wolfssl VS stargz-snapshotter

Or something a bit more lightweight - https://github.com/wolfSSL/wolfssl

> I have no room for TLS on micro computer

How micro is your micro? There are embedded TLS stacks such as wolfSSL[1]. If you carefully select the cipher suite and certificate requirements, and perhaps limit TLS payload sizes, you may be able to fit on a lot more systems than you initially suspect. x.509 is expensive in code space though, if that's the constraint, you may do better with an application specific certificate replacement of some sort.

[1] https://www.wolfssl.com/

There are many notable open-source projects (SSLyze, CipherScan, testssl.sh, tls-scan, …) and several SaaS solutions (CryptCheck, CypherCraft, Hardenize, ImmuniWeb, Mozilla Observatory, SSL Labs, …) to do a security setting analysis, especially when we are talking about TLS, which is the most common and popular cryptographic protocol. However, most of these tools heavily depend on one or more versions of one or more cryptographic protocol libraries, like GnuTLS, OpenSSL, or wolfSSL. But why is this such a problem?

wolfSSL 5.0.0

A lazy chunked delivery strategy like used in the k8s stargz-snapshotter[0] project could be effective here, where it only pulls chunks as needed, but it would probably require wasm platform changes.

[0] https://github.com/containerd/stargz-snapshotter

To optimize build speed, cache hits, and registry storage, we're building each image reproducibly and indexing the contents with eStargz[0]. The image is stored on Cloudflare R2, and served via a Cloudflare Worker. Everything is open source[1]!

Compared to alternatives like `git lfs clone` or downloading your model at runtime, embedding it with `COPY` produces layers that are cache-stable, with identical hash digests across rebuilds. This means they can be fully cached, even if your base image or source code changes.

And for Docker builders that enable eStargz, copying single files from the image will download only the requested files. eStargz can be enabled in a variety of image builders[2], and we’ve enabled it by default on Depot[3].

Here’s an announcement post with more details: https://depot.dev/blog/depot-ai.

We’d love to hear any feedback you may have!

[0] https://github.com/containerd/stargz-snapshotter/blob/main/docs/estargz.md

[1] https://github.com/depot/depot.ai

[2] https://github.com/containerd/stargz-snapshotter/blob/main/docs/integration.md#image-builders

[3] https://depot.dev

Seekable OCI (SOCI) is a technology open-sourced by AWS that enables containers to launch faster by lazily loading the container image. It’s usually not possible to fetch individual files from gzipped tar files. With SOCI, AWS borrowed some of the design principles from stargz-snapshotter, but took a different approach. A SOCI index is generated separately from the container image and is stored in the registry as an OCI Artifact and linked back to the container image by OCI Reference Types. This means that the container images do not need to be converted, image digests do not change, and image signatures remain valid.

This is interesting and seems general purpose. Not merely for container images.

There’s this option for OCI containers which I don’t pretend to understand: https://github.com/containerd/stargz-snapshotter

It is used by containerd and nerdctl. You do have to build the image with it. Images work in OCI compatible registry. By fetching most used files first container can be started before loading is finished. Or so I gather.

stargz is a gamechanger for startup time. You might not need to care about image size at all

kubernetes and podmand support it, and docker support is likely coming. It lazy loads the filesystem on start-up, making network requests for things that are needed and therefore can often start up large images very fast.

https://github.com/containerd/stargz-snapshotter

containerd/stargz-snapshotter: Fast container image distribution plugin with lazy pulling (github.com)

Yes, see https://github.com/containerd/stargz-snapshotter