Are V8 isolates the future of computing?

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • blueboat

    All-in-one, multi-tenant serverless JavaScript runtime.

  • > If one writes Go or Rust, there are much better ways to run them than targeting WASM

    wasm has its place, especially for contained workloads that can be wrapped in its strict capability boundaries (think, file-encoding jobs that shouldn't access anything else but said files: https://news.ycombinator.com/item?id=29112713).

    > Containers are still the de facto standard.

    wasmedge [0], atmo [1], krustlet [2], blueboat [3] and numerous other projects are turning up the heat [4]!

    [0] https://github.com/WasmEdge/WasmEdge

    [1] https://github.com/suborbital/atmo

    [2] https://github.com/krustlet/krustlet

    [3] https://github.com/losfair/blueboat

    [4] https://news.ycombinator.com/item?id=30155295

  • spawner

    Discontinued. Session backend orchestrator for ambitious browser-based apps. [Moved to: https://github.com/drifting-in-space/plane]

  • Is the appeal of isolates in this case the cold start time or the isolation? We're working on some open source infrastructure for running sandboxed (gVisor) containers on the fly from web services[1], and one of the use cases people have is serving Jupyter notebooks which seems like it might resemble your use case?

    [1] https://github.com/drifting-in-space/spawner/

  • SSVM

    WasmEdge is a lightweight, high-performance, and extensible WebAssembly runtime for cloud native, edge, and decentralized applications. It powers serverless apps, embedded functions, microservices, smart contracts, and IoT devices.

  • e2core

    Server for sandboxed third-party plugins, powered by WebAssembly

  • krustlet

    Kubernetes Rust Kubelet

  • gvisor

    Application Kernel for Containers

  • Answering the security question specifically: v8 is a runtime and not a security boundary. Escaping it isn't trivial, but it is common [1]. You should still wrap it in a proper security boundary like gVisor [2].

    1. https://www.cvedetails.com/vulnerability-list/vendor_id-1224...

    2. https://gvisor.dev/

  • workers-sdk

    ⛅️ Home to Wrangler, the CLI for Cloudflare Workers®

  • I love v8 isolates so far-- I'm building chat tooling with it

    When added to the "edge", it means they're (insanely) fast, obliterate cold-start problem (which is killer in chat where you might not have retry), and as long as what you write can execute between 10-50ms (with ~30s for follow-on queries) it sometimes feels like cheating

    The same way Cloudflare "pushes" configuration to their network, they use a similar mechanism to push code to their edge nodes.

    They have killer dev tooling too-- https://github.com/cloudflare/wrangler2

    You *DON'T* need to think about regions ever-- just deploy to a lot of small regions instantly & it usually "just works" and is fast everywhere.

    For extra credit, you also get access to rough-grained location information from each "node" in their network that your users connect to (globally you can get access to rough-grained local timezone, country, city, zipcode, etc): https://blog.cloudflare.com/location-based-personalization-u...

    ex. for chat, could do something like this to prompt for location info: https://i.imgur.com/0qTt1Qd.gif

    Kenton Varda (https://twitter.com/KentonVarda) who was in charge of Protobuf and other projects gave an overview tech talk @ 10:23 speaks to isolates: https://youtu.be/HK04UxENH10?t=625

    ## Downsides encountered so far

    - Not 1-1 replacement, think of your code like a highly-performant service worker (usual suspects: https://developer.mozilla.org/en-US/docs/Web/API/Service_Wor...)

    - Many libraries (like Axios for instance) won't work since they call out to Nodejs (this might be a good thing, there are so many web APIs available I was able to write a zero-dependency lib pretty easily) They're adding bespoke support for packages: https://blog.cloudflare.com/node-js-support-cloudflare-worke...

    - There's only a tiny bit of customization for Workers required, however, there's a bit of platform risk

    If you haven't tried before, definitely worthy of further examination

    Re: security, it seems like a pretty good model.

  • wizer

    The WebAssembly Pre-Initializer

  • wasmtime

    A fast and secure runtime for WebAssembly

  • Actually that's incorrect, there are a number of wasm runtimes that don't use v8. Here are links to a couple.

    https://wasmtime.dev/

    https://www.fastly.com/products/edge-compute

  • chromium

    The official GitHub mirror of the Chromium source

  • As you scale up with R2, D3, Email Workers etc, is it possible that the _future_ scale of touching very sensitive, "ought-to-be-secure / separate" data / code help reconsider this decision?

    Without process isolation, all it takes is one bad Chromium commit or an incorrectly allow-listed JS/V8 command for this model to fall through regardless of how thorough the defense-in-depth/vetted Workers may be.

    "the public clouds that run arbitrary native code in hardware VMs." -> Isn't it double whammy then that a V8 isolate + HW attack surface in combination could provide an order of magnitude more hackability?

    "Last I heard there were still some lower-powered Android phones where the overhead was too high" -> I believe a Zygote-process fork was made available to Chromium at some point (https://chromium.googlesource.com/chromium/src/+/HEAD/docs/l... ?).

  • IncludeOS

    A minimal, resource efficient unikernel for cloud services

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
