May 15, 2024
Agenda
- DEMO and DISCUSSION: A special signing showcase with Joonas and Dan
- DEMO: Progress made with wRPC Go support - Roman
- DISCUSSION: H2 roadmap check-in
Meeting Notes
DEMO and DISCUSSION: A special signing showcase with Joonas and Dan
- JOONAS: The team has been considering the value of releasing and signing Wolfi images.
- Wolfi is a "distroless" base layer for containers that is intended to be used to deploy production-hardened versions of software in containers.
- Benefit: statically-compiled down to the leanest possible container image.
- If we want to deploy a wasmCloud host inside a K8s cluster but want to avoid CVEs in the base image, Wolfi is a good choice. When using Wolfi-based images we get zero CVEs.
- Joonas and Dan are building a non-Debian version of wasmCloud, built as an OCI artifact on Wolfi to allow us access to the goodness in that ecosystem.
- Wasm by default is more secure than containers but we're interested to see what it's like to sign Wasm components. Joonas's demo shows us how this is possible.
- SigStore's existing tooling allows signing and verifying of container images and artifacts. SigStore is now able to sign OCI artifacts.
- Great for us: components stored in registries are OCI artifacts. How hard would it be for us to take a component that we built in wasmCloud and sign it? (It turns out it's pretty easy…check out the recording for the demo)!
- Further reading on our Policy Service.
- DAN: There is another side to the discussion: build attestation.
- GitHub artifact attestation is now in public beta and so, along with SigStore, we wanted to do something similar with wasmCloud, integrated with GitHub.
- GitHub Action to attest builds. Attestation is different to signing as it deals with the CI/CD pipelines: "You can trust that this pipeline was the one that built the application."
- In the Github UI, you can build, verify, sign and attest any build.
- The name of the certification is the pipeline tag where it originated.
- Both the SigStore and GitHub Build Attestation demos were pretty quick to implement due to the Policy Service in wasmCloud, which is as flexible as you want it to be.
DEMO: Progress made with wRPC Go support—Roman
- Link to Roman's wRPC Go implementation.
- Last week: We can now run and maintain applications, built with components written in Go, in a distributed way with wRPC.
- This week: Go provider with outgoing HTTP contracts. Roman demos wRPC with support for futures and streams—optimized in 'wit-bindgen-wrpc-go'.
- You can now write interfaces with futures and streams, 'wit-bindgen-wrpc-go' will allow you to send HTTP requests with Go.
- Allows us to generate wRPC types in Go and turn these into capability providers.
- Streams and futures in go-bindgen and rust-bindgen.
- Only thing left is support for resources—should be complete this week.
- Imports wasi-http bindgen which generates some signing for resources but doesn't yet manage them adequately.
Q: Dan: Is there anything to look at around an example of how to implement futures and streams?
- Roman: Joel's project has support for async and futures but it's early—wRPC protocol has support for these types.
- Bailey: Joel has done a huge amount of work inside wasmtools and wit-bindgen is expected to roll out with WASI 0.3.
- Catch the recording below for a more wide-ranging discussion on this topic.
DISCUSSION: H2 roadmap check-in
- We have already had significant movement in the wasmCloud roadmap. We have fixed a bug which has, fortuitously, turned into a cool feature improvement: CPU memory for restricted systems. Kudos to Taylor for progress there.
- This will now use Wasmtime dynamic pooling. Suited to smaller systems where there is inherently less memory.
- This will be included in the latest version of wash, designed for the smallest VMs and IoT use cases.
- Significant improvements in terms of single-button updates for crates, great to get that wrapped up. In releasing wash 0.28 we almost entirely used that process; allowed us to deliver artifacts quicker.
- We released wasmCloud lattice client. You can see examples of usage in the wash repo. Hats off to Lachlan!
- In progress - some RFCs and docs continue to progress:
- Wasm WG and Runtime TAG published recommendations for publishing Wasm artifacts in OCI.
- We are adhering to as many standards as possible - work in progress.
- wasmCloud Postgres implementation - more to come here and we're gearing up for a request for testing.
Community Updates
Where we'll be…
- 16th May: On Cloud Native Live, Taylor will join Synadia's Jeremy Saenz to discuss the benefits of building a distributed Wasm-native reconciliation loop with NATS JetStream. Join to learn about key-value buckets, streams and work queues, how they work and why they matter. 12 midday ET.
Tune in…
- Bailey recently joined Dan Lorenc at Chainguard to discuss all things Wasm, Kubernetes, distroless compute models and more. Tune in for this step-by-step exploration of Wasm.
- The CNCF and Bytecode Alliance came together on CNCF Cloud Native Live for an interesting discussion on WASI 0.2 the Component Model..and the role of the BA in driving forward Wasm standards and tooling.
- Cloud Native Wasm Day recordings are available! Particular highlights are presentations from our community users MachineMetrics and Orange.
- Check out the Arm Developer Podcast where Bailey and Liam discussed the intersection of Wasm and GPU technologies.
- Cosmonic CTO Bailey Hayes met Chris Matteson (Fermyon) and Oscar Spencer (F5 NGINX) on the panel at the latest Kubernetes meetup in New York. They explored the Wasm what's, why's, standards and considerations when adoption. The recording is live!
- Listen in to the last WasmEdge community meeting where Bailey Hayes talks all things WASI 0.2 and we hear from the students of the University of Tokyo on some cool new projects.
- Bailey was a guest on a recent Rancher Live podcast with Divya Mohan. Tune in for a deep dive into WASI 0.2!