swift-aws-lambda-runtime
Plugin does not work
Expected behavior
should build the lambdas
Actual behavior
...
.executableTarget(
    name: "HelloWorld",
    dependencies: [
        .product(name: "AWSLambdaRuntime", package: "swift-aws-lambda-runtime"),
    ],
    plugins: [
        .plugin(name: "AWSLambdaPackager", package: "swift-aws-lambda-runtime")
    ]
),
...
swift package archive
No explicit products named, building all executable products: 'SwiftLambda', 'HelloWorld'
-------------------------------------------------------------------------
building "swiftlambda" in docker
-------------------------------------------------------------------------
updating "swift:amazonlinux2" docker image
time="2022-09-24T21:11:41+02:00" level=error msg="failed to create file hook: unable to create a log file for docker-credential-desktop in directory /Users/ben/Library/Containers/com.docker.docker/Data/log/host: open /Users/ben/Library/Containers/com.docker.docker/Data/log/host/docker-credential-desktop.log: operation not permitted"
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=swift&tag=amazonlinux2": dial unix /var/run/docker.sock: connect: operation not permitted
SwiftAWSLambdaRuntime version/commit hash
main
Swift & OS version (output of swift --version && uname -a)
swift-driver version: 1.62.8 Apple Swift version 5.7 (swiftlang-5.7.0.127.4 clang-1400.0.29.50)
Target: arm64-apple-macosx12.0
Darwin MacBook-Pro 21.6.0 Darwin Kernel Version 21.6.0: Wed Aug 10 14:28:23 PDT 2022; root:xnu-8020.141.5~2/RELEASE_ARM64_T6000 arm64
Hi @benkeil, the plugin requires elevated permissions to communicate with docker over the local network, so it should be run with --disable-sandbox. SwiftPM will eventually get nicer constructs for this kind of grant that will allow running it in a more streamlined way.
p.s.
we are behind on documenting how to use the plugin, sorry about that
Why does it need this? It is doing nothing special and it sounds like a security issue to do that.
The packaging plugin used docker on macOS. The SwiftPM sandbox does not permit network communication, and docker is a daemon that exposes its APIs over the local network. As such, the sandbox does not allow the plugin to use / communicate with docker. SwiftPM will eventually get a more fine-grained permission model that would allow plugins to specify a network access grant, but right now it's a fairly binary option.
made this PR to document the 1.x API. once merged we can tag a 1.0.0-alpha.1
Documentation is now up-to-date https://github.com/swift-server/swift-aws-lambda-runtime/blob/main/readme.md?plain=1#L267
Closing this
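The thread leaves the sandbox question at "a fairly binary option". As an added example (not code from this issue or from the project), this is how the scoped grant that later shipped in SwiftPM 5.9 looks for a command plugin, next to the blanket `--disable-sandbox` invocation discussed above. The package name, description and reason strings are hypothetical; the plugin name and the `archive` verb are taken from the issue.

```swift
// swift-tools-version:5.9
// Added example: a command plugin that declares the one sandbox exception it
// needs, instead of asking users to switch the sandbox off entirely.
import PackageDescription

let package = Package(
    name: "ExamplePackagerPlugin",  // hypothetical package name
    products: [
        .plugin(name: "AWSLambdaPackager", targets: ["AWSLambdaPackager"]),
    ],
    targets: [
        .plugin(
            name: "AWSLambdaPackager",  // sources expected in Plugins/AWSLambdaPackager
            capability: .command(
                intent: .custom(
                    verb: "archive",
                    description: "Build and package the Lambda executables."  // illustrative text
                ),
                permissions: [
                    // Declares that the plugin needs to reach the Docker daemon,
                    // and tells the user why. Nothing else is opened up.
                    .allowNetworkConnections(
                        scope: .docker,
                        reason: "The plugin builds the products inside a Docker container."  // illustrative text
                    ),
                ]
            )
        ),
    ]
)

// Invocation, weak setting beside the scoped one:
//
//   swift package --disable-sandbox archive
//       Runs the plugin with no sandbox at all: file system and network
//       restrictions are both lifted for the plugin process.
//
//   swift package --allow-network-connections docker archive
//       Keeps the sandbox and grants only the declared Docker scope.
//       Without the flag, an interactive run prompts for approval and
//       shows the reason string from the manifest.
```

The docker scope narrows the exception but does not make the grant harmless: a process that can drive the Docker daemon can start containers with host directories mounted, so the plugin source still deserves review before the grant is approved.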