Hacker News new | past | comments | ask | show | jobs | submit login

Great question! There isn't a way to run Docker directly in the browser. But, there are tools (like Play with Docker at play-with-docker.com) that lets you interact with a CLI in the browser to run commands against a remote cloud instance. I personally use this a lot for demos and workshops!

But... certainly a neat idea to think about what Wasm-based applications could possibly look like/run in the browser!




Hey! Peter from Snaplet here. This is really exciting stuff. We created the OSS postgres-wasm (https://github.com/snaplet/postgres-wasm) example a few weeks ago. An idea I'm playing around with is something like:

  1. Visit https://postgresql.com/try?version=14.x
  2. Visit https://nodejs.com/try?version=16.15.1
  3. Visit https://edit.com
Edit.com opens a text-editor and terminal where I have access to the NodeJS binary and a connection string to PostgresQL. Want Redis? Open a new tab at https://redis.com/try, where the connection string will appear in the edit.com tab.


I used https://wasm.supabase.com/ to make sure some SQL commands I was writing for a blog were correct. It was super useful and faster than starting docker desktop, looking for the postgres image name, starting it etc..

I miss a feature where I can share a link with some data/schema pre-seeded (maybe from a gist?)


We're working on it. We'll allow you to export (via SQLite) and import (via SQLite), and even promote to a preview database: https://docs.snaplet.dev/references/preview-databases

Snaplet.dev is a tool that copies, minimizes and transforms your production database into a shareable file.


All three links that you posted appears to be either broken or malicious. Are you just trying to explain a concept using example domain names? Consider ".example" or ".example.com" (see RFC 2606) instead of potentially malicious domains.


He's saying that the sites could provide ready-to-try binaries of their products that run in a tab immediately.


Is it possible to sandbox the host system from the guests in WASM?

Are there namespaces and cgroups and SECCOMP and blocking for concurrent hardware access in WASM, or would those kernel protections be effective within a WASM runtime? Do WASM runtimes have subprocess isolation?


/? subprocess isolation https://www.google.com/search?q=subprocess+isolation on a PC:

- TIL about teh Endokernel: "The Endokernel: Fast, Secure, and Programmable Subprocess Virtualization" (2021) https://arxiv.org/abs/2108.03705#

> The Endokernel introduces a new virtual machine abstraction for representing subprocess authority, which is enforced by an efficient self-isolating monitor that maps the abstraction to system level objects (processes, threads, files, and signals). We show how the Endokernel can be used to develop specialized separation abstractions using an exokernel-like organization to provide virtual privilege rings, which we use to reorganize and secure NGINX. Our prototype, includes a new syscall monitor, the nexpoline, and explores the tradeoffs of implementing it with diverse mechanisms, including Intel Control Enhancement Technology. Overall, we believe sub-process isolation is a must and that the Endokernel exposes an essential set of abstractions for realizing this in a simple and feasible way.


Sandbox (computer security) > Implementations https://en.wikipedia.org/wiki/Sandbox_(computer_security)

- [x] Linux containers

- [ ] WASM with or without WASI

eWASM has costed opcodes; basically like dynamic tracing in CPython.

Are there side channels for many or most of these sandboxing methods; even at the CPU level?


google/gvisor could be useful for this? https://github.com/google/gvisor :

> gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: