Thanks for sharing this. One of the authors here.
We built a service that executes arbitrary user-submitted code. An RCE service. It's the thing you're not supposed to build, but we had to do it.
Running arbitrary code means containers weren't a good fit (container breakouts happen), so we are spinning up and down EC2 instances. This means we have actual infrastructure as code (i.e. not just piles of Terraform but Go code running in a service that spins up and down VMs based on API calls).
The service spins up and down EC2 instances based on user requests and executes user-submitted build scripts inside them.
It's not the standard web service we were used to building, so we thought we'd write it up and share it with anyone interested.
One cool thing we learned was how quickly you can hibernate and wake up x86 EC2 instances. That ended up being a game-changer for us.
Corey and Brandon did the building; I'm mainly just the person who wrote things down, but hopefully people find this interesting.
And you can consider using gVisor to minimize container breakouts to a great extent.