Building a Containerless Future

with WebAssembly

About Me

  • Capital One Distinguished Engineer
  • Distributed Systems Nerd
  • Build back-ends for fun
    • Biometrics as a Service
    • Waste Management
    • Cloud Foundry "Pez" Dispenser
    • Search & Rescue Drones
  • WebAssembly Zealot Proponent

Twitter: @KevinHoffman

GH: autodidaddict

WebAssembly

Why Should We Care?

Benefits of Wasm in the Browser

  • Speed
  • Small Footprint
  • Security
    • Rigid Sandbox
    • Memory Isolation
  • Developer Productivity
  • Rapid, Continuous Deployment

🤔

Benefits of Wasm in the Cloud

  • Speed
  • Small Footprint
  • Security
    • Tamper-Proofing
    • Provenance
    • Policy Control
    • Rigid Sandbox
    • Memory Isolation
  • Developer Productivity
  • Rapid, Continuous Deployment

🤓

WebAssembly Is Small

  • Self-contained, portable file
  • Microservices* can be as small as 2MB!
  • Most of the work is done by the host runtime, not the wasm file
  • I've lost 51lbs since learning WebAssembly
    • Coincidence?

WebAssembly Is Secure

  • Immune to buffer overruns & similar
  • Custom sections ideal for storing signature + hash, metadata
  • Host decides what module can/cannot do
  • Isolated memory sandbox, cannot leak or exfil sensitive data
  • Format is easily disassembled
    • Don't hide trade secrets in wasm files

WebAssembly Is Portable

  • Single file runs anywhere there's a host
    • Browser
    • Cloud
    • IoT
  • OS, Processor, Platform Agnostic
  • Does not require containers
  • Only as portable as we make it*

WebAssembly Is Polyglot

  • Language for host runtime and modules are decoupled
  • Can write modules in any* language
    • Rust
    • Go*
    • Zig
    • AssemblyScript
    • C/C++

Host Runtimes

Wasm Outside the Browser

Low-Level Runtimes

  • C/C++
  • Rust
  • Go
  • Python
  • V8/Node
  • ...

Hosts

Host Langs

Interpreters and Compilers

Mid-Level Runtimes

Layers Built on/Used with Low-Level Runtimes

  • waPC
    • Bi-Directional Functional Calling
    • Pass Arbitrary Binary Payloads
    • Memory Agnostic
      • Neither Side Maintains Pointers to Other Side's Memory
    • Stateless
    • Synchronous (no multi-threading in Wasm)
  • wascap - Sign, Embed, Query JWTs in WebAssembly Modules
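
Added example, not from the original slides and not wascap's code: a sketch of the idea behind the "Custom sections ideal for storing signature + hash, metadata" bullet and the wascap bullet above, in which an integrity tag travels inside the module as a custom section and covers every other byte. Assumptions: the section name `demo-integrity` is hypothetical, and a keyed HMAC-SHA256 stands in for the signed JWT, so this is not wascap's on-disk format.

```python
import hashlib
import hmac

HEADER = b"\x00asm\x01\x00\x00\x00"        # magic + binary format version 1
NAME = b"demo-integrity"                    # hypothetical custom section name
PREFIX = bytes([len(NAME)]) + NAME          # name encoded as length + bytes
# Constructed sample: header plus a type section declaring one () -> () function.
SAMPLE = HEADER + b"\x01\x04\x01\x60\x00\x00"

def read_u32(buf, pos):
    """Decode an unsigned LEB128 u32 at pos; return (value, next_pos)."""
    value = 0
    for i, byte in enumerate(buf[pos:pos + 5]):
        value |= (byte & 0x7F) << (7 * i)
        if byte < 0x80:
            return value, pos + i + 1
    raise ValueError("malformed LEB128")

def split(module):
    """Return (module without the integrity section, stored tag or None)."""
    if module[:8] != HEADER:
        raise ValueError("not a wasm binary")
    kept, tag, pos = bytearray(HEADER), None, 8
    while pos < len(module):
        size, body = read_u32(module, pos + 1)    # byte at pos is the section id
        end = body + size
        if end > len(module):
            raise ValueError("truncated section")
        if module[pos] == 0 and module[body:end].startswith(PREFIX):
            tag = module[body + len(PREFIX):end]  # payload after the name
        else:
            kept += module[pos:end]               # every other section is covered
        pos = end
    return bytes(kept), tag

def sign(module, key):
    """Append a custom section (id 0) holding HMAC-SHA256 over the other bytes."""
    kept, _ = split(module)
    body = PREFIX + hmac.new(key, kept, hashlib.sha256).digest()
    return kept + bytes([0, len(body)]) + body    # 47-byte body fits one size byte

def verify(module, key):
    """True only if the tag exists and matches the module's remaining bytes."""
    kept, tag = split(module)
    expected = hmac.new(key, kept, hashlib.sha256).digest()
    return tag is not None and hmac.compare_digest(tag, expected)
```

A bare, unkeyed hash in the section would not be enough, since anyone who alters the module can recompute it; the tag has to be bound to a key or signature the host trusts.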

High-Level Runtime

waSCC - Layer Built on waPC and wascap

  • Build services & functions in Wasm as Actors!
  • Utilize Embedded, Signed JWTs
    • Verify Provenance
    • Restrict Access to High-Level Capabilities
    • Integrate with OPA
  • Dynamically Bind Actors to Capabilities:
    • Message Broker
    • HTTP client, server
    • Key-Value Store
    • Custom Capabilities
  • Rust Host SDK
  • Rust Actor SDK (Go* coming soon)

WebAssembly Secure Capabilities Connector (waSCC)

WebAssembly Ecosystem

"If I have seen further, it is by standing on the shoulders of giants"

    - Isaac Newton

Building our own Shoulders

  • Out of Browser Host Runtimes
  • Tooling
  • Education
  • Documentation
  • Community

DEMOS!

DEMOS

  • "Wasm in the Raw" - wat2wasm
  • Basic Procedure Calls - waPC
  • WebAssembly in the Cloud - waSCC

Call to Action

Building a Containerless Future with WebAssembly

By Kevin Hoffman

WebAssembly is the future of distributed computing. Its security, memory isolation, small footprint, and true portability are all advantages on the web, but become truly game-changing when used to build functions and services deployed in the cloud. This session illustrates how to host WebAssembly modules in Rust code, how to build modules in many different languages (including pros and cons of each), and how to securely grant cloud-native capabilities to these modules. Discussed in detail is the current state of the art in WebAssembly and what can be built with it today. Learn what developers can start doing now to build the containerless future where WebAssembly modules are the de-facto unit of immutable deployment in the cloud, at the edge, and even in IoT and embedded devices.
