WASI network access example

[JMLX42]

Hello,

I am trying to use container2wasm to run a Linux VM inside wasmtime. Here is my code:

#[tokio::main]
async fn main() -> Result<(), Box<dyn Error>> {
    // Create a new Wasmtime engine and store with unit data.
    // Construct the wasm engine with async support enabled.
    let mut config = Config::new();
    config.async_support(true);
    let engine = Engine::new(&config)?;

    // Embed the WebAssembly module into the binary.
    let wasm_bytes = include_bytes!("../images/ubuntu:22.04.wasm");

    // Create a linker to link the WASI module.
    let mut linker: Linker<WasiP1Ctx> = Linker::new(&engine);
    preview1::add_to_linker_async(&mut linker, |t| t)?;

    // Create a WASI context and put it in a Store; all instances in the store
    // share this context. `WasiCtxBuilder` provides a number of ways to
    // configure what the target program will have access to.
    let wasi_ctx = WasiCtxBuilder::new()
        .inherit_stdio()
        .inherit_network()
        .socket_addr_check(|_, _| Box::pin(ready(true)))
        .allow_ip_name_lookup(true)
        .allow_tcp(true)
        .allow_udp(true)
        .build_p1();
    let mut store = Store::new(&engine, wasi_ctx);

    // Load the WebAssembly module from the embedded bytes.
    let module = Module::new(&engine, wasm_bytes)?;
    let func = linker
        .module_async(&mut store, "", &module)
        .await?
        .get_default(&mut store, "")?
        .typed::<(), ()>(&store)?;

    // Create an instance of the module with a mutable store.
    func.call_async(&mut store, ()).await?;

    Ok(())
}

It works great and I have access to a shell/prompt. But for some reason, network requests fail:

$ cargo run --release
    Finished `release` profile [optimized] target(s) in 0.07s
     Running `target/release/prositronic`
root@localhost:/# apt-get update
apt-get update
Ign:1 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:2 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:1 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:2 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:2 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:1 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Err:1 http://security.ubuntu.com/ubuntu jammy-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:2 http://archive.ubuntu.com/ubuntu jammy InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
root@localhost:/#

What am I missing?

[bjorn3]

container2wasm only supports networking through the use of a helper program c2w-net running on the host as native program: https://github.com/ktock/container2wasm/tree/main/examples/networking/wasi It looks like container2wasm targets wasip1 which only supports exposing a server over the network listening at a wasm runtime defined port (which c2w-net seems to take advantage of). You need wasip2 to be able to actually connect to arbitrary servers without a proxy like c2w-net.

[JMLX42]

@bjorn3 thank you for your quick response!

You need wasip2 to be able to actually connect to arbitrary servers

How do I do that? I thought my code was already already targeting preview2

[bjorn3]

Container2wasm doesn't use wasip2. You did have to ask the maintainer of container2wasm to add wasip2 support.

[JMLX42]

You did have to ask the maintainer of container2wasm to add wasip2 support.

@bjorn3 so you mean my code is fine and supports preview 2, but the loaded WASM module produced by container2wasm does not support preview2 ?

[bjorn3]

but the loaded WASM module produced by container2wasm does not support preview2 ?

Indeed. container2wasm produces wasip1 rather than wasip2 wasm modules.

so you mean my code is fine and supports preview 2

You need different code to load wasip1 and wasip2 modules. Your current code is correct for wasip1, but once container2wasm supports producing wasip2 modules, you will need some changes to load the wasip2 module.

[JMLX42]

you will need some changes to load the wasip2 module.

@bjorn3 are there any examples for wasip2?

[dicej]

This PR updates the WASI example in this repo to wasip2.

[alexcrichton]

It looks like Wasmtime is performing as-expected here and while there's perhaps follow-up items with tools like container2wasm I'm going to close this as I don't think there's anything to track on the Wasmtime side of things. If I'm wrong though let me know!