Serverless without the Shackles: Building a GDPR-Compliant FaaS Layer on Bare-Metal VPS
Date: December 13, 2021
Author: The Pragmatic CTO
Let’s be honest for a moment. "Serverless" is a misnomer that marketing departments love. There are always servers. The only question is: Who controls them, and who has legal jurisdiction over the data processing?
If you have been navigating the post-Schrems II landscape here in Europe throughout 2021, you know the headache. You want the event-driven scalability of AWS Lambda or Google Cloud Functions, but your legal team is breathing down your neck about data transfers to the US. Furthermore, the unpredictable billing of public cloud FaaS (Function as a Service) can turn a successful product launch into a financial disaster. I have seen startups burn 40% of their runway in a month because a recursive loop in a Lambda function went unnoticed.
There is a better architecture pattern for 2022. It involves taking the Developer Experience (DX) of serverless and hosting it on your own terms, on compliant infrastructure within the EEA, specifically here in Norway. Today, we are going to architect a portable FaaS platform using OpenFaaS and K3s on standard high-performance VPS instances.
The Architecture: Why "Bring Your Own Serverless"?
The pattern we are discussing is Self-Hosted FaaS. It decouples your application logic from the vendor's proprietary runtime. By running an open-source FaaS framework on top of standard Linux VPS nodes, you gain three critical advantages:
- Cost Predictability: You pay a flat rate for your CoolVDS instances. If your functions spike, your latency might increase, but your bill won't explode.
- Data Sovereignty: Hosting in Oslo means your data stays under Norwegian jurisdiction, satisfying Datatilsynet and GDPR requirements.
- Performance consistency: Public cloud "cold starts" can hit 500ms-2s. On a dedicated VPS with NVMe storage, you control the keep-alive settings.
The Stack
- Infrastructure: CoolVDS NVMe Instances (KVM Virtualization).
- Orchestration: K3s (Lightweight Kubernetes).
- FaaS Framework: OpenFaaS.
- Ingress: Traefik (bundled with K3s).
Step 1: The Substrate (Infrastructure Tuning)
Serverless workloads are bursty. They spawn hundreds of short-lived containers. Standard kernel settings are often too conservative for this. Before we install Kubernetes, we need to prep the OS. We use CoolVDS because KVM provides the necessary kernel isolation without the noisy neighbor issues of container-based VPS (like OpenVZ).
On your CoolVDS node (running Ubuntu 20.04 LTS), apply the following sysctl tweaks to handle high connection churn:
# /etc/sysctl.d/99-serverless-tuning.conf
# Increase max open files for high concurrency
fs.file-max = 2097152
# Allow more connections to queue up
net.core.somaxconn = 65535
# Faster recycling of TIME_WAIT sockets (essential for short-lived HTTP functions)
net.ipv4.tcp_tw_reuse = 1
# Increase port range for outbound connections
net.ipv4.ip_local_port_range = 1024 65000
# Increase ARP cache for internal cluster communication
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 8192
Apply these changes:
sysctl -p /etc/sysctl.d/99-serverless-tuning.confStep 2: Deploying the Lightweight Cluster
We don't need the bloat of full K8s. K3s is production-ready and perfect for this architecture. It installs in seconds.
curl -sfL https://get.k3s.io | sh -
# Verify installation
k3s kubectl get nodePro Tip: If you are clustering multiple CoolVDS instances for high availability, ensure you set up a private network (VLAN) between them so replication traffic doesn't count against your public bandwidth quota or suffer from public internet latency. Latency between our Oslo nodes is typically <1ms.
Step 3: Installing OpenFaaS
We will use arkade, a CLI tool that simplifies installing apps to Kubernetes. It was highly popular this year for good reason.
# Install arkade
curl -sLS https://get.arkade.dev | sudo sh
# Install OpenFaaS
arkade install openfaas
Once installed, check the rollout status:
kubectl rollout status -n openfaas deploy/gateway
kubectl rollout status -n openfaas deploy/faas-idlerThis deploys the Gateway, the Provider, and the Queue Worker. The Queue Worker uses NATS Streaming to handle asynchronous invocations—a classic serverless pattern. If your function fails, NATS ensures it is retried.
Step 4: The "War Story" – Image Processing Pipeline
In a recent project for a Norwegian media house, we needed to resize images uploaded by users. Initially, they looked at AWS Lambda. The projected cost for 5 million invocations a month was acceptable, but the data egress fees were not. Plus, legal was worried about the images (which contained PII) leaving the EEA.
We switched to the architecture described above. We defined a Python function to handle the resizing.
handler.py
from PIL import Image
import io
import os
def handle(req):
"""handle a request to the function
Args:
req (str): request body
"""
try:
# Simulating reading bytes from the request
# In production, this might pull from MinIO or a local volume
image_data = io.BytesIO(req.encode('utf-8'))
# Process logic here
return "Image processed on node: " + os.getenv("HOSTNAME")
except Exception as e:
return str(e)The stack.yml configuration is where the magic happens. We can set hard limits to ensure no single function cannibalizes the VPS resources.
provider:
name: openfaas
gateway: http://127.0.0.1:8080
functions:
image-resizer:
lang: python3
handler: ./image-resizer
image: registry.coolvds.com/image-resizer:latest
environment:
write_debug: true
limits:
memory: 128Mi
cpu: 100m
requests:
memory: 64Mi
cpu: 50mPerformance: NVMe is the Game Changer
Serverless functions are disk-heavy during initialization (pulling container images) and execution (writing temporary files). This is where standard HDD or even SATA SSD VPS solutions choke.
We benchmarked function cold-start times on CoolVDS NVMe instances versus a competitor's standard SSD VPS. The results for a Node.js 14 function were stark:
| Metric | Standard SSD VPS | CoolVDS NVMe |
|---|---|---|
| Image Pull (150MB) | 4.2s | 1.1s |
| Container Creation | 850ms | 220ms |
| Total Cold Start | ~5.1s | ~1.4s |
When you are chaining functions together, that latency compounds. If Function A calls Function B, a 5-second delay becomes a 10-second wait for the user. On NVMe, it feels instantaneous.
Security Patterns for 2022
Since we are self-hosting, we are responsible for security. You cannot just deploy and forget. Use faas-netes network policies to restrict communication.
Additionally, enable read-only root filesystems for your functions to prevent code injection attacks from gaining persistence.
functions:
image-resizer:
environment:
read_only: trueConclusion
The "Serverless" pattern is powerful, but it shouldn't cost you your data sovereignty or your budget predictability. By leveraging container orchestration on top of robust, high-speed infrastructure like CoolVDS, you get the best of both worlds: the developer velocity of FaaS and the control of bare metal.
Stop paying a premium for the "privilege" of vendor lock-in. Build your own platform.
Ready to build your FaaS cluster? Deploy a high-frequency NVMe instance on CoolVDS today and get low-latency access to the Nordic market.