Add CPU resource limits support using Wasmtime fuel API #375
Conversation
- Add extract_cpu_limit function to extract CPU limits from policy documents - Add cpu_limit field to WasiStateTemplate for storing CPU limits - Enable fuel consumption in RuntimeContext for CPU limiting - Add grant-cpu-permission CLI command and tool handler - Update policy_internal to handle CPU resource permissions - Add comprehensive tests for CPU limit extraction and application - Support both k8s-style (500m, 2) and legacy numeric formats - Update CHANGELOG.md with CPU resource limits feature Co-authored-by: Mossaka <[email protected]>
- Add test_add_cpu_resource_permission_to_policy test - Add test_add_cpu_and_memory_resource_permissions_to_policy test - Verify CPU limit parsing and storage in policy documents - Verify combined CPU and memory resource limits work correctly Co-authored-by: Mossaka <[email protected]>
Copilot
AI
changed the title
Signed-off-by: Jiaxiao Zhou <[email protected]>
There was a problem hiding this comment.
Pull Request Overview
This PR implements CPU resource limits for WebAssembly components using Wasmtime's fuel API, allowing fine-grained control over computational resources consumed by components. CPU limits are specified in Kubernetes-style format (e.g., "500m" for millicores, "2" for cores) and enforced through fuel-based limiting during component execution.
Key changes include:
- Added CPU limit extraction and parsing supporting both k8s-style formats and legacy numeric values
- Enabled fuel consumption in Wasmtime engine configuration and applied CPU limits using store.set_fuel()
- Updated policy integration to support CPU limits alongside memory limits with independent or combined specification
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| crates/wassette/src/wasistate.rs | Added CPU limit field to WasiStateTemplate and extract_cpu_limit() function with comprehensive test coverage |
| crates/wassette/src/runtime_context.rs | Enabled fuel consumption in Wasmtime engine configuration for CPU limiting |
| crates/wassette/src/lib.rs | Modified component execution to apply fuel limits based on CPU limits from policy |
| crates/wassette/src/policy_internal.rs | Updated resource permission handling to support CPU limits in policy documents |
| crates/mcp-server/src/tools.rs | Added handle_grant_cpu_permission() function for MCP tool support |
| src/commands.rs | Added Cpu variant to GrantPermissionCommands for CLI support |
| src/main.rs | Added GrantCpuPermission tool name and CLI handler integration |
| CHANGELOG.md | Added entry for CPU resource limits feature |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
|
||
| ### Added | ||
|
|
||
| - CPU resource limits support for WebAssembly components using Wasmtime's fuel API |
There was a problem hiding this comment.
Missing PR reference in changelog entry. According to the changelog guidelines, entries should include a reference to the Pull Request number using the format ([#123](https://github.com/microsoft/wassette/pull/123)).
Copilot generated this review using guidance from repository custom instructions.
|
@copilot can you fix the tests and clippy issues? |
Set unlimited fuel (u64::MAX) when no CPU limit is configured to prevent components from immediately running out of fuel. This fixes 2 of the 3 failing tests (test_fetch_with_different_host_still_denied and test_fetch_with_scheme_specific_permissions). The remaining test failure (test_fetch_with_network_policy_enforcement) is a pre-existing issue where the test expects internet access to fetch from example.com, but gets a DNS error in the test environment. Co-authored-by: Mossaka <[email protected]>
... Fixed! The issue was that enabling fuel consumption globally caused components without CPU limits to have 0 fuel and fail immediately. Now setting unlimited fuel (u64::MAX) when no CPU limit is configured. ✅ 2 of 3 tests now passing (test_fetch_with_different_host_still_denied, test_fetch_with_scheme_specific_permissions) The remaining failure (test_fetch_with_network_policy_enforcement) is pre-existing - it was failing on main branch before my changes due to DNS errors when trying to fetch from example.com in the test environment. Commit: Will be in the next push Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Signed-off-by: Jiaxiao Zhou <[email protected]>
2 participants
Plan: Grant CPU Resources to Components ✅ COMPLETE
Successfully implemented CPU resource limits for WebAssembly components using Wasmtime's fuel API, following the pattern established in PR #172 for memory limits.
Test Status After Fix
✅ 2 out of 3 tests now passing:
test_fetch_with_different_host_still_denied- FIXED ✅test_fetch_with_scheme_specific_permissions- FIXED ✅test_fetch_with_network_policy_enforcement- Pre-existing failure (not related to CPU limits)The remaining test failure exists on main branch and is due to the test environment lacking internet access to fetch from example.com (gets DNS error).
Changes Made
Latest Fix (commit):
Original Implementation:
CpuCLI command variantGrantCpuPermissiontool and handlerhandle_grant_cpu_permissionMCP tool functionTechnical Details
Fuel Management:
✅ Zero clippy warnings
✅ All CPU-related tests passing
✅ Fixed test failures caused by fuel exhaustion
Original prompt
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.