Google App Engine 如何限制 Python?

发布于 2024-10-09 00:36:54 字数 78 浏览 6 评论 0原文

有谁知道GAE如何限制Python解释器?例如,它们如何阻止 IO 操作或 URL 操作。

共享主机也以某种方式做到这一点吗?

Does anybody know, how GAE limit Python interpreter? For example, how they block IO operations, or URL operations.

Shared hosting also do it in some way?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

毁虫ゝ 2024-10-16 00:36:54

沙箱通过具有特殊版本的 Python 解释器“在内部工作”。您运行的不是标准的 Python 可执行文件,而是经过专门修改以在 Google App 引擎上运行的可执行文件。

更新:

不,它不是普通意义上的虚拟机。每个应用程序都没有完整的虚拟PC。可能会有一些虚拟化正在进行,但谷歌并没有具体说明虚拟化的程度或内容。

操作系统中的进程通常已经限制了对操作系统其余部分和硬件的访问。谷歌对此进行了更多限制,您得到的环境中只允许读取文件系统的特定部分,而根本不能写入它,不允许打开套接字,也不允许进行系统调用等 不过,

我不知道操作系统/文件系统/解释器的每个限制是在哪个级别实现的。

The sandbox "internally works" by them having a special version of the Python interpreter. You aren't running the standard Python executable, but one especially modified to run on Google App engine.

Update:

And no it's not a virtual machine in the ordinary sense. Each application does not have a complete virtual PC. There may be some virtualization going on, but Google isn't saying exactly how much or what.

A process has normally in an operating system already limited access to the rest of the OS and the hardware. Google have limited this even more and you get an environment where you are only allowed to read the very specific parts of the file system, and not write to it at all, you are not allowed to open sockets and not allowed to make system calls etc.

I don't know at which level OS/Filesystem/Interpreter each limitation is implemented, though.

橙味迷妹 2024-10-16 00:36:54

来自 Google 的网站:

  • 应用程序只能访问其他应用程序
    通过互联网连接的计算机
    提供 URL 获取和电子邮件
    服务。其他电脑只能
    通过以下方式连接到应用程序
    HTTP(或 HTTPS)请求
    标准端口。

  • 应用程序无法写入
    文件系统。应用程序可以读取文件,
    但仅限使用以下方式上传的文件
    应用程序代码。该应用程序必须使用
    App Engine 数据存储、memcache 或
    所有数据的其他服务
    在请求之间持续存在。

  • 应用程序代码仅运行在
    对网络请求的响应,排队
    任务或计划任务,并且必须
    30以内返回响应数据
    无论如何,秒。一个请求
    处理程序无法生成子进程或
    响应后执行代码
    已发送。

除此之外,您只能使用 Python 2.5,无法使用任何基于 C 的扩展,更新版本的 Web 框架在某些情况下将无法工作(再次是 Python 2.5)。

您可以阅读整篇文章什么是 Google App Engine?

From Google's site:

  • An application can only access other
    computers on the Internet through the
    provided URL fetch and email
    services. Other computers can only
    connect to the application by making
    HTTP (or HTTPS) requests on the
    standard ports.

  • An application cannot write to the
    file system. An app can read files,
    but only files uploaded with the
    application code. The app must use
    the App Engine datastore, memcache or
    other services for all data that
    persists between requests.

  • Application code only runs in
    response to a web request, a queued
    task, or a scheduled task, and must
    return response data within 30
    seconds in any case. A request
    handler cannot spawn a sub-process or
    execute code after the response has
    been sent.

Beyond that, you're stuck with Python 2.5, you can't use any C-based extensions, more up-to-date versions of web frameworks won't work in some cases (Python 2.5 again).

You can read the whole article What is Google App Engine?.

与之呼应 2024-10-16 00:36:54

我发现这个网站

有一些相当不错的信息。你到底想做什么?

此处

新鲜!

请查看此处:http://code.google.com/appengine/docs/python /runtime.html

您的 IO 操作受到如下限制(超出禁用的模块):

App Engine 记录应用程序在一个日历日内使用的每种资源的数量,并在该数量达到应用程序的资源配额时认为资源已耗尽。日历日是从太平洋时间午夜开始的 24 小时周期。 App Engine 会在每天开始时重置所有资源测量值,存储数据除外,它始终代表正在使用的数据存储区存储量。

当应用消耗完所有分配的资源时,该资源将变得不可用,直到配额得到补充。这可能意味着您的应用在配额得到补充之前将无法运行。

应用程序可以通过调用配额 API 来确定当前请求到目前为止已占用了多少 CPU 时间。这对于分析 CPU 密集型代码以及查找可以提高 CPU 效率以进一步节省成本的地方非常有用。您可以测量整个请求使用的 CPU,或者在一段代码之前和之后调用 API,然后减去以确定这两点之间使用的 CPU。

资源|免费默认配额|启用计费的默认配额
Blobstore |存储的数据| 1GB| 1 GB 可用空间;无上限
资源|计费已启用|默认配额
每日限额|最大速率
Blobstore API 调用 |140,000,000 次调用| 72,000 次调用/分钟

嗯,我的表格不太好,但希望仍然可读。

编辑:好的,我明白了。但是先生,您不必使用“f”这个词。 :) 你知道,这有点像整个“授人以鱼”的场景。我总是问 Google,这就是为什么我在这里回答问题只是为了好玩。

再次编辑:好的,在发表评论之前这更有意义。所以我又去回答了这个问题。我希望它有帮助。

I found this site

that has some pretty decent information. What exactly are you trying to do?

Here

FRESH!

Look here: http://code.google.com/appengine/docs/python/runtime.html

Your IO Operations are limited as follows (beyond disabled modules):

App Engine records how much of each resource an application uses in a calendar day, and considers the resource depleted when this amount reaches the app's quota for the resource. A calendar day is a period of 24 hours beginning at midnight, Pacific Time. App Engine resets all resource measurements at the beginning of each day, except for Stored Data which always represents the amount of datastore storage in use.

When an app consumes all of an allocated resource, the resource becomes unavailable until the quota is replenished. This may mean that your app will not work until the quota is replenished.

An application can determine how much CPU time the current request has taken so far by calling the Quota API. This is useful for profiling CPU-intensive code, and finding places where CPU efficiency can be improved for greater cost savings. You can measure the CPU used for the entire request, or call the API before and after a section of code then subtract to determine the CPU used between those two points.

Resource| Free Default Quota| Billing Enabled Default Quota
Blobstore |Stored Data| 1 GB| 1 GB free; no maximum
Resource |Billing Enabled| Default Quota
Daily Limit| Maximum Rate
Blobstore API Calls |140,000,000 calls| 72,000 calls/minute

Hmm my table isn't that good, but hopefully still readable.

EDIT: OK, I understand. But sir, you did not have to use the "f" word. :) And you know, it's kinda like the whole 'teach a man to fish' scenario. Google is who I always ask and that's why I'm answering questions here for fun.

EDIT AGAIN: OK that made more sense before the comment was tooked. So I went and answered the question a little more. I hope it helps.

野稚 2024-10-16 00:36:54

IMO 它不是标准的 python,而是专门为应用程序引擎修补的版本。换句话说,你可以或多或少地思考一个“更高级别”的虚拟机,但它不是模拟 x86 指令,而是模拟 python 操作码(如果你不知道它们是什么,请尝试编写一个名为“foo”的小函数,然后执行“import” dis; dis.dis(foo)”,您将看到编译器生成的 python 操作码)。

通过修补 python,您可以对其施加任何您喜欢的限制。当然,您必须禁止使用用户提供的 C/C++ 扩展模块,因为 C/C++ 模块将有权访问进程可以访问的所有内容。

使用这样的虚拟环境,您可以安全地运行 python 代码,而无需为每个实例使用单独的 x86 VM。

IMO it's not a standard python, but a version specifically patched for app engine. In other words you can think more or less like an "higher level" VM that however is not emulating x86 instructions but python opcodes (if you don't know what they are try writing a small function named "foo" and the doing "import dis; dis.dis(foo)" you will see the python opcodes that the compiler produced).

By patching python you can impose to it whatever limitations you like. Of course you've however to forbid the use of user supplied C/C++ extension modules as a C/C++ module will have access to everything the process can access.

Using such a virtual environment you're able to run safely python code without the need to use a separate x86 VM for every instance.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文