6/29/2023

This proposal attempts to do two things:

Describe the current and future needs of Hyperlight's public Sandbox API
Describe how to meet these needs with a single, type-safe implementation in Rust

This proposal is linked from issue #754

Current state

Currently, in the dev branch, we have several different types of Sandboxes, detailed in this section.

`UninitializedSandbox`

As its name implies, the UnintializedSandbox - represents a sandbox that has not yet been initialized and thus is not ready to execute guest code.

The primary purposes of this component are twofold:

Allow a caller to create a VM and load guest code into its memory, but stop short of actually running any computation
Allow a caller to initialize a new fully-functional sandbox with custom logic
- At the time of this writing, this custom logic feature is used most frequently to load a web assembly module into the Hyperlight-WASM guest

(Initialized) `Sandbox`

As described in the previous section, the UninitializedSandbox has an initialization function attached to it. The return value of this function is a Sandbox type, which represents a fully initialized Hyperlight virtual machine (VM) inside of which the user can execute code.

Ths Sandbox has two variants of note:

reusable - you can call guest functions on these two or more times. internally, a reusable sandbox takes snapshots of VM memory between function calls, thus allowing the end user to "hot-swap" different guests into it
non-reusable - you can only call one guest function, then this Sandbox is destroyed. No further action is possible

Current design notes

As implied easlier, this overall design was put in place to fulfill the requirements primarily of the first major user of Hyperlight, Hyperlight-WASM. As we look toward the future of Hyperlight and its users, we see several developments, listed below, that require a more flexible, generic design:

Hyperlight-WASM's requirements have evolved
We want to support a more diverse set of workloads beyond only Hyperlight-WASM

Aside: who's a user of what?

This document attempts to define a clear separation between three different types of code, listed below.

Hyperlight-Core: the project at github.com/deislabs/hyperlight
Libraries - code that uses Hyperlight-Core, including tests inside Hyperlight-Core and Hyperlight-WASM
End users - code that interacts with libraries from (2), such as the systems that run within AFD and more

This distinction is important because this proposal moves a significant amount of implementation and API design from Hyperlight-Core to libraries.

Future requirements

As requirements have changed over time, one general idea continues to arise. We would like to implement a generic way to implement a sandbox that is "partially loaded", allow libraries to load only part of a guest's code and/or memory, and then load the remainder at a later time. What "partially loaded" actually means, and how to load the remainder of a guest depends greatly on the library.

The Hyperlight-WASM project would enlist this feature set by doing the following steps, in both forwards and backwards order:

Load the WAMR-based guest, but not yet load a customer's WASM module, into a VM
Load the customer's WASM module into the partially-loaded Sandbox from (1)

This feature set would also allow an end user to "roll back" from a fully-loaded Sandbox in (2) to a partially-loaded Sandbox in (1) that has just the WAMR-based guest, or rollback from one intermediate state to another in other circumstances.

Current limitations

In C#, we have implemented a single Sandbox class that internally has a recycleAfterRun boolean flag to indicate whether that Sandbox can be "recycled", and memory can be swapped in and out of it (this flag is passed in via the SandboxRunOptions.RecycleAfterRun argument). This strategy solves the hot-swap functionality described above.

As implied by the "future requirements" section, though, the C# Sandbox does not directly allow you to "partially load" it. In our Rust implementation, however, we have started to represent a "partial" Sandbox state with our UninitializedSandbox struct.

This design currently limits us in several ways with respect to the "future requirements" section:

We can only allow libraries to implement one "partial" state rather than an arbitrary number N partial states
We do not provide the ability to roll back from a more "advanced" state to a previous one

Proposed design

From our requirements and our plans for developing the Hyperlight ecosystem going forward, a few themes emerge:

In Hyperlight Core, we're currently trying to define application-specific rules like sandbox initialization states. Instead, I think we should get out of the business of doing that and build a general enough API to empower library authors to do that safely.
We have a fairly clear, general set of states and transitions, and thus need to be able to model a state machine. We can use Rust's rich type system to model both the states and their transitions. Doing this enlists the compiler to check and eliminate an entire class of bugs and runtime errors, greatly increasing the safety of resulting libraries.

I propose Hyperlight provide a set of traits and reusable logic to do both these things. The code that follows illustrates this approach.

Sandboxes in the new design


































/// The minimal functionality of a sandbox
pub trait Sandbox {
    fn generation_num(&self) -> u8;
}

/// A "final" sandbox implementation that can be reused and devolved, but not
/// evolved.
///
/// Thus, `ReusablsSandbox`es implement `DevolvableSandbox`
/// and have `run` methods that borrow `self`, so they can be called more
/// than once.
pub trait ReusableSandbox {
    /// Borrow `self` and run this sandbox.
    fn run(&self) -> Result<()>;
}

/// A fully-initialized sandbox that can run guest code only once,
/// and then must be destroyed.
pub trait OneShotSandbox {
    /// Consume `self` and run the sandbox.
    ///
    /// After this call, you can no longer use this `OneShotSandbox`
    fn run(self) -> Result<()>;
}

/// A sandbox that can be evolved to a next state
pub trait EvolvableSandbox<Next: Sandbox>: Sandbox + Sized {
    fn evolve(self) -> Result<Next>;
}

/// A sandbox that can be devolved to a previous state
pub trait DevolvableSandbox<Next: Sandbox>: Sandbox + Sized {
    fn devolve(self) -> Result<Next>;
}

Pull Request #756 contains the above code and an extensive code sample to model Hyperlight-WASM.

Specifying and implementing transitions between states

It's intended that library authors will create structs as necessary to represent the states specific to their application's needs. Each state will implement Sandbox at minimum, and will implement EvolvableSandbox and DevolvableSandbox as necessary to specify each state transition. If a state transition is not implemented, it will be disallowed by the Rust compiler. A simple example follows:























struct State1{}
struct State2{}

impl Sandbox for State1 {
    ...
}
impl Sandbox for State2 {
    ...
}

/// Specifies the transition from State1 => State2
impl EvolvableSandbox<State2> for State1 {
    fn evolve(self) -> State2 {
        State2{}
    }
}

/// Specifies the transition from State2 => State1
impl DevolvableSandbox<State1> for State2 {
    fn devolve(self) -> State1 {
        State1{}
    }
}

Implementing states

We've shown an example set of possible states and transitions above, but it's important to note almost all end users will interact with libraries like Hyperlight-WASM rather than Hyperlight Core.

Thus, for all practical purposes, this API, along with much of the rest of Hyperlight's public API, is directed only at library authors. I've tried to design the components in this proposal to enable library authors (like us, as we build Hyperlight-WASM) to build ergonomic, intuitive APIs for their end users.

To this end, I believe we can make available a set of "building block" APIs to ease the process of building the desired Sandbox, EvolvableSandbox, DevolvableSandbox etc… implementations in a library like Hyperlight-WASM. I believe as Hyperlight Core is used more widely, our ability to provide well-design building block APIs alongside our sandbox/transition abstractions will become more essential.

The sub-sections herein describe these building blocks in detail.

`Sandbox`, `OneShotSandbox`, and `ReusableSandbox`

Most of the primary functionality within these implementations is concerned with dispatching calls to guest functions from the host, and vice-versa. The major pieces of this process are as follows:

Allow guest functions to be easily dispatched, accounting for guest callbacks back into the host and optionally doing state snapshot/restore operations appropriately
Allow host functions to be registered where appropriate
Allow users to react to errors in guest calls from (1) with custom code.

If we provide a construct to library authors that provides a set of easy-to-use, safe APIs to do these things, I believe we'll make the task of implementing these three traits nearly trivial.

`EvolvableSandbox` and `DevolvableSandbox`

These traits represent state transitions, so any implementation thereof represents an action of moving from one sandbox to the next. Generally speaking, this doesn't involve a lot of work, but it may involve taking memory snapshots and/or changing the set of registered host functions (e.g. functions the guest can call on the host) available to guests.

I expect if we implement utilities for the previous section, we will have most of what we need to implement utilities for this one.

Final notes

Those familiar with Hyperlight's C# codebase will notice this proposal represents the conceptually-large, but practically-small, task of breaking up the monolithic Sandbox C# class into utility functions as we rebuild them in Rust, and ending up with no single Sandbox implementation. In fact, this document proposes we end up with no single Sandbox-like "entrypoint" to Hyperlight whatsoever.

This design would enable a kind of inversion-of-control between Hyperlight-Core and its libraries like Hyperlight-WASM. If this proposal is implemented, library authors, like us as we build Hyperlight-WASM (after we rewrite it in Rust), would use the aforementioned "building blocks" to build a set of Transition and Sandbox implementations, then use those to implement a single HyerlightWasm.Sandbox class in that library.

I believe this design in Hyperlight Core can safely scale to a wide, diverse set of libraries and can accommodate arbitrary design changes within any one of them.

Dan Chiarlone

2023/06/30 17:22:34

# Proposed design

When you say this – Do you mean the C# type action? Like the callback we pass onto initialize? (Edited)

Aaron Schlesinger

2023/06/30 18:42:54

Good point. I will remove this. I was thinking about the fact that we don't let users define and store these actions for use later on evolve and devolve actions

2023/06/30 17:29:37

```rust= /// The minimal fun

nit: I think you meant to add the `evolve` `fn` inside `impl UnintializedSandbox` inside of a `impl EvolvableSandbox for UnintializedSandbox` (Edited)

2023/06/30 18:39:22

Yes, you're right. I'll fix that up

2023/06/30 17:34:52

Why rollback from one `UninitializedSandbox` to another? (Edited)

2023/06/30 18:11:19

There may be N>2 intermediate "generations", so I wanted to account for a user's potential desire to go from intermediate2 back to intermediate1 (Edited)

2023/06/30 17:37:12

Why is going from a `OneShotSandbox` to a `UninitializedSandbox` an `EvolveTransition`? (Edited)

2023/06/30 18:11:39

Bug! good catch

2023/06/30 18:36:01

oops, sorry. if you mean `impl Transition<OneShotSandbox> for EvolveTransition<UninitializedSandbox>`, that is evolving from an uninitialized sandbox to a one-shot sandbox.

2023/06/30 17:42:27

Considering EvolveTransition and DevolveTransition structs look exactly the same – What do you see as the benefit of having two distinct types? (Edited)

2023/06/30 18:46:35

I think the distinct types help force users to define explicitly that they want to move "forward" or "backward" in generations. You're right, though, there's no technical reason to have this. I consider it part of the dev UX though.

Simon Davies

2023/07/03 16:31:01

UnintializedSandbox`

Do we need this in this design? I believe that this was/is poorly named, when we first created this we were trying to model the fact that in C# we enable the host to participate in the creation of the Sandbox by passing a delegate which receives the this pointer to allow adding to the sandbox state before it is initialized (and maybe snapshotted). The purpose of this was that we needed a way to both enable the registration of host functions and binding of guest functions (Edited)

2023/07/03 18:44:55

I think you're right, we don't need this design. I will make it more clear this is (a) the current state and (b) not necessarily the right design, but one you could build using the primitives in this proposal

2023/07/03 16:51:02

## `Sandbox`, `OneShotSandbox`, and `ReusableSandbox`

I dont know if we should enable users of Hyperlight to define the complete set of actions that take place , as they will not understand the relationship between the functions that the sandbox exposes (e.g. registering a host function) and the shared memory state/ registers etc. for the VM, I think that we should enable them to call "safe" functions that we should represent in a trait(s) and then we should take responsibility for ensuring that VM Memory and CPU state are correct. (Edited)

2023/07/03 19:18:34

What I mean by "users" here is Hyperlight-WASM and other code like it. We would be enforcing these safety rules there, rather than trying to enforce them in a generic way in Hyperlight core itself

2023/07/03 19:37:22

I've updated the text to try and clarify that

2023/07/03 16:57:23

I think I need to have this explained so I can understand it , in our previous model Reusability really meant that we had taken a snapshot of the state prior to any guest calls being made (outside of the constructor callback) and that we would reset the state to its constructed state after each call. In this model it would seem we don't need reusable any more as the presence of a prior generation implies reusability? (Edited)

2023/07/03 19:04:29

>In this model it would seem we don't need reusable any more as the presence of a prior generation implies reusability? Yes, exactly. I'll clarify in the text (Edited)

2023/07/05 14:52:47

computation

maybe being a little nitpicky but the guest is initialized so technically we do run computation but no "customer code" (Edited)

2023/07/05 14:58:11

Load the customer's WASM modul

I think we also want to have a third state, where customer code has been run and enable roll back from(3) to (2), we may also want to consider rolling back from (3) to (1) so that we can reuse an instance of a WASM Hyperlight Sandbox without having to start from zero. We also may want to prevent prior states to be rolled back from (i.e. in the case above it may be fine to go from 3 to 1 but not from 3 to 2, perhaps we don't need that now but it might be worth factoring in to thinking (Edited)

2023/07/05 15:07:49

Allow guest functions to be ea

We have the added complication that a single interaction with a guest is the thing that is bound to a restore, rather than a guest function call, in other words if we make 3 guest function calls one after the other we may need to make those whilst only state once (either before the 1st call or after the 3rd call) or we may want to restore before or after each call. We may also want to snapshot after one or more calls but that would be an evolving of the state (Edited)

Current state

UninitializedSandbox

(Initialized) Sandbox

Current design notes

Aside: who's a user of what?

Future requirements

Current limitations

Proposed design

Sandboxes in the new design

Specifying and implementing transitions between states

Implementing states

Sandbox, OneShotSandbox, and ReusableSandbox

EvolvableSandbox and DevolvableSandbox

Final notes

Read more

KEDA HTTP Addon Cluster-Global Design

Multi-tenant KEDA HTTP Addon design

Adding HTTP Scaling & Ingress Functionality to KEDA

`UninitializedSandbox`

(Initialized) `Sandbox`

`Sandbox`, `OneShotSandbox`, and `ReusableSandbox`

`EvolvableSandbox` and `DevolvableSandbox`