[Bug] Component Validation fails when creating a python file (failed to compute hash - operation not permitted)
Tell us about your request
For some reason, when I create a python script in a component, the validation always fails for the component.
If I remove the script, then the component works as expected. As soon as I add it back in, then the component fails.
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
This is the component part that causes it to fail:
```yaml
- name: createClamAvServerScript
  action: CreateFile
  inputs:
    - path: /opt/example-server/server.py
      content: |-
        import os
        from flask import Flask, request, jsonify
        # Create the Flask app
        app = Flask(__name__)
        if __name__ == "__main__":
            app.run(host='127.0.0.1', port=5000)
```
I removed most code to get to this as a minimal example. This seems to be due to using : in the code. If I remove if __name__ == "__main__": then it will build as expected. This doesn't seem to handle YAML properly. Even trying to escape the : this will not work.
This is a major flaw in the system.
I have not found a workaround yet but have been struggling for 2 days on this now. This works fine when I deploy this in an EC2 using userData. Trying to create an EC2 Image builder for this and this is the only part that I cannot get to work.
I even tried creating the file with ExecuteBash and the same error happens.
This fails with:
Image ARN: arn:aws-us-gov:imagebuilder:us-gov-west-1:1172554XXXXX:image/clamav-file-scanner/0.0.22/1 failed with error: Workflow Execution ID: 'wf-d7eff014-6864-449f-8322-d42754215aaa' failed with reason: failed to compute hash for file /var/lib/amazon/toe/TOE_2024-12-04_00-14-07_UTC-0_ad5591d5-b1d4-11ef-b4c9-02c89485f559/D1__imagebuilder-clamavfilescanner-configure-clamav-server__0.0.22_1.yml, open /var/lib/amazon/toe/TOE_2024-12-04_00-14-07_UTC-0_ad5591d5-b1d4-11ef-b4c9-02c89485f559/D1__imagebuilder-clamavfilescanner-configure-clamav-server__0.0.22_1.yml: operation not permitted.
This does not run any parts of the component. This is failing validation of the component before it even attempts to run anything. This happens at the start of the ApplyBuildComponents stage.
I am using a custom working directory:
WorkingDirectory: "/opt/ec2-image-builder-ssm-working-dir"
Are you currently working around this issue? How are you currently solving this problem?
Still trying to figure this out...
I've opened a duplicate of this internally with our team to track and troubleshoot. We'll circle back here as required and to provide updates.
This is not entirely due to using : but instead seems due to combinations of using double quotes and :.
I was able to get the example code above to work by doing one of two things:
- Use single quotes instead of double
- Escape the double quotes
This doesn't appear to be documented (that I could find) and this also doesn't seem proper. I do not have this issue with other files that use both : and ".
I have not been able to identify what exactly causes this. It should be noted that I have other CreateFile and ExecuteBash that work just fine with both : and ".
I made these changes on my actual python script but I still have the same issue with the validation failing for the component. It seems that using : within a function is then causing these issues. try/catch also causes this error to happen.
I have tried many variants of ExecuteBash and CreateFile to no success. I didn't test escaping everything as I noticed that the escapes were written to the actual file and this makes it unusable and not worth the headache this has become.
My current solution is to just place the files with EC2 Image Builder then add the content of these files in the instance userdata as this has no issues with the code.
It is very clear there are some serious issues with this. I hope this gets the attention it needs.
My workaround for this was to replace all : with a template variable TEMPLATE_VAR_COLON and then do a find/replace on the file after it is created. That seemed to solve the issue for me but still a hacky way to do this.
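The placeholder workaround from the last comment, sketched as an added example (not code from the issue or from EC2 Image Builder): colons are swapped for TEMPLATE_VAR_COLON before the content is embedded in a CreateFile step, and put back once the file exists, with a SHA-256 comparison against the original so a mangled restore is caught instead of shipped in the image. The function names, the sample script's indentation and the hash check are assumptions; the issue does not say how the find/replace was run on the instance.

```python
import hashlib
import textwrap
from pathlib import Path

PLACEHOLDER = "TEMPLATE_VAR_COLON"  # token named in the workaround above

# Constructed sample: the issue's minimal script, indentation assumed.
# No trailing newline, because the `|-` block scalar strips it anyway.
SAMPLE = (
    "import os\n"
    "from flask import Flask, request, jsonify\n"
    "app = Flask(__name__)\n"
    'if __name__ == "__main__":\n'
    "    app.run(host='127.0.0.1', port=5000)"
)


def encode(source: str) -> str:
    """Swap every ':' for the placeholder so the embedded content has none."""
    if PLACEHOLDER in source:
        # Restoring would rewrite this pre-existing token and corrupt the file.
        raise ValueError(f"{PLACEHOLDER} already occurs in the source")
    return source.replace(":", PLACEHOLDER)


def digest(text: str) -> str:
    """SHA-256 of the text as UTF-8, recorded before the build starts."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def render_create_file_step(name: str, path: str, source: str) -> str:
    """Render a CreateFile step, laid out as in the issue, with encoded content."""
    body = textwrap.indent(encode(source), " " * 8)
    return (f"- name: {name}\n  action: CreateFile\n  inputs:\n"
            f"    - path: {path}\n      content: |-\n{body}\n")


def restore_file(path: Path, expected_sha256: str) -> None:
    """After the file exists: put ':' back, verify the hash, then write."""
    restored = path.read_text(encoding="utf-8").replace(PLACEHOLDER, ":")
    if digest(restored) != expected_sha256:
        raise RuntimeError(f"{path}: restored content differs from the original")
    path.write_text(restored, encoding="utf-8")


if __name__ == "__main__":
    print(render_create_file_step("createClamAvServerScript",
                                  "/opt/example-server/server.py", SAMPLE))
    print("expected sha256:", digest(SAMPLE))
```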