Spin 3.0 – open-source tooling for building and running WASM apps

Spin 3.0 – open-source tooling for building and running WASM apps(fermyon.com)

175 points by triplechill 1 year ago | 41 comments

simonw 1 year ago |

Does anyone know what the simplest possible recipe for running a Python script in a WASM sandbox using Spin is?

I basically want to do something like this:

    my-sandbox-cli-tool 'print("hello world")

And have the snippet of Python code I provide run inside a WebAssembly container that runs one of the Python compiled to WASM builds (https://github.com/brettcannon/cpython-wasi-build for example) - with a time limit and restrictions on memory usage, and file system access, and network access.

I am on a continued quest to figure out the cleanest way to achieve this, I have so many projects I would want to build on top of this capability!

ushakov 1 year ago | |

have you tried e2b.dev? it runs lightweight sandboxes using firecracker, python and third-party packages

disclaimer: i work there

simonw 1 year ago | | |

Is that something I can run on my own laptop? It says it's "open source" but the docs seem to be for client libraries that need an API key.

conroy 1 year ago | |

wasmtime works as long as you make sure to include the lib directory

    % wasmtime run --dir .::/ python.wasm -c 'print("hello world")'
    hello world

disclaimer: I run a code execution API service (https://riza.io/playground) that does this and more (HTTP, packages, etc.)

simonw 1 year ago | | |

Wow that's almost what I want.

    wget https://github.com/brettcannon/cpython-wasi-build/releases/download/v3.13.0/python-3.13.0-wasi_sdk-24.zip
    unzip python-3.13.0-wasi_sdk-24.zip
    wasmtime run --dir .::/ python.wasm -c 'print("hello world")'

So far so good! But... it looks like that --dir option mounts the current directory as both readable and writable:

    wasmtime run --dir .::/ python.wasm -c 'print(len(open("python.wasm", "rb").read()))'
    # Outputs 28775526

But malicious code can break the system like this:

    wasmtime run --dir .::/ python.wasm -c 'open("python.wasm", "wb").write(b"blah")'

And now it fails with an error if you try to run it because we over-wrote python.wasm. Even if I move python.wasm out of the current directory I'd still be able to break things by breaking those other lib files.

Although... I guess I could use unix filesystem permissions to make those read-only? That could work.

michaelmior 1 year ago | | |

s/disclaimer/shameless plug/ :P Nothing wrong with it, but not really a disclaimer.

avinassh 1 year ago | | |

> .::/

whats this magic

tholm 1 year ago |

Having worked heavily with gRPC before I like how syntactically similar WIT is to proto. Looks like its time to start experimenting more with web assembly component interop :).

barrrrald 1 year ago |

Component dependency is pretty wild and could massively simplify some complex apps

no_circuit 1 year ago | |

Yes, its great to see progress in the tooling [1] so that the component building is easier. Although I do like to think of the component model as the "ABI linking model". You can only bind one implementation to an interface import.

[1] https://developer.fermyon.com/spin/v3/writing-apps#declaring...

Onavo 1 year ago | |

You still need to cross the JS FFI boundary for wasm, I don't think WebAssembly has a specification for cross language FFI directly between WebAssembly languages.

rgrmrts 1 year ago | | |

Wasm components can talk to each other, you do not need the JS FFI boundary.

jauntywundrkind 1 year ago |

I really wish there were signs that maybe perhaps wasm components would be usable as such in the browser, sometime in the next handful of years. We have this whole amazing modular code system, but once again like with esm the browser gaps persist and drag on.

We finally in 2024 sort of have esm for workers, for example. But not import-maps, so the distributed esm modules aren't directly usable. This category of "making using the spec actually possible" problems tends to dwell for far too long alas.

euroderf 1 year ago |

I like the idea of CLI-first. But then could the tooling make it simple & convenient to run the exact same configuration in a browser ? With the choice of either (a) a shell-like prompt, or (b) an auto-generated basic GUI with the appropriate input widgets ?

VyseofArcadia 1 year ago |

Purple and green some to have become the colors of dev tooling. I'm seeing that color scheme everywhere.

triyambakam 1 year ago | |

I can see that at least Vite also uses those colors.

In part inspired by terminal colors but purple (instead of black) makes it feel more modern and sophisticated.

politelemon 1 year ago | | |

That's the neat thing about trends, the next wave of colours will always feel more modern and sophisticated.

rkunnamp 1 year ago |

Asking a question here that I long wanted to ask. Is it possible to have a python handler function that uses duckdb to query a S3 hosted parquet file and that uses pandas for some data manipulation, run as a WASM app? (leveraging all features of duckdb like predicate pushdown etc)

chrisjc 1 year ago | |

Maybe something like this? https://duckdb.org/2024/10/02/pyodide.html