Hi fellow devs,

I posted an APE for adding Sandboxed UDF execution. This improvement would also change the current localhost-restricted API to instead use a domain socket. The isolation would be through gVisor. The UDF would run within a gVisor container, and have a read-only mount for accessing the UDF code. It would have a shared domain socket with the host for moving the UDF parameters and return values as well as invocation calls. No network access would be allowed inside the container, at least by default.

The current patch set for the API change is here: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/20492

and the APE document is here: https://cwiki.apache.org/confluence/display/ASTERIXDB/APE+30%3A+Sandboxed+UDFs

I'd appreciate any thoughts or suggestions.

- Ian
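
An added illustration, not code from the patch set or the APE: a single UDF invocation carried over a Unix domain socket, where access is decided by filesystem permissions on the socket path rather than by who can reach a localhost port. The length-prefixed JSON framing, the `UDFS` table, the choice of which side listens, and all function names are assumptions made for this sketch; both ends run in one process here so it can be run without a container.

```python
import json, os, socket, struct, tempfile, threading

MAX_FRAME = 1 << 20  # cap so a misbehaving peer cannot force a huge allocation
# Constructed stand-in for UDF code that would live on the read-only mount.
UDFS = {"upper": lambda s: s.upper()}

def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf

def send_frame(conn, obj):
    body = json.dumps(obj).encode()
    conn.sendall(struct.pack("!I", len(body)) + body)  # 4-byte length, then body

def recv_frame(conn):
    (n,) = struct.unpack("!I", recv_exact(conn, 4))
    if n > MAX_FRAME:
        raise ValueError("frame too large")
    return json.loads(recv_exact(conn, n))

def serve_one(listener):
    """Sandbox side (hypothetical): answer one invocation, then return."""
    conn, _ = listener.accept()
    with conn:
        req = recv_frame(conn)
        fn = UDFS.get(req.get("fn"))
        if fn is None:
            send_frame(conn, {"error": "unknown function"})
        else:
            send_frame(conn, {"result": fn(*req["args"])})

def invoke(fn, args):
    """Host side (hypothetical): private socket path, one call, then cleanup."""
    sockdir = tempfile.mkdtemp()            # created with mode 0700
    path = os.path.join(sockdir, "udf.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    os.chmod(path, 0o600)                   # only the owning user may connect
    listener.listen(1)
    worker = threading.Thread(target=serve_one, args=(listener,))
    worker.start()
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
            c.connect(path)
            send_frame(c, {"fn": fn, "args": args})
            return recv_frame(c)
    finally:
        worker.join(); listener.close(); os.unlink(path); os.rmdir(sockdir)
```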
