Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-lambda-python: Layer build fails #22012

Closed
varju opened this issue Sep 12, 2022 · 6 comments · Fixed by #22398
Closed

aws-lambda-python: Layer build fails #22012

varju opened this issue Sep 12, 2022 · 6 comments · Fixed by #22398
Assignees
@TheRealAmazonKendra
Labels
@aws-cdk/aws-lambda-python bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p1

Comments

@varju
Copy link
Contributor

varju commented Sep 12, 2022
edited

Describe the bug

A Python layer containing a requirements.txt file no longer builds as of CDK 2.41.0.

Expected Behavior

Running cdk synth should have created a Docker image that can be pushed to AWS.

Current Behavior

Sample error:

Building wheels for collected packages: alembic-utils, flupy
  WARNING: Building wheel for alembic-utils failed: [Errno 13] Permission denied: '/tmp/pip-cache/wheels/5c'
  WARNING: Building wheel for flupy failed: [Errno 13] Permission denied: '/tmp/pip-cache/wheels/7c'

In case it's useful, here's the full Docker command I snagged from the environment while cdk synth was running:

/usr/local/bin/com.docker.cli run --rm -u 1403895686:660531311 -v /Users/varju/work/project/layers/libraries:/asset-input:delegated -v /Users/varju/work/project/cdk.out/asset.cd49dd52b6d0648829c959e503645211f06e8fe4b8829a13bc04ce79c5a346f9:/asset-output:delegated -w /asset-input cdk-eeec0c7c31b6b2b6810e2b8cc7a1131f63cccd7d0192f31e96b955107dd58aec bash -c python -m pip install -r requirements.txt -t /asset-output/python && cp -rT /asset-input/ /asset-output/python

Reproduction Steps

Create a PythonLayerVersion containing a requirements.txt file with this package:

alembic-utils==0.7.8

Possible Solution

Reviewing the changes in #21945, I believe the problem is we're leaving a /tmp/pip-cache directory with root-owned files in it. When cdk synth invokes docker run to package the asset, it includes a -u <my-uid> parameter, which means it cannot write to the existing /tmp/pip-cache/wheel directory.

Additional Information/Context

No response

CDK CLI Version

2.41.0 (build 6ad48a3)

Framework Version

No response

Node.js Version

v16.16.0

OS

macOS 12.5.1

Language

Python

Language Version

No response

Other information

No response
@varju varju added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 12, 2022
@peterwoodworth
Copy link
Contributor

I was actually unable to reproduce this @varju, I was able to synth a layer which contains the dependency you specified on the latest version with PythonLayerVersion. Maybe there's more to your layer that could be causing this?

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 12, 2022
@varju
Copy link
Contributor Author

varju commented Sep 12, 2022

Sorry, I shouldn't have been lazy, and should have created a full example of how to reproduce. This repo shows a minimal project that has the problem: https://github.com/varju/cdk-22012-example

Full output during the build:

#1 [internal] load build definition from Dockerfile
#1 sha256:1ea7c52821ac11208b0691526ff452d2c132597737970fb28d77157b1c4d1308
#1 transferring dockerfile: 1.14kB done
#1 DONE 0.0s

#2 [internal] load .dockerignore
#2 sha256:98011004e7cff94f8b5d3a3634061c671017219822f33e3622c21fa691d502cc
#2 transferring context: 2B done
#2 DONE 0.0s

#3 [internal] load metadata for public.ecr.aws/sam/build-python3.9:latest
#3 sha256:fd52b441c9e8b133eec1940bf570e8d9422ed247455f81fcf384094271a97076
#3 DONE 0.0s

#4 [1/6] FROM public.ecr.aws/sam/build-python3.9
#4 sha256:5587284842bc9382c1736701da81b1a1cfcfea00976d671a1376b6d2ee63ea8b
#4 DONE 0.0s

#6 [3/6] RUN python -m venv /usr/app/venv
#6 sha256:72efd4146df20bad11de06c49c0abc8388a6b380f27689a951fb006196ad7820
#6 CACHED

#7 [4/6] RUN pip install --upgrade pip
#7 sha256:9d7141c3f40d05ea0ab51b8b0a94f628bf0f243ca55a8a22ab3119e5f1af7b24
#7 CACHED

#5 [2/6] RUN mkdir /tmp/pip-cache &&     chmod -R 777 /tmp/pip-cache
#5 sha256:4453ea910dc947f006b46450b83d3d225f9951ecf44663045c2f3b7d3745cc68
#5 CACHED

#8 [5/6] RUN pip install pipenv==2022.4.8 poetry
#8 sha256:20e89845d5af22e7998bd332e59171374bb56def583b77996f04cbac9c79b15f
#8 CACHED

#9 [6/6] RUN mkdir /tmp/poetry-cache &&     chmod -R 777 /tmp/poetry-cache
#9 sha256:8346f1bf942304a0c77f98e1068f95593b68ae448e3c3f5ee5cd0484f0a25f01
#9 CACHED

#10 exporting to image
#10 sha256:e8c613e07b0b7ff33893b694f7759a10d42e180f2b4dc349fb57dc6b71dcab00
#10 exporting layers done
#10 writing image sha256:b7bdd0253702008d26db90ca868236b10e7c89ef9525140c2f53c858b2e156c8 done
#10 naming to docker.io/library/cdk-c5ac8e716d74e1c1bd0eb4bbfa922564fef5f4ecd695a284baca1e29f327ffc9 done
#10 DONE 0.0s
Bundling asset example/LibraryLayer/Code/Stage...
Collecting alembic-utils==0.7.8
  Downloading alembic_utils-0.7.8.tar.gz (21 kB)
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Collecting alembic==1.8.1
  Downloading alembic-1.8.1-py3-none-any.whl (209 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 209.8/209.8 kB 1.1 MB/s eta 0:00:00
Collecting asn1crypto==1.5.1
  Downloading asn1crypto-1.5.1-py2.py3-none-any.whl (105 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 105.0/105.0 kB 8.2 MB/s eta 0:00:00
Collecting boto3==1.24.71
  Downloading boto3-1.24.71-py3-none-any.whl (132 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 132.5/132.5 kB 7.0 MB/s eta 0:00:00
Collecting botocore==1.27.71
  Downloading botocore-1.27.71-py3-none-any.whl (9.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 9.1/9.1 MB 16.5 MB/s eta 0:00:00
Collecting flupy==1.1.9
  Downloading flupy-1.1.9.tar.gz (12 kB)
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Collecting jmespath==1.0.1
  Downloading jmespath-1.0.1-py3-none-any.whl (20 kB)
Collecting lazy==1.4
  Downloading lazy-1.4-py2.py3-none-any.whl (6.2 kB)
Collecting mako==1.2.2
  Downloading Mako-1.2.2-py3-none-any.whl (78 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 78.7/78.7 kB 2.1 MB/s eta 0:00:00
Collecting markupsafe==2.1.1
  Downloading MarkupSafe-2.1.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (26 kB)
Collecting parse==1.19.0
  Downloading parse-1.19.0.tar.gz (30 kB)
  Preparing metadata (setup.py): started
  Preparing metadata (setup.py): finished with status 'done'
Collecting pg8000==1.29.1
  Downloading pg8000-1.29.1-py3-none-any.whl (34 kB)
Collecting python-dateutil==2.8.2
  Downloading python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 247.7/247.7 kB 15.7 MB/s eta 0:00:00
Collecting s3transfer==0.6.0
  Downloading s3transfer-0.6.0-py3-none-any.whl (79 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 79.6/79.6 kB 93.0 MB/s eta 0:00:00
Collecting scramp==1.4.1
  Downloading scramp-1.4.1-py3-none-any.whl (8.5 kB)
Collecting six==1.16.0
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting sqlalchemy==1.4.41
  Downloading SQLAlchemy-1.4.41-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (1.6 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.6/1.6 MB 29.1 MB/s eta 0:00:00
Collecting typing-extensions==4.3.0
  Downloading typing_extensions-4.3.0-py3-none-any.whl (25 kB)
Collecting urllib3==1.26.12
  Downloading urllib3-1.26.12-py2.py3-none-any.whl (140 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 140.4/140.4 kB 80.9 MB/s eta 0:00:00
Collecting greenlet!=0.4.17
  Downloading greenlet-1.1.3-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (155 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 155.3/155.3 kB 29.6 MB/s eta 0:00:00
Using legacy 'setup.py install' for parse, since package 'wheel' is not installed.
Building wheels for collected packages: alembic-utils, flupy
  WARNING: Building wheel for alembic-utils failed: [Errno 13] Permission denied: '/tmp/pip-cache/wheels/72'
  WARNING: Building wheel for flupy failed: [Errno 13] Permission denied: '/tmp/pip-cache/wheels/7c'
Failed to build alembic-utils flupy
ERROR: Could not build wheels for alembic-utils, flupy, which is required to install pyproject.toml-based projects
jsii.errors.JavaScriptError:
  Error: Failed to bundle asset example/LibraryLayer/Code/Stage, bundle output is located at /Users/varju/work/tmp/cdk-22012/cdk.out/asset.5fc106c8aa8f7980c020ac7f4a348a599cfccbbfcf6f0cdeb32a60a602db80d4-error: Error: docker exited with status 1
      at AssetStaging.bundle (/private/var/folders/_f/pvz1p9m11c3g33pznmkx5t159tvgw6/T/jsii-kernel-nug7qK/node_modules/aws-cdk-lib/core/lib/asset-staging.js:2:614)
      at AssetStaging.stageByBundling (/private/var/folders/_f/pvz1p9m11c3g33pznmkx5t159tvgw6/T/jsii-kernel-nug7qK/node_modules/aws-cdk-lib/core/lib/asset-staging.js:1:4314)
      at stageThisAsset (/private/var/folders/_f/pvz1p9m11c3g33pznmkx5t159tvgw6/T/jsii-kernel-nug7qK/node_modules/aws-cdk-lib/core/lib/asset-staging.js:1:1675)
      at Cache.obtain (/private/var/folders/_f/pvz1p9m11c3g33pznmkx5t159tvgw6/T/jsii-kernel-nug7qK/node_modules/aws-cdk-lib/core/lib/private/cache.js:1:242)
      at new AssetStaging (/private/var/folders/_f/pvz1p9m11c3g33pznmkx5t159tvgw6/T/jsii-kernel-nug7qK/node_modules/aws-cdk-lib/core/lib/asset-staging.js:1:2070)
      at new Asset (/private/var/folders/_f/pvz1p9m11c3g33pznmkx5t159tvgw6/T/jsii-kernel-nug7qK/node_modules/aws-cdk-lib/aws-s3-assets/lib/asset.js:1:736)
      at AssetCode.bind (/private/var/folders/_f/pvz1p9m11c3g33pznmkx5t159tvgw6/T/jsii-kernel-nug7qK/node_modules/aws-cdk-lib/aws-lambda/lib/code.js:1:4628)
      at new LayerVersion (/private/var/folders/_f/pvz1p9m11c3g33pznmkx5t159tvgw6/T/jsii-kernel-nug7qK/node_modules/aws-cdk-lib/aws-lambda/lib/layers.js:1:1277)
      at new PythonLayerVersion (/private/var/folders/_f/pvz1p9m11c3g33pznmkx5t159tvgw6/T/jsii-kernel-nug7qK/node_modules/@aws-cdk/aws-lambda-python-alpha/lib/layer.js:39:9)
      at exports.Kernel._create (/private/var/folders/_f/pvz1p9m11c3g33pznmkx5t159tvgw6/T/tmpo1v30x08/lib/program.js:5592:179)

The above exception was the direct cause of the following exception:

Possibly of note: I'm on an M1 Mac.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 13, 2022
@peterwoodworth
Copy link
Contributor

I've been able to reproduce this @varju, thanks for providing a repo to help test this.

I've found that if you add these two lines to your construct, synth will fail in 2.41.0 whereas it will succeed in 2.40.0

compatible_runtimes=[lambdas.Runtime.PYTHON_3_9],
compatible_architectures=[lambdas.Architecture.ARM_64],

@corymhall could you take a look at this?

@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort and removed needs-reproduction This issue needs reproduction. labels Sep 13, 2022
@corymhall
Copy link
Contributor

It looks like it is somehow related to running on ARM because I can't reproduce when using X86. But we should be able to fix it by moving

aws-cdk/packages/@aws-cdk/aws-lambda-python/lib/Dockerfile

Line 13 in c0255f6

chmod -R 777 /tmp/pip-cache
to line 24.

@corymhall corymhall removed their assignment Sep 14, 2022
@peterwoodworth peterwoodworth added the good first issue Related to contributions. See CONTRIBUTING.md label Sep 14, 2022
@TheRealAmazonKendra TheRealAmazonKendra self-assigned this Oct 5, 2022
@mmaeng mmaeng mentioned this issue Oct 6, 2022
Merged
3 tasks
@mergify mergify bot closed this as completed in #22398 Oct 12, 2022
mergify bot pushed a commit that referenced this issue Oct 12, 2022
@mmaeng
fix(lambda-python): commands run non-sequentially on Graviton when bu…
e427fd6 
…ilding container image (#22398)

fixes #22012

There were reports that Dockerfile RUN commands are done out of order when building the container image on Graviton.  I combined all the separate RUN commands into a single command and using the shell to explicitly enforce the sequence.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@varju varju mentioned this issue Oct 15, 2022
Merged
4 tasks
mergify bot pushed a commit that referenced this issue Oct 19, 2022
@varju
fix(lambda-python): root-owned cache items not cleaned up after insta…
5ef65e0 
…ll (#22512)

This is another attempt at fixing #22012. #22398 intended to fix it, but the issue still occurs when building on arm64 machines with both `compatible_runtimes=[lambdas.Runtime.PYTHON_3_9]` and `compatible_architectures=[lambdas.Architecture.ARM_64]`

The core problem is that the build leaves root-owned files under `/tmp/pip-cache`, which then cause permission problems when subsequent layers calling `pip install` are unable to create temporary directories. Example error:

```
WARNING: Building wheel for alembic-utils failed: [Errno 13] Permission denied: '/tmp/pip-cache/wheels/5c'
```

Expanding on the idea within #22398, this PR adds one more step to the chain of operations, removing any temporary files from the cache that are no longer needed (because the packages are now installed), and ensuring that subsequent layers are able to create temporary files inside the cache directories.

Comparing the contents of the Docker image before and after this change...

Before:
```
$ ls -aFl /tmp/*cache
/tmp/pip-cache:
total 16
drwxrwxrwx  4 root root 4096 Oct 15 00:57 ./
drwxrwxrwt  1 root root 4096 Oct 15 00:58 ../
drwxr-xr-x 18 root root 4096 Oct 15 00:57 http/
drwxr-xr-x  2 root root 4096 Oct 15 00:57 selfcheck/

/tmp/poetry-cache:
total 8
drwxrwxrwx 2 root root 4096 Oct 15 00:57 ./
drwxrwxrwt 1 root root 4096 Oct 15 00:58 ../
```

After:
```
$ ls -aFl /tmp/*cache
/tmp/pip-cache:
total 8
drwxrwxrwx 2 root root 4096 Oct 15 01:00 ./
drwxrwxrwt 1 root root 4096 Oct 15 01:00 ../

/tmp/poetry-cache:
total 8
drwxrwxrwx 2 root root 4096 Oct 15 00:59 ./
drwxrwxrwt 1 root root 4096 Oct 15 01:00 ../
```

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mrgrain pushed a commit to mrgrain/aws-cdk that referenced this issue Oct 24, 2022
@varju @mrgrain
fix(lambda-python): root-owned cache items not cleaned up after insta…
0096f47 
…ll (aws#22512)

This is another attempt at fixing aws#22012. aws#22398 intended to fix it, but the issue still occurs when building on arm64 machines with both `compatible_runtimes=[lambdas.Runtime.PYTHON_3_9]` and `compatible_architectures=[lambdas.Architecture.ARM_64]`

The core problem is that the build leaves root-owned files under `/tmp/pip-cache`, which then cause permission problems when subsequent layers calling `pip install` are unable to create temporary directories. Example error:

```
WARNING: Building wheel for alembic-utils failed: [Errno 13] Permission denied: '/tmp/pip-cache/wheels/5c'
```

Expanding on the idea within aws#22398, this PR adds one more step to the chain of operations, removing any temporary files from the cache that are no longer needed (because the packages are now installed), and ensuring that subsequent layers are able to create temporary files inside the cache directories.

Comparing the contents of the Docker image before and after this change...

Before:
```
$ ls -aFl /tmp/*cache
/tmp/pip-cache:
total 16
drwxrwxrwx  4 root root 4096 Oct 15 00:57 ./
drwxrwxrwt  1 root root 4096 Oct 15 00:58 ../
drwxr-xr-x 18 root root 4096 Oct 15 00:57 http/
drwxr-xr-x  2 root root 4096 Oct 15 00:57 selfcheck/

/tmp/poetry-cache:
total 8
drwxrwxrwx 2 root root 4096 Oct 15 00:57 ./
drwxrwxrwt 1 root root 4096 Oct 15 00:58 ../
```

After:
```
$ ls -aFl /tmp/*cache
/tmp/pip-cache:
total 8
drwxrwxrwx 2 root root 4096 Oct 15 01:00 ./
drwxrwxrwt 1 root root 4096 Oct 15 01:00 ../

/tmp/poetry-cache:
total 8
drwxrwxrwx 2 root root 4096 Oct 15 00:59 ./
drwxrwxrwt 1 root root 4096 Oct 15 01:00 ../
```

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@arash-cid
Copy link

arash-cid commented Oct 12, 2023
edited

Not working please open it up

I'm facing this issue on latest versions:

   "@aws-cdk/aws-lambda-python-alpha": "^2.100.0-alpha.0",
    "aws-cdk-lib": "2.100.0",
RUNS  test/datalake-integration.test.ts
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
sending incremental file list
rsync: mkdir "/asset-output/python" failed: Permission denied (13)
rsync error: error in file IO (code 11) at main.c(583) [receiver=3.0.6]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@TheRealAmazonKendra TheRealAmazonKendra

Labels
@aws-cdk/aws-lambda-python bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p1
Projects
None yet
Milestone
No milestone
5 participants
@varju @corymhall @peterwoodworth @TheRealAmazonKendra @arash-cid