Skip to content(if available)orjump to list(if available)

WASM will replace containers

WASM will replace containers

139 comments

·February 12, 2025
Visit

not2b

"The main thing holding back wider adoption is a lack of system interfaces. File access, networking, etc. But it's just a matter of time before these features get integrated."

But then you've got to figure out and prevent all the security holes that can be introduced by adding file access, networking, etc. That's what killed the Java write-once, run-anywhere promise. Maybe put the whole thing into a container? Oops, looks like the container wasn't replaced after all (though perhaps it could be simplified).

josephg

True, but I suspect it'll be a lot easier to virtualise all those APIs through WASM than it is for a regular native binary. I mean, half the point of docker is that all syscalls are routed into an LXD container with its own filesystem and network. It should be pretty easy to do the same thing in userland with a wasm runtime.

And the nice thing about that is you can pick which environment a wasm bundle runs in. Want to run it on the browser? Sure! Want to give it r/w access to some particular path? Fine! Or you want to run it "natively", with full access to the host operating system? That can work too!

We just ("just") need wasi, and a good set of implementations which support all the different kinds of sandboxing that people want, and allow wasm containers to talk to each other in all the desirable ways. Make no mistake - this is a serious amount of work. But it looks like a very solvable problem.

I think the bigger adoption problem will be all the performance you leave on the table by using wasm instead of native code. For all its flaws, docker on linux runs native binaries at native speed. I suspect big companies running big cloud deployments will stick with docker because it runs code faster.

quesomaster9000

As somebody who's in the process of building a sandbox for RISC-V 64 Linux ELF executables, even I'm still on the fence.

The problem is that in WASM-land we're heading towards WASI and WAT components, which is similar to the .NET, COM & IDL ecosystems. While this is actually really cool in terms of component and interface discovery, the downside is that it means you have to re-invent the world to work with this flavor of runtime.

Meaning... no, I can't really just output WASM from Go or Rust and it'll work, there's more to it, much more to it.

With a RISC-V userland emulator I could compile that to WASM to run normal binaries in the browser, and provide a sandboxed syscall interface (or even just pass-through the syscalls to the host, like qemu-user does when running natively). Meaning I have high compatibility with most of the Linux userland within a few weeks of development effort.

But yes, threads, forking, sockets, lots of edge cases - it's difficult to provide a minimal spoof of a Linux userland that's convincing enough that you can do interesting enough things, but surprisingly it's not too difficult - and with that you get Go, Rust, Zig, C++, C, D etc. and all the native tooling that you'd expect (e.g. it's quite easy to write a gdbserver compatible interface, but ... you usually don't need it, as you can just run & debug locally then cross-compile).

hardwaresofton

> The problem is that in WASM-land we're heading towards WASI and WAT components, which is similar to the .NET, COM & IDL ecosystems. While this is actually really cool in terms of component and interface discovery, the downside is that it means you have to re-invent the world to work with this flavor of runtime.

At the application level, you're generally going to write to the standards + your embedding. Companies that write embeddings are encouraced/incentivized to write good abstractions that work with standards to reduce user friction.

For example, for making HTTP requests and responding to HTTP requests, there is WASI HTTP:

https://github.com/WebAssembly/wasi-http

It's written in a way that is robust enough to handle most use cases without much loss of efficiency. There are a few inefficiencies in the WIT contracts (that will go away soon, as async lands in p3), but it represents a near-ideal representation of a HTTP request and is easy for many vendors to build on/against.

As far as rewriting the world, this happens to luckily not be quite true, thanks to projects like wasi-libc:

https://github.com/webassembly/wasi-libc

Networking is actually much more solved in WASI now than it was roughly a year ago -- threads is taking a little longer to cook (for good reasons), but async (without function coloring) is coming this year (likely in the next 3-4 months).

The sandboxing abilities of WASM are near unmatched, along with it's startup time and execution speed compared to native.

danpalmer

This assumes that everyone implements the same set of APIs that work in the same way.

More likely, the browser will implement some that make sense there, some browsers will implement more than others, Cloudflare workers will implement a different set, AWS Lambda will implement a different set or have some that don't work the same way... and now you need to write your WASM code to deal with these differing implementations.

Unless the API layer is, essentially, a Linux OS or maybe POSIX(?) for Docker, which I doubt it would be as that's a completely different level of abstraction to WASM, I don't have a lot of faith in this being a utopian ideal common API, given that as an industry we've so far failed almost every opportunity to make those common APIs.

hardwaresofton

Good point! This is the hard work that people are undertaking right now.

Things are going to change a little bit with the introduction of Preview3 (the flagship feature there is async without function coloring), but you can look at the core interfaces:

https://github.com/WebAssembly/WASI/tree/main/wasip2

This is what people are building on, in the upstream, and in the bytecode alliance

You're absolutely right about embeddings being varied, but the standard existing enforces the expectations around a core set of these, and then the carving out of embeddings to support different use cases is a welcome and intended consequence.

WASI started as closer to POSIX now, but there is a spectacular opportunity to not repeat some mistakes of the past, so some of those opportunities are taken where they make sense/won't cause too much disruption to people building in support.

josephg

True. Its probably worth creating a validation suite for wasi which can check that any given implementation implements all the functions correctly & consistently. Like, I'm imagining a wasm bundle which calls all the APIs it expects in every different configuration and outputs a scorecard showing what works properly and what doesn't.

I suspect you're right - unless people are careful, it'll be a jungle out there. Just like javascript is at the moment.

resonious

This is what I was thinking. WASM is a good replacement for containers because it doesn't have these things.

gchamonlive

So basically virtual machines, those we can spin up with lxd or firecracker. Not that they don't have file access, it's just that's finnicky compared to containers (I'm thinking docker/podman)

hardwaresofton

Yes, but note the difficulty of building a specialized I/O or drivers for controlling access in a virtual machine versus the WASI model.

Also, startup times are generally better w/ availability of general metering (fuel/epochs) for example. The features of Wasm versus a virtual machine are similar but there are definitely unique benefits to Wasm.

The closer comparison is probably the JVM -- but with support for many more languages (the list is growing, with upstream support commonplace).

Capricorn2481

I don't understand WASM, but I read that a big draw of WASM is it's ability to provide portability to any language. This would mean Python libraries that depend on an unpopular C library (which could be lost to time) could instead be a single WASM blob.

Assuming equivalent performance, which I understand might not be the case, is there merit to this idea? Or is there nothing new WASM provides?

tyingq

The closest way to visualize it is probably how cloudflare offers something kind of like a container (if you squint) via it's workers product.

https://blog.cloudflare.com/announcing-wasi-on-workers/

I assume the merit for cloudflare is lower overhead cost per worker than if they had done something more like AWS lambda. Explained better than I can, here: https://developers.cloudflare.com/workers/reference/how-work...

It does currently present a lot of restrictions as compared to what you could do in a container. But it's good enough to run lots of real world stuff today.

throwaway7783

You meant Java applets perhaps? Java is still write-once run-anywhere if you stick with its APIs.

rr808

ActiveX had this sorted out 25 years ago. Code signing with different levels available for access outside the sandbox controllable by the user.

lxgr

And a nice centralized authority that judges the trustworthiness of a given application by staring at a binary extensively?

BrouteMinou

I think you meant Java Applets instead of Compile once run everywhere.

Dalewyn

>But then you've got to figure out and prevent all the security holes that can be introduced by adding file access, networking, etc.

So an operating system?

klabb3

Yes. Wasm does to my knowledge not have an answer for this, even if some projects patch in their bridge logics. Networking and file systems, and the permission model, is "the rest of the fucking owl". Linux isn't standardized, but at least it's Linux. Without consensus on the fundamental APIs I don't see how we can get to a platform agnostic experience. Even an https call isn't simple: you need TCP and you need to pull root certs from the env, at the very least. Where's the API for that?

I hope for a much more near term bright future for WASM: language interop. The lowest common denominator today is C, and doing FFI manually is stone age. If you can leverage WASM for the FFI boundary, perhaps we can build cross language applications that can enjoy the strengths of all libraries, not just those outside of our language silos.

danpalmer

WASM solves a different problem to containers. Where WASM does well is in running sandboxed code efficiently, because that's where it started out. I think WASM will likely take over as the standard for shipping things like Functions-as-a-Service implementations, and other forms of plugins, where one host application/server of some kind wants to efficiently run pieces of untrusted logic.

Containers don't solve that problem. They aren't a particularly good security boundary, and they are much heavier weight, in terms of bytes and startup costs, than WASM binaries, because they are deeply integrated into the OS for networking, etc. However, when what you need to do is ship a binary with a bunch of accoutrements, dependencies, files, etc, and then run multiple processes, multiple threads, and use more of the OS primitives, containers are an ergonomic way to do that, and that suits Infrastructure-as-a-Service much more closely.

konaraddi

Cloudflare, Fastly, and Amex use WASM in their FaaS implementations

shortrounddev2

I think WASM will end up being more useful as a universal language VM on client machines than it will as a tool for browser computation

TZubiri

Wasm: client, user's device

Containers: server, dev's device

Cmon OP try to keep up

danpalmer

Well, not quite, that's an oversimplification. As I mentioned I think there's a place for WASM as the common unit of business logic, for things like plugins.

Implementing a FaaS runtime like Lambda is actually quite hard to do in a way that is both safe and multi-language. Compiling down to a safe, sandboxed bytecode, is not a bad idea, regardless of whether you're doing that to run it in a user's browser, or to run a FaaS function on some cloud infra, or to write a server-side plugin to a SaaS product.

paulgb

> WebAssembly is a true write-once-run-anywhere experience. (Anywhere that can spin up a V8 engine, which is a lot of places these days.)

This is true if your wasm code is purely computational, but if it interacts with the outside world it’s a different story. Each V8 runtime has a subtly different interface, so code that runs on cloudflare V8 might not run in Bun or Deno. Not to mention if you want to support WASI too, which is a different set of bindings even though it’s still WebAssembly.

Love or hate Docker, part of its success was that POSIX was already a fairly established standard and there weren’t a lot of vendors driving it in different directions.

porridgeraisin

> Bun

Nit: bun uses javascriptcore

hardwaregeek

When? We’ve been talking about wasm for years. When are we actually getting this future? It’s been 8 years since wasm 1.0, and still we don’t have a stable, easy to use toolchain. Rust has maybe the best support and I still can’t get a basic async application with tokio to work on wasm.

To put it into context, Rust was released in 2012. 8 years later it was stable, had a solid toolchain and plenty of people using it in production. Wasm still feels like a toy compared to that

azakai

Lots of people use wasm in production right now, and toolchain support is in a good place across several languages. In that sense we are already there.

You likely visited a website using wasm today without realizing it, and major apps like Photoshop have been ported to wasm, which was the original dream behind it all. That has all succeeded.

But if you want to replace containers specifically, as this article wants, then you need more than wasm 1.0 or even 2.0. I don't know when that future will arrive.

harrall

WASM is another VM and it reminds me of the difficulty that the JVM has faced. You can write-once-run-once a lot of languages like Ruby or JavaScript on the JVM and some of the runtimes are pretty good.

But the rest of the community prefers using the original implementation. If some library that you want to use doesn’t work, no one is going to help you. You’re using the second class implementation.

otterley

> When are we actually getting this future?

Around the same time Linux is ready for the desktop.

octopoc

Blazor is stable and extremely easy to use. It’s just a little slow to load, although there are ways to mitigate that.

catmanjan

Blazor is a great developer experience but when you put it side by side with the other technology solutions (react, angular, anything really) its so slow that you will quickly be told to use something else...

dustbunny

Emscripten seems pretty stable and easy to use to me?

zfg

American Express uses WebAssembly for exactly this use case:

https://thenewstack.io/amexs-faas-uses-webassembly-instead-o...

moribvndvs

One benefit of being an old engineer is watching how excited people get when they rediscover something that has gone around the bend over and over again. I swear if you fuckers reinvent DCOM I will shit in your hats.

RantyDave

OMG I hated DCOM so thoroughly.

mdaniel

Preach it, because document/literal SOAP and WSDL are The Way, The Truth, and The Light!

invalidname

Exactly. It's like the JVM circa 2004. Without all the observability and features we have today and half the performance/reliability/security.

stackskipton

As PlatformOps (formerly DevOps (formerly SRE(formerly Ops))), either this was hilarious satire or ChatGPT Ketamine trip. I'm not sure.

> In the year 2030, no one will remember Kubernetes.

So what's going to handle out rolling out new versions of your WASM, setting up whatever Reverse Proxy you pick and other stuff involved getting. A bunch of scripts you wrote to do this for you? https://www.macchaffee.com/blog/2024/you-have-built-a-kubern...

> The promise of DevOps has been eroded by complicated tooling and tight coupling of program-container-linux. In my experience, developers want to write code and ship features to hit their quarterly goals.

Here is why we ended up here: In my experience, developers want to write code and ship features to hit their quarterly goals.

Sure, and my angry PlatformOps (formerly DevOps (formerly SRE(formerly Ops))) is stuck picking up the pieces because we are getting crap while we desperately paging you because we have no clue what "duplicate street key" in your logs mean. On top of that, InfoSec dropped us 10 tickets about code level library vulnerabilities in your docker container but all the Developer's Managers got together to convince them it was our problem somehow.

So we are forced to write this bundle of terribly written Ops type software in attempt to keep this train on the tracks while you strap rockets to cafe car.

WASM replacing containers is just a solution looking for a problem. Containers solved a problem of "How do we run two different versions of PHP on a single server without them colliding." Most of the containers problem is higher level DevOps problems that we haven't been able to solve and WASM isn't going to change that. I deal with a team that writes 100% Golang so their code is like WASM as it's ship binary and done. Yea, they begged for Kubernetes because it works a ton better then custom Ansible they wrote to keep these VMs/Load Balancer in sync.

trescenzi

Containers have two goals: reproducibility/portability, and encapsulation. WASM could replace the reproducibility but it can't replace the encapsulation.

> My money is on WebAssembly (WASM) to replace containers. It already has in some places. WebAssembly is a true write-once-run-anywhere experience. (Anywhere that can spin up a V8 engine, which is a lot of places these days.)

Luckily a container is a place that can spin up a V8 engine. If you want to bet on WASM my bet would be on containers running WASM.

jagged-chisel

> … it can't replace the encapsulation.

Can you explain your thoughts here? WebAssembly is sandboxed and effort must be expended to provide a mechanism for getting data through that boundary. How does that differ from “encapsulation?”

trescenzi

I'm referring to a different kind of encapsulation. Dependencies, tools, version management, configurations, environment variables, etc. Even if you can fully compile your code into WASM and host it on V8 you need to ship it with configuration files, set specific environment variables and so on. Containers allow you to bundle all of that together into a single unit you can share with others.

aftbit

Unless you run the build in WASM itself. Are there any self-hosting WASM build chains?

Capricorn2481

What about WASM doesn't encapsulate dependencies? Isn't it all one WASM blob at the end of the day?

birdiesanders

The author has not seemingly considered the vastly different networking in wasm. You don’t have networking. There is an entirely different utility in these environments, containers are meant to host applications, wasm is an application. Don’t even get me started on disk access, env handling, etc. wasi is great, for the places it does well. It is not a replacement for writing a pure golang/rust/c/julia app and running it in a container, it doesn’t have the facilities for that task.

mavdi

Anyone comes up with any shit these days, say apples will replace oranges.

“ChatGPT make me sound confident”

Thaxll

"Learning how to use Docker is a distraction"

As if you need to learn anything, you get your Dockerfile and that's it, what else there is to learn? Your WASM app still need Kubernetes to run so it's not adding any value.

The complexity is not in running your app in Docker, the complexity is running your container somewhere, and WASM does not help at all with that.

WebAssembly is not going anywhere, it's pretty clear it won't grow much in the next 5years.

TZubiri

Disagree.

It's not trivial to manage a running container or group of, with firewalls and filesystems and whatnot.

My biggest gripe is that it's quite redundant with the os and tends to reinvent stuff. You end up needing to learn, doc, and build towards both os layer fw and container layer fw for example.

LeFantome

WASM does not run on real hardware. At best, WASM can be considered a virtual machine (in the way that the JVM and the .NET CLR are virtual machines). I guess we can call that a "runtime".

Containers package applications that run directly on real hardware (well, directly on a real kernel that is running on real hardware). There is no runtime. I am talking OCI containers here (Docker and Kubernetes). At least they can. Most containers are probably running on a Linux kernel that is running in a virtual machine (in the way that KVM, EC2, and VirtualBox are virtual machines).

WASM needs a runtime. That is, it is going to run inside an application. That application needs to run on a kernel. So, WASM will always be further from the hardware than a container is.

WASM solves the same "portability" problem that the JVM and .NET do. So, maybe WASM wins against those environments.

That is not the problem that containers solve though. Containers bundle applications with their dependencies. They replace "installation and configuration" with instantiation (deployment). WASM does not magically eliminate dependencies or the differences between environments (not even the difference between V8 implementations).

If anything, the technologies are complementary. Maybe, in the future, all our containers will be runing WASM applications.

Or maybe we will run a different kind of container that ONLY runs WASM applications and then WASM can replace the Linux kernel running in a VM that hosts all our OCI containers today. Perhaps that is what the author really envisions. Even then, it sounds like more of a complement than a true alternative.

lxgr

WASM needs an execution environment just like containers. The execution environment for containers just happens to be largely provided by Linux.

> WASM does not magically eliminate dependencies or the differences between environments (not even the difference between V8 implementations).

Not by itself, and not currently, but I don't find it too much of a leap of faith to assume that that'll be standardized before too long.

invalidname

Yes. It doesn't provide the roughly 20 years of advancements in JVM technology either. Modern observability and JVM scale is at a different level. The trend was to get the maximum use of hardware. Specifically get away from virtualization to containers. This bucks the trend for absolutely no tangible benefit.

bocahtie

I'm always reminded of Gary Bernhardt's "the birth and death of javascript" when wasm gets discussed. While it's a bit tongue-in-cheek, I think it really drives home that it's really just another layer of abstraction that may or may not be useful for a given problem, and might not be the silver bullet that anyone is looking for. I recon that whether or not wasm will take over everything will mostly be about trade offs between it and the other solutions.

josh11b

That is what I was thinking of too! From 2014: https://www.destroyallsoftware.com/talks/the-birth-and-death....

tantalor

Yes! I was trying to search for this but I couldn't remember the name.

remram

WASM might replace processes, but the idea that people will take the stuff they can't manage to put in a native process, and somehow manage to cram it into WASM... ridiculous.

There's not even a single argument in there to support the clickbait title. We have containers, but "containers are annoying". WASM won't be annoying? Pray tell, how do you surmise that?

Docker too complicated? Build times too long? You believe WASM tools will be simpler and faster... why?