-rw-r--r--lua-wshop2013.pin336
1 files changed, 336 insertions, 0 deletions
diff --git a/lua-wshop2013.pin b/lua-wshop2013.pin
new file mode 100644
index 0000000..11cf886
--- /dev/null
+++ b/lua-wshop2013.pin
@@ -0,0 +1,336 @@
+# Lua Workshop Pinpoint talk about Gitano
+
+[backing.png]
+[center]
+[font=Sans 50px]
+[stretch]
+
+-- [backing-cat-flop.png]
+
+-- [backing-cat-flop.png] [no-markup]
+
+Gitano - A Git service written in Lua
+
+Daniel Silverstone <dsilvers@digital-scurf.org>
+
+# Burble like a tard about who you are
+
+-- [backing-cat-eat-you.png]
+
+What is it?
+
+# Git Server
+# Written in Lua
+# Configured in Git where plausible
+# To do this I needed to write a bunch of libs
+
+-- [backing-cat-inelegant.png] [text-align=center]
+
+Technology choices
+(or things was too lazy to write)
+
+# Git - odd to list, but I mean configuration is in git
+# rulesets are in git, etc.etc.etc.
+# Lua - I like Lua, it's easy to prototype and write stuff
+# Luxio
+# libgit2/luagit2 - Way faster than invoking git commands
+# although Gitano *can* operate without them
+# cgit rather than gitweb - much faster, caches, prettier
+
+# 6. Future - explain how background task stuff looks plausible using the
+# nanomsg stuff recently talked about on list. Explain how currently I'm
+# testing Gitano using a testing tool written in Python, but want to write
+# a Lua equivalent of it.
+
+-- [backing-cat-sunbathing.png]
+
+Gall - Git Abstraction Layer (in) Lua
+
+# Git abstraction - obviously necessary. Uses Luxio's
+# subprocess to run git commandline and luagit2/libgit2 via
+# LuaNativeObjects to work in process. Show a simple
+# example
+
+-- [backing-cat-sunbathing.png] [font=Monospace 50px]
+
+r = gall.repository.new("/path/to/gitano-admin.git")
+c = r:get(r.HEAD).content
+t = gall.tree.flatten(c.tree.content)
+b = t['site.conf']
+print(b.obj.content)
+
+-- [backing-cat-sunbathing.png]
+
+Lace - Lua Access Control Engine
+
+# Lace - Access control lists. No syntax I came up with in
+# Lua was neat enough for non-Lua programmers to accept.
+# Turing complete ACLs are also a fairly bad idea. Show
+# example, show that Lace comes with instructions
+
+-- [font=Monospace 50px]
+
+define success equals want_to_pass yes
+allow "Ok" success
+
+# Simple example showing definition, match type, and arguments.
+# list of defined predicates on the allow line must all pass
+
+-- [backing-cat-sunbathing.png]
+
+Clod - Configuration Language Organised (by) Dots
+
+# Designed to keep track of ordering of entries (and spaces)
+# Currently doesn't track comments (because that's super
+# hard) Humans and the library tend to edit files in similar
+# ways meaning diffs are sane
+
+-- [font=Monospace 50px]
+
+project.head "refs/heads/master"
+project.description "Black box testing of Unix programs"
+project.owner "liw"
+
+# Three simple string entries as might be found in a
+# repository configuration in Gitano.
+
+-- [font=Monospace 50px]
+
+description "Gitano Instance Administrators"
+
+members["*"] "dsilvers"
+
+# Clod also supports lists which remain ordered. This is an
+# example group file in a Gitano repository
+
+-- [backing-cat-sunbathing.png]
+
+Supple - Sandbox [(for) Untrusted Procedure Partitioning (in) Lua] Engine
+
+# Supple allows me to run hooks provided by project owners
+# safely without risking them gaining access to the server
+# in any unusual way.
+
+# Hooks are run as Lua code with a limited set of functions
+# and only the data relevant to the event they're hooking
+# (along with a read-only repository object they can use to
+# interrogate other things a bit)
+
+-- [backing-cat-sunbathing.png]
+
+To limit the attack surface...
+
+The "untrusted" code runs in a (limited) Lua sandbox.
+
+That sandbox is soft-limited in terms of VM opcodes and memory.
+
+The sandbox is monitored and IO marshalled externally.
+
+# Your "untrusted" code is run inside a Lua sandbox which
+# has only a limited set of Lua's functionality exposed to
+# it.
+
+# That sandbox is soft-limited (optionally) in terms of VM
+# opcodes and memory allocated by Lua
+
+# The sandbox is run inside a monitoring Lua VM instance
+# which is responsible for carefully marshalling calls etc
+# into and out of the sandbox. All your comms go via this
+# monitor.
+
+-- [backing-cat-sunbathing.png]
+
+Just in case...
+
+The monitor is a Lua VM anyway, and it's all inside a separate process.
+
+The sandbox process is in an ephemeral chroot.
+
+# The monitor is, itself, a Lua VM anyway, inside a process
+# which is separate from the process you're doing untrusted
+# work on behalf of.
+
+# The sandbox process is created using a rootly helper so
+# that it's put into an isolation state consisting of a
+# directory which is owned by root which is set as your root
+# via the chroot call, but which is also rmdir'd so it's
+# ephemeral. Your process drops privileges back to the
+# calling UID so it cannot do anything inside its CWD
+# anyway.
+
+-- [backing-cat-sunbathing.png]
+
+And if that's not enough...
+
+Solid rlimits in terms of memory and open FDs
+
+And on Linux, memory is pre-allocated and we enter seccomp mode 1.
+
+# On top of that, the sandbox has some pretty solid rlimits
+# set in terms of max CPU usage, max VM size, max FDs open,
+# and max size of any file it writes. As such, it can't
+# create > 0 byte files in the directory it doesn't have
+# access to, and could only do that if it closed the FD to
+# the host process which is its only communications avenue.
+
+# Then, if you're on Linux, we go one step further and
+# pre-allocate enough memory for the interpreter to not hit
+# the rlimit and then enter seccomp mode 1 which limits the
+# syscalls permissible to read, write, _exit and sigreturn
+# so even if you could have circumvented any/all of the
+# limits above, you now can't make syscalls to take
+# advantage of them.
+
+# If that's not sandbox enough, please tell me how to
+# improve matters further.
+
+-- [backing-cat-sunbathing.png]
+
+Objects here, objects there, we send objects everywhere.
+
+Proxying values (incl. functions and tables)
+
+# Talk about how Supple proxies values across the link so
+# that the sandboxed code can have do whatever it likes and
+# it looks and feels like it's running in the host.
+
+# e.g. next() works, calling things works etc.
+
+-- [font=Monospace 50px]
+
+local repo, ref, oldsha, newsha = ...
+
+local branch = ref:match("^refs/heads/(.+)$")
+if branch then
+ log.state("Looking at commit history on: " .. branch)
+
+ local commit = repo:get(newsha)
+
+ while commit.sha ~= oldsha do
+ commit = commit.content
+ local parents = commit.parents
+ if #parents &#60; 2 then
+ error("Detected non-merge-commit during parent walk, at " .. commit.sha)
+ end
+ commit = parents[1]
+ end
+
+ log.state("Commits between old and new sha seem to all be merge commits")
+else
+ log.state("Skipping commit history check on: " .. ref)
+end
+
+-- [font=Monospace 50px]
+
+local <span foreground="green" font_weight="heavy">repo, ref, oldsha, newsha = ...</span>
+
+local branch = ref:match("^refs/heads/(.+)$")
+if branch then
+ <span foreground="red" font_weight="heavy">log</span>.state("Looking at commit history on: " .. branch)
+
+ local commit = repo:get(newsha)
+
+ while commit.sha ~= oldsha do
+ commit = commit.content
+ local parents = commit.parents
+ if #parents &#60; 2 then
+ error("Detected non-merge-commit during parent walk, at " .. commit.sha)
+ end
+ commit = parents[1]
+ end
+
+ <span foreground="red" font_weight="heavy">log</span>.state("Commits between old and new sha seem to all be merge commits")
+else
+ <span foreground="red" font_weight="heavy">log</span>.state("Skipping commit history check on: " .. ref)
+end
+
+-- [font=Monospace 50px]
+
+local repo, ref, oldsha, newsha = ...
+
+local branch = ref:match("^refs/heads/(.+)$")
+if branch then
+ <span foreground="yellow" font_weight="heavy">log.state(</span>"Looking at commit history on: " .. branch)
+
+ local commit = <span foreground="yellow" font_weight="heavy">repo:get(</span>newsha)
+
+ while <span foreground="red" font_weight="heavy">commit.sha</span> ~= oldsha do
+ commit = <span foreground="red" font_weight="heavy">commit.content</span>
+ local parents = <span foreground="red" font_weight="heavy">commit.parents</span>
+ if #parents &#60; 2 then
+ error("Detected non-merge-commit during parent walk, at " .. <span foreground="red" font_weight="heavy">commit.sha</span>)
+ end
+ commit = <span foreground="red" font_weight="heavy">parents[1]</span>
+ end
+
+ <span foreground="yellow" font_weight="heavy">log.state(</span>"Commits between old and new sha seem to all be merge commits")
+else
+ <span foreground="yellow" font_weight="heavy">log.state(</span>"Skipping commit history check on: " .. ref)
+end
+
+-- [font=Monospace 50px]
+
+local repo, ref, oldsha, newsha = ...
+
+local branch = ref:match("^refs/heads/(.+)$")
+if branch then
+ log.state("Looking at commit history on: " .. branch)
+
+ local commit = repo:get(newsha)
+
+ while commit.sha ~= oldsha do
+ commit = commit.content
+ local parents = commit.parents
+ if #parents &#60; 2 then
+ <span foreground="purple" font_weight="heavy">error(</span>"Detected non-merge-commit during parent walk, at " .. commit.sha)
+ end
+ commit = parents[1]
+ end
+
+ log.state("Commits between old and new sha seem to all be merge commits")
+else
+ log.state("Skipping commit history check on: " .. ref)
+end
+
+-- [backing-cat-shocked.png]
+
+Real users of Gitano
+
+ - git.gitano.org.uk, git.liw.fi
+ - git.netsurf-browser.org, richard.maw.name/git
+ - Codethink and Baserock
+
+# Equally horrifyingly, people use this crap what I wrote.
+
+# But, it's not enough (sound stern)
+
+-- [backing-cat-stern.png]
+
+Future plans
+
+Lots of ideas for future content, see the Trello
+
+ - https://trello.com/b/l4Id6iiC/gitanow
+ - (Link is on www.gitano.org.uk)
+
+# I would welcome contributions to Gitano or the libraries
+# behind it. I would especially welcome contributions which
+# increase the scenario test suite coverage.
+
+-- [backing-cat-sat.png]
+
+Mailing list: <span font="Monospace 50px">gitano-dev@gitano.org.uk</span>
+IRC Channel: <span font="Monospace 50px">#gitano</span> on Freenode
+Website: <span font="Monospace 50px">http://www.gitano.org.uk/</span>
+
+Any questions?
+
+# Intrusive cat says "Enough with the talkings"
+
+-- [backing-cat-sat.png]
+
+Mailing list: <span font="Monospace 50px">gitano-dev@gitano.org.uk</span>
+IRC Channel: <span font="Monospace 50px">#gitano</span> on Freenode
+Website: <span font="Monospace 50px">http://www.gitano.org.uk/</span>
+
+Thank you for listening
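Review bot: The example hook repeated on the four code slides (the `while commit.sha ~= oldsha do` walk) only stops cleanly when oldsha is a first-parent ancestor of newsha. If the hook is ever run for a newly created ref or a non-fast-forward update (presumably with an all-zero oldsha on creation, as git's own update hook passes, though the deck does not say), the walk continues to the root commit, where `#parents` is 0, and it fails with the misleading "Detected non-merge-commit" message. That fails closed, which is the right direction for a policy hook, but slide code tends to be copied into real hooks, so I would add an explicit guard such as `if #parents == 0 then error("Reached root without finding " .. oldsha) end` ahead of the merge check. A speaker note stating what oldsha holds on branch creation would also help.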