I have an AWS Lambda function (Node.js) that currently writes some data to a test Kafka cluster. The cluster in production uses Kerberos for auth, so I was wondering whether there is a way to set up my Lambda function to authenticate with Kerberos. I wasn't able to find much online regarding this...
There are two ways to handle this.
Call out to CLI utilities
This requires that you supply the contents of the krb5-workstation package and its dependency, libkadm5, in your deployment package or via a Layer.
Launch an EC2 instance from the Lambda execution environment's AMI
Update all packages: sudo yum update
Install the MIT Kerberos utilities: sudo yum install krb5-workstation
Make the Layer skeleton: mkdir bin lib
Populate the binaries: rpm -ql krb5-workstation | grep bin | xargs -I %% cp -a %% bin
Populate their libraries: rpm -ql libkadm5 | xargs -I %% cp -a %% lib
Prepare the Layer: zip -r9 krb5-workstation-layer.zip bin lib
Create the Layer and reference it from your Lambda function (a sketch of publishing the Layer follows this list).
Invoke (e.g.) /opt/bin/kinit from inside your function.
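To finish the last two steps, here is a minimal sketch. The layer name, keytab path, and principal are placeholders, and the keytab still has to be delivered to the function somehow (bundled, or fetched from S3 at cold start):

# Publish the Layer built above (run locally; the layer name is arbitrary)
aws lambda publish-layer-version --layer-name krb5-workstation --zip-file fileb://krb5-workstation-layer.zip

# Inside the function (e.g. via child_process in Node.js), keep the ticket cache in /tmp,
# the only writable path in Lambda, and obtain a ticket from the keytab
export KRB5CCNAME=FILE:/tmp/krb5cc
/opt/bin/kinit -kt /tmp/client.keytab svc-kafka@EXAMPLE.COM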
Do it natively
It turns out that if your code calls gss_acquire_cred, which most code does, usually through bindings and an abstraction layer, you don't need the CLI utilities.
Supply a client keytab file to your function, either by bundling it with the deployment package or (probably better) fetching it from S3 + KMS.
Set the KRB5_CLIENT_KTNAME environment variable to the location of the keytab file.
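A minimal sketch of that native setup (the keytab path here is a placeholder; /tmp is the writable location if you fetch the file at runtime):

# Fetch the keytab into /tmp at cold start (e.g. with the AWS SDK), then point the
# Kerberos library at it; this can also be set as a Lambda environment variable
export KRB5_CLIENT_KTNAME=/tmp/client.keytab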
Requested addendum
In either case, if you find you have a need to specify additional Kerberos configuration, see the krb5.conf docs for details. If /etc is off the table, then "Multiple colon-separated filenames may be specified in [the] KRB5_CONFIG [environment variable]; all files which are present will be read."
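For example, a minimal krb5.conf sketch, with placeholder realm and KDC names, written to /tmp and picked up through KRB5_CONFIG:

# Write a small krb5.conf at runtime (or bundle one in the deployment package)
cat > /tmp/krb5.conf <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF
# Multiple colon-separated files are allowed, e.g. a bundled one plus the runtime one
export KRB5_CONFIG=/var/task/krb5.conf:/tmp/krb5.conf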
Surprisingly, it seems this issue has not been addressed by Amazon.
I have a scenario that is restricted to using Kerberos authentication for the DB servers.
Since there's no way to run kinit on a Lambda instance when it starts, it seems impossible.
Looks like it can be achieved in Azure Functions.
What neirbowj said will get you most of the way (I don't know if this is specific to my particular use case, but it got me over the finish line):
You'll need an env var like this: KRB5CCNAME=FILE:/tmp/tgt. See https://blog.tomecek.net/post/kerberos-in-a-container/ for a better explanation than I have.
I have developed an eBPF code that needs to be compiled with kernel headers.
My code works properly on AKS; however, on an EKS cluster I couldn't find the kernel headers.
The kernel version of my VMs on EKS is "5.4.117-58.216.amzn2.x86_64".
Running "apt install linux-headers-$(uname -r)" gives:
What is the right way to get kernel headers in case they don't exist in apt?
You can find kernel headers for Amazon Linux 2 kernels by searching their packages' SQLite databases.
In your case, the procedure is the following:
Download the mirror list
wget amazonlinux.us-east-1.amazonaws.com/2/extras/kernel-5.4/latest/x86_64/mirror.list
Notice that for other kernel versions you may want to substitute "extras/kernel-5.4/latest" with "core/latest" or "core/2.0".
It should contain one (or more) URL(s) like this one:
http://amazonlinux.us-east-1.amazonaws.com/2/extras/kernel-5.4/stable/x86_64/be95e4ca87d6c3b5eb71edeaded5b3b9b216d7cdd330d44f1489008dc4039789
Append the suffix repodata/primary.sqlite.gz to the URL(s) and download the SQLite database(s)
wget "$(head -1 mirror.list)/repodata/primary.sqlite.gz"
Notice the URL(s) may contain the placeholder "$basearch". If that's the case, substitute it with the target architecture (eg., x86_64).
Unarchive it
gzip -d primary.sqlite.gz
Query it to find where to download your kernel-headers package.
sqlite3 primary.sqlite \
"SELECT location_href FROM packages WHERE name LIKE 'kernel%' AND name NOT LIKE '%tools%' AND name NOT LIKE '%doc%' AND version='5.4.117' AND release='58.216.amzn2'" | \
sed 's#\.\./##g'
You'll obtain these:
blobstore/e12d27ecb4df92edc6bf25936a732c93f55291f7c732b83f4f37dd2aeaad5dd4/kernel-headers-5.4.117-58.216.amzn2.x86_64.rpm
blobstore/248b2b078145c4cc7c925850fc56ec0e3f0da141fb1b269fd0c2ebadfd8d41cd/kernel-devel-5.4.117-58.216.amzn2.x86_64.rpm
blobstore/7d82d21a61fa03af4b3afd5fcf2309d5b6a1f5a01909a1b6190e8ddae8a67b89/kernel-5.4.117-58.216.amzn2.x86_64.rpm
Download the package you want by appending its segment to the initial base URL
Like so:
wget amazonlinux.us-east-1.amazonaws.com/blobstore/e12d27ecb4df92edc6bf25936a732c93f55291f7c732b83f4f37dd2aeaad5dd4/kernel-headers-5.4.117-58.216.amzn2.x86_64.rpm
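If you are extracting the headers inside a container image rather than on an Amazon Linux host, one common approach is to unpack the RPM without installing it (a sketch; the target directory is up to you):

# On an Amazon Linux host you could simply: sudo yum localinstall kernel-headers-5.4.117-58.216.amzn2.x86_64.rpm
# Elsewhere, unpack the RPM contents into the current directory
rpm2cpio kernel-headers-5.4.117-58.216.amzn2.x86_64.rpm | cpio -idmv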
A similar procedure can be used for Amazon Linux 1 kernel headers.
I don't know if it's an ideal solution, but you could always download the kernel sources and install the headers from there.
$ git clone --depth 1 -b v5.4.117 \
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
$ cd linux
# make headers_install
The headers you get from the stable branch are likely close enough to those of your kernel for your eBPF program to work. I don't know if there's a way to retrieve the header files used for building EKS' kernel.
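As a side note, make headers_install copies the sanitized headers into ./usr by default; if you want them in a specific directory, kbuild accepts an INSTALL_HDR_PATH override:

# Install the exported headers under /tmp/headers instead of ./usr (path is arbitrary)
make headers_install INSTALL_HDR_PATH=/tmp/headers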
Steps:
Installed Coverity
Configured the compilers:
cov-configure --javascript
cov-configure --cs
I am stuck at the cov-build step. Yarn is used to run and configure the service, but I am not sure what Coverity wants here.
I tried a couple of npm run commands, but every time I end up getting this:
[WARNING] No files were emitted. This may be due to a problem with your configuration
or because no files were actually compiled by your build command.
Please make sure you have configured the compilers actually used in the compilation.
I also tried different compilers, but no luck.
What should be done in this case?
You need to do a filesystem capture for the JavaScript files. You can accomplish this by running cov-build with the --no-command flag.
cov-build --dir CoverityIntermediateDir --no-command --fs-capture-list list.txt
Let's break down these options:
--dir: the intermediate directory that stores the emitted results (used by cov-analyze later).
--no-command: do not run a build command; instead, look for certain file types.
--fs-capture-list: use the provided file to determine which files to look at and possibly emit to the intermediate directory.
A recommended way to generate the list.txt file is to grab it from your source control. If you're using git, run:
git ls-files > list.txt
I also want to point out that if you don't have a convenient way to get a file listing for --fs-capture-list, you can use the --fs-capture-search option instead and pair it with a filter to exclude the node_modules directory.
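If you are not in a git repository, a plain find invocation is one way to build that file list while skipping node_modules (a sketch; adjust the patterns to your tree):

# List every file except anything under node_modules
find . -type f -not -path '*/node_modules/*' > list.txt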
The Coverity forums have some useful questions and answers:
Node.js File system capture
Really, though, the best place to look is the documentation. There are several examples of what you want to do in their guides.
I am trying to use Google Cloud Platform (specifically, the Vision API) for Python with AWS Lambda, so I have to create a deployment package for my dependencies. However, when I try to create this deployment package, I get several compilation errors, regardless of the version of Python (3.6 or 2.7). With 3.6, I get the error "Cannot import name 'cygrpc'". With 2.7, I get some unknown error with the .path file. I am following the AWS Lambda deployment package instructions here. They recommend two options, and neither works; both result in the same issue. Is GCP just not compatible with AWS Lambda for some reason? What's the deal?
Neither Python 3.6 nor 2.7 work for me.
NOTE: I am posting this question here to answer it myself because it took me quite a while to find a solution, and I would like to share my solution.
TL;DR: You cannot compile the deployment package on your Mac or whatever PC you use. You have to do it using a specific OS/"setup", the same one that AWS Lambda uses to run your code. To do this, you have to use EC2.
I will provide here an answer on how to get Google Cloud Vision working on AWS Lambda for Python 2.7. This answer is potentially extendable to other APIs and other programming languages on AWS Lambda.
So my journey to a solution began with this initial post on GitHub from others who have the same issue. One solution someone posted was:
I had the same issue "cannot import name 'cygrpc'" while running the lambda. Solved it with pip install google-cloud-vision in the AMI amzn-ami-hvm-2017.03.1.20170812-x86_64-gp2 instance and exported the lib/python3.6/site-packages to aws lambda. Thank you @tseaver
This is partially correct, unless I read it wrong, but regardless it led me on the right path. You will have to use EC2. Here are the steps I took:
Set up an EC2 instance by going to EC2 on Amazon. Do a quick read about AWS EC2 if you have not already. Set one up for amzn-ami-hvm-2018.03.0.20180811-x86_64-gp2 or something along those lines (i.e. the most updated one).
Get your EC2 .pem file. Go to your Terminal. cd into your folder where your .pem file is. ssh into your instance using
ssh -i "your-file-name-here.pem" ec2-user@ec2-ip-address-here.compute-1.amazonaws.com
Create the following folders on your instance using mkdir: google-cloud-vision, protobuf, google-api-python-client, httplib2, uritemplate, google-auth-httplib2.
On your EC2 instance, cd into google-cloud-vision. Run the command:
pip install google-cloud-vision -t .
Note: If you get "bash: pip: command not found", then run "sudo easy_install pip" (source).
Repeat step 4 with the following packages, cd'ing into the respective folder each time: protobuf, google-api-python-client, httplib2, uritemplate, google-auth-httplib2. (A loop that automates this is sketched after these steps.)
Copy each folder to your computer. You can do this using the scp command. Again, in your Terminal (not your EC2 instance, and not the Terminal window you used to access your EC2 instance), run the command below (this example is for the "google-cloud-vision" folder; repeat it for every folder):
sudo scp -r -i your-pem-file-name.pem ec2-user@ec2-ip-address-here.compute-1.amazonaws.com:~/google-cloud-vision ~/Documents/your-local-directory/
Stop your EC2 instance from the AWS console so you don't get overcharged.
For your deployment package, you will need a single folder containing all your modules and your Python scripts. To begin combining all of the modules, create an empty folder titled "modules." Copy and paste all of the contents of the "google-cloud-vision" folder into the "modules" folder. Now place only the folder titled "protobuf" from the "protobuf" (sic) main folder in the "Google" folder of the "modules" folder. Also from the "protobuf" main folder, paste the Protobuf .pth file and the -info folder in the Google folder.
For each module after protobuf, copy and paste in the "modules" folder the folder titled with the module name, the .pth file, and the "-info" folder.
You now have all of your modules properly combined (almost). To finish combination, remove these two files from your "modules" folder: googleapis_common_protos-1.5.3-nspkg.pth and google_cloud_vision-0.34.0-py3.6-nspkg.pth. Copy and paste everything in the "modules" folder into your deployment package folder. Also, if you're using GCP, paste in your .json file for your credentials as well.
Finally, put your Python scripts in this folder, zip the contents (not the folder), upload to S3, and paste the link in your AWS Lambda function and get going!
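For reference, here is a condensed sketch of steps 3-5 and of the final packaging. The folder and bucket names are placeholders; run the first block on the EC2 instance and the second locally:

# On the EC2 instance: install each package into its own folder
for pkg in google-cloud-vision protobuf google-api-python-client httplib2 uritemplate google-auth-httplib2; do
  mkdir -p "$pkg" && pip install "$pkg" -t "$pkg"
done

# Locally, after copying everything down with scp and combining the modules:
cd my-deployment-package            # hypothetical folder with modules + your scripts
zip -r9 ../lambda_function.zip .    # zip the contents, not the folder itself
aws s3 cp ../lambda_function.zip s3://your-bucket-name/lambda_function.zip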
If something here doesn't work as described, please forgive me and either message me or feel free to edit my answer. Hope this helps.
Building off the answer from @Josh Wolff (thanks a lot, btw!), this can be streamlined a bit by using a Docker image for Lambdas that Amazon makes available.
You can either bundle the libraries with your project source or, as I did below in a Makefile script, upload it as an AWS layer.
layer:
	set -e ;\
	docker run -v "$(PWD)/src":/var/task "lambci/lambda:build-python3.6" /bin/sh -c "rm -R python; pip install -r requirements.txt -t python/lib/python3.6/site-packages/; exit" ;\
	pushd src ;\
	zip -r my_lambda_layer.zip python > /dev/null ;\
	rm -R python ;\
	aws lambda publish-layer-version --layer-name my_lambda_layer --description "Lambda layer" --zip-file fileb://my_lambda_layer.zip --compatible-runtimes "python3.6" ;\
	rm my_lambda_layer.zip ;\
	popd ;
The above script will:
Pull the Docker image if you don't have it yet (above uses Python 3.6)
Delete the python directory (only useful when running it a second time)
Install all requirements to the python directory, created in your project's /src directory
ZIP the python directory
Upload the AWS layer
Delete the python directory and zip file
Make sure your requirements.txt file includes the modules listed above by Josh: google-cloud-vision, protobuf, google-api-python-client, httplib2, uritemplate, google-auth-httplib2
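For reference, a minimal requirements.txt along those lines might look like this (versions omitted here; pin them as appropriate for your project):

google-cloud-vision
protobuf
google-api-python-client
httplib2
uritemplate
google-auth-httplib2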
There's a fast solution that doesn't require much coding.
Cloud9 runs on an Amazon Linux AMI, so using pip in its virtual environment should make it work.
I created a Lambda from the Cloud9 UI, activated the venv for the EC2 machine from the console, and then installed google-cloud-speech with pip. That was enough to fix the issue.
I was facing the same error using the google-ads API.
{
  "errorMessage": "Unable to import module 'lambda_function': cannot import name 'cygrpc' from 'grpc._cython' (/var/task/grpc/_cython/__init__.py)",
  "errorType": "Runtime.ImportModuleError",
  "stackTrace": []
}
My Lambda runtime was Python 3.9 and architecture x86_64.
If somebody encounters a similar ImportModuleError, see my answer here: Cannot import name 'cygrpc' from 'grpc._cython' - Google Ads API
I am trying to deploy a Python Lambda package with the watson_developer_cloud SDK. Cryptography is one of the many dependencies this package has. I have built this package on a Linux machine. My package includes the hidden file .libffi-d78936b1.so.6.0.4 too, but it is still not accessible to my Lambda function. I am still getting a 'libffi-d78936b1.so.6.0.4: cannot open shared object file' error.
I have built my packages on Vagrant server, using instructions from here: https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example-deployment-pkg.html#with-s3-example-deployment-pkg-python
Exact error:
Unable to import module 'test_translation': libffi-d78936b1.so.6.0.4: cannot open shared object file: No such file or directory
As a note, as explained in this solution, I have already created my package using zip -r9 $DIR/lambda_function.zip . instead of *, but it is still not working for me.
Any direction is highly appreciated.
The libffi-d78936b1.so.6.0.4 is in a hidden folder named .libs_cffi_backend.
So to add this hidden folder in your lambda zip, you should do something like:
zip -r ../lambda_function.zip * .[^.]*
That will create a zip file named lambda_function.zip in the directory above, containing all files in the current directory (the first *) plus everything starting with a dot except . and .. (the .[^.]* pattern).
In a situation like this, I would invest some time setting up a local SAM environment so you can:
1 - Debug your Lambda
2 - Check what is being packaged and the files hierarchy
https://docs.aws.amazon.com/lambda/latest/dg/test-sam-cli.html
Alternatively you can remove this import and instrument your lambda function to print some of the files and directories it "sees".
I strongly recommend giving SAM a try though, since it will make not only this debugging easier, but also any further testing you need to do down the road. Lambdas are tricky to debug.
A little late, and I would comment on Frank's answer, but I don't have enough reputation.
I was including the hidden directory .libs_cffi_backend in my deployment package, but for some reason Lambda could not find the libffi-d78936b1.so.6.0.4 file located within it.
After copying this file into the same 'root' level directory as my lambda handler it was able to load the dependency and execute.
Also, make sure all the files in the deployment package are readable: chmod -R 644 .
I am trying to identify the installed software on CentOS servers. Until now I have come up with the following two basic solutions:
Parse the file system for executables and libs
Run something like rpm -qa
The first one is time consuming, while the second does not apply to all my cases. For example, I want to 'search' for packages even when the server is not running and I can access only its file system as a remote volume, a snapshot, or an image.
What I am thinking is to try and parse the same database / files that rpm -qa reads the data from.
After running strace -o /tmp/rpm-strace.out rpm -qa I found (without being sure) that /var/lib/rpm/Packages and /var/lib/rpm/Names are possible locations for that 'database', but I cannot parse either of those two files.
Does anyone know how to parse these files? Is there any alternative to achieve what I want?
Note: The whole idea is feasible under Ubuntu, as this 'Unix & Linux' question describes.
Disclaimer: This question may be more suitable for the Server Fault site.
You really need to use rpm to parse the rpm database. If you have access to the filesystem, you could simply use chroot to run rpm inside the appropriate root context:
chroot /my/server/filesystem rpm -qa
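For the remote volume/snapshot case, the idea would be to mount the filesystem first and then chroot into it; the device and mount point below are hypothetical:

# Attach and mount the server's root filesystem, then query its rpm database
mount /dev/xvdf1 /mnt/server
chroot /mnt/server rpm -qa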
Those files are various sorts of BerkeleyDB database files. Assuming that your runtime environment has the same version of BerkeleyDB available, you can use something like Python's bsddb module to read them:
>>> import bsddb
>>> name = bsddb.btopen('/var/lib/rpm/Name')
>>> for pkg in name.keys():
... print pkg
...
GConf2
GeoIP
GeoIP-GeoLite-data
GeoIP-GeoLite-data-extra
GitPython
GraphicsMagick
[...]
But this is a terrible idea and you shouldn't do it, because who knows if the Name database has exactly what you're looking for? Maybe it includes deleted packages that are somehow marked deleted, so rpm -qa would ignore them. You would probably need to look at the rpm sources to figure out exactly how things are stored.
My (Fedora) rpm command accepts a --dbpath option to specify a different directory containing the database. There is also an rpm-python package for manipulating the database from Python.
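Combining that with the mounted-filesystem scenario above, a sketch (the mount point is hypothetical):

# Query the remote volume's rpm database directly, without chrooting into it
rpm --dbpath /mnt/server/var/lib/rpm -qa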