Running untrusted WASM plugin #77

Open
ElvinEfendi opened this issue Dec 24, 2021 · 6 comments

Comments

@ElvinEfendi

Will this WASM support provide better isolation and resource limit enforcement than running Lua code? i.e., will we be able to limit CPU/memory usage per plugin or reduce API access?

Exciting project btw, thanks for working on this!

@membphis

It sounds like a cool feature ^_^

@spacewander
Contributor

spacewander commented Dec 26, 2021

> provide better isolation

Yes. Wasm is expected to be a sandbox environment.

> limit CPU/memory usage per plugin

The CPU is managed at the process level, and Wasm is embedded inside Nginx, so there is no way to limit CPU per plugin.

Some Wasm runtimes support limiting memory per plugin. Unfortunately, wasmtime only supports limiting memory at the VM level so far.

> reduce API access

The API is registered per plugin, so we can register fewer APIs for some untrusted plugins.
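
A minimal C model of the per-plugin API registration described in the comment above, added here as an illustration and not taken from this project or from Wasmtime. The `host_*` function names, `plugin_policy`, and `link_imports` are hypothetical; the point is that an import is linkable only if it was registered for that plugin, and a plugin that asks for anything else is rejected before instantiation.

```c
#include <stddef.h>
#include <string.h>

typedef int (*host_fn)(void);
struct host_api { const char *name; host_fn fn; };

/* Hypothetical host functions standing in for the module's real API. */
static int host_log(void)        { return 1; }
static int host_get_header(void) { return 2; }
static int host_http_call(void)  { return 3; }

static const struct host_api HOST_APIS[] = {
    { "host_log",        host_log },
    { "host_get_header", host_get_header },
    { "host_http_call",  host_http_call },
};
#define N_HOST_APIS (sizeof HOST_APIS / sizeof HOST_APIS[0])

/* Per-plugin registration: only the names listed here are linkable. */
struct plugin_policy { const char *const *allowed; size_t n_allowed; };

static host_fn lookup(const struct plugin_policy *p, const char *name)
{
    size_t i, j;
    for (i = 0; i < p->n_allowed; i++) {
        if (strcmp(p->allowed[i], name) != 0) continue;
        for (j = 0; j < N_HOST_APIS; j++)
            if (strcmp(HOST_APIS[j].name, name) == 0) return HOST_APIS[j].fn;
    }
    return NULL; /* not registered for this plugin, or not a host API */
}

/* Resolve all imports before instantiation. Returns 0 with out[] filled,
 * or -1 with *denied set to the first import the policy does not grant;
 * out[] is cleared so a rejected plugin keeps no partial bindings. */
int link_imports(const struct plugin_policy *p, const char *const *imports,
                 size_t n, host_fn *out, const char **denied)
{
    size_t i, j;
    for (i = 0; i < n; i++) {
        out[i] = lookup(p, imports[i]);
        if (out[i] == NULL) {
            for (j = 0; j < i; j++) out[j] = NULL;
            *denied = imports[i];
            return -1;
        }
    }
    *denied = NULL;
    return 0;
}
```

Logging the `denied` name at load time gives operators a record of which capability an untrusted plugin tried to import.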

@spacewander
Contributor

We can switch to a VM per plugin model if the memory limit per plugin is critical.

@ElvinEfendi
Author

Thanks for the replies, it'd be great to have a page explaining the benefits of writing a plugin in this framework rather than in Lua.

@hanf2x

hanf2x commented Feb 20, 2023

According to bytecodealliance/wasmtime-go#101, I think the sys resource limit development is still in progress?

@LukasForst

LukasForst commented Feb 20, 2023

With Wasmtime, you should be able to use ResourceLimiter to limit CPU (with fuel) & Memory (once this PR is released).

This requires modification of this nginx plugin; it's not supported out of the box yet. But the Wasmtime C SDK is ready.
