undefined | Better HN

0 pointslaurencerowe7mo ago0 comments

I guess my question here is if you are already writing Rust do you care about per-request isolation so much? If you don't then deploying a container to AWS Lambda or GCP Cloud Run is already pretty easy. It might be possible to offer better cold start performance with the TinyKVM approach, but that is still an unknown.

For the Varnish TinyKVM vmod they brought up examples of running image transcoding which is definitely something that benefits from per request isolation given the history of exploits for those kinds of C/C++ libraries.

It's worth noting that Cloudflare/AWS Lambda don't have per-request isolation and that's pretty important for server side rendering use cases where code was initially written with client side assumptions.

Not sure this will ever turn into a business for me personally - my motivation is in trying to regain some of the simplicity of the CGI days without giving up the performance gains of modern software stacks. Though it would be helpful to have a production workload to improve at some point.

0 comments

vlovich1237mo ago

> do you care about per-request isolation so much

> It's worth noting that Cloudflare/AWS Lambda don't have per-request isolation and that's pretty important for server side rendering use cases where code was initially written with client side assumptions.

It wasn’t just because of SSR. There’s numerous opportunities for security vulnerabilities because of request confusion in global state. Per request isolation is definitely something Cloudflare would enable if they had a viable solution from that perspective. As such it’s irrelevant the language you write it in - Rust is as equally vulnerable to this problem as JS or anything else.

> If you don't then deploying a container to AWS Lambda or GCP Cloud Run is already pretty easy

Yea, but cloud functions like your talking about are best for running at the edge as close to the user as possible, not for traditional centralized servers. It also promotes a very different programming paradigm that when you fit into it is significantly cheaper to run and maintain because you can decompose your service.

> It might be possible to offer better cold start performance with the TinyKVM approach, but that is still an unknown.

https://blog.cloudflare.com/eliminating-cold-starts-with-clo...

You’d want to start prewarming an instance to be ready to handle the request when a TLS connection for a function comes in.

j / k navigate · click thread line to collapse