doc: vm, run http server in vm by requiring

[eljefedelrodeodeljefe]

As user in order to run node code in a vm, you would need to apply some objects to it. This is not quite well documented and may or may not have been reason for a series of issues and SO questions.

This PR would add an example to explain this. It is to some extent controversial and was discussed in a code PR #4955. Issue would have been nodejs/node-v0.x-archive#9211 and this link to SO.

An easier solution would be to use eval(), which I regard as an anti-pattern.
Also it uses require('module').wrap(code), which I believe to be a "private" API. I have taken and modified this example from the referenced issues.

/cc @nodejs/documentation

[vkurchatkin]

module is private

[eljefedelrodeodeljefe]

Please make valuable comments that bring the discussion forth not back. Any other way then than this and eval?

[vkurchatkin]

vm.runInThisContext(`(function(require){ require('http')})`)(require)

[eljefedelrodeodeljefe]

Force pushed this. Doesn't look pretty but solves the problem.

[Knighton910]

👍 @eljefedelrodeodeljefe

[jasnell]

minor nit... having the let code = on a separate line with no indenting on the next line makes it a bit confusing.

[eljefedelrodeodeljefe]

agree. fixed and force pushed. Thx.

[jasnell]

LGTM

[silverwind]

I think this should either not be a heading, or a 3rd level heading.

[eljefedelrodeodeljefe]

I think we are using the heading style when it is an example, outside of a method, but rather a guide or such. E.g. here https://github.com/nodejs/node/blob/master/doc/api/readline.markdown#example-tiny-cli . If you'd rather want it belonging to .runInThisContext(), I can do it w/o pounds.

Having a look at for example streams, it would be 3rd level, but because it's having 2nd level topics like Writable etc. We are a little inconsistent about this I fear. :(

No strong opinions though.

[eljefedelrodeodeljefe]

@jasnell agree. Changed it to what you provided.

Also added this issue, for potential harmonization of pronouns nodejs/docs#87

[Qard]

Not sure how I feel about documenting this in this way. Normally the vm functions are meant to provide a sandboxed context and this is doing the opposite. The problem I see here is that it's not immediately clear that require is not just a stateless function. Using require will stuff modules into the cache globally, and you could do some nefarious things, like mess with the contents of require.cache. If we do want to document this, I think we need to be very clear about the risks involved.

As a side note: I'd only really consider eval() to be an anti-pattern when used on user-supplied code. In a controlled environment, I'd consider it at worst to be a possible deoptimization trigger. It's not actually that bad, if you are careful.

[eljefedelrodeodeljefe]

I'd wish for the API to be a little less confusing, but it is what is and at least it allows for some configuration. Also I wouldn't use eval() because you can't directly return from it. The use case I found for it is in a child_process - possibly - on a remote system. The layer of security then would be to share explicitly share resources between parent and child or not.

Documenting dangers would be fine of course. Maybe also hinting to the use case above.

[jasnell]

@Qard@eljefedelrodeodeljefe ... any further thoughts on this one?

[Qard]

It worries me a little, but I think I'm 👍 overall. LGTM.

Might be worth discussing more in a docs meeting, but I think we can add to it later rather than blocking.

[MylesBorins]

@eljefedelrodeodeljefe I was just about to land this but noticed the commit message is not so informative. Would you be able to update that? LGTM otherwise

[eljefedelrodeodeljefe]

I have updated the commit message to reflect intention. Also I have added @Qard's remarks concerning the statefulness of require in this case in a note-section below the example.

Also happy in case we need broader discussion

[jasnell]

LGTM

[thefourtheye]

Minot nit. I think it is V8.

[eljefedelrodeodeljefe]

Addressed latest comments and force pushed. @thefourtheye now with semi-colons, thx.

[jasnell]

ping @thefourtheye

[eljefedelrodeodeljefe]

rebased. Also tried to contact @thefourtheye concerning sign-off on slack. But I think he is just incredibly busy.

[thefourtheye]

Really sorry about the delay. LGTM.

[jasnell]

Awesome, ok, one final ping to @nodejs/documentation as a last call for comments.

[benjamingr]

LGTM

[Qard]

LGTM

[jasnell]

Landed in 6815a3b. Fixed up the commit log a bit

[MylesBorins]

@jasnell / @eljefedelrodeodeljefe is this something we want for lts?

[MylesBorins]

ping @eljefedelrodeodeljefe@jasnell