Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CRI-O's WASM Adventure: Challenges, Strategies,...

CRI-O's WASM Adventure: Challenges, Strategies, and What Lies Ahead

Many years our two heroes CRI-O (a lightweight container runtime for Kubernetes) and WebAssembly spent apart, honing their strengths for the adventure to come. Join us in this talk, as we tell a tale describing the reasons why WASM support is essential for CRI-O, the challenges faced during its integration, such as runc's lack of support for WASM and the complexity of assigning the correct runtime to a pod, and the strategies employed to overcome these challenges. Additionally, we will outline our vision for the future of this integration such as handling WASM workload as container images and loading WASM plugins directly into CRI-O instead of NRI and how it will revolutionize the capabilities of CRI-O and Kubernetes. This talk is designed for developers, operators, weary travelers, and anyone interested in the intersection of Kubernetes, CRI-O, and WebAssembly

Sohan Kunkerkar

April 11, 2024
Tweet

More Decks by Sohan Kunkerkar

Other Decks in Technology

Transcript

  1. Sohan Kunkerkar & Peter Hunt CRI-O's WASM Adventure: Challenges, Strategies,

    and What Lies Ahead A journey into integrating WebAssembly support in CRI-O and Kubernetes
  2. Contents • Brief Introduction to CRI-O and WASM • Unlocking

    the Potential With WASM • The Roadblocks We Faced • Overcoming Challenges • Demos • Future Work • Closing Remarks and Questions
  3. Introduction • CRI-O ◦ Lightweight and Focused ◦ Native Kubernetes

    Integration ◦ Security Emphasis • WASM ◦ Language Agnostic ◦ Efficient Execution ◦ Sandboxed Environment • Coming Together for This Adventure
  4. Unlocking the Potential with WASM • Cross-Platform Execution ◦ Single

    binary for multiple OS and architectures • Efficient and Near-Native Performance ◦ Low disk footprint ◦ Minimal startup time • Secure Execution Environment ◦ Module signing for code integrity and authenticity ◦ Runtime security controls independent of host OS user privilege ◦ Secured execution environments with controlled memory access. Image source: https://www.freepik.com/free-vector/open-padlock-concept-illustration_82647715.htm
  5. Benefits of WASM Support in CRI-O • Edge Computing Agility

    ◦ Enables cross-architecture, lightweight deployments • Dynamic Scaling ◦ Low disk footprint and rapid startup time • Security-Enhanced Microservices: ◦ Provides module signing and runtime security controls • Polyglot Microservices Architecture ◦ Enables polyglot programming for language flexibility
  6. Roadblocks • No native support for WASM in runc ◦

    https://github.com/opencontainers/runc/is sues/3271 • Alternative solution: crun with Image annotation ◦ Requires adding an annotation (module.wasm.image/variant=compat-s mart) to an image ◦ This mechanism involves propagating OCI image annotations to the runtime
  7. Roadblocks • Choosing the right runtime class ◦ Uncertainty about

    the image platform, posing a significant hurdle to automatic runtime assignment.
  8. Strategies • Treat images with the wasi/wasm as WASM by

    default • Introduction to platform_runtime_paths to the RuntimeConfig • https://github.com/cri-o/cri-o/pull/7180
  9. Future Work Plugins: • Supporting plugins and wiring additional data

    ◦ https://github.com/sohankunkerkar/cri-o/tree/wasm-poc-2 ◦ https://github.com/containers/crun/pull/1432 ◦ Allows more meaningful work ◦ Two buzzwords in one (WASM + AI) ◦ Subject to change
  10. Future Work Optimize WASM handling: • Handling WASM artifacts as

    Container images ◦ https://github.com/cri-o/cri-o/issues/7492 ◦ No need to pack into a scratch image!
  11. Future Work Optimize WASM handling: • Handling WASM artifacts as

    Container images ◦ https://github.com/cri-o/cri-o/issues/7492 ◦ No need to pack into a scratch image! • Direct integration of WASM plugins into CRI-O ◦ https://github.com/cri-o/cri-o/issues/7277 ◦ Optimize out crun?
  12. Quick Aside: NRI • Node Resource Interface ◦ Common framework

    for extending OCI-compatible runtimes ◦ Supported by containerd and CRI-O ◦ https://github.com/containerd/nri/
  13. Future Work Extend WASM Investment: • WASM plugins loaded instead

    of NRI ◦ https://github.com/cri-o/cri-o/issues/7277 • No RPC, no external process, just plugins!