(lambda): lambda.DockerImageFunction can not be used alongside containerd to utilize cache storage backends #31548

Open
@neilferreira

Description

Describe the bug

Context:

CDK provides the ability to utilize Docker cache storage backends as per the docs.

In order to make use of cache storage backends such as a local directory or external registry, it is a requirement to enable containerd image store in Docker.

Once containerd has been enabled, you are able to populate the build cache parameters within CDK, and subsequent builds on different CI runners would all utilise the same backend cache, drastically improving the CDK build and deployment process.

Bug

Once containerd has been enabled, any Lambda function utilizing the Docker runtime fails to deploy.

Lambda code:

new lambda.DockerImageFunction(
  this,
  "LambdaFn",
  {
    functionName: "containerd-function",
    code: lambda.DockerImageCode.fromImageAsset(__dirname + "/lambda"),
  }
);

Error message:

UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "The image manifest or layer media type for the source image ... is not supported. (Service: Lambda, Status Code: 400, Request ID: ...)"

A likely resolution:

As per a similar issue noted on #30258, the only workaround for this is currently to use BUILDX_NO_DEFAULT_ATTESTATIONS=1 cdk deploy

It would be better if CDK explicitly adds --provenance=false in its calls to docker buildx, or provides the ability to do so.

See https://docs.docker.com/reference/cli/docker/buildx/build/#provenance and https://docs.docker.com/build/attestations/attestation-storage/

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

n/a

Expected Behavior

I would expect to be able to utilize the documented cache backends feature within CDK when deploying Lambda functions that utilise a container image. These two CDK features are not able to work together.

Current Behavior

Lambda fails to create or update the Lambda function with the following error message:

The image manifest or layer media type for the source image is not supported

Reproduction Steps

  1. Enable containerd in Docker
  2. Create a Lambda function in CDK using:

      new lambda.DockerImageFunction(
        this,
        "LambdaFn",
        {
          functionName: "containerd-function",
          code: lambda.DockerImageCode.fromImageAsset(__dirname + "/lambda"),
        }
      );

  3. Create a Dockerfile using:

      FROM --platform=linux/amd64 public.ecr.aws/lambda/python:3.12

      COPY handler.py ./

      CMD [ "handler.handler" ]

  4. Create a handler.py using:

      def handler(event, context):
          return {"success": True}

  5. Run cdk deploy to deploy the function.

Possible Solution

Prefixing BUILDX_NO_DEFAULT_ATTESTATIONS=1 to cdk deploy works around this issue.

Additional Information/Context

No response

CDK CLI Version

2.160.0 (build 7a8ae02)

Framework Version

No response

Node.js Version

v18.17.1

OS

MacOS 14.6

Language

TypeScript

Language Version

No response

Other information

No response
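
A preflight check for the failure reported above, as an added example that is not part of the original issue or of CDK's code: it classifies the raw manifest JSON of a built image (for instance the output of `docker buildx imagetools inspect --raw` for the pushed asset) and flags an image index that carries a BuildKit attestation manifest. The function names and the sample manifest are constructed, and that the index form is what Lambda rejects is an assumption drawn from the error message and the attestation-storage page linked in the issue.

```typescript
// Added example. Media types come from the OCI image spec and Docker manifest v2;
// the annotation key is the one BuildKit sets on attestation manifests.
interface Descriptor {
  mediaType?: string;
  digest?: string;
  platform?: { architecture?: string; os?: string };
  annotations?: { [key: string]: string };
}
interface RawManifest {
  mediaType?: string;
  manifests?: Descriptor[]; // present on an index / manifest list
  config?: Descriptor;      // present on a single-image manifest
  layers?: Descriptor[];
}
type Verdict = "single-image" | "index-with-attestation" | "index" | "unknown";

const INDEX_TYPES = [
  "application/vnd.oci.image.index.v1+json",
  "application/vnd.docker.distribution.manifest.list.v2+json",
];

function isAttestation(d: Descriptor): boolean {
  return d.annotations?.["vnd.docker.reference.type"] === "attestation-manifest";
}

// Classify raw manifest JSON; mediaType is optional in OCI, so fall back to structure.
function classifyManifest(rawJson: string): { verdict: Verdict; attestations: string[] } {
  const m = JSON.parse(rawJson) as RawManifest;
  if (INDEX_TYPES.indexOf(m.mediaType ?? "") !== -1 || Array.isArray(m.manifests)) {
    const attestations = (m.manifests ?? []).filter(isAttestation).map((d) => d.digest ?? "");
    return { verdict: attestations.length > 0 ? "index-with-attestation" : "index", attestations };
  }
  if (m.config !== undefined && Array.isArray(m.layers)) {
    return { verdict: "single-image", attestations: [] };
  }
  return { verdict: "unknown", attestations: [] };
}

// Constructed sample: an index as pushed with default provenance (digests are placeholders).
const SAMPLE_WITH_PROVENANCE = JSON.stringify({
  schemaVersion: 2,
  mediaType: "application/vnd.oci.image.index.v1+json",
  manifests: [
    { mediaType: "application/vnd.oci.image.manifest.v1+json", digest: "sha256:IMAGE_DIGEST_PLACEHOLDER",
      platform: { architecture: "amd64", os: "linux" } },
    { mediaType: "application/vnd.oci.image.manifest.v1+json", digest: "sha256:ATTESTATION_DIGEST_PLACEHOLDER",
      platform: { architecture: "unknown", os: "unknown" },
      annotations: { "vnd.docker.reference.type": "attestation-manifest" } },
  ],
});
```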

Labels

@aws-cdk/aws-lambda (Related to AWS Lambda), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p2