FireCracker | Generate word list combining inputted words | Generator Utils library

@Mihai, if one needs to create a DPDK buffer in secondary and send it via RTE_RING following are the steps to do so

1. Start the secondary application
2. Get the Mbuf pool ptr via rte_mempool_lookup
3. Allocate mbuf from mbuf pool via rte_pktmbuf_alloc
4. set minimum fields in mbuf such as pkt_len, data_len, next and nb_segs to appropriate values.
5. fetch the starting of the region to mem copy your custom packet with rte_pktmbuf_mtod_offset or rte_pktmbuf_mtod
6. then memcopy the content from user vector to DPDK area

Note: based on the checksum offload, actual frame len and chain mbuf mode other fields need to be updated.

code snippet

I somehow managed to fix it by adjusting the cargo build command to use x86_64-unknown-linux-gnu as target instead of x86_64-unknown-linux-musl (By default cargo build was doing the musl target somehow)

So if you are trying to build a rust app which is using DPDK libraries and you are getting missing headers, make sure to try the following:

cargo build --target=x86_64-unknown-linux-gnu

Well if you have to use musl and there is no alternative, I don't have an answer. But to me this was enough.

If someone has an explanation why musl is nor working in this scenario, please let us know.

Reddit Rust community helped me as well, check this link out if you are interested: https://www.reddit.com/r/rust/comments/mo3i08/unable_to_compile_c_file_inside_buildrs_headers/

So Why build.rs was unable to find .C headers?

ANSWER

Because I was using x86_64-unknown-linux-musl as target.

Because addToCart() is a callback, you can use this to access its context (the caller element):

You can use click event here when user click on a tag get the id which has different category then loop through all productCard divs and check if the a tag inside it has data-slug equal to the category which user has selected depending on this show that div.

Demo Code :

Take a good look at what dataset vs .data - Difference? dataset do, or data for that matter, and then take a look at your inner HTML in .productItem there is not a single data attribute inside, no wonder dataset can not fetch any and is undefined. Please tel me what is wanted result in console.log(productInfo[0].name); What is expected to be inside and we will extract it.

You can fetch a name by simply doing:

Based on what stated on the documentation for Lambda execution context, Lambda tries to reuse the execution context between subsequent executions, this is what leads to cold-start (when the context is spun up) and warm-start (when an existing context is reused).

You typically see this latency when a Lambda function is invoked for the first time or after it has been updated because AWS Lambda tries to reuse the execution context for subsequent invocations of the Lambda function.

This is corroborated by another statement in the documentation for the Lambda Runtime Environment where it's stated that:

When a Lambda function is invoked, the data plane allocates an execution environment to that function, or chooses an existing execution environment that has already been set up for that function, then runs the function code in that environment.

A later passage of the same page gives a bit more info on how environments/resources are shared among functions and executions in the same AWS Account:

Execution environments run on hardware virtualized virtual machines (microVMs). A microVM is dedicated to an AWS account, but can be reused by execution environments across functions within an account. [...] Execution environments are never shared across functions, and microVMs are never shared across AWS accounts.

Additionally, there's also another doc page that gives some more details on isolation among environments but again, no mention to the ability to enforce 1 execution per environment.

As far as I know there's no way to make it so that a new execution will use a new environment rather than an existing one. AWS doesn't provide much insight in this but the wording around the topic seems to suggest that most people actually try to do the opposite of what you're looking for:

When you write your Lambda function code, do not assume that AWS Lambda automatically reuses the execution context for subsequent function invocations. Other factors may dictate a need for AWS Lambda to create a new execution context, which can lead to unexpected results, such as database connection failures.

I would say that if your concern is isolation from other customers/accounts, AWS guarantees isolation by means of virtualisation that although not being at the physical level, depending on their SLAs and your SLAs/requirements might be enough. If instead you're thinking on doing some kind of multi-tenant infrastructure that requires Lambda executions to be isolated from one another then this component might not be what you're looking for.

The solution per @Lamanus was to place variable outside of function making them global rather than storing them in a function (as I did) and call that function from another.

A simple, reproducible example of the problem (playground):

Both Firecracker and gVisor are technologies which provide sandboxing / isolation but in a different way.

• Firecracker (orange box) is a Virtual Machine Manager.
• gVisor (green box) has an architecture which controls/filters the system calls that reach the actual host.

Weave Ignite is a tool that helps you use Firecracker in order to run containers inside lightweight VMs and also do that with a nice UX, similar to using Docker.

This is also mentioned in the Scope section of github.com/weaveworks/ignite

Scope

Ignite is different from Kata Containers or gVisor. They don't let you run real VMs, but only wrap a container in new layer providing some kind of security boundary (or sandbox).

Ignite on the other hand lets you run a full-blown VM, easily and super-fast, but with the familiar container UX. This means you can "move down one layer" and start managing your fleet of VMs powering e.g. a Kubernetes cluster, but still package your VMs like containers.

Regarding the use-case part of your question, it's my feeling that because of the stronger isolation VMs offer, Ignite can be more production-ready. Also, the approach of gVisor seems to have a significant performance cost, as it is mentioned at The True Cost of Containing: A gVisor Case Study:

Conclusion

• gVisor is arguably more secure than runc
• Unfortunately, our analysis shows that the true costs of effectively containing are high: system calls are 2.2× slower, memory allocations are 2.5× slower, large downloads are 2.8× slower, and file opens are 216× slower

Current Sandboxing Methods

Sandboxing with gVisor

Do I Need gVisor?

No. If you're running production workloads, don't even think about it! Right now, this is a metaphorical science experiment. That's not to say you may not want to use it as it matures. I don't have any problem with the way it's trying to solve process isolation and I think it's a good idea. There are also alternatives you should take the time to explore before adopting this technology in the future.

Where might I want to use it?

As an operator, you'll want to use gVisor to isolate application containers that aren't entirely trusted. This could be a new version of an open source project your organization has trusted in the past. It could be a new project your team has yet to completely vet or anything else you aren't entirely sure can be trusted in your cluster. After all, if you're running an open source project you didn't write (all of us), your team certainly didn't write it so it would be good security and good engineering to properly isolate and protect your environment in case there may be a yet unknown vulnerability.

My answer has information from the following sources which are in quote sections when taken "as-is" and I recommend them for further reading:

• What is gVisor? from Rancher Blog
• Making Containers More Isolated: An Overview of Sandboxed Container Technologies
• Containers, Security, and Echo Chambers blog by Jessie Frazelle
• The True Cost of Containing: A gVisor Case Study
• Kata Containers vs gVisor?
• Firecracker: Lightweight Virtualization for Serverless Applications paper from AWS