git-lambda-layer

How can I create my own layer?

Open ThompsonNJ opened this issue 2 years ago • 4 comments

I love this layer. However, due to security concerns, we cannot use your layer for our production environment; similarly, we cannot simply download your layer and reupload it to a new layer on our account.

Can you please tell me how you went about creating the binary files so I can follow that process? I tried downloading them from git directly, but those files are heavily bloated compared to yours. Also, is there a way to remove the ssh binaries entirely?

ThompsonNJ avatar Apr 01 '22 23:04 ThompsonNJ

As an update to this, it seems like we might be able to download your layer and reupload it, but since our account does not have cross-account permissions, we would have to do this in a roundabout way. If we end up being able to go that route, would we just upload this zip file to a layer ourselves? https://github.com/lambci/git-lambda-layer/blob/master/lambda2/layer.zip

I think our preferred route is still what I posted in the original question though. Ideally, we would like to download the binaries ourselves.

ThompsonNJ avatar Apr 02 '22 00:04 ThompsonNJ

> As an update to this, it seems like we might be able to download your layer and reupload it, but since our account does not have cross-account permissions, we would have to do this in a roundabout way.

Did a test for this and I was able to use your layer but was having VPC issues with the git clone. To learn more about how the layer worked, I used awscli to download your layer and reupload it. However, it seems to work completely differently than referencing your layer directly by arn.

I keep getting an error saying "git" is not recognized as a command. I could eventually fix this by into /opts/bin, but I don't understand how you are able to just access /tmp in this way and it works without issues. Do you know why your layer is being put into /tmp?

ThompsonNJ avatar Apr 03 '22 19:04 ThompsonNJ

> Did a test for this and I was able to use your layer but was having VPC issues with the git clone. To learn more about how the layer worked, I used awscli to download your layer and reupload it. However, it seems to work completely differently than referencing your layer directly by arn.

I was able to get the git clone working just by providing a proxy config to the git command and was able to get the same functionality as your layer just by uploading the zip file exactly as it was downloaded.

> I keep getting an error saying "git" is not recognized as a command. I could eventually fix this by into /opts/bin, but I don't understand how you are able to just access /tmp in this way and it works without issues. Do you know why your layer is being put into /tmp?

I misunderstood what your code was doing. After looking into the defaults /opts/bin and /opts/lib, I realized my layer extracted to a subfolder. It looks like even unzipping and zipping without any edits causes some of the files to be corrupted due to Windows so I had some issues around there. I ended up figuring all the above out except for how you are creating the original layer.

Is this the only thing you're doing to get the git files?

yum install -y git

Zipping them up, then uploading them?

ThompsonNJ avatar Apr 03 '22 21:04 ThompsonNJ

I did this successfully some time ago; it's not difficult to do.

I believe the image that I used was amd64/amazonlinux (uname -m needs to say x86_64, not aarch64 or whatever it is).

Start the docker container with the image above and run the commands below.

Here are the commands I ran, though if you execute them 1 by 1 they might not work, but regardless, you can see what the goal is from the commands:

  • yum install -y git zip which
  • mkdir myfolder
  • cd myfolder
  • mkdir bin etc lib libexec share
  • cd ..
  • cp -r /usr/bin/git* /usr/bin/fips* /usr/bin/scp /usr/bin/sftp /usr/bin/slogin /usr/bin/ssh* /usr/bin/xmlwf myfolder/bin/
  • cp -r /etc/alternatives/ /etc/pki /etc/prelink.conf.d/ /etc/ssh/ /etc/libaudit.conf myfolder/etc/
  • cp -r /usr/libexec/git-core/ /usr/libexec/openssh/ myfolder/libexec/
  • cp -r /usr/share/git-core/ /usr/share/licenses/ myfolder/share/
  • cp -r /usr/lib64/fipscheck/ /usr/lib64/nss/ /usr/lib64/lib* myfolder/lib
  • cd myfolder
  • mkdir lib64
  • cd ..
  • cp -r /usr/lib64/libpcre2-8.so.0 myfolder/lib64/
  • cd myfolder
  • zip -yr ../layer.zip .

You can now copy the layer.zip file from the container to your host (google how to do that).

Now the lambda itself needs an env var: GIT_EXEC_PATH: /opt/libexec/git-core (this tells git where to look for the binary or something like that)

When you do git clone, you need to specify a template: --template=/opt/share/git-core/templates

Example: git clone --template=/opt/share/git-core/templates https://github.com/aneagoie/background-generator.git

If you're pushing, you need to set up the git config stuff yourself. Note: I didn't set up the git config to be global because I got the error: fatal: $HOME not set

nenadn-arnica avatar Aug 24 '22 08:08 nenadn-arnica
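An added example, not code from this thread or from the git-lambda-layer project: a pre-upload audit of a self-built layer.zip for the problems described above (contents nested in a subfolder, files damaged by re-zipping on Windows, ssh binaries still included), plus a SHA-256 to record for the artifact. It assumes the Windows damage is lost Unix mode bits; `audit_layer` and `build_sample` are hypothetical names and the sample archive is constructed.

```python
import hashlib
import io
import stat
import zipfile

def audit_layer(zip_bytes):
    """Return (sha256 hex digest, list of findings) for a layer zip held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    names = {i.filename for i in infos}
    # Layers are extracted under /opt, so git has to be at bin/git in the
    # archive, not at <subfolder>/bin/git.
    if "bin/git" not in names:
        nested = sorted(n for n in names if n.endswith("/bin/git"))
        if nested:
            findings.append("bin/git is nested under a subfolder: " + nested[0])
        else:
            findings.append("bin/git is missing")
    for info in infos:
        mode = info.external_attr >> 16  # Unix mode; 0 when the zip tool recorded none
        parts = info.filename.split("/")
        if info.create_system != 3 or mode == 0:
            findings.append("no Unix mode recorded: " + info.filename)
        elif parts[0] == "bin" and stat.S_ISREG(mode) and not mode & 0o111:
            findings.append("not executable: " + info.filename)
        # ssh client files named in the copy steps, reported so they can be reviewed
        if (parts[0] == "bin" and parts[-1].startswith(("ssh", "scp", "sftp", "slogin"))) \
                or info.filename.startswith(("libexec/openssh/", "etc/ssh/")):
            findings.append("ssh tooling present: " + info.filename)
    return hashlib.sha256(zip_bytes).hexdigest(), findings

def build_sample(prefix="", unix=True):
    """Constructed input: a tiny zip shaped like the layer built by the steps above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode in (("bin/git", 0o100755), ("bin/ssh", 0o100755),
                           ("libexec/git-core/git-remote-https", 0o100755),
                           ("share/git-core/templates/description", 0o100644)):
            zi = zipfile.ZipInfo(prefix + name)
            zi.create_system = 3 if unix else 0          # 3 = Unix, 0 = DOS/Windows
            zi.external_attr = (mode << 16) if unix else 0x20
            zf.writestr(zi, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    digest, findings = audit_layer(build_sample())
    print(digest)
    print("\n".join(findings))
```

For a real build, pass `open("layer.zip", "rb").read()`; after publishing, the base64 `CodeSha256` that Lambda reports for the layer version should decode to the same digest.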