fetch_ml/internal/worker/process/isolation.go
Jeremie Fraeys 95adcba437
feat(worker): add Jupyter/vLLM plugins and process isolation
Extend worker capabilities with new execution plugins and security features:
- Jupyter plugin for notebook-based ML experiments
- vLLM plugin for LLM inference workloads
- Cross-platform process isolation (Unix/Windows)
- Network policy enforcement with platform-specific implementations
- Service manager integration for lifecycle management
- Scheduler backend integration for queue coordination

Update lifecycle management:
- Enhanced runloop with state transitions
- Service manager integration for plugin coordination
- Improved state persistence and recovery

Add test coverage:
- Unit tests for Jupyter and vLLM plugins
- Updated worker execution tests
2026-02-26 12:03:59 -05:00


// Package process provides process isolation and resource limiting for HIPAA compliance.
// Implements Worker Process Isolation controls.
package process
import (
"fmt"
"os"
"runtime"
"syscall"
)
// IsolationConfig describes the isolation controls that ApplyIsolation applies
// to the current process. The fields are passed to the platform-specific
// applyResourceLimits helper and, on Linux, drive the OOM-score and swap steps.
type IsolationConfig struct {
	// MaxProcesses bounds process creation as fork-bomb protection
	// (RLIMIT_NPROC on Linux).
	// NOTE(review): RLIMIT_NPROC is accounted per real user ID, not per
	// process tree, so it only isolates a workload that runs under its own
	// UID. Confirm how workers are launched.
	MaxProcesses int

	// MaxOpenFiles bounds open file descriptors as protection against FD
	// exhaustion (RLIMIT_NOFILE).
	MaxOpenFiles int

	// DisableSwap asks for swap to be disabled so that process memory is not
	// written to swap. ApplyIsolation acts on it on Linux only and treats it
	// as best-effort: a failure there does not fail the call.
	DisableSwap bool

	// OOMScoreAdj is the OOM killer priority adjustment. ApplyIsolation
	// applies it on Linux only, and only when it is non-zero.
	OOMScoreAdj int
}
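// ApplyIsolation applies the isolation controls in cfg to the current process.
// It is meant to run after forking but before exec'ing the target command, so
// that the controls are in place before the workload starts.
//
// Steps, in order:
//  1. Resource limits via the platform-specific applyResourceLimits; a failure
//     is returned unchanged.
//  2. OOM score adjustment, on Linux only and only when cfg.OOMScoreAdj is
//     non-zero; a failure is returned wrapped.
//  3. Swap disabling, on Linux only and only when cfg.DisableSwap is set. This
//     step is best-effort: a failure is reported on stderr and NOT returned.
//
// Because step 3 never fails the call, a nil return does not prove that swap
// protection is active. Deployments that rely on it as a compliance control
// should watch for the warning or verify the setting out of band.
func ApplyIsolation(cfg IsolationConfig) error {
	if err := applyResourceLimits(cfg); err != nil {
		return err
	}

	onLinux := runtime.GOOS == "linux"

	if onLinux && cfg.OOMScoreAdj != 0 {
		if err := setOOMScoreAdj(cfg.OOMScoreAdj); err != nil {
			return fmt.Errorf("failed to set OOM score adjustment: %w", err)
		}
	}

	if onLinux && cfg.DisableSwap {
		// NOTE(review): the original comment states this needs
		// CAP_SYS_RESOURCE or root; disableSwap is defined elsewhere, so
		// confirm the capability it actually requires.
		if err := disableSwap(); err != nil {
			// Best-effort hardening: surface the failure instead of dropping
			// it silently, but keep going, since unprivileged workers are
			// expected to hit this.
			fmt.Fprintf(os.Stderr, "warning: process isolation: could not disable swap, continuing without it: %v\n", err)
		}
	}

	return nil
}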
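// setOOMScoreAdj sets the OOM killer adjustment of the current process by
// writing score to /proc/self/oom_score_adj (Linux only).
//
// The kernel accepts values from -1000 to 1000. Higher values make the process
// a more likely OOM victim and lower values a less likely one; only -1000
// exempts the process from OOM killing entirely. Lowering the value below its
// current setting generally requires CAP_SYS_RESOURCE, so for an untrusted
// workload the usual hardening direction is to raise it, not lower it.
//
// An out-of-range score is rejected here with a descriptive error, so the
// caller does not have to interpret a bare EINVAL from the kernel. Any other
// error comes from os.WriteFile.
func setOOMScoreAdj(score int) error {
	const (
		minScore = -1000
		maxScore = 1000
	)
	if score < minScore || score > maxScore {
		return fmt.Errorf("oom_score_adj %d out of range [%d, %d]", score, minScore, maxScore)
	}

	// The mode only matters if the file had to be created, which does not
	// happen for an existing procfs entry.
	return os.WriteFile("/proc/self/oom_score_adj", []byte(fmt.Sprintf("%d\n", score)), 0644)
}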
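// IsolatedExec applies the isolation controls in cfg to the current process
// and then replaces the process image with the command in argv. It is a helper
// for container execution that applies limits before exec.
//
// argv[0] is handed to syscall.Exec as the program path, so it must be a path
// to the executable; no PATH lookup is performed. On success the call does not
// return. An error is returned when argv is empty, when ApplyIsolation fails,
// or when the exec itself fails.
//
// Security notes:
//   - The new program inherits the full environment of the current process
//     (os.Environ()). Any credentials or tokens in the worker's environment
//     are visible to the workload unless the caller scrubs them first.
//   - If the exec fails after ApplyIsolation succeeded, the controls already
//     applied stay in effect for the calling process.
func IsolatedExec(argv []string, cfg IsolationConfig) error {
	// Validate before touching any limits: indexing an empty argv would panic,
	// and an empty program path can never be executed.
	if len(argv) == 0 || argv[0] == "" {
		return fmt.Errorf("isolated exec: empty argv")
	}

	if err := ApplyIsolation(cfg); err != nil {
		return err
	}

	return syscall.Exec(argv[0], argv, os.Environ())
}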