If you're familiar with the open source serverless ecosystem, you've likely heard of OpenFaaS, a serverless platform for containers developed by Alex Ellis. It is designed to run automated workloads in a very simple manner, and allows deployment of containerized functions with a simple CLI and very little configuration.
OpenFaaS has been around for a while, and has a wonderful community around it. I wanted to show how to take advantage of WebAssembly's incredibly secure sandboxed execution environment, so I decided to get Sat working on the platform. Following Alex's guide and the Serverless for Everyone Else ebook, I was able to get WebAssembly running in faasd (the distribution of OpenFaaS that doesn't require Kubernetes) in no time.
To start, you'll need to get a faasd server up and running. I used the DigitalOcean + Terraform guide, but you can also follow along with the ebook linked above if you'd like a more thorough walkthrough.
I'll be using the sha256 function from my last post as the example function, so go through that < 5 minute guide first if you want to follow along here.
Once things got running, I created a new function based on the
Dockerfile template using
faas new --lang dockerfile sha256
And edited the Dockerfile to install Sat and copy the
sha256.wasm module into the image:
FROM ghcr.io/openfaas/classic-watchdog:0.2.0 as watchdog
FROM suborbital/sat:v0.1.2 as sat
RUN mkdir -p /home/app
COPY --from=watchdog /fwatchdog /usr/bin/fwatchdog
RUN chmod +x /usr/bin/fwatchdog
## Install Sat
COPY --from=sat /usr/local/bin/sat /usr/local/bin/sat
# Add non root user
RUN addgroup -S app && adduser app -S -G app
RUN chown app /home/app
COPY ./sha256.wasm ./sha256.wasm
# Set Sat's stdin mode as the command to run
ENV fprocess="/usr/local/bin/sat --stdin ./sha256.wasm"
# Set to true to see request in function logs
HEALTHCHECK --interval=3s CMD [ -e /tmp/.lock ] || exit 1
Make sure you move
sha256.wasminto the same directory as the Dockerfile so it can copy successfully!
As you can see, we use the
suborbital/sat:v0.1.2 image to get the Sat executable, and then we
COPY the Wasm module and set the
fprocess environment variable to tell the "Function Watchdog" to call Sat (in
stdin mode) for each incoming request. This is the simplest way to get something new running in OpenFaaS.
Part 2 of this series will take things further by building an HTTP-based Sat template for OpenFaaS with a more sophisticated application, so keep an eye out for that!
Once things are all set up, we build the function and push it to Docker Hub using
faas-cli publish -f ./sha256.yml --platforms linux/amd64
NOTE: I'm using an M1 Mac, and my faasd server is running on an x86 DigitalOcean droplet, so I specified
linux/amd64to build a cross-platform container.
Once the build/publish command is complete, we can deploy the function to faasd:
faas-cli deploy -f ./sha256.yml
And you should see something like this:
Function sha256 already exists, attempting rolling-update.
Deployed. 200 OK.
(and yes, that URL is live, so feel free to invoke the function... I'll leave it up for a few weeks)
Now that it's deployed, we can run the function with
faas-cli or using
curl -d 'hello world' https://faasd.cohix.ca/function/sat-sha256
And that's all there is to it! Your WebAssembly functions can now live alongside scripts, native functions, and other services inside your OpenFaaS cluster. The security properties of WebAssembly combined with the performance of Sat and the ease of use of OpenFaaS makes this process a breeze, so you can ensure the security of your OpenFaaS applications are top-notch. Feel free to show off your functions, and look out for part 2 where we take things a step further with a more complex app and a higher-performance Sat template!