Forums

Use Docker containers

Hi,

I'm trying to figure out how to run untrusted code in a Web app : I would like the user to write some code in Python in the front-end, so that he tests his algorithm live. However it is difficult to run any kind of Python sandbox, because we need to import big libraries such as Networkx and NumPy. Thus I was considering running Docker containers for each user, executing the untrusted code inside a container and destroy it after.

So, two questions arise :

  • can this be a good option ? (I read that you guys are doing something similar for PythonAnywhere ?)

  • can this be done for a Web App on Pythonanywhere ? (eg it would require to install docker)

Thanks a lot for your help !

Hi temigo,

That's exactly the reason that we are experimenting with docker, which is essentially just a convenient wrapper around the kinds of tools (chroot, namespaces, cgroups) that we use anyway to let people run their code on pythonanywhere. So I'd say you're on the right track.

but it's not something you would be able to actually host on pythonanywhere I'm afraid.

Hello, Im wondering if this is still the case, or if docker is now available? Im dealing with the exact qustion above of where to host my app using docker containers to run usercode. Thanks /Jakob

We use Docker internally, but there's no way on PythonAnywhere for you to run your own Docker containers.

even compose?

Even composeeeee

Why can't we run our own docker containers?

It's not the way the system is designed, and the last time we checked the Docker team said that running arbitrary Docker containers was a security risk.

I switched to Digital Ocean to be able to run multiple docker containers in one 'droplet' for the same price as the hacker price of pythonanywhere. I shall probably take out a paid plan with pythonanywhere again as I appreciate the service offered which is less hassle for me than using my own builds.

I guess it's a case of swings and roundabouts :-) Because we don't offer root access to our systems or docker, the stuff we host is more manageable for us so we can offer more features and ease-of-use. It's much easier for us to -- for example -- provide auto-renewing HTTPS certificates when we control all of the front-end of the web-serving code than it would be for a VPS provider to do something like that.

Agree completely, hence my point about pythonanywhere being less hassle for me. (If I were able to use the Jupyter notebooks from the corporate environment I work in then I'd still be a subscriber, but alas the additional ports Jupyter used are blocked).

Still no docker containers?

Always-on tasks do use Docker (more specifically, Kubernetes) under the hood, but that's with a specific Docker image -- we're unlikely to support custom docker images even in the future.