Using WebAssembly and Kubernetes in Combination

The Ubiquitous WebAssembly


Complicated Relationship Between WASM and Containers

Will WebAssembly Replace Containers?


WebAssembly Containers

  • WebAssembly developers can reuse the Docker and OCI image specifications and toolchains as they are, which further simplifies application distribution and delivery. For example, use the NGINX WASM image as the base image to build application images that carry different web content, track application versions with tags, distribute the images through a Docker Registry, and use digital signatures to secure the software supply chain.
  • Docker image specifications support multi-arch images, which simplify the construction and distribution of application images for different CPU architectures such as x86, ARM, and RISC-V. WebAssembly is inherently portable, which greatly simplifies the construction and distribution of cross-platform Docker application images.
$ sudo ctr image ls
REF  TYPE  DIGEST  SIZE  PLATFORMS  LABELS
application/vnd.docker.distribution.manifest.v2+json  sha256:2efa759f46f901cda2e6a9b4228c423b17a960c06e957964e72c21dc5b42408f  29.2 KiB  linux/amd64  -
application/vnd.docker.distribution.manifest.v2+json  sha256:cadcc8b07eb82b18db2c8f500fa2b11e5ebf2e9054cfa687e4ffe44861860132  8.2 KiB  linux/amd64  -
application/vnd.docker.distribution.manifest.v2+json  sha256:8735c82524a463b842b7c79f2c1be8094ee1c57cfd34154f68752fbe79c25998  582.7 KiB  linux/amd64  -
  • WebAssembly uses a linear memory model: a WASM application addresses its memory only through indexes into a single, logically linear region, and the WASM VM translates those indexes to physical addresses. The application therefore never learns real memory addresses and cannot attack the host through out-of-bounds access. In theory this makes it possible to cap the memory a WASM application may use; in practice, however, some WASM VMs cannot enforce precise memory limits.
  • Some WASM VMs can measure CPU resources used by applications, but most of them cannot implement accurate quota limits, priorities, and preemptible scheduling.
  • At present, WASM has no relevant isolation capabilities for I/O resources, such as IOPS.
  • The capability model used by WASI makes it relatively easy to protect file system access. However, this static security model is not applicable to dynamic network scenarios. In a microservice architecture, applications often discover services through a service registry and dynamically bind callers and providers. These semantics cannot be described and injected by using a static capability model. As a result, some of the WASI network APIs are still being discussed. For more information on the WASI network security model and the ongoing discussion, visit this link. The Linux operating system and container technology already provide complete resource isolation and security isolation. By combining these solutions with WebAssembly, it’s possible to meet the requirements of different isolation levels in different scenarios.

Let Your Code Speak: Demonstration

Create a VM Test Environment

minikube start --image-mirror-country cn \
--iso-url= \
--registry-mirror= \
$ minikube ssh
  • wasmer 0.13
  • By default, Minikube installs Containerd 1.2.x, which needs to be upgraded to 1.3.x.
  • Here, I use a pre-compiled containerd-shim-wasm-v1 binary, but you can also compile a version yourself.
cd ~
# Install Wasmer 0.13.1
curl -L -O
gunzip wasmer-linux-amd64.tar.gz
tar xvf wasmer-linux-amd64.tar
sudo cp bin/* /usr/bin/
# Upgrade containerd to v1.3.2
curl -L -O
gunzip containerd-1.3.2.linux-amd64.tar.gz
tar xvf containerd-1.3.2.linux-amd64.tar
sudo systemctl stop containerd
sudo cp bin/* /usr/bin/
sudo systemctl restart containerd
# Install containerd-wasm-shim
chmod +x containerd-shim-wasm-v1
sudo mv containerd-shim-wasm-v1 /usr/bin/

Configure Containerd to Support WASM Shim

$ cat <<EOF | sudo tee -a /etc/containerd/config.toml
disabled_plugins = ["restart"]
# "wasm" is the runtime handler name that the RuntimeClass created later refers to
[plugins.cri.containerd.runtimes.wasm]
  runtime_type = "io.containerd.wasm.v1"
EOF
$ sudo systemctl restart containerd
$ sudo ctr image pull
resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:cadcc8b07eb82b18db2c8f500fa2b11e5ebf2e9054cfa687e4ffe44861860132: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ecda28441283ecf01d35bca0361f2c1ef26a203454a06789ee5ce71ba1e32ca3: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:57974480d640c8d60d254a8b0fa4606b2c7107fe169bc3ddd455091277c3a5e4: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 3.0 s total: 0.0 B (0.0 B/s)
unpacking linux/amd64 sha256:cadcc8b07eb82b18db2c8f500fa2b11e5ebf2e9054cfa687e4ffe44861860132...
$ sudo ctr run --rm --runtime io.containerd.wasm.v1 test1
Hello world
$ sudo ctr image pull
resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:8735c82524a463b842b7c79f2c1be8094ee1c57cfd34154f68752fbe79c25998: exists |++++++++++++++++++++++++++++++++++++++|
layer-sha256:27f4d8ad067fbb709d18ea5acd7a5ddfb85851e5d9f030636e9da3d16cc4bd07: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:a55bd3bdb9d00fdac5ee2f64bfc1856e58e8bb90587943969ad3d8115f4ced70: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 3.0 s total: 0.0 B (0.0 B/s)
unpacking linux/amd64 sha256:8735c82524a463b842b7c79f2c1be8094ee1c57cfd34154f68752fbe79c25998...
$ sudo ctr run --rm --runtime io.containerd.wasm.v1 test2
2020/02/01 07:01:21 [notice] 30672#0: using the "select" event method
2020/02/01 07:01:21 [notice] 30672#0: nginx/1.15.3
2020/02/01 07:01:21 [notice] 30672#0: built by clang 6.0.1 (emscripten 1.38.11 : 1.38.11)
2020/02/01 07:01:21 [notice] 30672#0: OS: Linux 4.19.81
2020/02/01 07:01:21 [notice] 30672#0: getrlimit(RLIMIT_NOFILE): 1024:1024
$ echo http://$(minikube ip):8080

Create the RuntimeClass CRD of the WASM Container

$ git clone
$ cd wasm-container-samples
$ cat wasm-runtimeclass.yaml
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: wasm
handler: wasm
$ kubectl apply -f wasm-runtimeclass.yaml
runtimeclass.node.k8s.io/wasm created
$ kubectl get runtimeclass
NAME   CREATED AT
wasm   2020-02-01T06:24:12Z
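The RuntimeClass only names a handler; whether that handler works is decided on the node, by the containerd configuration and the shim binary installed earlier. As an added example (not from the original article or the wasm-container-samples repository), the POSIX shell check below verifies that link before `kubectl apply`: it assumes the containerd 1.3 config v1 layout with a `[plugins.cri.containerd.runtimes.<handler>]` table, and the shim v2 naming convention that maps `runtime_type` `io.containerd.<name>.<version>` to the binary `containerd-shim-<name>-<version>`.

```shell
#!/bin/sh
# Added example, not part of the original article: confirm that a RuntimeClass
# handler is backed by a containerd runtime table and an installed shim binary.
# Assumes containerd 1.3 config v1 layout: [plugins.cri.containerd.runtimes.<handler>]

# Print the handler name declared in a RuntimeClass manifest ($1).
handler_of() {
  sed -n 's/^handler:[[:space:]]*//p' "$1"
}

# Map runtime_type "io.containerd.<name>.<ver>" to the shim v2 binary name
# "containerd-shim-<name>-<ver>", e.g. io.containerd.wasm.v1 -> containerd-shim-wasm-v1.
shim_binary_for() {
  printf '%s\n' "$1" |
    sed -n 's/^io\.containerd\.\([^.]*\)\.\([^.]*\)$/containerd-shim-\1-\2/p'
}

# Print the runtime_type configured for handler $2 in config.toml $1, or nothing.
runtime_type_for() {
  awk -v sec="[plugins.cri.containerd.runtimes.$2]" '
    /^[[:space:]]*\[/ { line = $0; gsub(/[[:space:]]/, "", line); in_sec = (line == sec); next }
    in_sec && /^[[:space:]]*runtime_type[[:space:]]*=/ {
      sub(/^[^"]*"/, ""); sub(/".*$/, ""); print; exit
    }' "$1"
}

# Return 0 only if the manifest ($1) handler has a runtime table in config.toml ($2)
# and the shim binary derived from its runtime_type is executable on PATH.
check_runtimeclass() {
  h=$(handler_of "$1") || return 1
  [ -n "$h" ] || { echo "no handler: field in $1" >&2; return 1; }
  rt=$(runtime_type_for "$2" "$h")
  [ -n "$rt" ] || { echo "handler '$h': no runtimes.$h table in $2" >&2; return 1; }
  bin=$(shim_binary_for "$rt")
  [ -n "$bin" ] || { echo "cannot derive a shim name from runtime_type '$rt'" >&2; return 1; }
  command -v "$bin" >/dev/null 2>&1 || { echo "shim '$bin' is not on PATH" >&2; return 1; }
  echo "ok: handler=$h runtime_type=$rt shim=$bin"
}

# Usage on the node: check_runtimeclass wasm-runtimeclass.yaml /etc/containerd/config.toml
```

Run it on the node (or inside `minikube ssh`) before applying the manifest, so a misnamed handler or a missing shim is caught here rather than as a failed pod sandbox later.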

Run the WASM Container Application in Kubernetes

$ cat nginx-wasm.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-wasm
spec:
  runtimeClassName: wasm
  containers:
  - name: nginx
    image: denverdino/nginxwasm
    ports:
    - containerPort: 8080
$ kubectl apply -f nginx-wasm.yaml
pod/nginx-wasm created
$ kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
nginx-wasm   1/1     Running   0          9s

New Opportunities and Hopes

Original Source:


