Background
Applications running on GEISA need separation / isolation from each other to ensure that one application doesn’t impact another. While some level of resource management and process isolation is provided by most operating systems, this isn’t robust enough for GEISA.
There are several methods for providing advanced isolation including:
Containers
Virtual Machines / Hypervisors
Virtual Execution Environments (e.g. Java’s JVM, Erlang’s BEAM, .Net’s CLR)
Amazon’s Firecracker team released a whitepaper on their efforts which includes a helpful discussion of the advantages and disadvantages of these approaches.
Isolation Mechanism
Resource Management
Define Container Resource Limits
CPU limit (% of CPU)
Memory Limit (in 1 KB units)
Storage Limit (in 1 KB units)
Define Container Access Levels:
Level 0 - Read & Control - Core Features - Immutable
Level 1 - Read & Control - Utility
Level 2 - Read Only
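
The container resource limits listed above, as an added example that is not part of the GEISA material: Python code that rejects a container whose limits would oversubscribe the device and maps the CPU and memory limits to Linux cgroup v2 settings. It assumes Linux with cgroup v2, that "% of CPU" means percent of the whole device, and that 1 KB is 1024 bytes; the names Limits, check_admission and to_cgroup_v2 are hypothetical.

```python
from dataclasses import dataclass

KB = 1024                # assumption: the page does not say whether 1 KB is 1000 or 1024 bytes
CPU_PERIOD_US = 100_000  # scheduling period used for cpu.max (the kernel's default)


@dataclass(frozen=True)
class Limits:
    """The three per-container limits from the page; field names are hypothetical."""
    cpu_percent: int  # % of CPU; assumed to mean percent of the whole device
    memory_kb: int    # 1 KB units
    storage_kb: int   # 1 KB units


def check_admission(new, running, host):
    """Return the reasons `new` must be rejected; an empty list means it fits.

    `running` holds the limits of containers already admitted and `host` is
    the capacity available to containers, expressed in the same units.
    """
    problems = []
    for field in ("cpu_percent", "memory_kb", "storage_kb"):
        value = getattr(new, field)
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            # A zero or missing limit is treated as an error, not as "unlimited".
            problems.append(f"{field}: must be a positive integer")
            continue
        committed = sum(getattr(r, field) for r in running)
        if committed + value > getattr(host, field):
            problems.append(f"{field}: {committed} committed + {value} exceeds {getattr(host, field)}")
    return problems


def to_cgroup_v2(limits):
    """Map the CPU and memory limits to cgroup v2 interface files.

    Storage is absent: cgroup v2 has no disk-space controller, so that limit
    needs a filesystem-level quota.
    """
    quota_us = CPU_PERIOD_US * limits.cpu_percent // 100
    return {
        "cpu.max": f"{quota_us} {CPU_PERIOD_US}",
        "memory.max": str(limits.memory_kb * KB),
    }


# Constructed sample values, not taken from any GEISA document.
HOST = Limits(cpu_percent=100, memory_kb=262_144, storage_kb=1_048_576)
RUNNING = [Limits(40, 65_536, 262_144), Limits(30, 131_072, 262_144)]
```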