forkkit / tsavola-gate

This project forked from gate-computer/gate

Benign remote code execution

Home Page: https://www.gate.computer

License: BSD 3-Clause "New" or "Revised" License

C++ 1.34% Makefile 1.43% C 12.31% Assembly 3.85% Go 75.90% JavaScript 0.51% Python 0.36% HTML 0.15% WebAssembly 4.16%

Gate

Run untrusted code from anonymous sources. Instead of sending messages composed of passive data, send programs which can react to their environment. Migrate or duplicate running applications across hosts and computer architectures. See Introduction to Gate.

Foundations

WebAssembly is the interchange format of the user programs. However, the APIs are different from the browsers' usual WebAssembly environments. See low-level C API or the higher-level Rust crate for details.

The sandboxing and containerization features of the Linux kernel provide layers of security in addition to WebAssembly. See Security for details.

Gate services are akin to syscalls, but they work differently. New services can be added easily, and available services are discovered at run time. See Service implementation for details.

Building blocks

Gate appears as Go packages and programs. The execution mechanism is implemented in C and assembly, and needs to be built separately (see below). It's highly Linux-dependent. x86-64 and ARM64 are supported.

Important Go packages:

  • wag: The WebAssembly compiler (implemented in a separate repository).

  • gate/runtime: Core functionality. Interface to the execution mechanism.

  • gate/image: Low-level executable building and instance management.

  • gate/build: High-level executable building and snapshot restoration.

  • gate/server/webserver: HTTP server component which executes your code on purpose. It has a RESTful API, but some actions can also be invoked via WebSocket.

  • gate/service: Service implementation support and built-in services.

Programs:

  • gate: Command-line client. Uses SSH keys (ed25519) for authentication.

  • gate-server: Standalone HTTP server with the built-in and plugged-in services.

  • gate-run: Run your programs locally, with the built-in and plugged-in services.

  • gate-runtimed: For optionally preconfiguring the execution environment, e.g. as a system service.

See the complete list of Go packages.

Objectives

While code is data, most of the time data cannot be treated as code for safety reasons. Change that at the Internet level. Data encapsulated in code can describe and transform itself.

Application portability. Migrate processes between mobile devices and servers when circumstances change: user presence, resource availability or demand, continuity etc.

Overhead needs to be low enough so that the system can be practical. Low startup latency for request processing. Low memory overhead for high density of continually running programs.

Work in progress

  • Linux x86-64 host support
  • Android host support
  • Support for WebAssembly version 1
  • Planned security measures have been implemented
  • HTTP server for running programs
  • Client can communicate with the program it runs on the server
  • Speculative execution security issue mitigations
  • Pluggable authentication
  • Load programs from IPFS
  • Reconnect to program instance
  • Snapshot
  • Restore
  • Programs can discover and communicate with their peers on a server
  • Full ARM64 host support
  • milestone/1
  • Clone programs locally or remotely (with or without snapshotting)
  • milestone/2
  • Expose program instance at some type of internet endpoint to implement ad-hoc servers
  • Mechanism for implementing services in a programmer-friendly way
  • Useful resource control policies need more thought (cgroup configuration etc.)
  • Stable APIs
  • Additional security measures (such as a SELinux profile)
  • Non-Linux host support

User program support:

  • Low-level C API
  • Rust support
  • Improved Rust support
  • Go support
  • Approach for splitting WebAssembly app between browser (UI) and server (state)

Build requirements

The non-Go components can be built with make. They require:

  • Linux
  • musl-tools (musl-gcc), unless the CC make variable is overridden
  • pkg-config
  • uidmap (shadow-utils)
  • protobuf-compiler
  • libc-dev
  • libsystemd-dev, unless CGROUP_BACKEND=none is specified for make

make bin builds the programs using the Go 1.11 module mechanism. (Individual packages may be buildable with older Go versions.)

Additional requirements for make check:

  • libgtest-dev
  • python

Other make targets: benchmark install install-apparmor install-lib install-bin install-capabilities install-lib-apparmor install-lib-capabilities

The capabilities targets grant capabilities for the installed container binary (lib). That requires:

  • libcap2-bin
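
A preflight check for the requirements listed above, as an added example that is not part of the Gate repository. The package-to-command mapping assumes Debian-style packages, and the `missing_tools` function with its `check` and `caps` arguments is hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for Gate's non-Go build requirements.
# Assumed Debian-style mapping from package to command:
#   musl-tools -> musl-gcc, uidmap -> newuidmap/newgidmap,
#   protobuf-compiler -> protoc, libcap2-bin -> setcap.
# Header-only packages (libc-dev, libgtest-dev) are not probed here.

# missing_tools [check] [caps]   (hypothetical helper)
# Prints a space-separated list of requirements not found in PATH.
# Honors CC and CGROUP_BACKEND from the environment, mirroring the
# make variables named in the requirement list.
missing_tools() {
    missing=""
    cc="${CC:-musl-gcc}"
    cc="${cc%% *}"          # keep only the command if CC carries flags
    for tool in "$cc" pkg-config newuidmap newgidmap protoc; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    # libsystemd-dev is needed unless CGROUP_BACKEND=none is given.
    if [ "${CGROUP_BACKEND:-}" != "none" ]; then
        if ! command -v pkg-config >/dev/null 2>&1 ||
           ! pkg-config --exists libsystemd 2>/dev/null; then
            missing="$missing libsystemd-dev"
        fi
    fi
    for arg in "$@"; do
        case "$arg" in
            check) # extra requirement for "make check"
                command -v python >/dev/null 2>&1 || missing="$missing python" ;;
            caps)  # the capabilities targets need setcap from libcap2-bin
                command -v setcap >/dev/null 2>&1 || missing="$missing setcap" ;;
        esac
    done
    echo "${missing# }"
}

# Report only; the caller decides whether a missing item is fatal.
report=$(missing_tools "$@")
if [ -n "$report" ]; then
    echo "missing build requirements: $report"
else
    echo "all probed build requirements found"
fi
```

Pass `check` and/or `caps` as arguments to also probe for what `make check` and the capabilities targets need.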
