Sandbox policy

Azure Data Explorer runs certain plugins within sandboxes whose available resources are limited and controlled for security and for resource governance.

Sandboxes run on the nodes of the Kusto engine. Some of their limitations are defined in sandbox policies, where each sandbox type can have its own policy.

Sandbox policies are managed at the cluster level and affect all the nodes in the cluster.

To alter the policies, you'll need AllDatabasesAdmin permissions.

The policy object

A sandbox policy has the following properties.

  • SandboxKind: Defines the type of the sandbox (such as PythonExecution or RExecution).
  • IsEnabled: Defines if sandboxes of this type may run on the cluster's nodes.
  • TargetCountPerNode: Defines how many sandboxes of this type are allowed to run on the cluster's nodes.
    • Values can be between one and twice the number of processors per node.
    • The default value is 16.
  • MaxCpuRatePerSandbox: Defines the maximum CPU rate as a percentage of all available cores that a single sandbox can use.
    • Values can be between 1 and 100.
    • The default value is 50.
  • MaxMemoryMbPerSandbox: Defines the maximum amount of memory (in megabytes) that a single sandbox can use.
    • Values can be between 200 and 65536 (64 GB).
    • The default value is 20480 (20 GB).

Example

The following policy sets different limits for PythonExecution and RExecution sandboxes:

[
  {
    "SandboxKind": "PythonExecution",
    "IsEnabled": true,
    "TargetCountPerNode": 4,
    "MaxCpuRatePerSandbox": 55,
    "MaxMemoryMbPerSandbox": 65536
  },
  {
    "SandboxKind": "RExecution",
    "IsEnabled": true,
    "TargetCountPerNode": 2,
    "MaxCpuRatePerSandbox": 50,
    "MaxMemoryMbPerSandbox": 10240
  }
]
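
A pre-flight check of a policy document against the ranges listed under "The policy object", as an added example (not part of the original page and not Azure Data Explorer tooling). The names `validate_policy`, `LIMITS` and `processors_per_node` are hypothetical, and the sample input is the example policy above.

```python
import json

# Ranges documented on this page as (min, max); max=None means "depends on the node".
LIMITS = {
    "TargetCountPerNode": (1, None),        # max = 2 x processors per node
    "MaxCpuRatePerSandbox": (1, 100),       # percent of all available cores
    "MaxMemoryMbPerSandbox": (200, 65536),  # megabytes
}

def validate_policy(policy_json, processors_per_node):
    """Return a list of violations; an empty list means every set value is in range.

    processors_per_node is supplied by the caller (hypothetical parameter); properties
    omitted from an entry are not checked."""
    entries = json.loads(policy_json)
    if not isinstance(entries, list):
        return ["policy must be a JSON array with one object per SandboxKind"]
    problems = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: must be a JSON object")
            continue
        label = entry.get("SandboxKind") or f"entry {i}"
        if "SandboxKind" not in entry:
            problems.append(f"{label}: missing SandboxKind")
        if not isinstance(entry.get("IsEnabled", True), bool):
            problems.append(f"{label}: IsEnabled must be true or false")
        for name, (low, high) in LIMITS.items():
            if name not in entry:
                continue
            value = entry[name]
            if high is None:
                high = 2 * processors_per_node
            # bool is a subclass of int in Python, so reject it explicitly
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                problems.append(f"{label}: {name} must be a number")
            elif not low <= value <= high:
                problems.append(f"{label}: {name}={value} outside {low}..{high}")
    return problems

# Constructed sample: the example policy from this page.
SAMPLE = """[{"SandboxKind": "PythonExecution", "IsEnabled": true, "TargetCountPerNode": 4,
  "MaxCpuRatePerSandbox": 55, "MaxMemoryMbPerSandbox": 65536},
 {"SandboxKind": "RExecution", "IsEnabled": true, "TargetCountPerNode": 2,
  "MaxCpuRatePerSandbox": 50, "MaxMemoryMbPerSandbox": 10240}]"""

if __name__ == "__main__":
    print(validate_policy(SAMPLE, processors_per_node=8) or "policy is within documented ranges")
```

The same policy passes for an 8-processor node but fails on a 1-processor node, because the TargetCountPerNode ceiling scales with the processor count.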

Notes

  • Changes to the sandbox policy apply to sandboxes created starting from the time the change is applied. Sandboxes that were pre-allocated before the policy change will continue running according to the previous policy limits until they are used as part of a query.
  • There could be a delay of up to five minutes until the change in policy takes effect, because the cluster nodes periodically poll for policy changes.

Next steps

Use the sandbox policy control commands to manage the cluster's sandbox policy.