Wasm Builders 🧱

Connor Hicks for Suborbital

Posted on • Updated on

WebAssembly functions in OpenFaaS using Sat (Part 1)

If you're familiar with the open source serverless ecosystem, you've likely heard of OpenFaaS, a serverless platform for containers developed by Alex Ellis. It is designed to run automated workloads in a very simple manner, and allows deployment of containerized functions with a simple CLI and very little configuration.

OpenFaaS has been around for a while, and has a wonderful community around it. I wanted to show how to take advantage of WebAssembly's incredibly secure sandboxed execution environment, so I decided to get Sat working on the platform. Following Alex's guide and the Serverless for Everyone Else ebook, I was able to get WebAssembly running in faasd (the distribution of OpenFaaS that doesn't require Kubernetes) in no time.

To start, you'll need to get a faasd server up and running. I used the DigitalOcean + Terraform guide, but you can also follow along with the ebook linked above if you'd like a more thorough walkthrough.

I'll be using the sha256 function from my last post as the example function, so go through that < 5 minute guide first if you want to follow along here.

Once things got running, I created a new function based on the Dockerfile template using faas-cli:

faas new --lang dockerfile sha256
Enter fullscreen mode Exit fullscreen mode

And edited the Dockerfile to install Sat and copy the sha256.wasm module into the image:

FROM ghcr.io/openfaas/classic-watchdog:0.2.0 as watchdog
FROM suborbital/sat:v0.1.2 as sat
FROM alpine:3.12

RUN mkdir -p /home/app

COPY --from=watchdog /fwatchdog /usr/bin/fwatchdog
RUN chmod +x /usr/bin/fwatchdog

## Install Sat
COPY --from=sat /usr/local/bin/sat /usr/local/bin/sat

# Add non root user
RUN addgroup -S app && adduser app -S -G app
RUN chown app /home/app

WORKDIR /home/app

COPY ./sha256.wasm ./sha256.wasm

USER app

# Set Sat's stdin mode as the command to run
ENV fprocess="/usr/local/bin/sat --stdin ./sha256.wasm"

# Set to true to see request in function logs
ENV write_debug="true"


HEALTHCHECK --interval=3s CMD [ -e /tmp/.lock ] || exit 1

CMD ["fwatchdog"]
Enter fullscreen mode Exit fullscreen mode

Make sure you move sha256.wasm into the same directory as the Dockerfile so it can copy successfully!

As you can see, we use the suborbital/sat:v0.1.2 image to get the Sat executable, and then we COPY the Wasm module and set the fprocess environment variable to tell the "Function Watchdog" to call Sat (in stdin mode) for each incoming request. This is the simplest way to get something new running in OpenFaaS.

Part 2 of this series will take things further by building an HTTP-based Sat template for OpenFaaS with a more sophisticated application, so keep an eye out for that!

Once things are all set up, we build the function and push it to Docker Hub using faas-cli:

faas-cli publish -f ./sha256.yml --platforms linux/amd64
Enter fullscreen mode Exit fullscreen mode

NOTE: I'm using an M1 Mac, and my faasd server is running on an x86 DigitalOcean droplet, so I specified linux/amd64 to build a cross-platform container.

Once the build/publish command is complete, we can deploy the function to faasd:

faas-cli deploy -f ./sha256.yml
Enter fullscreen mode Exit fullscreen mode

And you should see something like this:

Deploying: sha256.
Function sha256 already exists, attempting rolling-update.

Deployed. 200 OK.
URL: https://faasd.cohix.ca/function/sat-sha256
Enter fullscreen mode Exit fullscreen mode

(and yes, that URL is live, so feel free to invoke the function... I'll leave it up for a few weeks)

Now that it's deployed, we can run the function with faas-cli or using curl:

curl -d 'hello world' https://faasd.cohix.ca/function/sat-sha256
Enter fullscreen mode Exit fullscreen mode

And that's all there is to it! Your WebAssembly functions can now live alongside scripts, native functions, and other services inside your OpenFaaS cluster. The security properties of WebAssembly combined with the performance of Sat and the ease of use of OpenFaaS makes this process a breeze, so you can ensure the security of your OpenFaaS applications are top-notch. Feel free to show off your functions, and look out for part 2 where we take things a step further with a more complex app and a higher-performance Sat template!

Top comments (2)

klindsay profile image
Kevin Lindsay

Interesting! I very much enjoyed discussing this on this week's OpenFaaS office hours!

aryank21 profile image
Aryan Kaushik