New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow arbitrary plugins on Cloud #6855
Comments
The additional context here is that the in the first version I actually used |
Definitely worth investigating deeper though. |
Another issue to consider is abusing the cache and storage. |
This issue hasn't seen activity in two years! If you want to keep it open, post a comment or remove the |
This issue was closed due to lack of activity. Feel free to reopen if it's still relevant. |
A while ago we released Plugins for PostHog Cloud users.
However the limitation there is that only verified plugins from the official plugins repository are allowed for most users – system safety reasons prevent us from allowing arbitrary code in the multi-tenant architecture.
This is already very useful, but it would still be fantastic and even more powerful if ANYONE could run ANY plugin code (using the source code editor for instance).
Theoretically we could allow it right now, it's practically a single switch. However there's a few issues that we need to sort out beforehand to ensure stability of the system:
In CPU and memory usage protections we're severely limited by using
vm2
for running plugins, which is a wrapper over Node'svm
module. That's performant and convenient – this way all of the server is Node – but it also makes management of resources difficult in a multi-tenant system. Allvm
VMs runs inside the same Node process as the rest of the plugin server, so they all share the same pool of process resources.Cloudflare Workers for example use V8 Isolates more directly, running their own V8-based runtime alternative to Node. That gives them full oversight over activity of each individual worker, at the cost of lots of development effort.
A Node-based alternative to
vm2
could beisolated-vm
, which seems to offer better isolation characteristics. AFAIK @mariusandra may have some more context on that package.In any case, a rework of plugin VMs could be really useful, but would also require careful consideration, so a last resort for now.
Extra reading: PostHog/plugin-server#227 on isolation between Cloud tenants.
The text was updated successfully, but these errors were encountered: