cookrn|5 years ago
I don’t know that it uses either of those tools as the built-in approach. It could have changed, but last I read, it used V8’s built-in Isolate concept to provide the sandbox and that when an Isolate is created, it is only provided the underlying system access specified by CLI flags or other options, e.g. filesystem, network, etc.
lioeters|5 years ago
I found deno::CoreIsolate in the source ². Userland process isolation seems to be provided by V8 Isolate.
The execution and security model remind me of the recent trend in FaaS, in particular running WebWorkers (or similar), WASM, etc. Found a fascinating presentation about how V8 is used at Cloudflare ³.
"..using V8 isolates instead of containers or VMs, achieving 10x-100x faster cold starts and lower memory footprints.."
---
¹ https://deno.land/manual/contributing/architecture#schematic...
² https://github.com/denoland/deno/blob/2610ceac20bc644c0b58bd...
³ Fine-Grained Sandboxing with V8 Isolates - https://www.infoq.com/presentations/cloudflare-v8/
gutino|5 years ago