Running untrusted, user-provided code on Render

I was wondering recently how you would handle running user-provided code on Render, for example if you’re providing something like a Node.js playground to untrusted users. Since you’re already in a Docker container, running something like Firecracker or otherwise using a container/jail for running user code wouldn’t be possible. It’s possible that this is just out of scope of what Render provides, but I was wondering if anyone had any ideas?


You can definitely run untrusted code/containers using our API because Render takes care of the isolation for you.

Would that work?


For my code sandbox example, what would be the best way to do that while getting timely responses to end users? Background workers?

What I’m leaning towards is having pools of “untrusted code runner” type services in a separate Team with hardened Docker images, which would isolate the network of the main web service in case one of the code runners were compromised.

Realistically, you would indeed run some sort of Dockerized web service with multiple instances in an auto-scaling. Each instance would run untrusted code sent to it from your frontend. Background workers don’t have open ports, and I suspect you want to send serialized code to the backend for execution.
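Added example, not part of the original thread and not Render's API: a sketch of what a code-runner instance like the one described above could do with each serialized submission it receives, assuming a Node.js runner. The name `runUntrusted` and the limit values are hypothetical; a child process is not a sandbox, so this only limits runtime, output and inherited secrets inside the separately isolated runner service.

```javascript
// Added example: hypothetical runner-side helper, not code from Render or the thread.
const { spawnSync } = require('node:child_process');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumed limits; tune per workload.
const LIMITS = { timeoutMs: 3000, maxOutputBytes: 64 * 1024, heapMb: 64 };

function runUntrusted(code, limits = LIMITS) {
  // Fresh, empty working directory per submission, removed afterwards.
  const cwd = fs.mkdtempSync(path.join(os.tmpdir(), 'run-'));
  try {
    const r = spawnSync(
      process.execPath,
      [`--max-old-space-size=${limits.heapMb}`, '-'], // '-' = read script from stdin
      {
        input: code,                  // never interpolated into a shell command line
        cwd,
        env: {},                      // do not inherit the service's env (API keys, DB URLs)
        timeout: limits.timeoutMs,    // bound wall-clock time
        killSignal: 'SIGKILL',        // cannot be caught by the submission
        maxBuffer: limits.maxOutputBytes, // bound captured output
        encoding: 'utf8',
      }
    );
    const errCode = r.error ? r.error.code : null;
    return {
      ok: !r.error && r.status === 0,
      timedOut: errCode === 'ETIMEDOUT',
      outputTruncated: errCode === 'ENOBUFS',
      stdout: r.stdout || '',
      stderr: r.stderr || '',
    };
  } finally {
    fs.rmSync(cwd, { recursive: true, force: true });
  }
}

// Constructed sample submission, as the frontend might send it.
console.log(runUntrusted('console.log([1, 2, 3].map((n) => n * 2).join(","))'));
```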
