Cloudflare's open-source workerd nanoservice runtime is now in beta

The recently open-sourced Cloudflare workerd is a new web runtime for JavaScript/Wasm applications that shares most of its code with the runtime used by Cloudflare Workers. According to Cloudflare, workerd is based on standardized web APIs and is designed to enable a new approach to microservices that removes their inherent latency.

The new architectural model, called nanoservices, keeps the advantages microservices offer in terms of deployability and scalability while reducing the request overhead to something close to that of a library call. This is achieved by configuring multiple Workers to run in the same process. It means a nanoservices architecture can reach a finer granularity than microservices, which typically stop splitting at the point where the associated latency and management costs would outweigh the benefits.

Each Worker runs in a separate “isolate”, which gives the appearance of being run independently of the others: each isolate loads separate code and has its own global scope. However, when one Worker explicitly sends a request to another Worker, the target Worker actually runs in the same thread with zero latency.

To achieve this, Cloudflare engineer Kenton Varda explained that workerd is designed differently than most other runtimes, including Node and Deno. Running multiple nanoservices in the same process is done by relying heavily on V8 isolates: each nanoservice resides in its own isolate to ensure separate code loading and a private global scope. Additionally, workerd's built-in APIs are all native and shared by all V8 isolates hosted in the same process. This is the key to ensuring that nanoservices can grow in number without increasing operating costs.

Therefore, workerd promotes homogeneous deployment. This is another big difference from the microservices model: you can deploy hundreds or even thousands of nanoservices on a single machine, Cloudflare said.

Homogeneous deployment means you don’t have to worry about scaling a single service. Instead, you can simply load balance requests across the cluster and scale the cluster as needed. Overall, this can greatly reduce the amount of administrative effort required.

That’s exactly how Cloudflare's edge servers work. Varda commented that running the entire software stack on each server enables any server to respond to any request, which is great for scalability.

Another way workerd differs from other runtimes is the way it handles access to external resources. Instead of being granted access to all resources by default, a workerd application is required to specify exactly which capabilities it needs, such as authentication, and to access them through environment objects. This approach makes workerd applications completely immune to SSRF attacks, Varda said. Other advantages are that all internal services used by the application can be listed, and that they can easily be replaced for testing or other purposes.
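The following sketch models the capability pattern described above. It is an added example, not code from Cloudflare or workerd: `AUTH`, `authService`, `makeEnv` and `run` are hypothetical names, the `env` object stands in for the bindings the runtime injects, and the standard `Request`/`Response` globals are assumed (Node 18+ or a Workers-compatible runtime).

```javascript
// Added illustration, not workerd source. AUTH, authService, makeEnv and run
// are hypothetical names; `env` stands in for the bindings the runtime injects.

// Stand-in for a second Worker hosted in the same process.
const authService = {
  async fetch(request) {
    const ok = request.headers.get("authorization") === "Bearer constructed-token";
    return new Response(ok ? "alice" : "denied", { status: ok ? 200 : 401 });
  },
};

// Builds the environment object. Each property is one granted capability, so
// the list of keys is the complete list of things the Worker can reach.
function makeEnv(calls) {
  return {
    AUTH: {
      // The destination is fixed by whoever built env, not by the caller.
      fetch(request) {
        calls.push("AUTH " + new URL(request.url).pathname);
        return authService.fetch(request);
      },
    },
  };
}

// The Worker itself. It never calls the global fetch(); its only route to
// another service is a capability found on `env`.
const worker = {
  async fetch(request, env) {
    // A client-supplied URL is kept as data and is never dereferenced.
    const callback = new URL(request.url).searchParams.get("callback");
    const check = await env.AUTH.fetch(
      new Request("http://auth/verify", { headers: request.headers })
    );
    if (check.status !== 200) return new Response("forbidden", { status: 403 });
    const user = await check.text();
    return new Response(JSON.stringify({ user, callback }));
  },
};

// Drives the Worker with a constructed request and reports what it touched.
async function run(url, token) {
  const calls = [];
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  const res = await worker.fetch(new Request(url, { headers }), makeEnv(calls));
  return { status: res.status, body: await res.text(), calls };
}
```

Because every outbound call goes through `env`, a test can swap `AUTH` for a stub and check the recorded `calls` list to confirm the Worker reached nothing else.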

In a comment on Hacker News, Varda confirmed some low-level details about workerd’s implementation. Specifically, workerd uses a fork of V8 with several patches to customize isolate abstractions, most of which are implemented in C++ using Bazel as the build system. For schema definitions, workerd relies on a mix between Cap'n Proto and Protocol Buffers.

It must be noted that, unlike Cloudflare Workers, workerd is not a full-fledged computing platform. While it allows developers to test their Cloudflare Workers locally in an environment similar to what they use in production, it is only a fraction of the whole system. This means that to use workerd effectively in production, you also need to take care of security sandboxing, deployment mechanisms, orchestration, etc. And although Cloudflare has not open-sourced the rest of its Workers platform, in principle you should be able to use workerd with any other server/VM/container hosting and orchestration system, whether to host your app or to move it to a different supplier.
