[prev in list] [next in list] [prev in thread] [next in thread]
List: apache-httpd-dev
Subject: Re: mod_wasm: Contributing Upstream to Apache
From: Joe Schaefer <joe () sunstarsys ! com>
Date: 2023-07-07 20:16:52
Message-ID: CAFQGv+YH7hWNtwGOpPSDt9QZ6OReuapjwV_xOFCgacc3bTSKsQ () mail ! gmail ! com
[Download RAW message or body]
All good. Just didn't want to see needless delays in getting this stuff
incorporated while you build out the non-content handler mode for mod_wasm
that IMO will never be in big demand (if it were, mod_perl wouldn't be such
a stagnant community over the past two decades).
On Fri, Jul 7, 2023 at 4:07 PM Jesús González <jesusgm@vmware.com> wrote:
> Joe, thanks for your feedback!
>
>
>
> Just to make sure I understand this feedback, what you are mentioning is
> that exposing the internals of Apache diminishes the value of the sandbox
> because programs could potentially perform write operations into the
> internals of httpd state, tables, etc. Is that correct?
>
>
>
> If my understanding is correct, this should not be an issue:
>
>
>
> - The current incarnation of mod_wasm is implemented as a content-handler
> and does not have access to the internals of Apache or tables. All the
> information is passed through environment variables, similar to a
> traditional CGI binary, but running in the Wasm sandbox (so you can control
> tightly any access to filesystem, network, etc.).
>
>
>
> - The proposed changes to mod_wasm that enable writing Apache modules in
> other languages would expose the API, but that's the idea: to make it easy
> to build fully featured Apache modules using any language that can compile
> to Wasm (ie: Go, Python). Think of this as an ‘universal' polyglot version
> of mod_lua with added sandboxing capabilities.
>
>
>
> Which mode to use can be configured. You definitely don't want random
> users having access to the internals of httpd when serving their regular
> application (ie: Drupal).
>
>
>
> Having said all of this, regarding the read-only structs, a Wasm binary
> cannot access the host memory space. So, a pointer to an apr table in the
> httpd memory space cannot be dereferenced within the sandbox. There exist
> opaque reference types (ie: externref) to host objects that comply with
> WebAssembly sandboxing guarantees as explained in
> https://fitzgeraldnick.com/2020/08/27/reference-types-in-wasmtime.html.
> This is great in terms of security, but a drawback from a performance
> perspective. To manipulate data structs, either they are copied into the
> Wasm memory and copied back to the server, or we offer a set of limited
> interfaces to the Wasm binary to perform such actions. So yes, we believe
> your proposal of getting the apreq_* (ARP table-based) interfaces exposed
> as read-only data structures is doable and useful.
>
> Cheers!
>
>
>
> *De: *Joe Schaefer <joe@sunstarsys.com>
> *Fecha: *miércoles, 5 de julio de 2023, 4:59
> *Para: *dev@httpd.apache.org <dev@httpd.apache.org>
> *Asunto: *Re: mod_wasm: Contributing Upstream to Apache
>
> *!! External Email*
>
> The win with having an apr table api from httpd is that by sharing those
> tables in the sandbox, various programming languages will be able to
> interact with others without stealing the client form inputs.
>
>
>
> Even if you don't go that route, and just expose the form inputs on stdin
> in your app, users can always configure apreq's input filter to activate on
> the protocol filter chain before wasm activates. That way other modules
> still can access form input without breaking the Wasm app.
>
>
>
> On Tue, Jul 4, 2023 at 10:48 PM Joe Schaefer <joe@sunstarsys.com> wrote:
>
> The more of the API you expose, the less value the sandbox has to end
> users. For Webapps, easy read/search / write/ iterate is essential. But
> also form data; which apreq stores in readonly apr tables.
>
>
>
> Joe Schaefer, Ph.D
>
> <joe@sunstarsys.com>
>
> +1 (954) 253-3732
>
> SunStar Systems, Inc.
>
> *Orion - The Enterprise Jamstack Wiki*
>
>
> ------------------------------
>
> *From:* Jesús González <jesusgm@vmware.com>
> *Sent:* Monday, July 3, 2023 8:49:33 AM
> *To:* dev@httpd.apache.org <dev@httpd.apache.org>
> *Subject:* Re: mod_wasm: Contributing Upstream to Apache
>
>
>
> Hola!
>
> mod_wasm v0.12.1
> <https://github.com/vmware-labs/mod_wasm/releases/tag/v0.12.1> is now
> available!
>
> This maintenance release bumps Wasmtime to 10.0.1, including preliminary
> support for WASI preview 2 among other improvements and fixes.
>
> Best,
> Jesús
>
>
>
> *De: *Jesús González <jesusgm@vmware.com>
> *Fecha: *viernes, 2 de junio de 2023, 19:09
> *Para: *dev@httpd.apache.org <dev@httpd.apache.org>
> *Asunto: *Re: mod_wasm: Contributing Upstream to Apache
>
> Thanks Joe for your encouragement! And yes, your feedback was what
> inspired us to expand mod_wasm in this direction.
>
> In the demo from my colleague Asen, we expose three wrapper functions to
> WebAssembly get_header, set_header, delete_header, that internally make use
> of apr_table_get, apr_table_set and apr_table_unset with the incoming
> request headers (r->headers_in). This shows read and write capabilities
> from a Wasm binary using internal Apache APIs. Is this what you are
> referring to with exposing apreq_*?
>
> Limiting to read-only (ie: just get_header) implies that some
> functionality that is possible with other extension modules (mod_headers,
> mod_perl, mod_lua, etc.) won't be available in mod_wasm. We would love to
> know more about those concerns, so we can understand better how to develop
> mod_wasm in a way that both allows you to develop fully capable modules but
> still address any concerns you may have.
>
> BTW, here is a recent article showing how mod_wasm can help mitigating
> vulnerabilities
> https://wasmlabs.dev/articles/mitigating-php-vulnerabilities-with-webassembly/,
> proving how it adds an extra layer of security to traditional applications.
>
> Looking forward to your feedback.
>
> *De: *Joe Schaefer <joe@sunstarsys.com>
> *Fecha: *jueves, 1 de junio de 2023, 22:16
> *Para: *dev@httpd.apache.org <dev@httpd.apache.org>
> *Asunto: *Re: mod_wasm: Contributing Upstream to Apache
>
> *!! External Email*
>
> Huge fan, love that you are receptive to my feedback. If you get to the
> point where the apreq_* (APR table-based) interfaces in trunk can be
> exposed as read-only data structures in mod_wasm as an optional API for
> power httpd users that like the sandboxed functionality you get OOTB, that
> would justify a lot of the more conservative concerns that some devs have
> for not putting incorporating this into the trunk codebase, which would be
> my recommendation at that point for how to get it into a releasable tree at
> some point.
>
>
>
>
>
> On Tue, May 30, 2023 at 8:42 AM José Carlos Chávez <jcchavezs@apache.org>
> wrote:
>
> I think not making WASM a first class concern in a proxy or server is
> missing out, more so in those platforms where extensibility isn't trivial.
> Apache will remain running in current setups but having limited
> extensibility is something concerning these days as systems are getting
> more and more complex. Writing an apache module isn't something you do
> every day and it probably takes quite some time, writing a wasm app
> following certain ABI is something you can do in minutes, hence supporting
> mod_wasm as a first class concern could be a good point in the
> sustainability of an ecosystem when it comes to moving forward out of the
> status quo.
>
> On 2022/11/14 06:37:34 Jesús González wrote:
> > Hi everyone,
> >
> >
> >
> > I'm Jesús González, and I am part of VMware's Wasm Labs: wasmlabs.dev<
> https://wasmlabs.dev/>, a group focused on creating open source tools for
> WebAssembly.
> >
> > We have created mod_wasm, an Apache module for running WebAssembly
> binaries inside httpd, and we would like to contribute it upstream. Please
> see below for more details. We would love to get your feedback and
> understand what improvements would be needed (if any) before it could be
> considered for contribution to the project.
> >
> >
> >
> >
> >
> > The details:
> >
> >
> >
> > WebAssembly<https://webassembly.org/> (Wasm) is a new binary
> instruction format that is open, portable, efficient, secure, and polyglot.
> It originated in the browser but is increasingly used in server
> applications, in particular NGINX, Apache APISIX, Istio provide Wasm-based
> plugin support (i.e.: https://apisix.apache.org/docs/apisix/wasm/).
> >
> >
> >
> > mod_wasm is a way to run WebAssembly modules inside Apache Server. This
> is similar to how mod_php embeds a PHP runtime to run PHP code. This
> enables any language that supports WebAssembly (including C++, Rust, Go but
> also Python, PHP, Ruby) to run with mod_wasm and take advantage of the
> extra level of security and sandboxing. To learn more about mod_wasm you
> can check out the following resources:
> >
> > * An overview article<https://wasmlabs.dev/articles/apache-mod-wasm/>
> for the original release.
> > * We presented mod_wasm at ApacheCon this year and here are the
> slides<
> https://apachecon.com/acna2022/slides/01_Gonz%c3%a1lez_mod-wasm_Bringing_WebAssembly.pdf
> <https://apachecon.com/acna2022/slides/01_Gonz%C3%A1lez_mod-wasm_Bringing_WebAssembly.pdf>>
> and the source code: https://github.com/vmware-labs/mod_wasm.
> > * CNCF Talk on mod_wasm showcasing how to run WordPress:
> https://www.youtube.com/watch?v=jXe8kulUscQ
> >
> >
> >
> > In terms of mod_wasm architecture, the module is split into two parts:
> >
> > * mod_wasm.so is the extension module for Apache and it's written in
> C.
> > * An external dependency: libwasm_runtime.so, which is written in
> Rust and needs to be installed into the system.
> >
> >
> >
> > We modelled this after mod_tls, a module that is part of httpd and also
> has a Rust dependency.
> >
> > You can take a look at the architecture diagram and instructions on how
> to build the module here:
> https://github.com/vmware-labs/mod_wasm#%EF%B8%8F-building-mod_wasm
> >
> >
> >
> > In terms of the actual contribution, please find a patch attached. We
> tried to follow all existing conventions in terms of autoconf/automake,
> providing module documentation, etc. Please let us know anything that you
> see missing or could be improved. In particular, we do not know yet if it
> is better to keep the Rust code separate, as an external dependency (like
> mod_tls does) or in the Apache source code repository.
> >
> >
> >
> > In summary, we believe mod_wasm is a worthy addition to httpd and it
> will allow us to catch up to some of the other web servers already
> supporting Wasm, like NGINX. We were encouraged by Rich Bowen, Jim
> Jagielski and Jean-Frederic Clere to submit it for contribution upstream
> and we are looking forward to your feedback.
> >
> >
> >
> > Cheers!
> >
> > Jesús
> >
> >
> >
> >
> >
>
>
>
> *!! External Email:* This email originated from outside of the
> organization. Do not click links or open attachments unless you recognize
> the sender.
>
>
>
> --
>
> Joe Schaefer, Ph.D.
>
> [image: Imagen quitada por el remitente.]
> <https://sunstarsys.com/orion/features>
>
> Orion - The Enterprise Jamstack Wiki
> <https://sunstarsys.com/orion/features>
>
> <joe@sunstarsys.com>
>
> 954.253.3732 <//954.253.3732>
>
>
>
>
>
--
Joe Schaefer, Ph.D.
<https://sunstarsys.com/orion/features>
Orion - The Enterprise Jamstack Wiki <https://sunstarsys.com/orion/features>
<joe@sunstarsys.com>
954.253.3732 <//954.253.3732>
[Attachment #3 (text/html)]
<div dir="auto">All good. Just didn't want to see needless delays in getting this \
stuff incorporated while you build out the non-content handler mode for mod_wasm that \
IMO will never be in big demand (if it were, mod_perl wouldn't be such a stagnant \
community over the past two decades).</div><div><br><div class="gmail_quote"><div \
dir="ltr" class="gmail_attr">On Fri, Jul 7, 2023 at 4:07 PM Jesús González <<a \
href="mailto:jesusgm@vmware.com">jesusgm@vmware.com</a>> \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 \
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="ES" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="m_6697398234889284735WordSection1">
<p class="MsoNormal"><span lang="EN-US">Joe, thanks for your \
feedback!<u></u><u></u></span></p> <p class="MsoNormal"><span lang="EN-US"><u></u> \
<u></u></span></p> <p class="MsoNormal"><span lang="EN-US">Just to make sure I \
understand this feedback, what you are mentioning is that exposing the internals of \
Apache diminishes the value of the sandbox because programs could potentially \
perform write operations into the internals of httpd state, tables, etc. Is that \
correct?<u></u><u></u></span></p> <p class="MsoNormal"><span lang="EN-US"><u></u> \
<u></u></span></p> <p class="MsoNormal"><span lang="EN-US">If my understanding is \
correct, this should not be an issue:<u></u><u></u></span></p> <p \
class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p> <p \
class="MsoNormal"><span lang="EN-US">- The current incarnation of mod_wasm is \
implemented as a content-handler and does not have access to the internals of Apache \
or tables. All the information is passed through environment variables, similar to a \
traditional CGI binary, but running in the Wasm sandbox (so you can control tightly \
any access to filesystem, network, etc.).<u></u><u></u></span></p> <p \
class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p> <p \
class="MsoNormal"><span lang="EN-US">- The proposed changes to mod_wasm that enable \
writing Apache modules in other languages would expose the API, but that's the idea: \
to make it easy to build fully featured Apache modules using any language that can \
compile to Wasm (ie: Go, Python). Think of this as an ‘universal' polyglot version \
of mod_lua with added sandboxing capabilities.<u></u><u></u></span></p> <p \
class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p> <p \
class="MsoNormal"><span lang="EN-US">Which mode to use can be configured. You \
definitely don't want random users having access to the internals of httpd when \
serving their regular application (ie: Drupal).<u></u><u></u></span></p> <p \
class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p> <p \
class="MsoNormal"><span lang="EN-US">Having said all of this, regarding the read-only \
structs, a Wasm binary cannot access the host memory space. So, a pointer to an apr \
table in the httpd memory space cannot be dereferenced within the sandbox. There \
exist opaque reference types (ie: externref) to host objects that comply with \
WebAssembly sandboxing guarantees as explained in </span><span><a \
href="https://fitzgeraldnick.com/2020/08/27/reference-types-in-wasmtime.html" \
target="_blank"><span \
lang="EN-US">https://fitzgeraldnick.com/2020/08/27/reference-types-in-wasmtime.html</span></a></span><span \
lang="EN-US">. This is great in terms of security, but a drawback from a performance \
perspective. To manipulate data structs, either they are copied into the Wasm memory \
and copied back to the server, or we offer a set of limited interfaces to the Wasm \
binary to perform such actions. So yes, we believe your proposal of getting the \
apreq_* (ARP table-based) interfaces exposed as read-only data structures is doable \
and useful.<br> <br>
Cheers!<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<div id="m_6697398234889284735mail-editor-reference-message-container">
<div></div></div></div></div><div lang="ES" link="blue" vlink="purple" \
style="word-wrap:break-word"><div class="m_6697398234889284735WordSection1"><div \
id="m_6697398234889284735mail-editor-reference-message-container"><div> <div \
style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"> <p \
class="MsoNormal" style="margin-bottom:12.0pt"><b><span \
style="font-size:12.0pt;color:black">De: </span></b><span \
style="font-size:12.0pt;color:black">Joe Schaefer <<a \
href="mailto:joe@sunstarsys.com" target="_blank">joe@sunstarsys.com</a>><br> \
<b>Fecha: </b>miércoles, 5 de julio de 2023, 4:59<br> <b>Para: </b><a \
href="mailto:dev@httpd.apache.org" target="_blank">dev@httpd.apache.org</a> <<a \
href="mailto:dev@httpd.apache.org" target="_blank">dev@httpd.apache.org</a>><br> \
<b>Asunto: </b>Re: mod_wasm: Contributing Upstream to Apache<u></u><u></u></span></p> \
</div> <table border="0" cellspacing="0" cellpadding="0" align="left" width="100%" \
style="width:100.0%"> <tbody>
<tr>
<td style="background:#fdc591;padding:3.75pt 1.5pt 3.75pt 1.5pt"></td>
<td width="100%" style="width:100.0%;background:#fff8f0;padding:3.75pt 3.0pt 3.75pt \
9.0pt"> <div>
<p class="MsoNormal">
<b><span style="font-size:10.5pt;font-family:Metropolis;color:#444444">!! External \
Email</span></b><span style="font-size:10.5pt;font-family:Metropolis;color:black"> \
</span><span style="font-size:10.5pt;font-family:Metropolis"><u></u><u></u></span></p>
</div>
</td>
</tr>
</tbody>
</table>
</div></div></div></div><div lang="ES" link="blue" vlink="purple" \
style="word-wrap:break-word"><div class="m_6697398234889284735WordSection1"><div \
id="m_6697398234889284735mail-editor-reference-message-container"><div><div></div></div></div></div></div><div \
lang="ES" link="blue" vlink="purple" style="word-wrap:break-word"><div \
class="m_6697398234889284735WordSection1"><div \
id="m_6697398234889284735mail-editor-reference-message-container"><div><div> <div>
<p class="MsoNormal">The win with having an apr table api from httpd is that by \
sharing those tables in the sandbox, various programming languages will be able to \
interact with others without stealing the client form inputs.<u></u><u></u></p> \
</div> <div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Even if you don't go that route, and just expose the form inputs \
on stdin in your app, users can always configure apreq's input filter to activate on \
the protocol filter chain before wasm activates. That way other modules still can \
access form input without breaking the Wasm app.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Tue, Jul 4, 2023 at 10:48 PM Joe Schaefer <<a \
href="mailto:joe@sunstarsys.com" target="_blank">joe@sunstarsys.com</a>> \
wrote:<u></u><u></u></p> </div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm \
6.0pt;margin-left:4.8pt;margin-right:0cm"> <div>
<div>
<div>
<div>
<p class="MsoNormal">The more of the API you expose, the less value the sandbox has \
to end users. For Webapps, easy read/search / write/ iterate is essential. But \
also form data; which apreq stores in readonly apr tables.<u></u><u></u></p> </div>
</div>
<div id="m_6697398234889284735m_5979846040694427110ms-outlook-mobile-signature">
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">Joe Schaefer, Ph.D<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><<a href="mailto:joe@sunstarsys.com" \
target="_blank">joe@sunstarsys.com</a>><u></u><u></u></p> </div>
<div>
<p class="MsoNormal">+1 (954) 253-3732<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">SunStar Systems, Inc.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><i>Orion - The Enterprise Jamstack Wiki</i><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="0" width="100%" align="center">
</div>
<div id="m_6697398234889284735m_5979846040694427110divRplyFwdMsg">
<p class="MsoNormal"><b><span style="color:black">From:</span></b><span \
style="color:black"> Jesús González <<a href="mailto:jesusgm@vmware.com" \
target="_blank">jesusgm@vmware.com</a>><br> <b>Sent:</b> Monday, July 3, 2023 \
8:49:33 AM<br> <b>To:</b> <a href="mailto:dev@httpd.apache.org" \
target="_blank">dev@httpd.apache.org</a> <<a href="mailto:dev@httpd.apache.org" \
target="_blank">dev@httpd.apache.org</a>><br> <b>Subject:</b> Re: mod_wasm: \
Contributing Upstream to Apache</span> <u></u><u></u></p> <div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p><span lang="EN-US" \
style="font-size:8.5pt;font-family:"Verdana",sans-serif;color:#333333;background:white">Hola!</span><span \
lang="EN-US" style="font-size:8.5pt;font-family:"Verdana",sans-serif;color:#333333"><br>
<br>
<span style="background:white"><a \
href="https://github.com/vmware-labs/mod_wasm/releases/tag/v0.12.1" \
target="_blank">mod_wasm v0.12.1</a> is now available!</span><br> <br>
<span style="background:white">This maintenance release bumps Wasmtime to 10.0.1, \
including preliminary support for WASI preview 2 among other improvements and \
fixes.</span><br> <br>
</span><span style="font-size:8.5pt;font-family:"Verdana",sans-serif;color:#333333;background:white">Best,</span><span \
style="font-size:8.5pt;font-family:"Verdana",sans-serif;color:#333333"><br> \
<span style="background:white">Jesús</span></span><u></u><u></u></p> <p> \
<u></u><u></u></p> <div \
id="m_6697398234889284735m_5979846040694427110x_mail-editor-reference-message-container">
<div>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm \
0cm;border-color:currentcolor currentcolor"> <p style="margin-bottom:12.0pt"><b><span \
style="font-size:12.0pt;color:black">De: </span></b><span \
style="font-size:12.0pt;color:black">Jesús González <<a \
href="mailto:jesusgm@vmware.com" target="_blank">jesusgm@vmware.com</a>><br> \
<b>Fecha: </b>viernes, 2 de junio de 2023, 19:09<br> <b>Para: </b><a \
href="mailto:dev@httpd.apache.org" target="_blank">dev@httpd.apache.org</a> <<a \
href="mailto:dev@httpd.apache.org" target="_blank">dev@httpd.apache.org</a>><br> \
<b>Asunto: </b>Re: mod_wasm: Contributing Upstream to Apache</span><u></u><u></u></p> \
</div> <p style="margin-bottom:12.0pt"><span lang="EN-US">Thanks Joe for your \
encouragement! And yes, your feedback was what inspired us to expand mod_wasm in this \
direction.<br> <br>
In the demo from my colleague Asen, we expose three wrapper functions to WebAssembly \
get_header, set_header, delete_header, that internally make use of apr_table_get, \
apr_table_set and apr_table_unset with the incoming request headers \
(r->headers_in). This shows read and write capabilities from a Wasm binary using \
internal Apache APIs. Is this what you are referring to with exposing apreq_*?<br> \
<br> Limiting to read-only (ie: just get_header) implies that some functionality that \
is possible with other extension modules (mod_headers, mod_perl, mod_lua, etc.) won't \
be available in mod_wasm. We would love to know more about those concerns, so we can \
understand better how to develop mod_wasm in a way that both allows you to develop \
fully capable modules but still address any concerns you may have.<br> <br>
BTW, here is a recent article showing how mod_wasm can help mitigating \
vulnerabilities <a href="https://wasmlabs.dev/articles/mitigating-php-vulnerabilities-with-webassembly/" \
target="_blank"> https://wasmlabs.dev/articles/mitigating-php-vulnerabilities-with-webassembly/</a>, \
proving how it adds an extra layer of security to traditional applications.<br> <br>
Looking forward to your feedback.<br>
<br>
</span><u></u><u></u></p>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm \
0cm;border-color:currentcolor currentcolor"> <p style="margin-bottom:12.0pt"><b><span \
style="font-size:12.0pt;color:black">De: </span></b><span \
style="font-size:12.0pt;color:black">Joe Schaefer <<a \
href="mailto:joe@sunstarsys.com" target="_blank">joe@sunstarsys.com</a>><br> \
<b>Fecha: </b>jueves, 1 de junio de 2023, 22:16<br> <b>Para: </b><a \
href="mailto:dev@httpd.apache.org" target="_blank">dev@httpd.apache.org</a> <<a \
href="mailto:dev@httpd.apache.org" target="_blank">dev@httpd.apache.org</a>><br> \
<b>Asunto: </b>Re: mod_wasm: Contributing Upstream to Apache</span><u></u><u></u></p> \
</div> <table border="0" cellspacing="0" cellpadding="0" align="left" width="100%" \
style="width:100.0%"> <tbody>
<tr>
<td style="background:#fdc591;padding:3.75pt 1.5pt 3.75pt 1.5pt">
</td>
<td width="100%" style="width:100.0%;background:#fff8f0;padding:3.75pt 3.0pt 3.75pt \
9.0pt"> <div>
<p>
<b><span style="font-size:10.5pt;font-family:Metropolis;color:#444444">!! External \
Email</span></b><span style="font-size:10.5pt;font-family:Metropolis;color:black"> \
</span><span style="font-size:10.5pt;font-family:Metropolis"><u></u><u></u></span></p>
</div>
</td>
</tr>
</tbody>
</table>
<div>
<div>
<p>Huge fan, love that you are receptive to my feedback. If you get to the point \
where the apreq_* (APR table-based) interfaces in trunk can be exposed as read-only \
data structures in mod_wasm as an optional API for power httpd users that like the \
sandboxed functionality you get OOTB, that would justify a lot of the more \
conservative concerns that some devs have for not putting incorporating this into the \
trunk codebase, which would be my recommendation at that point for how to get it into \
a releasable tree at some point. <u></u><u></u></p>
<div>
<p> <u></u><u></u></p>
</div>
</div>
<p> <u></u><u></u></p>
<div>
<div>
<p>On Tue, May 30, 2023 at 8:42 AM José Carlos Chávez <<a \
href="mailto:jcchavezs@apache.org" target="_blank">jcchavezs@apache.org</a>> \
wrote:<u></u><u></u></p> </div>
<blockquote style="border:none;border-left:solid windowtext 1.0pt;padding:0cm 0cm 0cm \
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt;border-color:currentcolor \
currentcolor currentcolor rgb(204,204,204)"> <p>I think not making WASM a first class \
concern in a proxy or server is missing out, more so in those platforms where \
extensibility isn't trivial. Apache will remain running in current setups but \
having limited extensibility is something concerning these days as systems are \
getting more and more complex. Writing an apache module isn't something you do \
every day and it probably takes quite some time, writing a wasm app following certain \
ABI is something you can do in minutes, hence supporting mod_wasm as a first class \
concern could be a good point in the sustainability of an ecosystem when it comes to \
moving forward out of the status quo.<br> <br>
On 2022/11/14 06:37:34 Jesús González wrote:<br>
> Hi everyone,<br>
> <br>
> <br>
> <br>
> I'm Jesús González, and I am part of VMware's Wasm Labs: <a \
href="http://wasmlabs.dev/" target="_blank"> wasmlabs.dev</a><<a \
href="https://wasmlabs.dev/" target="_blank">https://wasmlabs.dev/</a>>, a group \
focused on creating open source tools for WebAssembly.<br> > <br>
> We have created mod_wasm, an Apache module for running WebAssembly binaries \
inside httpd, and we would like to contribute it upstream. Please see below for more \
details. We would love to get your feedback and understand what improvements would be \
needed (if any) before it could be considered for contribution to the project.<br>
> <br>
> <br>
> <br>
> <br>
> <br>
> The details:<br>
> <br>
> <br>
> <br>
> WebAssembly<<a href="https://webassembly.org/" \
target="_blank">https://webassembly.org/</a>> (Wasm) is a new binary instruction \
format that is open, portable, efficient, secure, and polyglot. It originated in the \
browser but is increasingly used in server applications, in particular NGINX, Apache \
APISIX, Istio provide Wasm-based plugin support (i.e.: <a \
href="https://apisix.apache.org/docs/apisix/wasm/" \
target="_blank">https://apisix.apache.org/docs/apisix/wasm/</a>).<br> > <br>
> <br>
> <br>
> mod_wasm is a way to run WebAssembly modules inside Apache Server. This is \
similar to how mod_php embeds a PHP runtime to run PHP code. This enables any \
language that supports WebAssembly (including C++, Rust, Go but also Python, PHP, \
Ruby) to run with mod_wasm and take advantage of the extra level of security and \
sandboxing. To learn more about mod_wasm you can check out the following \
resources:<br> > <br>
> * An overview article<<a \
href="https://wasmlabs.dev/articles/apache-mod-wasm/" \
target="_blank">https://wasmlabs.dev/articles/apache-mod-wasm/</a>> for the \
original release.<br> > * We presented mod_wasm at ApacheCon this year and \
here are the slides<<a \
href="https://apachecon.com/acna2022/slides/01_Gonz%C3%A1lez_mod-wasm_Bringing_WebAssembly.pdf" \
target="_blank">https://apachecon.com/acna2022/slides/01_Gonz%c3%a1lez_mod-wasm_Bringing_WebAssembly.pdf</a>>
and the source code: <a href="https://github.com/vmware-labs/mod_wasm" \
target="_blank"> https://github.com/vmware-labs/mod_wasm</a>.<br>
> * CNCF Talk on mod_wasm showcasing how to run WordPress: <a \
href="https://www.youtube.com/watch?v=jXe8kulUscQ" target="_blank"> \
https://www.youtube.com/watch?v=jXe8kulUscQ</a><br> > <br>
> <br>
> <br>
> In terms of mod_wasm architecture, the module is split into two parts:<br>
> <br>
> * mod_wasm.so is the extension module for Apache and it's written in \
C.<br> > * An external dependency: libwasm_runtime.so, which is written in \
Rust and needs to be installed into the system.<br> > <br>
> <br>
> <br>
> We modelled this after mod_tls, a module that is part of httpd and also has a \
Rust dependency.<br> > <br>
> You can take a look at the architecture diagram and instructions on how to build \
the module here: <a href="https://github.com/vmware-labs/mod_wasm#%EF%B8%8F-building-mod_wasm" \
target="_blank"> https://github.com/vmware-labs/mod_wasm#%EF%B8%8F-building-mod_wasm</a><br>
> <br>
> <br>
> <br>
> In terms of the actual contribution, please find a patch attached. We tried to \
follow all existing conventions in terms of autoconf/automake, providing module \
documentation, etc. Please let us know anything that you see missing or could be \
improved. In particular, we do not know yet if it is better to keep the Rust code \
separate, as an external dependency (like mod_tls does) or in the Apache source code \
repository.<br> > <br>
> <br>
> <br>
> In summary, we believe mod_wasm is a worthy addition to httpd and it will allow \
us to catch up to some of the other web servers already supporting Wasm, like NGINX. \
We were encouraged by Rich Bowen, Jim Jagielski and Jean-Frederic Clere to submit it \
for contribution upstream and we are looking forward to your feedback.<br>
> <br>
> <br>
> <br>
> Cheers!<br>
> <br>
> Jesús<br>
> <br>
> <br>
> <br>
> <br>
> <u></u><u></u></p>
</blockquote>
</div>
</div>
<p> <u></u><u></u></p>
<table border="0" cellspacing="0" cellpadding="0" align="left" width="100%" \
style="width:100.0%"> <tbody>
<tr>
<td style="background:#fdc591;padding:3.75pt 1.5pt 3.75pt 1.5pt">
</td>
<td width="100%" style="width:100.0%;background:#fff8f0;padding:3.75pt 3.0pt 3.75pt \
9.0pt"> <div>
<p>
<b><span style="font-size:10.5pt;font-family:Metropolis;color:#444444">!! External \
Email:</span></b><span style="font-size:10.5pt;font-family:Metropolis;color:black"> \
This email originated from outside of the organization. Do not click links or open \
attachments unless you recognize the sender. </span><span \
style="font-size:10.5pt;font-family:Metropolis"><u></u><u></u></span></p> </div>
</td>
</tr>
</tbody>
</table>
<p> <u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<p class="MsoNormal"><span class="m_6697398234889284735gmailsignatureprefix">-- \
</span><u></u><u></u></p> </div></div></div></div></div><div lang="ES" link="blue" \
vlink="purple" style="word-wrap:break-word"><div \
class="m_6697398234889284735WordSection1"><div \
id="m_6697398234889284735mail-editor-reference-message-container"><div><div><div> \
<div> <p class="MsoNormal">Joe Schaefer, Ph.D. <u></u><u></u></p>
<div>
<p class="MsoNormal"><a href="https://sunstarsys.com/orion/features" \
target="_blank"><span style="color:windowtext;text-decoration:none"><span \
style="color:blue;border:solid windowtext 1.0pt;padding:0cm"><img border="0" \
width="32" height="32" style="width:.3333in;height:.3333in" \
id="m_6697398234889284735_x0000_i1025" alt="Imagen quitada por el \
remitente."></span></span></a><u></u><u></u></p> </div>
<div>
<p class="MsoNormal"><a href="https://sunstarsys.com/orion/features" \
target="_blank">Orion - The Enterprise Jamstack Wiki</a><u></u><u></u></p> </div>
<div>
<div>
<div>
<p class="MsoNormal"><<a href="mailto:joe@sunstarsys.com" \
target="_blank">joe@sunstarsys.com</a>><u></u><u></u></p> </div>
<div>
<p class="MsoNormal"><a href="tel://954.253.3732" \
target="_blank">954.253.3732</a><u></u><u></u></p> </div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></div></div><span class="gmail_signature_prefix">-- </span><br><div \
dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Joe \
Schaefer, Ph.D.<div></div><div><a href="https://sunstarsys.com/orion/features" \
target="_blank"><img \
src="https://ci3.googleusercontent.com/mail-sig/AIorK4znBF_TAme6pCiav9cgwbIEHDJwyXb2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3HBrV6fAW1Hn4"></a></div><div><a \
href="https://sunstarsys.com/orion/features" target="_blank">Orion - The Enterprise \
Jamstack Wiki</a><br></div><div><div><div><<a href="mailto:joe@sunstarsys.com" \
target="_blank">joe@sunstarsys.com</a>></div><div><a href="tel://954.253.3732" \
target="_blank">954.253.3732</a></div><div><br></div><div><br></div></div></div></div></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic