A lightweight Function-as-a-Service platform that accepts code via HTTP API and executes it securely inside a Bubblewrap sandbox.
```bash
go install github.com/pardnchiu/go-faas/cmd/api@latest
```
All user-submitted code runs inside a Bubblewrap sandbox with full Linux namespace isolation covering filesystem, network, and process space. Every capability is dropped, and only read-only system paths and the wrapper script are mounted, ensuring user code cannot access host resources or make outbound connections.
Accept and execute Python, JavaScript, and TypeScript code through a unified HTTP API. Scripts are versioned and stored in Redis with automatic timestamp-based versioning on each upload, allowing callers to target a specific version or always run the latest iteration.
Each sandbox process is launched via systemd-run under a dedicated systemd slice that enforces CPU quota and memory ceiling. When a script exceeds its resource budget, the system terminates it at the kernel level, preventing any single execution from degrading overall service stability.
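An added example (not the project's own `internal/sandbox` code) of how a `systemd-run` plus `bwrap` command line matching the isolation and resource limits described above could be assembled, with a small audit that rejects argv lists exposing writable host paths or the host network. The function names, the `/sandbox/wrapper` mount point, `faas.slice`, the host paths and the limit values are assumptions.

```go
// Added example, not go-faas code; paths, slice name and limits are assumed values.
package main

import "fmt"

// BwrapArgs: all namespaces unshared, all capabilities dropped, no writable host path.
func BwrapArgs(wrapper string, interp ...string) []string {
	a := []string{"bwrap", "--unshare-all", "--die-with-parent", "--new-session",
		"--cap-drop", "ALL", "--clearenv", "--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp"}
	for _, p := range []string{"/usr", "/bin", "/lib", "/lib64"} { // assumed system paths
		a = append(a, "--ro-bind-try", p, p)
	}
	a = append(a, "--ro-bind", wrapper, "/sandbox/wrapper", "--")
	return append(append(a, interp...), "/sandbox/wrapper")
}

// SystemdRunArgs puts inner in a transient scope under slice with cgroup limits.
func SystemdRunArgs(slice, cpu, mem string, inner []string) []string {
	a := []string{"systemd-run", "--scope", "--quiet", "--slice=" + slice,
		"-p", "CPUQuota=" + cpu, "-p", "MemoryMax=" + mem, "--"}
	return append(a, inner...)
}

// Audit lists violations in a bwrap argv: forbidden flags present, required ones missing.
func Audit(argv []string) (bad []string) {
	seen := map[string]bool{}
	for _, f := range argv {
		if f == "--" {
			break // the sandboxed command follows; its arguments are not bwrap flags
		}
		seen[f] = true
	}
	for _, f := range []string{"--bind", "--dev-bind", "--share-net"} {
		if seen[f] {
			bad = append(bad, "forbidden "+f)
		}
	}
	for _, f := range []string{"--unshare-all", "--cap-drop", "--clearenv"} {
		if !seen[f] {
			bad = append(bad, "missing "+f)
		}
	}
	return bad
}

func main() {
	b := BwrapArgs("/opt/faas/wrapper.py", "/usr/bin/python3")
	fmt.Println(SystemdRunArgs("faas.slice", "50%", "128M", b), Audit(b))
}
```

Because `--clearenv` leaves no `PATH` inside the sandbox, the interpreter is passed as an absolute path.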
```mermaid
graph TB
    Client[HTTP Client] -->|POST /upload| Upload[Upload Handler]
    Client -->|POST /run/*path| Run[Run Handler]
    Client -->|POST /run-now| RunNow[RunNow Handler]
    Upload -->|Store script| Redis[(Redis)]
    Run -->|Fetch script| Redis
    Run --> Sandbox
    RunNow --> Sandbox
    subgraph Sandbox[Bubblewrap Sandbox]
        SystemdRun[systemd-run] --> Bwrap[bwrap]
        Bwrap --> Wrapper[Wrapper Script]
        Wrapper --> UserCode[User Code]
    end
    Sandbox -->|stdout/stderr| SSE[SSE Stream / JSON Response]
    SSE --> Client
```
```
go-faas/
├── cmd/
│   └── api/
│       └── main.go              # Entry point
├── internal/
│   ├── router.go                # HTTP route definitions
│   ├── checker/
│   │   └── checker.go           # Dependency check and auto-install
│   ├── database/
│   │   └── redis.go             # Redis script storage and versioning
│   ├── handler/
│   │   ├── run.go               # Code execution handler
│   │   ├── upload.go            # Script upload handler
│   │   └── sse.go               # SSE streaming output
│   ├── sandbox/
│   │   ├── command.go           # Bubblewrap sandbox command builder
│   │   └── slice.go             # Systemd slice resource limits
│   ├── resource/
│   │   ├── wrapper.py           # Python wrapper
│   │   ├── wrapper.js           # JavaScript wrapper
│   │   └── wrapper.ts           # TypeScript wrapper
│   └── utils/
│       └── getEnv.go            # Environment variable helpers
├── .env.example
├── go.mod
└── LICENSE
```
This project is licensed under the MIT LICENSE.
©️ 2025 邱敬幃 Pardn Chiu
