Change Details

We'd like to make sure that the headless chromium instances spun off from the chromium-render service are properly firejailed and CPU limited for security and resource consumption purposes. According to T180626#3772070, firejailing is done automatically. The task is a blocker for the service to go on production. But it's should be worked on after we're satisfied with the performance test of the service: {T178278}. ##A/C [] How should we manage resource consumption (mem, CPU)? Look into using [[ https://github.com/opsengine/cpulimit | cpulimit ]] to limit the CPU usage. What about memory usage? ##Sign off [] At the end of the spike create a task with instructions on how to limit resource concumption.

We'd like to make sure that the headless chromium instances spun off from the chromium-render service are properly firejailed and CPU limited for security and resource consumption purposes. According to T180626#3772070, firejailing is done automatically. The task is a blocker for the service to go on production. But it's should be worked on after we're satisfied with the performance test of the service: {T178278}. ##Closed Questions [x] How should we manage resource consumption (mem, CPU)? Look into using [[ https://github.com/opsengine/cpulimit | cpulimit ]] to limit the CPU usage. What about memory usage? `firejail` has the facility to limit CPU time and the maximum size of the processes virtual memory, the `--rlimit-as` and `--rlimit-cpu` options respectively (see https://firejail.wordpress.com/features-3/man-firejail/). We shouldn't need to worry about limiting CPU time as we've already implemented job timeouts in the service itself.

We'd like to make sure that the headless chromium instances spun off from the chromium-render service are properly firejailed and CPU limited for security and resource consumption purposes. According to T180626#3772070, firejailing is done automatically. The task is a blocker for the service to go on production. But it's should be worked on after we're satisfied with the performance test of the service: {T178278}. ##A/C [] How should we manage resource consumption (mem, CPU)? Look into using [[ https://github.com/opsengine/cpulimit | cpulimit ]] to limit the CPU usage. What about memory usage?Closed Questions ##Sign off [] At the end of the spike create a task with instructions on how to limit resource concumption[x] How should we manage resource consumption (mem, CPU)? Look into using [[ https://github.com/opsengine/cpulimit | cpulimit ]] to limit the CPU usage. What about memory usage? `firejail` has the facility to limit CPU time and the maximum size of the processes virtual memory, the `--rlimit-as` and `--rlimit-cpu` options respectively (see https://firejail.wordpress.com/features-3/man-firejail/). We shouldn't need to worry about limiting CPU time as we've already implemented job timeouts in the service itself.