Conversation
|
Hi @leyao-daily, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
repokitteh-read-only
bot
added
the
deps
PiotrSikora
left a comment
PiotrSikora
left a comment
There was a problem hiding this comment.
Thank you for working on this. You're still missing:
- Wasm Runtime factory for WAMR (see:
source/extensions/wasm_runtime), - tests executed on the CI (see:
bazel.compile_time_optionsinci/do_ci.sh).
leyao-daily
force-pushed
the
main
branch
3 times, most recently
from
14643f7 to
b2be443
Compare
leyao-daily
force-pushed
the
main
branch
3 times, most recently
from
f0752b5 to
49f1de8
Compare
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
bazel/repository_locations.bzl
Outdated
| cpe = "cpe:2.3:a:webassembly_virtual_machine_project:webassembly_virtual_machine:*", | ||
| ), | ||
| com_github_wamr = dict( | ||
| project_name = "Webassembly Micro Runtime", |
There was a problem hiding this comment.
@PiotrSikora what's our end game here? Will we eventually bring every Wasm runtime into the Envoy OSS build? Do we need this or can we be opinionated?
My main worry here is the increase in build time in CI, security risk envelope, etc.
CC @envoyproxy/dependency-shepherds
There was a problem hiding this comment.
Those are good questions.
From Proxy-Wasm C++ Host's perspective, supporting any decent Wasm runtime is desireable, since they all have a bit different features, and most implement variants of Wasm C/C++ API, so both implementation and maintanance have relatively small cost.
From Envoy's perspective, it's definitely not neccessary, and we could be opinionated, but since those are optional alternatives, I don't think there are too many downsides, especially since the common logic is abstracted away.
Regarding build time - Wasm runtimes are updated once a month or once a quarter, and the alternative ones are built only in bazel.compile_time_options target, so their artifacts should be pretty much always cached, and the overhead shouldn't be much of an issue.
Regarding security risk - we could officially support only the default Wasm runtime (currently: V8), and be upfront that there won't be any security releases for other runtimes.
Regarding WAMR specifically, it has interpreted mode, and claims very small binary size overhead and low memory usage, so it might be more desirable in Envoy Mobile than V8, for example.
There was a problem hiding this comment.
OK, can we add to this PR a change to threat model https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model#core-and-extensions stating this explicitly?
I think this is a pretty important thing to get clear as we add more runtimes; we won't support anything other than V8 for now from a security perspective.
| name = "config", | ||
| srcs = ["config.cc"], | ||
| category = "envoy.wasm.runtime", | ||
| security_posture = "unknown", |
There was a problem hiding this comment.
Can we add a comment that "This may never change from unknown until the threat model at https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model#core-and-extensions is updated to capture additional Wasm runtimes". This should also be done for all other Wasm runtimes other than V8.
There was a problem hiding this comment.
So add an annotation above the unknown line to explain the meaning?
There was a problem hiding this comment.
Yes. Could you add that comment here and to Wasmtime and WAVM?
|
The PR is waiting for #16112 merging. |
repokitteh-read-only
bot
removed
the
deps
|
About the API change, what should I do to pass the check? |
Wait for one of the @envoyproxy/api-shepherds to approve. |
|
/lgtm api |
|
@leyao-daily this needs merge with master to resolve conflicts. @htuch @lizan could one of you please take a look at this PR? |
repokitteh-read-only
bot
added
the
deps
- generate llvm libraries list with "llvm-config --libnames" ``` $ llvm-config --version 10.0.0 $ llvm-config --libnames asmparser core debuginfodwarf engine lto mcparser mirparser orcjit passes runtimedyld support x86asmparser x86desc ``` - change WAMR default mode to JIT. - change to latest bytecodealliance/wasm-micro-runtime commits Signed-off-by: Liang He <liang.he@intel.com>
fix several comments
Signed-off-by: Le Yao <le.yao@intel.com>
|
/lgtm deps |
repokitteh-read-only
bot
removed
the
deps
Signed-off-by: Le Yao <le.yao@intel.com>
repokitteh-read-only
bot
added
the
deps
Signed-off-by: Le Yao <le.yao@intel.com>
Signed-off-by: Le Yao <le.yao@intel.com>
|
Once the CI/CD pass, I think this PR is ready to be merged. |
Signed-off-by: Le Yao <le.yao@intel.com>
repokitteh-read-only
bot
removed
the
deps
WebAssembly Micro Runtime (WAMR) is a standalone WebAssembly (WASM) runtime with a small footprint. It includes a few parts as below: The "iwasm" VM core, supporting WebAssembly interpreter, ahead of time compilation (AoT) and Just-in-Time compilation (JIT) The application framework and the supporting API's for the WASM applications The dynamic management of the WASM applications Risk Level: Medium Testing: Runtime unit testing, integration testing and manual testing Signed-off-by: Le Yao <le.yao@intel.com>
9 participants
Commit Message: Enabling WAMR(Webassembly Micro Runtime) as wasm runtime in Envoy
Additional Description:
Risk Level: Medium
Testing: Runtime unit testing, integration testing and manual testing
Docs Changes: N/A
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Deprecated:]
[Optional API Considerations:]