Proxy-Wasm: Wasmを利用したPlugin機構の開発

Transcript

1. Takeshi Yoneda, Software Engineer, Tetrate.io WebAssembly Night #10 Proxy-Wasm: WasmΛར༻ͨ͠Pluginػߏͷ։ൃ

2. • Takeshi Yoneda (Ϛελέ) / Twitter, Github: @mathetake • Software

   Engineer at Tetrate, California, US • “Paid” OSS dev: Envoy, Istio, Proxy-Wasm, Wasm, TinyGo • C++ committer of Proxy-Wasm project • Creator of Go SDK for Proxy-Wasm • Contributor/Member of V8, Envoy, TinyGo, Weaveworks/Flagger, etc. whoami

3. 1. The current state of WebAssembly 2. Background: Envoy’s extensibility

   3. Proxy-Wasm: WebAssembly For Proxies 4. The Challenges and Future Agenda

4. 1. The current state of WebAssembly

5. • Stack-basedͳԾ૝Ϛγϯͱͦͷ࢓༷ • ݩʑ͸ϒϥ΢β(JS)ͷߴ଎Խ͕໨త • asm.js -> WebAssembly(Wasm)΁ͱਐԽ • ࢓༷ΛಡΊ͹෼͔Δ͕Ұݴ΋

   “host” ΁ͷཁٻ͕ͳ͍ • Portable, platform-agnostic • Run at near-native speed: ΊͬͪΌ଎͍(※࣮૷ʹΑΔ) • Security: ελοΫ͕ϓϩάϥϜ͔Βݟ͑ͳ͍ͱ͔ͦ͏͍͏ͷ WebAssembly 101

6. • ༷ʑͳݴޠ͔ΒίϯύΠϧՄೳ: C, C++, Rust, Go(TinyGo), AssemblyScript • ౰ॳ͸js΁ͷ૊ΈࠐΈ͕લఏ: ͦΕͧΕͷݴޠ͕ಠࣗͷ

   “glue.js”Λ࣋ͭ • ίϯύΠϥڞ௨ͷ“Platform”λʔήοτ͕ͳ͍(͍΍, jsͳΜ͚ͩͲ͞, Έ͍ͨͳ) • VMͱͯ͠༏ल&ίϯύΠϥج൫΋͋Δͷʹ໪ମͳ͍ • ϒϥ΢βͷ֎Ͱ΋࢖͍͍ͨ WebAssembly 101

7. • Wasm <-> Hostͷ࿩͠ํ(ΠϯλʔϑΣΠε)Λඪ४Խ͠·͠͠ΐ͏ • Wasm΁ͷίϯύΠϥͷ“platform”λʔήοτʹ͠Α͏ • WASI (WebAssembly System

   Interface)ͷొ৔ WebAssembly 101 https://hacks.mozilla.org/2019/03/standardizing-wasi-a-webassembly-system-interface/

8. • WASIΛ࣮૷ͨ͠ϥϯλΠϜ͕ొ৔ • WAVM, Wasmtime, Wasmer, Lucet, ౳ʑ • “ී௨ͷϓϩηε”ͱಉ͡Α͏ʹWasm͕ಈ͘Α͏ʹͳΔ

   Wasm gets out of web browsers

9. Example: TinyGo’s WASI support https://github.com/tinygo-org/tinygo/pull/1373

10. • Q. Կނ͜Μͳ͜ͱ͕Ͱ͖Δͷ͔ Wasm: Host functions

11. • Q. Կނ͜Μͳ͜ͱ͕Ͱ͖Δͷ͔: A. ࢓༷ॻΛݟΑ͏ Wasm: Host functions

12. • Q. Կނ͜Μͳ͜ͱ͕Ͱ͖Δͷ͔: A. ࢓༷ॻΛݟΑ͏ Wasm: Host functions

13. • Q. Կނ͜Μͳ͜ͱ͕Ͱ͖Δͷ͔: A. ࢓༷ॻΛݟΑ͏ Wasm: Host functions

14. Example: TinyGo’s WASI support

15. Example: TinyGo’s WASI support “clock_time_get” Λimport

16. Example: TinyGo’s WASI support “clock_time_get” Λimport Wasmtime WASI Implementation

17. Example: TinyGo’s WASI support https://github.com/tinygo-org/tinygo/blob/release/src/runtime/runtime.go

18. Example: TinyGo’s WASI support time.Nowͷ࣮ମ https://github.com/tinygo-org/tinygo/blob/release/src/runtime/runtime.go

19. Example: TinyGo’s WASI support https://github.com/tinygo-org/tinygo/blob/release/src/runtime/runtime.go time.Nowͷ࣮ମ

20. Example: TinyGo’s WASI support https://github.com/tinygo-org/tinygo/blob/release/src/runtime/runtime_wasm_wasi.go ticks nanotime time.Now

21. Example: TinyGo’s WASI support https://github.com/tinygo-org/tinygo/blob/release/src/runtime/runtime_wasm_wasi.go ticks nanotime time.Now

22. Example: TinyGo’s WASI support Wasmtime Runtime͕࣮૷ https://github.com/tinygo-org/tinygo/blob/release/src/runtime/runtime_wasm_wasi.go ticks nanotime time.Now

23. • ݁ہABI (Wasm <-> Hostͷ࿩͠ํ)ܾ͑͞ΊΕ͹ͳΜͰ΋Ͱ͖Δ • ೚ҙͷΞϓϦͷதͰVMΛಈָ͔͍ͯ͜͠͠ͱ͕Ͱ͖ͦ͏ʂ • WASIʹݶΒ༷ͣʑͳABI͕ొ৔͍ͯ͠ΔΒ͍͠ •

    Blockchain༻ͷABI • k8s֦ு༻ͷABI • Proxyαʔό༻ͷABI Wasm gets out of web browsers

24. • ݁ہABI (Wasm <-> Hostͷ࿩͠ํ)ܾ͑͞ΊΕ͹ͳΜͰ΋Ͱ͖Δ • ೚ҙͷΞϓϦͷதͰVMΛಈָ͔͍ͯ͜͠͠ͱ͕Ͱ͖ͦ͏ʂ • WASIʹݶΒ༷ͣʑͳABI͕ొ৔͍ͯ͠ΔΒ͍͠ •

    Blockchain༻ͷABI • k8s֦ு༻ͷABI • Proxyαʔό༻ͷABI Wasm gets out of web browsers ࠓ೔ͷ͓࿩

25. 2. Background: Envoy’s extensibility

26. What is Envoy?

27. • “Cloud-native high-performance edge/middle/service proxy” • CNCF Graduated Project, Github

    Star: 15,000+ • Written in C++ • αʔϏεϝογϡͷData planeͱͯ͠།Ұແೋͷଘࡏ What is Envoy?

28. • ϓϩΩγαʔόʔͳͷͰuse case͕ແݶ • Envoyʹ͸౰વϓϥάΠϯ(֦ு)ػߏ͕ଘࡏ • ֦ுͷྫ • ࣾ಺ಠࣗͷAuthn/Authz ػೳΛೖΕ͍ͨ

    • ಛघͳϓϩτίϧΛѻ͍͍ͨ • MySQL, Redis, DynamoDB, etc. Envoy’s extensibility

29. Envoy’s extensibility

30. • Envoy͸੩తϦϯΫ͕લఏ • C++Ͱॻ͔ͳ͍ͱ͍͚ͳ͍ • มߋ൓өͷͨΊʹશ୆࠶ىಈ͕ඞཁ • StableͳABI͕ܾ·͍ͬͯͳ͍ • ֦ுػೳΛ௥Ճ͢Δʹ͸

    1. Upstream΁Ϛʔδ͢Δ —> ಛघ(private)ͳϢʔεέʔε͸ෆՄ 2. ಠࣗϏϧυΛ͢Δ —> upstream΁ͷ௥ै͕େม Envoy’s extensibility

31. • ղܾ͍ͨ͠՝୊͸ҎԼͷ௨Γ • ಈతʹϓϥάΠϯͷload͕Ͱ͖Δ • ෳ਺ݴޠͷαϙʔτ • EnvoyࣗମͷಠࣗϏϧυ͸ඞཁͳ͍ • Security-awareͳ࢓༷

    Envoy’s extensibility

32. • ղܾ͍ͨ͠՝୊͸ҎԼͷ௨Γ • ಈతʹϓϥάΠϯͷload͕Ͱ͖Δ • ෳ਺ݴޠͷαϙʔτ • EnvoyࣗମͷಠࣗϏϧυ͸ඞཁͳ͍ • Security-awareͳ࢓༷

    Envoy’s extensibility

33. • ղܾ͍ͨ͠՝୊͸ҎԼͷ௨Γ • ಈతʹϓϥάΠϯͷload͕Ͱ͖Δ • ෳ਺ݴޠͷαϙʔτ • EnvoyࣗମͷಠࣗϏϧυ͸ඞཁͳ͍ • Security-awareͳ࢓༷

    Envoy’s extensibility

34. • ղܾ͍ͨ͠՝୊͸ҎԼͷ௨Γ • ಈతʹϓϥάΠϯͷload͕Ͱ͖Δ • ෳ਺ݴޠͷαϙʔτ • EnvoyࣗମͷಠࣗϏϧυ͸ඞཁͳ͍ • Security-awareͳ࢓༷

    Envoy’s extensibility

35. • ղܾ͍ͨ͠՝୊͸ҎԼͷ௨Γ • ಈతʹϓϥάΠϯͷload͕Ͱ͖Δ • ෳ਺ݴޠͷαϙʔτ • EnvoyࣗମͷಠࣗϏϧυ͸ඞཁͳ͍ • Security-awareͳ࢓༷

    Envoy’s extensibility
36. None

37. • ϓϥάΠϯ = WasmͷόΠφϦͱͯ͠Envoyʹ഑෍ • Envoy <-> Wasmͷ࿩͠ํ(ABI)Λstableʹ͠Α͏ • ͢΂ͯͷ՝୊ΛΫϦΞ

    • ೚ҙͷݴޠ, ಈతload, ηΩϡΞ, stableͳABI Extending Envoy with Wasm ಠࣗͷABI

38. • ͦ΋ͦ΋ϓϩΩγαʔόͷ֦ு༻API͸ීวతͳ΋ͷͳ͸ͣ • ྫ: Http Header/Body/Trailerʹରͯ͠◦◦͢Δ, tcpίωΫγϣϯʹରͯ͠xx͢Δ • Envoy͔Β੾Γ཭ͤΔͷͰ͸ʁ =>

    Proxy-Wasmͱ͍͏Envoy͔Βಠཱͨ͠ϓϩδΣΫτʹ Extending Envoy with Wasm

39. 3. Proxy-Wasm: WebAssembly For Proxies

40. • https://github.com/proxy-wasm • ϓϩΩγαʔόͷ֦ுػߏͷͨΊͷABIͱSDK౳ͷ։ൃͷͨΊͷϓϩδΣΫτ • ։ൃ͸࣮࣭తʹ͸EnvoyίϛϡχςΟ • Linkerd΍MosnͳͲ΄͔ͷϓϩΩγք۾΋ࢀೖͷؾ഑ Proxy-Wasm: WebAssembly

    for Proxies

41. • ̐ͭͷݴޠͷSDK͕͋Γ, ؆୯ʹcompatibleͳWasm΁ͷίϯύΠϧ͕Մೳ • C++, Rust, Go(TinyGO), AssemblyScript • Hostͷެ࣮ࣜ૷͸C++ͷΈ

    • https://github.com/proxy-wasm/proxy-wasm-cpp-host • VMͱͯ͠ Wasmtime(wasm-c-api), V8(wasm-c-api), WAVM͕ݱঢ়ར༻Մೳ • Envoy, Apache Traffic Server(PoC)౳͸͜ͷެ࣮ࣜ૷ΛϥΠϒϥϦͱͯ͠࢖͏ Proxy-Wasm: WebAssembly for Proxies

42. • Spec: https://github.com/proxy-wasm/spec • WasmͷϓϩΩγαʔόͷABI(࿩͠ํ)ΛఆΊͨ΋ͷ • (proxy-wasm-cpp-host࣮૷͸v0.2.1ʹͳͬͯΔ͕, spec͕ߋ৽͞Ε͍ͯͳ͍…) Proxy-Wasm specification

43. Proxy-Wasm specification: Example 1. ϩΪϯάͷͨΊʹ “Wasm͔Β”ݺͿؔ਺

44. Proxy-Wasm specification: Example 1. proxy_logͷ࣮૷ in ϗετ https://github.com/proxy-wasm/proxy-wasm-cpp-host/blob/master/src/exports.cc#L854-L864

45. Proxy-Wasm specification: Example 1. proxy_logͷ࣮૷Λظ଴ https://github.com/proxy-wasm/proxy-wasm-rust-sdk/blob/master/src/hostcalls.rs#L20-L32

46. Proxy-Wasm specification: Example 2. ίωΫγϣϯཱ֬࣌, ϗετ͔Βݺ͹ΕΔ “Wasm”಺ͷؔ਺ Tcp data͕౸ண࣌, ϗετ͔Βݺ͹ΕΔ

    “Wasm”಺ͷؔ਺

47. Proxy-Wasm specification: Example 2. http request header౸ண࣌, ϗετ͔Βݺ͹ΕΔ “Wasm಺”ͷؔ਺ http

    request body͕౸ண࣌, ϗετ͔Βݺ͹ΕΔ “Wasm಺”ͷؔ਺

48. Proxy-Wasm specification: Example 2. SDK಺Ͱ࣮૷ & export https://github.com/tetratelabs/proxy-wasm-go-sdk/blob/main/proxywasm/abi_l7.go#L21-L40

49. Proxy-Wasm specification: Example 2. Envoy಺ͷEventϧʔϓ https://github.com/envoyproxy/envoy/blob/master/source/extensions/common/wasm/context.cc#L1577-L1587 https://github.com/proxy-wasm/proxy-wasm-cpp-host/blob/master/src/context.cc#L308-L319

50. Proxy-Wasm specification: Example 2. Envoy಺ͷEventϧʔϓ https://github.com/envoyproxy/envoy/blob/master/source/extensions/common/wasm/context.cc#L1577-L1587 https://github.com/proxy-wasm/proxy-wasm-cpp-host/blob/master/src/context.cc#L308-L319 proxy-wasm-cpp-host಺ͷ onResponseHeadersΛݺͿ

51. Proxy-Wasm specification: Example 2. Envoy಺ͷEventϧʔϓ https://github.com/envoyproxy/envoy/blob/master/source/extensions/common/wasm/context.cc#L1577-L1587 https://github.com/proxy-wasm/proxy-wasm-cpp-host/blob/master/src/context.cc#L308-L319 proxy-wasm-cpp-host಺ͷ onResponseHeadersΛݺͿ “Wasm಺”ͷproxy_on_request_headers

52. • 1 VM / (Plugin, Worker Thread) • Nativeͷ֦ுͷதͰproxy-wasm- cpp-hostΛ࢖༻

    • 1೥൒΋ͷؒ “envoy-wasm”ͱ͍͏ forkઌͰ։ൃ • 10݄ʹupstream΁Ϛʔδ͞Εͨ Proxy-Wasm in Envoy

53. • 2ͭͷDeployͷํ๏ • EnvoyͷϑΝΠϧγες ϜʹWasmΛஔ͍ͯ, ىಈ ࣌ʹϩʔυ • xDSͱݺ͹ΕΔಠࣗͷಈ తconfigurationͷϓϩτ

    ίϧͰRuntimeͰ੾Γସ ͑Δ Proxy-Wasm in Envoy

54. Proxy-Wasm in Envoy

55. Proxy-Wasm in Envoy

56. Proxy-Wasm in Mosn

57. Proxy-Wasm in Linkerd?

58. 4. The Challenges and Future

59. • ೚ҙͷϓϩάϥϜ͔ΒͲ͏ͷΑ͏ʹϗετΛकΔ͔? • Proxyαʔό͸ϛογϣϯΫϦςΟΧϧͳιϑτ΢ΣΞ • ςετ͸ॻ͍ͯ΋ॻ͍ͯ΋ॻ͖͖Εͳ͍ • I/F͕ηΩϡΞͱ͸͍͑ɺಛఆͷύεͰΫϥογϡ͢Δ͜ͱ΋͋Δ Challenges in

    Proxy-Wasm

60. • ύϑΥʔϚϯεͷ໰୊ • Near-nativeͱ͸͍͑΍ͬͺΓগ͠஗͍ • GC෇͖ͷݴޠ͸Proxy-Wasm޲͚ͷGCΞϧΰϦζϜΛ։ൃ͠ͳ͍ͱ ͍͚ͳ͍? Challenges in Proxy-Wasm

61. • αϙʔτݴޠ, ͦ͜·Ͱଟ͘ͳ͍Α͏ͳ….? • WasmͷΤίγεςϜࣗମ͕·ͩະख़ Challenges in Proxy-Wasm

62. • V8, WAVM, WasmtimeΛಉ࣌ʹlink͠Α͏ͱͨ͠Βsymbol͕িಥ • libunwind, wasm-c-api, GDB JIT interface

    Challenges in Proxy-Wasm

63. • ABI͕Envoyͷ࣮૷ʹ͍ͩͿد͍ͬͯΔ(౰ͨΓલͱ͍͑͹౰ͨΓલ…) • 1VM͕ෳ਺ͷϦΫΤετΛࡹ͘ͱ͍͏ઃܭ • V8 / WAVMͷoverhead͕എܠ • 1VM

    = 1 requestͱ͍͏Ϟσϧͷ৔߹ʹෆཁͳઃఆ͕͍͔ͭ͋͘Δ Challenges in Proxy-Wasm

64. • RuntimeͲΕબ΂͹ྑ͍ͷ͔໰୊ • (Runtimeͷ)Compile, (Wasm)ͷCompile, ࣮ߦ଎౓ͷτϨʔυΦϑ Challenges in Proxy-Wasm

65. • ·ͩ·ͩEarly days (Join us!): server-side Wasmͷ੒ޭྫͱͳΓ͍ͨ • EnvoyҎ֎ͷProxyʹΑΔαϙʔτ Future

    of Proxy-Wasm

66. • BytecodeAllienceೖΓ…? • ࣮ࡍProxy-Wasm͸͋ΔछͷWASIͷ֦ுͰ͋Δ • Pre-Proposal phaseͱͯ͠WASIͷProposalʹ͍Δ • https://github.com/WebAssembly/WASI/blob/master/docs/ Proposals.md

    Future of Proxy-Wasm

67. Future of Proxy-Wasm https://stackoverflow.com/questions/60969344/what-is-the-relationship-between-wasi-and-proxy-wasm

68. • OCI-compilantͳartifact imageͱͯ͠WasmͷόΠφϦΛ֨ೲ • docker pullͱಉ͡Α͏ʹ֦ுػೳΛϩʔυ • ͜Ε͸Proxy-Wasmʹݶͬͨ࿩Ͱ͸ͳ͍ • https://github.com/deislabs/krustlet

    : k8s্Ͱίϯςφͱͯ͠WasmΛಈ͔͢project • https://github.com/deislabs/oras: OCI Registry As Storage • ๭͔ࣾΒ“Proxy-Wasm༻” OCI Spec͕ఏҊ͞Ε͍ͯΔ͕…(ࣾձੑϑΟϧλʔ) Future of Proxy-Wasm

69. • Proxy-Wasm = WasmΛ࢖ͬͨϓϩΩγαʔόͷ֦ுػߏͷඪ४ԽϓϩδΣΫτ • WasmΛαʔό಺Ͱಈ͔ͯ͠ΠϕϯτຖʹWasm΁࿩͔͚͠Δ • ·ͩ·ͩearly days •

    Wasm/WASIͱڞʹ೔ʑਐԽ͍ͯ͠Δ • Envoy slackͷ #envoy-wasmͱ͍͏νϟϯωϧ͕Ұ൪ϝϯςφʹ͍ۙ ·ͱΊ

70. • Service Meshͷ࣮૷ͷࠐΈೖͬͨ࿩ • Envoyͷ֦ுͷਏ͞͸IstioଆͰڧ͍Ϟνϕʔγϣϯ͕͋ͬͨ͜ͱ • IstioଆͰطʹproductionͰ࢖ΘΕ͍ͯΔ͜ͱ • ֤SDKͷ࣮૷ͷਏ͞ͷ࿩ •

    Rust͸Wasmͷத΁ͷreentrant call͕ෳ਺ͷmutable borrowΛੜΜͰࢮ͵ͱ͔ • GoͷWASIαϙʔτ͸Ұੜདྷͳ͍ؾ͕͢Δͱ͔ͦ͏͍͏࿩ • V8ઌੜͱͷϝϞϦϦʔΫ֨ಆ೔ه • Rustͷίʔυ͕ॳΊͯEnvoyʹlink͞ΕΔ·Ͱͷي੻(ۤস) • GetEnvoy Extension Toolkit౳ͷ։ൃπʔϧ ࠓ೔࿩ͤ(͞)ͳ͔ͬͨ͜ͱ

71. We are hiring! https://www.tetrate.io/careers/