Cloud Native Wasm day is a twice-a-year highlight for all of us at Cosmonic. As the years go on Wasm Day continues to evolve from development progress to practical applications and impressive use of the technology. Today we saw a significant focus on security, especially isolation, high performance Wasm use cases, and an emphasis on the flexibility of the technology itself.
All of the presenters rightfully earned their speaking slot, addressing the biggest interests and challenges from The State of WebAssembly 2023 over the course of the day. We saw big improvements in consistent developer experiences between runtimes, compatibility, removal of custom code, and preferred language support: each mention the Component Model as a contributing factor.
In my opinion, here are the talks that I consider “unmissable” from this year's Wasm day NA, and you can take a look at the summaries and opinions to see why:
Welcome + Opening Remarks, Program Committee Members - Lin Sun, Solo.io & Liam Randall, Cosmonic
Lin Sun, Head of Open Source at Solo.io, and a contributor to Envoy & Istio, kicks off Wasm day with excitement! She developed over 20 patents at her time at Intel. Being one of the original contributors to Istio, Lin is a subject matter expert, and has written two books on the project. We got a brief insight into the minds of the program committee when Lin showed that a big factor in the accepted talks today was the biggest interest points from the state of Wasm survey. With all that being said, time for Wasm day!
WebAssembly Component Model: Enhancing Security, Productivity, and Green Computing - Bailey Hayes, Cosmonic & Kate Goldenring, Fermyon Technologies, Inc.
Kate and Bailey begin their talk by taking a step back. At Wasm day it can get easy to get caught up in the technology itself. Instead of looking at how Wasm impacts software, she looks at what it really means to write good software. Citing the Sysdig 2023 Cloud-Native Security and Usage Report, Bailey points out that 87% of container images running in production have a critical or high level vulnerability, and it often isn't even contained in user code. Using the Component Model, Kate and Bailey show an authentication middleware demo to a round of applause using a composable auth component that's completely separate from business logic.
We've heard the benefits of Wasm many times: security, portability, composability, flexibility, etc. This talk additionally highlights the tertiary benefits of Wasm thanks to the implications of the technology: isolation, energy efficient, productive developers, to name a few. With a series of well-balanced business logic and terminal demos, we got to see the same composable WebAssembly component run in Wasmtime, Fermyon Spin and Cosmonic (with CNCF wasmCloud under the hood.)
Opinion: This is the first time I've seen an individual Wasm component run across three runtimes that have their own developer SDKs, CLIs, and hosted cloud experiences. Working at Cosmonic we've built plenty of pluggable composable components, and we've been looking forward to the day that these components aren't tied to a specific runtime.
Bailey should've printed out and distributed her Wasm bingo board for all attendees!
Running Linux-Based Containers on Wasm and Browser with Container2wasm Converter - Kohei Tokunaga, NTT
Container2wasm enables running unmodified containers on Wasm. Other than just gaining the benefits of Wasm, rather than running an application in a container, this brings productivity benefits if you can avoid the engineering effort of porting and recompiling an application. It primarily works by emulating the CPU underneath the container, and implementing operating system APIs so that the container can use WASI APIs to interact with the host environment.
Opinion: The environment is a little slow and the project is still noted as experimental. That being said, this is a seriously impressive project in terms of scope and goals, it's hard to deny how cool it is to see
ubuntu:22.04 running in the browser. I could see this as a good starting point for containerized applications that depend on low level operating system APIs.
A Love Letter to Isolation - Kelly Shortridge, Fastly
Kelly started her talk at the beginning of life itself, and the role isolation played in why we even exist at all. After a little existentialism and a few fantastic metaphors like an axolotls regrowing a limb being akin to a single component failing but not taking down the whole system, you can see where this talk is going. She asserts that isolation and modularity make computers usable. Over different types of isolation: process, user, app/site, Wasm is built to protect the host. The Component Model lets you decompose apps into loosely coupled apps with robust imports and exports in order to share nothing.
Opinion: I loved the introduction to this talk that slowly lead into low level technical details of WebAssembly. The single-sentence slides, engaging anecdotes, and the impact of the Component Model on software made this one of my unmissable talks of the day.
The Falco Playground: A Cocktail of WebAssembly and Runtime Security - Jason Dellaluce, Sysdig & Rohith Raju, Independent
Falco is a container runtime security tool in the CNCF. The core developer loop with creating new Falco rules wasn't the best it could be, so they started working on the Falco Playground. In order to create a robust client-side environment, they added support for Wasm as a compilation target for the Falco language.
Opinion If you were at the last Wasm day in Amsterdam, Kelsey Hightower said: "If you do a good job with this, nobody will ever talk about it again.” Looking at the Falco playground, there's no big Wasm logo, or any knowledge that you're using Wasm at all. This is exactly the kind of thing that's so cool to see, a real use case within the cloud native space that uses Wasm to accomplish a need!
Extending Sidecarless Applications with Wasm in Istio Ambient Mesh - Lin Sun & Ben Leggett, Solo.io
Service meshes work off of sidecars, which can be expensive when you inject userspace proxies into Kubernetes pods. Istio has been working on the ambient service mesh functionality which started with Wasm in EnvoyFilter resources. Using Wasm, Istio is making the service mesh experience much nicer to let you update filter logic without reloading pods or updating the sidecar for an application deployment.
Opinion: In alignment with common goals of Wasm, extracting complexity from the user and making it a part of the platform, this talk shows again how Wasm can influence an entire ecosystem in the CNCF to make Kubernetes service mesh applications better.
Extending a High-performance Data Streaming System with WebAssembly - Tyler Rockwood, Redpanda
Redpanda has already made a name in the Wasm space with its Kafka compatible API, written entirely in Rust. Wasm comes into play during the data transformation piece of the message streaming process. Before Wasm, you would need to spin up entire processes in order to apply really simple data transformation on messages but, with Wasm, you can simply pass the original message through a WebAssembly transform to write to a different log. The developer experience feels similar to many Wasm application CLIs: create a new project in a source language, compile it to Wasm, and then deploy the transform to Redpanda.
Opinion: Redpanda is a model case study for the benefits of embedding a WebAssembly runtime into their application, and moving the compute as close to the data as possible. In the case of a highly efficient streaming platform, passing messages straight through precompiled Wasm modules provides faster transforms than what would be possible sending each message to a separate process.
Syscall Me by Your Name: Sandboxing Wasm Programs - Ryan Petrich, Two Sigma Investments
We see the second emphasis on isolation during this talk, diving right into techniques runtimes use to improve security via isolation. Ryan goes deep into the aspects of Wasm that create the sandboxed security model that we all know and love, for example talking about the linear memory layout of a module.
Opinion: This talk is a much needed lower level view into proving the isolated sandbox of Wasm, and I'm looking forward to taking a look at the code once it's open sourced after the talk.
Navigating Strategies for Debugging WASM - Ashwin Kumar Uppala, GitHub & Shivay Lamba, Meilisearch
Debugging WebAssembly is a continuously evolving story, with projects offering various levels of debugging support. Ashwin sums this up with an apt “it's a bit challenging right now.” Put a little more bluntly, there's not much debugging support past using logs at runtime to identify issues and failure points. Engines like wasmer, wasmedge and wazero have limited support for debugging.
Opinion Ashwin and Shivay do a great job throughout the talk giving an overview of the entire debugging story in WebAssembly. The middle section of the talk shows some practical tools like dylib.so's modsurfer site where you can inspect imports and the
wat format of a Wasm.
Exploit Parallelism for AI Workloads with WASM and OpenMP - Atanas Atanasov & Andrew Brown, Intel
The talk starts with an overview of OpenMP, an API specification for parallel programming. Compiling the runtime to Wasm starts had a few challenges, like needing conditional compilation in order to exit a thread early. They ran into a few deadlocks and cache-bound programs, but each issue was workable and the team was able to compensate for any issues. The Intel team was able to be successful compiling this to WASI and getting wasi-threads to work with matrix multiplication, of course with applications in AI workloads.
Opinion: WebAssembly has huge potential in the realm of compiling existing codebases to Wasm so you can modernize or add safety to applications. You can see this all over the place in the web environment with applications like Figma, Adobe Photoshop web, Google Earth, and many more. Compiling OpenMP (C, C++ or
Fortran implementations available) to
wasm32-wasi-threads is a practical and exciting application of Wasm on the server side, and it's exciting to see Intel's innovation and ability to get this project to compile to WASI.
Orchestrating Wasm: Reconciliation Loops Aren't Owned by Kubernetes - Taylor Thomas & Dan Norris, Cosmonic
Starting off with two Kubernetes horror stories, Dan and Taylor dove right into why wasmCloud needed its own orchestrator. Going through the background behind considering the Kubernetes orchestrator or the Nomad scheduler for the wasmCloud project, it became obvious that what was needed was a distributed scheduler that really understood Wasm components.
Through a series of rapid fire demos, Dan uses wadm with declarative manifests to iterate through massive changes in some demo applications. From a stateless component running on a single machine, to a full stateful application deployed in Kubernetes in two different clusters in GCP and Azure, the application component doesn't need to change at all. Simply, it's changing the scaling profile and specifying where you want things to run. Thanks to WebAssembly they didn't need to pay any heed to the platform wadm is deploying to, and thanks to wasmCloud there's no need to worry how the application components are able to talk to each other.
Opinion: Obviously with zero bias I loved this talk. I've been a maintainer in the wasmCloud ecosystem for nearly 4 years now, so all of the talking points resonated with me. From Dan's deadpan remarks about the wonderful world of YAML to Taylor's rapid fire explanation of the Wadm internals, this is a must-see talk for all developers who want to see a showcase of the orchestrator that we've built. I'd put this on the must-see list if it weren't for my, well, no bias.
Wasm Workers Server: Portable Serverless Apps with WebAssembly - Angel M De Miguel Meana, VMware
We've seen engineers at VMware talk about everything from interpreted languages to SQLite/WASI-Libc at past Wasm days, and today we get an overview of the Wasm workers server (
wws) project. After a short demo on the project bootstrapping and deployment process with
wws, Angel touches on the benefits and challenges of supporting interpreted languages, pointing towards the massive help the Component Model brings in terms of language compatibility support.
wws has support for many source languages and the soon-to-come Component Model, I hope to see the VMware engineers set the precedent that new language toolchains can be contributed upstream to the common component standard and benefit the entire ecosystem. We at Cosmonic are contributing our knowledge to the wasi-cloud interfaces after running with very similar application level interfaces for years. With the Component Model releasing soon, we are coming right up on an exciting spot for Wasm application collaboration across higher level runtimes.
Wasm Is Becoming the Runtime for LLMs - Michael Yuan, Second State
“Wasm is not a Docker replacement, Wasm is not a Go replacement, Wasm is a Python replacement.” Michael starts with a big statement, and rolls right into explaining the wasmedge ability to run a large language model like llama. Being able to run a
⚡ Lightning Talk: WebAssembly from the Inside Out - Edoardo Vacchi, Tetrate
Super Serious Short Summary: Edoardo narrates us through a video montage of Wasm and its support in wazero, particularly noting the benefits of Wasm like sandboxing.
Opinion: Delivery? Perfect. Memes? Chef's kiss. Timing? Impossibly good. There's really nothing I can add here, the talk speaks for itself and you'll have to check the recording!
Liam said it best, and I would love to reiterate his thanks to the program committee, 65 submitters for Wasm day, the speakers, and everyone involved in the making of this Wasm day.
With that, farewell Wasm Day 2023. If you're still at the conference, come see us at the Cosmonic booth at M21 or at the wasmCloud booth in the project pavilion. We'll add in the videos inline with these talks as they are published on the CNCF YouTube channel, and we'll see you next year for the KubeCon EU 2024 Wasm Day!