File tree Expand file tree Collapse file tree 3 files changed +72
-0
lines changed
Expand file tree Collapse file tree 3 files changed +72
-0
lines changed Original file line number Diff line number Diff line change 1+ # ADR-0004: Chrome
2+
3+ ## Context and Problem Statement
4+
5+ We need a way to render Grafana dashboards as websites to PDFs and PNGs.
6+
7+ ## Considered Options
8+
9+ - Draw the dashboards ourselves using a graphics library.
10+ - Use Google Chrome (or Chromium, or equivalent Chrome DevTools Protocol browser) to render the dashboards.
11+ - Use Mozilla Firefox (or equivalent WebDriver Bi-Di Protocol browser) to render the dashboards.
12+ - Deprecate the feature.
13+
14+ ## Decision Outcome
15+
16+ We're going for Chrome DevTools Protocol compliant browsers, primarily Chromium or Google Chrome:
17+
18+ - We do not think it is a wise investment to re-implement all panels and rendering logic.
19+ - There are currently no good WebDriver Bi-Di clients around in Go.
20+ - We cannot deprecate the feature, as it is widely used, and we have customers depending on it. This includes ourselves.
21+ - Chromium is a stable browser with good headless support, and wide adoption.
22+ - Chromium regularly patches security vulnerabilities.
23+ - There are Chrome DevTools Protocol clients for Go that are mature.
Original file line number Diff line number Diff line change 1+ # ADR-0005: Sandbox
2+
3+ ## Context and Problem Statement
4+
5+ We keep having security incidents due to Chromium's many security vulnerabilities.
6+ These are patched rapidly, but also so often that it still incurs a lot of work on us.
7+
8+ We need a way to reduce the impact of vulnerabilities to a level where we can either not care, or not care _ as much_ .
9+
10+ ## Considered Options
11+
12+ - Do nothing: keep patching Chromium as vulnerabilities are disclosed.
13+ - Use Chromium's built-in sandboxing features.
14+ - Implement our own "just enough" sandbox to run Chromium inside.
15+
16+ ## Decision Outcome
17+
18+ We will build our own "just enough" sandbox, and if possible, also implement the Chromium sandbox inside there:
19+
20+ - The current rate of incidents is too high to be sustainable.
21+ - Chromium's sandbox is strong, but there is still a lot of talk back and forth between the renderer and browser processes.
22+ This means that it is not _ that_ uncommon to have a sandbox escape.
23+ - We do not _ need_ Chromium's full sandboxing, we only want to ensure that:
24+ - Persistence is impossible as processes are killed after use, and the data is gone.
25+ - Processes cannot access other customers' data.
26+ - Processes should not, but can, be used for utilising our resources maliciously (e.g. cryptocurrency mining).
Original file line number Diff line number Diff line change 1+ # ADR-0006: Crash-Only
2+
3+ ## Context and Problem Statement
4+
5+ We run our pods in Kubernetes, and they are pretty memory-intensive as some websites have _ a lot_ of data to render.
6+ As such, it is not uncommon for our pods to either be ` OOMKilled ` , or to be killed by the scheduler.
7+
8+ We need to decide on how to handle pods' expected life cycles.
9+
10+ ## Considered Options
11+
12+ - Model after striving for clean shutdowns.
13+ - Try to limit crash causes.
14+ - Just let it crash; every pod is ephemeral, and the only way out is crashing.
15+
16+ ## Decision Outcome
17+
18+ We're letting it crash:
19+
20+ - We cannot limit crash causes perfectly. Some requests will cause crashes.
21+ - Clean shutdowns do not exist in our clusters; sometimes, pods must crash.
22+ - Crash-only software is a well-documented and proven way to run software,
23+ e.g. [ _ Crash-Only Software_ , George Candea & Armando Fox, Stanford University] ( https://dslab.epfl.ch/pubs/crashonly.pdf ) .
You can’t perform that action at this time.
0 commit comments