I just started haiku-http, an experiment to create a node.js-based, multi-tenant runtime for hosting HTTP APIs within a single node.js process. The key objective of the project is to find out if we can reduce the cost of hosting HTTP APIs written in node.js by securely and reliably sharing resources of a single process across multiple tenants.
Blog: http://tomasz.janczuk.org/2012/02/sub-process-multi-tenant-runtime-for.html Bits & test deployment: http://tjanczuk.github.com/haiku-http I am looking for opinions, comments, or suggestions regarding the problem of metering and limiting resource consumption (memory, network, CPU) at a sub-process granularity. In the current design of haiku-http, code from multiple tenants is running concurrently in a single node.js process. Each tenant's code is sandboxed by running it in its own V8 context and using its own copy of node.js modules, which prevents one tenant's code from accessing or modifying other tenant's in-memory state. However, current (v0.7.2) node.js runtime does not provide any mechanisms to measure or limit memory, CPU, and network usage at granularity other than the process level. This enables one tenant's code to perform a local denial of service attack on other tenants running code in the same process by using up unfair amount of resources available to the process. Some specific attacks are: 1. Performing CPU intensive computations. An extreme example is a 'while(true);' loop. Ideally there would be a mechanism whereby one can enforce a CPU quota for executing JS code. 2. Allocating large amounts of memory. In an extreme case code can cause out of memory exception with a single large allocation. Ideally there would be a mechanism to enforce memory allocation quota for executing JS code. 3. Unhandled exceptions. By throwing an unhandled exception, one tenant's code can cause recycling of the entire process (since currenlty this is the only reasonable way of responding to an unhandled exception). Ideally there would be a mechanism to a) associate the unhandled exception with code from a particular tenant, b) cleanly dispose all resources associated with that code only from the system (both native and managed). If you have an idea or opinion about addressing the problems above and what node.js/V8 mechanisms should be utilized, I would love to hear it. Regards, Tomasz Janczuk -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
