
Glot.io: Open Source pastebin with runnable snippets and API - phantom_oracle
https://glot.io/
======
pseudobry
This is really cool to see, but also somewhat depressing because it reminds me
that I spent about 500 hours of my free time building the same thing, and even
had it deployed at codetrain.io for a while, but then lost interest and now my
code's wasting away in a private bitbucket repo.

Before I shut mine down it could run 13 or so different languages, spin up
collaborative REPLs for Node.js/Python/Ruby, and organize snippets into
tutorials/lessons, etc. It was awesome, but now sits in my side project
graveyard. It's a shame really.

Glad to see glot.io getting more attention.

~~~
jdc0589
you should open source it

------
tyingq
This is very cool. I'd really love to see a "how it works" blog post,
particularly for the runnable snippets, and what your approach to protecting
it from abuse and hacking is.

~~~
oolongCat
It's opensource.
[https://github.com/prasmussen/glot](https://github.com/prasmussen/glot)

~~~
tyingq
The code is, but I assume there's some configuration that's not code that
might be interesting in the "avoid abuse and hacking" space.

~~~
daveguy
_All_ of the code is open source. This is a beautiful thing:

website: [https://github.com/prasmussen/glot-www](https://github.com/prasmussen/glot-www)

snippets: [https://github.com/prasmussen/glot-snippets](https://github.com/prasmussen/glot-snippets)

runner-web: [https://github.com/prasmussen/glot-run](https://github.com/prasmussen/glot-run)

runner-onserver: [https://github.com/prasmussen/glot-code-runner](https://github.com/prasmussen/glot-code-runner)

containers: [https://github.com/prasmussen/glot-containers](https://github.com/prasmussen/glot-containers)

EDIT: And this is directly from the main github source repository --
[https://github.com/prasmussen/glot](https://github.com/prasmussen/glot)

~~~
TAForObvReasons
Is there a guide for setting this up internally (within a local network)?

------
b3b0p
I couldn't help but notice they use Haskell and Yesod for the web portion
[https://github.com/prasmussen/glot-www](https://github.com/prasmussen/glot-www)

------
namtrac
Great, would be nice to have an updated clang (seems to be using 3.5.1) and
python3 (using 3.4.3). Generally it's nice to point out the version of the
compiler it's using somewhere as a note.

------
dafuq2
Hopefully you are ready for
[https://conference.hitb.org/hitbsecconf2016ams/sessions/esca...](https://conference.hitb.org/hitbsecconf2016ams/sessions/escape-from-the-docker-kvm-qemu-machine/)

~~~
alch-
This. Awesome service, but pleasefortheloveofgod don't let people run
arbitrary code inside Docker, unless you don't mind them getting out into the
parent OS and messing around. You want VMs for that. (Yeah, that's much more
resource intensive. Safely running arbitrary code is hard.)

~~~
wyldfire
seccomp provides a really good jail, probably all that's needed here.

------
stephenr
This looks like a very interesting project, but I think choices made for data
storage (PostgreSQL + CouchDB) are quite odd.

To me the obvious choice for this would be to use a DVCS repo for each "glot",
and create files inside it, just like Gist does. I personally would prefer
this be mercurial repos, but I'd probably just make it support git too.

I'd probably also use libvirt rather than Docker specifically, to allow for
more flexible setups.

------
0x54MUR41
This is like IdeOne [1]. But this is very cool because it's open source. IdeOne
is not an open source project.

[1]: [http://www.ideone.com](http://www.ideone.com)

------
karl42
There's also [http://www.gistrun.com](http://www.gistrun.com) , which executes
all code on the client.

------
furier
FYI - This is the work of one guy only, not multiple; just thought I'd mention
it as people refer to the dev in plural.

And my guess is that the different parts of the application being developed in
different languages, and the use of two DBs, are for educational purposes.

~~~
calebegg
Could also be singular 'they' -- that's how I read it.

------
zx2c4
There are a lot more problems than you think with letting users have arbitrary
code execution. And no, Docker is not an acceptable security solution for
this, since it's most certainly possible to break out of containers. Even if
you're using a dedicated VM, this is not a good idea. And from a brief look at
glot-code-runner, it doesn't seem like there's even that much built in to
protect against various forms of use.

A more sane design would be to use something like emscripten to enable all
these different languages to run in the browser.

~~~
dhaivatpandya
"Docker is not an acceptable security solution for this, since it's most
certainly possible to break out of containers."

Could you point to some resources that show that it is possible to break out
of Docker containers? I understand that there have been bugs in the past that
have caused this (using that to conclude that glot.io shouldn't use Docker is
a bit like saying OpenSSL is now useless because of heartbleed) but it seems
unlikely that breaking out of containers is possible due to the way Docker is
designed.

~~~
seanp2k2
[http://www.cvedetails.com/product/28125/Docker-Docker.html?v...](http://www.cvedetails.com/product/28125/Docker-Docker.html?vendor_id=13534)

[https://github.com/docker/docker/issues/12317](https://github.com/docker/docker/issues/12317)
[https://github.com/gabrtv/shocker](https://github.com/gabrtv/shocker)

[https://www.oreilly.com/ideas/docker-security](https://www.oreilly.com/ideas/docker-security)

I'm sure there will be more

Edit: yup, as cited below:
[https://conference.hitb.org/hitbsecconf2016ams/sessions/esca...](https://conference.hitb.org/hitbsecconf2016ams/sessions/escape-from-the-docker-kvm-qemu-machine/)

~~~
cyphar
Most of the vulnerabilities you mention are actually kernel vulnerabilities.
While they affect Docker, they more accurately affect everything that uses
"Linux containers". Although, Docker did have a bad history of security bugs
with symlinks.

But given the fact that Linux doesn't have real containers, I feel very
conflicted about opening that up to the internet.

------
arturadib
This is incredible. The key is in its simplicity, speed, and variety of
languages.

Kudos!

------
daveguy
Some metadata:

MIT license

Haskell infrastructure

Containered

Open source everything -- runners, site, etc

Very nice!

~~~
hookshot
It looks like only glot-www is Haskell.

glot-snippets and glot-run are both erlang APIs, and glot-code-runner is a go
application.

------
kahuna4637
Please make R a language here. That would be amazing to be able to run
snippets. I could see a lot of uses!

~~~
sean_the_geek
+1 for R. I was pleasantly surprised to see Julia there

------
rocketcity
Thank you for this! Going to share it with the rest of my team right now. I
always need a tool like this and had been using
[http://codepad.org/](http://codepad.org/) until now. This interface is much
slicker.

------
kevindeasis
This is very fascinating.

How does the rocket science work here? Like how do you run different
programming languages in the client side.

Do they pass the code to the server and run it in there then pass it to the
client?

~~~
Rotten194
Yeah, if you check the repo it's running the code in a specialized docker
container with no network access.

~~~
kevindeasis
Thanks I see it: [https://github.com/prasmussen/glot-containers](https://github.com/prasmussen/glot-containers)

Guess I better start learning about docker/containers soon

------
aioprisan
This is excellent! Reminds me of a tool I wrote a few years back that only
supported 4 languages that we used at my past company. Great to see this open
sourced!

------
sosedoff
Check another similar tool BitRun - [https://bit.run/](https://bit.run/) Very
good for rapid prototyping.

------
mahmoudimus
I am interested to know what other ways there are of allowing untrusted user
code execution securely. How does one enforce resource quotas (timeouts, etc)?

~~~
mahmoudimus
In particular, anything that can run on the JVM? I know Lua is really great for
this type of stuff, but its JVM support is abysmal.
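
One way to enforce the resource quotas asked about above for a snippet run as a child process on Linux, as an added example that is not part of the thread and is not glot's code; `run_limited`, the limit values and the sample snippets are assumptions. It caps CPU time, memory, file size and wall-clock time only, and is meant to sit inside whatever isolation layer (container, seccomp, VM) the thread debates, not to replace it.

```python
import resource
import subprocess
import sys


def _cap(kind, value):
    # Never ask for more than the current hard limit: raising it needs privilege.
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))


def run_limited(code, wall_s=5, cpu_s=1, mem_bytes=1 << 30, fsize_bytes=1 << 20):
    """Run a Python snippet in a child process; return (status, stdout)."""
    def limits():  # runs in the child between fork() and exec()
        _cap(resource.RLIMIT_CPU, cpu_s)          # CPU seconds before the kernel signals it
        _cap(resource.RLIMIT_AS, mem_bytes)       # address space: oversized allocations fail
        _cap(resource.RLIMIT_FSIZE, fsize_bytes)  # largest file the snippet may write
        _cap(resource.RLIMIT_CORE, 0)             # no core dumps left on disk
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],   # -I: isolated mode, ignores env and user site
            stdin=subprocess.DEVNULL, capture_output=True, text=True,
            timeout=wall_s,                       # wall clock: catches sleeping/blocked code
            preexec_fn=limits,
        )
    except subprocess.TimeoutExpired:             # run() has already killed the child
        return ("wall-timeout", "")
    if proc.returncode < 0:                       # terminated by a signal (e.g. CPU limit)
        return ("signal %d" % -proc.returncode, proc.stdout)
    if proc.returncode != 0:
        return ("exit %d" % proc.returncode, proc.stdout)
    return ("ok", proc.stdout)


# Constructed sample snippets, one per quota.
SAMPLES = {
    "normal": "print(6 * 7)",
    "cpu-loop": "while True: pass",
    "sleeper": "import time; time.sleep(30)",
    "memory": "x = bytearray(1 << 31)",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, run_limited(src, wall_s=3))
```

The CPU limit and the wall-clock timeout cover different cases: a busy loop burns CPU and hits `RLIMIT_CPU`, while a sleeping or blocked process uses almost none and is only stopped by the timeout.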

------
mattdgroves
I think this is pretty cool. Might be nice to be able to embed them (i.e. like
you can with Github gists).

------
indatawetrust
The idea of using docker is excellent.

------
netcraft
nice, you can even require other files in JS - although it would be nice to be
able to customize the file names - but still very useful for the kind of thing
I would normally use a gist for.

Edit: I do wish it had a more recent version of node though (currently
v0.12.7)

------
s4chin
This is good! Though, some sort of captcha will be useful to avoid people
spamming this.

------
smaili
Feature request - be able to make the editor's height taller.

Other than that, awesome job!

~~~
seanp2k2
Would be cool to integrate with
[https://ace.c9.io/#nav=about](https://ace.c9.io/#nav=about)

~~~
epidemian
It is using Ace as the code editor:
[https://glot.io/about](https://glot.io/about)

> Ace is used as the code editor. Make sure to check out the leftmost and
> rightmost tabs, where you can select language version, set a custom run
> command and change the editor keybindings.

------
alexkavon
This is interesting, but I'm not sure why they use CouchDB and PostgreSQL.

~~~
mattdgroves
Can you elaborate?

~~~
47
Probably referring to the diagram from their github page[1]

[1] [https://github.com/prasmussen/glot](https://github.com/prasmussen/glot)

Pet Peeve: There is no way to post ASCII diagrams on HN

~~~
eatsfoobars

          snippets.glot.io                  glot.io                     run.glot.io
        ┌──────────────────┐   http   ┌──────────────────┐   http   ┌──────────────────┐
        │  glot-snippets   │◀─────────│     glot-www     │─────────▶│     glot-run     │
        └──────────────────┘          └──────────────────┘          └──────────────────┘
                  │                             │                             │
             http │                             │                        http │
                  ▼                             ▼                             ▼
        ┌──────────────────┐          ┌──────────────────┐          ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─
        │     couchdb      │          │    postgresql    │                 docker      │
        └──────────────────┘          └──────────────────┘          └ ─ ─ ─ ─ ─ ─ ─ ─ ─
    

Almost works. I just pasted it as code.

~~~
dublinben
I'd say it works quite well. That looks perfect.

------
beyondcompute
Can I install packages/modules for my scripts (e.g. using _npm_ )?

~~~
tokenizerrr
Doesn't look like it. The containers don't have network access either, so
putting something like `npm install left-pad && node main.js` as the run
command won't work.

------
baldfat
I hope they add R soon.

~~~
Ultimatt
I wrote up the Perl 6 entry. It's relatively trivial to add languages to the
project; you just need to have a link to a docker registry with the version of
R you want. The rest is basically just bits of boilerplate in the other
repositories for the project.

------
asadlionpk
This is awesome. I wonder how you make it secure. Btw, I am the dev behind
[https://codepad.remoteinterview.io](https://codepad.remoteinterview.io)

------
markbnj
Nice work on this!

