Hi Laurent,

No, "sandboxing" isn't what I want - at least not usually.  I want to be able to limit the VM process itself ... particularly the heap size but occasionally other things as well.  I often have the need to squeeze a Racket application into the corner of a small cloud VM, and what I would like is more fine-grained control over Racket processes.

Also, sandboxing only notices the overrun when it's too late.  If the memory is known limited from the beginning, it would be used differently, e.g., GC'd more often.


Without a lot of details about the memory use of various features[*], "ulimit -H -d ..." at best is a guess.  "ulimit -H -m ..." works to limit memory use, but it can't be used without swap, and without limiting the data segment as well, it's easy to start thrashing code vs data and kill performance.

"cgroups" helps with multiprocess applications, but it is complicated to set up properly.

But in Windows there is no built-in user control for resource use ... there are some 3rd party utilities, but many admins won't permit using them.  I work a lot with various DBMS, and things may get easier as SQL Server is available for Linux, but most people who run it still run it on Windows.


And, of course, containers can limit (at least) memory and CPU, but they have their own sets of issues, and the container system itself can require substantial resources.  Generally I prefer to avoid containers and run on the bare machine wherever possible.

YMMV,
George


[*] particularly JIT:  e.g., application mapped files are "data" from the POV of the OS regardless of whether the mapping is executable.  So JIT'd code really is data for "ulimit" purposes.



On 7/23/2020 12:47 PM, Laurent wrote:
Just in case (not sure how relevant this is to you):
https://docs.racket-lang.org/reference/Sandboxed_Evaluation.html?q=with-limits#%28form._%28%28lib._racket%2Fsandbox..rkt%29._with-limits%29%29
Works pretty well, but there are some caveats: if an object can be reached outside of the `with-limits` scope, it's not counted.

On Thu, Jul 23, 2020 at 5:42 PM George Neuner <gneun...@comcast.net> wrote:


    Limits on resources used by individual VMs.  ulimit works only at the
    process level (so only indirectly affects in-process "thread" places),
    and Windows has no simple equivalent:  I am aware of Windows "job
    objects", but there are no user controls for them.
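
As an added illustration of the data-segment limit that `ulimit -d` controls, discussed in the thread above (this is not code from the thread or from Racket): a C program that forks a child, applies the limit with `setrlimit(RLIMIT_DATA)`, and reports whether heap growth is refused. The function name `grow_heap_under_data_limit` and the sizes are assumptions chosen for the example, and Linux behaviour is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose sbrk() under strict -std= modes */
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child, cap its data segment at limit_bytes (soft and hard limit),
 * then try to grow the heap by want_bytes with sbrk(). Returns 0 if the
 * growth succeeded, the child's errno if it was refused, or -1 if the
 * limit could not be set up. The parent's own limits are left untouched. */
int grow_heap_under_data_limit(rlim_t limit_bytes, intptr_t want_bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl = { .rlim_cur = limit_bytes, .rlim_max = limit_bytes };
        if (setrlimit(RLIMIT_DATA, &rl) != 0)
            _exit(255);
        /* RLIMIT_DATA covers brk/sbrk growth; Linux 4.7+ also counts
         * private writable mmap() regions against it. */
        _exit(sbrk(want_bytes) == (void *)-1 ? errno : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)
        || WEXITSTATUS(status) == 255)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const rlim_t limit = 64u << 20;            /* constructed: 64 MiB cap */
    printf("16 MiB under cap:  %d\n", grow_heap_under_data_limit(limit, 16 << 20));
    printf("256 MiB under cap: %d (ENOMEM=%d)\n",
           grow_heap_under_data_limit(limit, 256 << 20), ENOMEM);
    return 0;
}
```

The refusal arrives as an allocation failure inside the limited process, so a runtime started under such a limit has to handle `ENOMEM` from its allocator.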

