-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GR-49729] [Espresso] Support running without native access. #10239
Comments
thanks @gilles-duboscq for putting this up!
I am noob in this area, but this seems a lot of work. Would you be able to give a high level estimate of the quantity of work? (sorry for asking the hard part of it so early, but i am evaluating if we (Opensearch) would be able to use it any time in Q1 2025). |
tagging Opensearch's meta issue for referencing opensearch-project/OpenSearch#1687 |
Regarding unsafe: I don't think that's a lot of work, all unsafe field accesses are already "virtualized": we find the field that is accessed from the offset and then perform the access. Regarding the timeline. We had explored the subject a few months ago. We might be able to merge some of the building blocks based on that. |
thanks for the callout on the dates. Agreed Jan would be really a stretch; but the fact that we could get this in production is really exciting news and opens a new door for security manager alternative. I am going to discuss this option more verbally internally with our team. At the same time, we will be happy to help with contributions on the issue. |
Feature request
Is your feature request related to a problem? Please describe.
Espresso requires native access to run the JDK's native libraries. Native access is also requires due to the implementation of Unsafe.
As a result, to run espresso in a polyglot context it requires all access.
Describe the solution you'd like.
Some of the JDK's native methods could be implemented without having to call native code.
Unsafe can be virtualized in a way that it doesn't require native access.
Describe who do you think will benefit the most.
Users who want to run espresso in a polyglot context without having to enable all access or native access.
Describe alternatives you've considered.
Additional context.
The I/O part of the JDK would be taken care of by #4625.
The following JDK 21 modules contain native code and are relevant for espresso:
java.base
java.desktop
java.management
java.rmi
java.security.jgss
(kerberos)jdk.jdi
jdk.management
java.desktop
is too vast to realistically be implemented without calling into the native code.The following JDK 21 modules contain native code but are unlikely to be used in a no-native espresso context:
java.smartcardio
(ISO/IEC 7816 smart cards)jdk.crypto.cryptoki
(PKCS#11 tokens)The following JDK 21 modules contain native code but are not relevant for espresso:
jdk.hotspot.agent
jdk.jdwp.agent
jdk.jpackage
Express whether you'd like to help contributing this feature
If you'd like to contribute, please read the contribution guide.
The text was updated successfully, but these errors were encountered: