Bootstrapped hardware founder built Badwater, a self-hosted multi-tenant WASM sandbox on an $8 VPS, using Wasmtime, bubblewrap, and WASI Preview 2 to replace cloud signing services.
Key Takeaways
Wasmtime's component model requires wasmtime::component::Linker rather than the core-module Func::wrap; most tutorials only show the core module API, so host functions written against it do not link into components.
Running Wasmtime synchronously inside Tokio/Axum async handlers panics (a blocking runtime is entered from within the runtime); the fix is to move every Wasmtime execution onto tokio::task::spawn_blocking.
bubblewrap sandboxes need explicit --dev /dev (a fresh minimal devtmpfs) and --ro-bind /etc/resolv.conf /etc/resolv.conf (--ro-bind takes SRC DEST; this supplies DNS configuration) flags; inside Docker, the default seccomp profile blocks CLONE_NEWUSER, so bwrap's user namespace cannot be created in a stock container without relaxing the profile.
Pre-compiling .wasm to .cwasm dropped cold starts from ~2500ms to ~100ms; a .cwasm records the CPU features it was compiled for, so set Wasmtime's compile target explicitly to x86_64-unknown-linux-musl (an explicit target turns off host CPU-feature inference) to avoid artifacts that refuse to load on a different CPU in a heterogeneous cloud fleet.
A two-process architecture (a long-lived dispatcher plus a per-request runner, connected over a Unix socketpair) keeps runner crashes away from the dispatcher and limits the blast radius of each request, following the embedded-security mental model.
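Worked example of the two-process design in the takeaways, added here and not Badwater's own code: a dispatcher hands each request to a fresh runner process over a Unix socketpair and classifies a runner that answers, crashes, or hangs without itself going down. The mount layout and paths in the bwrap argv builder and the shell stub standing in for the runner are assumptions for illustration; the Wasmtime side (component Linker, spawn_blocking, .cwasm loading) is not reproduced.

```rust
// Added example (not Badwater's code): dispatcher + single-use runner over a
// Unix socketpair, with crash and hang containment, plus a bwrap argv builder.
// Paths and the shell stub used as the runner are assumptions for illustration.
use std::io::{self, BufRead, BufReader, Write};
use std::os::fd::OwnedFd;
use std::os::unix::net::UnixStream;
use std::os::unix::process::ExitStatusExt;
use std::process::{Command, Stdio};
use std::time::Duration;

/// What the dispatcher learned about one request.
#[derive(Debug, PartialEq)]
pub enum Outcome {
    Ok(String),   // runner answered
    Crashed(i32), // runner died from this signal before answering; dispatcher survives
    Exited(i32),  // runner exited with this code before answering
    Timeout,      // runner hung; dispatcher killed it
}

/// bubblewrap argv for one single-use runner (assumed mount layout). A fresh
/// namespace set per request means no tenant state survives the process.
pub fn bwrap_argv(runner_bin: &str, cwasm: &str) -> Vec<String> {
    [
        "bwrap",
        "--unshare-user", "--unshare-pid", "--unshare-ipc", "--unshare-uts",
        "--die-with-parent", "--new-session",
        "--ro-bind", "/usr", "/usr",
        "--symlink", "usr/lib", "/lib",
        "--symlink", "usr/lib64", "/lib64",
        "--proc", "/proc",
        // Fresh minimal devtmpfs; without it the runner has no /dev/null or /dev/urandom.
        "--dev", "/dev",
        // --ro-bind takes SRC DEST; this is how the runner gets DNS configuration.
        "--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf",
        "--tmpfs", "/tmp",
        "--ro-bind", cwasm, "/app/module.cwasm",
        "--clearenv",
        "--", runner_bin, "/app/module.cwasm",
    ]
    .iter()
    .map(|s| s.to_string())
    .collect()
}

/// Spawn `runner_argv` with its stdin and stdout wired to one end of a
/// socketpair, send one request line, and read one reply line.
pub fn dispatch(runner_argv: &[&str], request: &str, timeout: Duration) -> io::Result<Outcome> {
    let (parent, child_end) = UnixStream::pair()?;
    let child_in: OwnedFd = child_end.try_clone()?.into();
    let child_out: OwnedFd = child_end.into();
    // The Command (and with it our copies of the child end) is a temporary
    // dropped at the end of this statement, so EOF on `parent` means the
    // runner is gone, not that we are holding the socket open ourselves.
    let mut child = Command::new(runner_argv[0])
        .args(&runner_argv[1..])
        .stdin(Stdio::from(child_in))
        .stdout(Stdio::from(child_out))
        .stderr(Stdio::null())
        .spawn()?;

    writeln!(&parent, "{}", request)?;
    parent.set_read_timeout(Some(timeout))?;
    let mut reply = String::new();
    match BufReader::new(&parent).read_line(&mut reply) {
        Ok(0) => {} // EOF before a reply: the runner died; classify below
        Ok(_) => {
            let _ = child.kill(); // single-use runner: its one job is done, reclaim it
            child.wait()?;
            return Ok(Outcome::Ok(reply.trim_end().to_string()));
        }
        Err(e) if matches!(e.kind(), io::ErrorKind::WouldBlock | io::ErrorKind::TimedOut) => {
            child.kill()?; // hung runner: kill it, the dispatcher keeps serving
            child.wait()?;
            return Ok(Outcome::Timeout);
        }
        Err(e) => return Err(e),
    }
    let status = child.wait()?;
    Ok(match (status.signal(), status.code()) {
        (Some(sig), _) => Outcome::Crashed(sig),
        (None, Some(code)) => Outcome::Exited(code),
        (None, None) => Outcome::Exited(-1),
    })
}

/// Shell stub standing in for the real runner (an assumption for the example):
/// echoes the request back, or kills itself with SIGSEGV (11) when asked to.
pub const STUB_RUNNER: [&str; 3] = [
    "sh", "-c",
    "read req; case \"$req\" in crash) kill -11 $$ ;; *) printf 'ok:%s\\n' \"$req\" ;; esac",
];

fn main() -> io::Result<()> {
    println!("{:?}", dispatch(&STUB_RUNNER, "hello", Duration::from_secs(2))?);
    println!("{:?}", dispatch(&STUB_RUNNER, "crash", Duration::from_secs(2))?);
    println!("{:?}", dispatch(&["sh", "-c", "exec sleep 30"], "x", Duration::from_millis(200))?);
    Ok(())
}
```

In a real deployment the runner argv would be the output of bwrap_argv with the Wasmtime-embedding binary as runner_bin, so the runner's only channel back to the host is the single socket fd it inherits as stdin and stdout. The dispatch logic treats EOF before a reply as a crash (reported by signal, with the dispatcher unaffected) and a read timeout as a hang that gets killed, and it never reuses a runner across requests.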
Hacker News Comment Review
Commenters are skeptical about authorship: several replies flag the writing style as LLM-generated, vibe-coded output rather than a first-person engineering narrative, which undermines the post's credibility.
The title claims the author built a "runtime", but the implementation wraps Wasmtime; commenters note this is embedding a runtime, not building one from scratch.
Notable Comments
@_alphageek: flags that bwrap processes should be single-use per tenant since host-side allocator and namespace state accumulates and cannot be proven clean.