swift-server / swift-aws-lambda-runtime

Swift implementation of AWS Lambda Runtime
Apache License 2.0

Plugin does not work #271

Closed benkeil closed 1 month ago

benkeil commented 1 year ago

Expected behavior

should build the lambdas

Actual behavior

...
.executableTarget(
  name: "HelloWorld",
  dependencies: [
    .product(name: "AWSLambdaRuntime", package: "swift-aws-lambda-runtime"),
  ],
  plugins: [
    .plugin(name: "AWSLambdaPackager", package: "swift-aws-lambda-runtime")
  ]
),
...

swift package archive
No explicit products named, building all executable products: 'SwiftLambda', 'HelloWorld'
-------------------------------------------------------------------------
building "swiftlambda" in docker
-------------------------------------------------------------------------
updating "swift:amazonlinux2" docker image
  time="2022-09-24T21:11:41+02:00" level=error msg="failed to create file hook: unable to create a log file for docker-credential-desktop in directory /Users/ben/Library/Containers/com.docker.docker/Data/log/host: open /Users/ben/Library/Containers/com.docker.docker/Data/log/host/docker-credential-desktop.log: operation not permitted"
  Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=swift&tag=amazonlinux2": dial unix /var/run/docker.sock: connect: operation not permitted

SwiftAWSLambdaRuntime version/commit hash

main

Swift & OS version (output of swift --version && uname -a)

swift-driver version: 1.62.8 Apple Swift version 5.7 (swiftlang-5.7.0.127.4 clang-1400.0.29.50)
Target: arm64-apple-macosx12.0
Darwin MacBook-Pro 21.6.0 Darwin Kernel Version 21.6.0: Wed Aug 10 14:28:23 PDT 2022; root:xnu-8020.141.5~2/RELEASE_ARM64_T6000 arm64

tomerd commented 1 year ago

hi @benkeil, the plugin requires elevated permissions to communicate with docker over the local network, so it should be run with --disable-sandbox. SwiftPM will eventually get nicer constructs for this kind of grant that will allow running it in a more streamlined way

p.s.

we are behind on documenting how to use the plugin, sorry about that

benkeil commented 1 year ago

Why does it need this? It is doing nothing special and it sounds like a security issue to do that.

tomerd commented 1 year ago

The packaging plugin used docker on macOS. SwiftPM sandbox does not permit network communication, and docker is a daemon that exposes its APIs over the local network. As such, the sandbox does not allow the plugin to use / communicate with docker. SwiftPM will eventually get a more fine-grained permission model that would allow plugins to specify a network access grant, but right now it's a fairly binary option.

tomerd commented 1 year ago

made this PR to document the 1.x API. once merged we can tag a 1.0.0-alpha.1

sebsto commented 1 month ago

Documentation is now up-to-date https://github.com/swift-server/swift-aws-lambda-runtime/blob/main/readme.md?plain=1#L267

Closing this