We'd like to make sure that the headless chromium instances spawned by the chromium-render service are properly firejailed and CPU-limited, both for security and to bound resource consumption. According to T180626#3772070, firejailing is done automatically.
This task is a blocker for the service going to production, but it should be worked on only after we're satisfied with the performance test of the service: T178278: Performance test the service.
Closed Questions
- How should we manage resource consumption (mem, CPU)? Look into using cpulimit to limit the CPU usage. What about memory usage?
firejail can limit both CPU time and the maximum size of a process's virtual memory (address space), via the --rlimit-cpu and --rlimit-as options respectively (see https://firejail.wordpress.com/features-3/man-firejail/). We shouldn't need to limit CPU time, as the service already implements job timeouts.
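As an added example (not the chromium-render service's own launcher), a hypothetical wrapper that assembles the firejail argv from a memory budget, plus a check of what the RLIMIT_AS cap that --rlimit-as sets does to an oversized allocation; the check applies the rlimit with Python's resource module instead of firejail so it runs without firejail installed. The chromium flags and the 512 MiB / 2 GiB figures are assumptions.

```python
import resource
import subprocess
import sys

MIB = 1024 * 1024


def firejail_command(chromium_cmd, max_address_space, cpu_seconds=None):
    """argv for launching headless chromium inside firejail (hypothetical wrapper).

    --rlimit-as caps the virtual address space, in bytes, of every process in
    the sandbox; --rlimit-cpu caps CPU time in seconds and is left out by
    default because the render service already enforces job timeouts.
    """
    cmd = ["firejail", "--quiet", "--rlimit-as=%d" % max_address_space]
    if cpu_seconds is not None:
        cmd.append("--rlimit-cpu=%d" % cpu_seconds)
    return cmd + list(chromium_cmd)


def run_with_address_space_cap(argv, max_address_space):
    """Run argv with RLIMIT_AS applied to the child and return its exit status.

    The resource module stands in for firejail here; --rlimit-as sets this
    same rlimit on the sandboxed process.
    """
    def apply_limit():
        resource.setrlimit(resource.RLIMIT_AS,
                           (max_address_space, max_address_space))

    return subprocess.run(argv, preexec_fn=apply_limit).returncode


def allocation_succeeds(nbytes, max_address_space=512 * MIB):
    """True if a child can allocate nbytes under the address-space cap.

    Stands in for a render job: an allocation past the cap fails with
    MemoryError (exit status 1) instead of eating host RAM. The limit is on
    address space, not resident memory, so chromium needs headroom for
    mappings it reserves but never touches.
    """
    child = [sys.executable, "-c", "bytearray(%d)" % nbytes]
    return run_with_address_space_cap(child, max_address_space) == 0


if __name__ == "__main__":
    print(" ".join(firejail_command(
        ["chromium", "--headless", "--disable-gpu", "--dump-dom", "about:blank"],
        max_address_space=2048 * MIB)))
    print("16 MiB under a 512 MiB cap:", allocation_succeeds(16 * MIB))
    print("1 GiB under a 512 MiB cap:", allocation_succeeds(1024 * MIB))
```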