jfraeysd/fetch_ml
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
fetch_ml/internal/worker/process/isolation.go
Jeremie Fraeys 0b5e99f720
refactor(scheduler,worker): improve service management and GPU detection 
Scheduler enhancements:
- auth.go: Group membership validation in authentication
- hub.go: Task distribution with group affinity
- port_allocator.go: Dynamic port allocation with conflict resolution
- scheduler_conn.go: Connection pooling and retry logic
- service_manager.go: Lifecycle management for scheduler services
- service_templates.go: Template-based service configuration
- state.go: Persistent state management with recovery

Worker improvements:
- config.go: Extended configuration for task visibility rules
- execution/setup.go: Sandboxed execution environment setup
- executor/container.go: Container runtime integration
- executor/runner.go: Task runner with visibility enforcement
- gpu_detector.go: Robust GPU detection (NVIDIA, AMD, Apple Silicon, CPU fallback)
- integrity/validate.go: Data integrity validation
- lifecycle/runloop.go: Improved runloop with graceful shutdown
- lifecycle/service_manager.go: Service lifecycle coordination
- process/isolation.go + isolation_unix.go: Process isolation with namespaces/cgroups
- tenant/manager.go: Multi-tenant resource isolation
- tenant/middleware.go: Tenant context propagation
- worker.go: Core worker with group-scoped task execution
2026-03-08 13:03:15 -04:00

63 lines
2 KiB
Go
Raw Blame History

// Package process provides process isolation and resource limiting for HIPAA compliance.
// Implements Worker Process Isolation controls.
package process
import (
"fmt"
"os"
"runtime"
"syscall"
)
// IsolationConfig holds process isolation parameters
type IsolationConfig struct {
MaxProcesses int // Fork bomb protection (RLIMIT_NPROC on Linux)
MaxOpenFiles int // FD exhaustion protection (RLIMIT_NOFILE)
DisableSwap bool // Prevent swap exfiltration
OOMScoreAdj int // OOM killer priority adjustment (Linux only)
}
// ApplyIsolation applies process isolation controls to the current process.
// This should be called after forking but before execing the target command.
func ApplyIsolation(cfg IsolationConfig) error {
// Apply resource limits (platform-specific)
if err := applyResourceLimits(cfg); err != nil {
return err
}
// OOM score adjustment (only on Linux)
if cfg.OOMScoreAdj != 0 && runtime.GOOS == "linux" {
if err := setOOMScoreAdj(cfg.OOMScoreAdj); err != nil {
return fmt.Errorf("failed to set OOM score adjustment: %w", err)
}
}
// Disable swap (Linux only) - requires CAP_SYS_RESOURCE or root
if cfg.DisableSwap && runtime.GOOS == "linux" {
if err := disableSwap(); err != nil {
// Log but don't fail - swap disabling requires privileges
// This is best-effort security hardening
}
}
return nil
}
// setOOMScoreAdj adjusts the OOM killer score (Linux only)
// Lower values = less likely to be killed (negative is "never kill")
// Higher values = more likely to be killed
func setOOMScoreAdj(score int) error {
// Write to /proc/self/oom_score_adj
path := "/proc/self/oom_score_adj"
data := []byte(fmt.Sprintf("%d\n", score))
return os.WriteFile(path, data, 0600)
}
// IsolatedExec runs a command with process isolation applied.
// This is a helper for container execution that applies limits before exec.
func IsolatedExec(argv []string, cfg IsolationConfig) error {
if err := ApplyIsolation(cfg); err != nil {
return err
}
return syscall.Exec(argv[0], argv, os.Environ())
}
Reference in a new issue View git blame Copy permalink