Consider merging in-process-node branch
#17
Labels
Comments
|
This will be merged in soon. I'd like to first setup a good way to run benchmarks before we start exposing optimization options. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, all Node.js services are spawned in a new process using the
micro-nodebinary, which is called viamicrocule.spawn. This ensures process level isolation of the untrusted source code.Inside
micro-nodewe are using the run-service module, which provides Node.js in-processvmbased isolation of the untrusted source code.Technically ( and previously )
run-servicecould be executed in-process wheremicrocule.spawnis called ( instead of spawning a newmicro-nodeprocess ). This could be dangerous as a memory leak or CPU leak in the untrusted source code could affect other running services. It could also be advantageous because it would significantly reduce the amount of resources needed to run Node services, as well as reduce response times by 150+ milliseconds.We should consider merging the
in-process-nodebranch as a configurable option. Depending on the server environment and intended use-case, being able to spawn in-process Node scripts may be better than enforcing process isolation per Node service.The text was updated successfully, but these errors were encountered: