Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WebAssembly for the Backend: GlueCon 2023

WebAssembly for the Backend: GlueCon 2023

This was an updated deck with new content on what's going out in Dapr 1.11 and some upcoming work on the Kubernetes Scheduler.

Adrian Cole

May 24, 2023

More Decks by Adrian Cole

Other Decks in Technology


  1. All-in on wazero.io, the zero dependency WebAssembly runtime for Go

    2 I’m Adrian from Tetrate codefromthecrypt on GitHub @adrianfcole
  2. Agenda WebAssembly is about safely running 3rd party code. We’ll

    review non-browser use cases, in architecture order from high to low level. Integrations use wazero, but code run often isn’t Go. 3
  3. WebAssembly allows decoupling without RPC. Tools like go-plugin allow you

    to define ABI as protobuf services. 5 knqyf263/go-plugin gRPC Host Guest Decoupled with gRPC API Decoupled with WebAssembly Monolith Modularization Service
  4. Sidecars Sidecars are usually monolithic, and while highly customizable, tricky

    to change. For example, Envoy versions are tightly coupled to Istio versions. Dapr is a static binary, so cannot load custom libraries dynamically. 6
  5. Customizing sidecars with HTTP Middleware My App Middleware 1 Middleware

    2 Middleware 3 Dapr Sidecar Request Response You install this You built this You configure this
  6. You want to break the monolith My App Middleware 2

    Middleware 3 Dapr Sidecar Request Response My Filter You can’t change this binary You built this You want to own this code
  7. Sidecars define the WebAssembly function contract they support ABI is

    a contract between the host running wasm and the guest. It defines functions like an IDL. Dapr (golang) supports the http-wasm ABI, implementing the server side of an HttpHandler. Compatible middleware, compiled to wasm, can be replaced without changing Dapr 9
  8. So.. WebAssembly can break the monolith My App Middleware 2

    Middleware 3 Dapr Sidecar Request Response My Filter WebAssembly allows custom functionality in a static binary, based on an ABI contract http-wasm guest http-wasm host My Filter http-wasm/http-wasm-guest-tinygo v1.10
  9. Dapr v1.11 supports binding wasm to outputs Wasm Normal flow

    to outside process Provisioning free!
  10. Kubernetes Today, you can customize the scheduler in two ways:

    Scheduler framework plugins are compiled in Extender delegates to an external process via WebHooks 12
  11. Scheduling framework is great, but requires a rebuild Scheduler Your

    code Cache Process local cache Can use any feature Growing list of plugins to maintain…
  12. Extender has some significant downsides Your code API server Remote

    HTTP + JSON Scheduler Deployment concern Get state not in WebHook Requests Hard to abort
  13. Scheduler Cache A SIG just started to extend the scheduler

    with wasm kubernetes-sigs/kube-scheduler-wasm-extension Your code
  14. WebAssembly is a great extension model Wasm are binaries that

    can be distributed as files or OCI images. Inline 3rd party dynamically instead of baking more into the build Avoid problems of remote RPC or WebHook deployment and availability.
  15. Containers images are platform specific Container images must be built

    for the intended OS + architecture. “FROM scratch” can reduce this to kernel+arch, but only for static binaries. Many applications require a base layer with dependencies like libc, complicating deployment 18
  16. 19 Just like Java, Wasm has no operating system •

    Compiling to %.wasm removes platform dependencies • You can compile it on linux and run it on windows • wasm containers are emerging, but not mature
  17. 20 DIY WebAssembly containers look similar to java ones Container

    integration means pushing a WebAssembly Virtual Machine into the container runtime. For example, wasmer or wasmtime in crun. Some pros of wasm containers is re- use of Dockerfile and OCI registries
  18. Wasm containers are limited The POSIX layer used by containers

    is called WASI. There are only 44 usable system calls in the de- facto wasip1 version, supported by most compilers. Don’t assume programs will compile to WASI, become smaller, or run more efficiently. Measure! 21
  19. WebAssembly isolates via a lightweight VM When applied to containers,

    WASI is like a limited operating system. WebAssembly is integrated into an OCI runtime like crun OCI integration gives WebAssembly the benefits of Dockerfile
  20. 24 • Start a process (os/exec) • Call a Foreign

    Function (CGO) Sometimes we want to call code we can’t import
  21. Wasm cannot directly affect resources like files. Guests call imported

    host functions with pointers to shared memory they own. 25 out, err := run(ctx, fi leFS(path), "dcraw", "-e", "-c", "input") WASI commands are like os/exec but safer _start fd_read(input) args_get mem.Write(dcraw_-e_…) out.Write(mem) fi le.Read(mem) github.com/ncruces/RethinkRAW fd_write(stdout) memory dcraw.wasm wasi dcraw.c clang
  22. 26 Why use WebAssembly instead of normal FFI? github.com/ncruces/go-sqlite3 You

    can embed stateful processes into your application, provided they can be compiled to wasm and route I/O through WASI
  23. Code may look similar, but wasm is very different than

    CGO 27 WebAssembly isn’t integrated like usual FFI, but it is safer. github.com/ncruces/go-sqlite3 Not C.CString Not unsafe.Pointer Dynamic not pre- defined in import “C”
  24. Trivy provides an SDK which implements their custom ABI for

    config and analysis. Modules are installed locally or via OCI repository. 28 You can embed wasm or you can distribute it trivy.dev acme-cves.wasm acme-cves.go Tinygo Trivy SDK ghcr.io/acme
  25. Wasm facilitates re-use without forking or FFI Something compiled to

    WASI can be used like a forked process. You can re-use foreign functions without the safety hazards. Apps can choose whether to leverage wasm internally, or expose it for plugins.
  26. 31 Zig can compile Zig and C/C++ TinyGo and Go

    can compile Go A tale of 2 compilers
  27. Programming WebAssembly is a work in progress Compilers are different

    or at least need different flags. Don’t make assumptions from blogs. Develop, profile and benchmark! Be prepared for more work than usual, usually more technical.
  28. Star any project you enjoyed, including tetratelabs/wazero Join me #wazero

    on gophers slack! 35 • WebAssembly impacts all layers of architecture • OCI Dockerfile is a natural fit for WASI binaries • Developers can use wasm instead of subprocesses or native libraries • WebAssembly is evolving, so proceed with caution. Here are some good talks: Wasmer Things: An Upside Down Guide To WebAssembly by Edoardo Vacchi CGO-less Foreign Function Interface With WebAssembly by Takeshi Yoneda