Wasm -
The Container Killer?

Rainer Stropek | @rstropek@fosstodon.org | @rstropek


Rainer Stropek

  • Passionate developer since 25+ years
  • Microsoft MVP, Regional Director
  • Trainer, Teacher, Mentor
  • πŸ’• community


Only run code that you trust

  • Trusted sources
    • Trusted suppliers, employees
    • Open-source software
  • Trusted languages and platforms
    • E.g. C vs. Rust
  • Who can we trust?
    • E.g. supply-chain attacks
    • Rogue people
    • Human errors

Trust, but limits

We need to isolate un/semitrusted code

  • Limited view on the host system
    • Processes
    • File system
    • Network
  • Limited access to resources
    • CPU and memory limits
  • Different levels
    • Physical machines
    • Virtual machines
    • Containers
    • Processes





  • We want to make good use of resources
    • Hardware
    • Peoples' time
  • Sharing on different levels
    • VMs on hypervisors
    • Containers
    • Different Processes
    • Same process
  • Influencing factors
    • Strength of separation
    • System overhead
    • Toil required to keep system alive
    • Developer productivity


  • Containers can help in some areas
  • More efficient than VMs
  • Complex architectures compared to monoliths
    • DevOps toil
    • Reduced developer productivity
  • In practice: Choose between simplicity/productivity
    and security through separation



Build once, run everywhere

  • Portable code to avoid having to build for many platforms
    • E.g. IL in C# and Java, JavaScript
    • No longer the case when using AOT
  • Ideally: JIT or AOT available on many different platforms
    • (including the browser)
  • Containers cannot really help here


+ Sandbox

+ Efficiency


What is WebAssembly (Wasm)?

  • Binary instruction format for stack-based VM
  • Language-agnostic
    • Portable compilation target for many languages
    • E.g. Rust, C, C#, etc.
  • Inside the browser and outside of the browser
  • Outside of the browser we need a host
    • Custom host πŸ”—
    • Ready-made hosts (e.g. wasmtime πŸ”—, wasmer πŸ”—)
    • WebAssembly Systems Interface (WASI πŸ”—) for accessing OS-like features (e.g. file system, web requests) in a platform-agnostic way



Run Wasm module in .NET with limited fuel


# Sample: https://github.com/rstropek/rust-samples/tree/master/hello-wagi

just wasmtime

...build a web server for Wasm and host each request handler in a separate (sandboxed) process?

Enter: WAGI πŸ”—



# Sample: https://github.com/rstropek/rust-samples/tree/master/hello-wagi

just run-native level1
just run level1
# Open http://localhost:3000/level1-ping
# Change modules.toml and open http://localhost:3000/ping-oci

just run-native level2
just run level2
# Do some web requests to http://localhost:3000/level2

just run level3
# Open http://localhost:3000/level3
# Discuss file mappings
# Discuss routing

just run level4
# Execute GET http://localhost:3000/level4?year=2022&month=5&day=18
# Discuss allowed host

...define a Wasm-based standard for building and running language-agnostic (sandboxed) components?

Enter: Wasm Components πŸ”—



# Sample: https://github.com/rstropek/rust-samples/tree/master/hello-spin

just run
# Open http://localhost:3000/level1
# Send requests to http://localhost:3000/level2
# Send requests to http://localhost:3000/level3

Fractal Tree

Fun With Trees 🌲

# Build everything for Linux
just build-linux

# Check CLI
just help-linux

# Run native app
just run-linux

Fun With Trees 🌲 - Let's Go Wasm

# Build everything for Wasm (Wasi)
just build-wasi

# Run tree generator with Wasmtime
just run-wasi
# Add gas limit to see resource limits in action


Fun With Trees 🌲 - Let's Go Wasm

# Build everything for Wasm (Wasi)
just build-wasi

# Run tree generator with WasmEdge
just run-wasmedge

# Run tree generator with stats
just run-wasmedge-stats

# AOT compile using wasmedgec
just aot

# Run AOT compiled version
just run-aot


...make tree generator available online using Wasm and Spin?

Enter: Spin

Fun With Trees 🌲 - Let's Go Wasm

# Build spin app
just build-spin

# Run spin app
just run-spin

# Publish everything in the Spin cloud
just deploy-spin

Spin πŸ”—

...put our Wasm module on Dockerhub and run it on K8s?

Enter: Containerd Wasm Shims πŸ”—

Fun With Trees 🌲 - Let's Go AKS

# Build and publish Docker image
just docker

Wasm Workload on AKS πŸ”—

  • Add a Wasm/Wasi node pool to AKS πŸ”—
kubectl get nodes -o wide
kubectl describe node aks-mywasipool-41740949-vmss000000
kubectl describe node aks-mywasipool-41740949-vmss000000 | grep spin
  • Add Wasm/Wasi workload
cd AKS/spin-workload
kubectl apply -f spin.yaml

So What?

  • Containers did not kill VMs in Hypervisors
  • Wasm will not kill Containers!
  • However,...
    • ...Wasm is similar to Containers on a higher abstraction level
    • ...Wasm is platform-agnostic
    • ...Wasm runs in a sandbox
    • ...you can build light-weight Wasm-based components
  • Many application areas beyond webservers
    • Serverless cloud environments ("cloud edge")
    • Run semi-trusted components in Sandbox, protects against supply-chain attacks
    • Build language-agnostic extensibility layers for e.g. business apps
    • ...


Thank you for your attention!


By Rainer Stropek


  • 851