, but I think that it should be a hybrid between the Binder approach (Docker container for each visitor that hosts its own web server) and serving the static HTML. If many visitors don’t interact, or only do some small things, then it makes sense to share a Julia process between multiple visitors. Pluto can already run multiple isolated scopes on the same process.

I do think that a container for each visitor (possibly shared with others) is the best way. We don’t want to limit what you can do with an online notebook:

  • I think that features like limiting interaction to sliders will give a false sense of security, which might lead to people running it on computers that are not isolated. By false I mean that this feels like the monkey-patch approach to security, and it’s easy for me to miss something.
  • Being able to modify and run anything is an awesome feature, and we shouldn’t give it up for technical reasons.
5 Likes

Do you have any news on this? Pluto is so nice and appealing to students, having it deployed on a server to run some applications would be really great.

The Pluto Docker images are available here: Docker Hub
In principle it would be possible to deploy a Pluto Docker container (or multiple) on a server (local or cloud, maybe behind a reverse proxy) for student usage.

Regarding Binder, @fonsp knows more.