avatarTeri Radichel

Summary

The provided content discusses the resolution of errors due to architecture mismatches between Lambda functions and container images in AWS, emphasizing the importance of aligning the architecture types (x86_64 vs. arm64) for optimal performance and compatibility.

Abstract

The article "Lambda Architecture vs. Container Architecture" addresses a common issue faced by developers when deploying AWS Lambda functions with mismatched architectures to their container images. The author, Teri Radichel, illustrates this problem through a personal experience of encountering an error message indicating an architecture mismatch. The error occurred while testing a Lambda function using the Lambda Runtime Interface Emulator (RIE) and deploying it on AWS. The post delves into the significance of selecting the correct architecture type, either x86_64 or arm64, for both the Lambda function and the container image. Radichel highlights the default architecture settings for AWS Lambda and CloudFormation properties, and the need to specify the architecture when building Docker containers to ensure compatibility with the target AWS environment. The article also touches on the performance and cost considerations between Intel (x86) and Arm architectures, suggesting that while Intel may have an edge in some use cases, Arm is rapidly becoming a cost-effective alternative on AWS. The author concludes by successfully resolving the initial error by aligning the Lambda function and container image architectures and hints at further exploring the benefits and risks of deploying with containers in subsequent posts.

Opinions

  • The author believes that AWS could improve the error messaging for architecture mismatches to make troubleshooting more straightforward.
  • There is an opinion that Intel architecture may still offer better performance for certain use cases compared to Arm, although Arm is noted to be catching up and may be more cost-effective in many scenarios.
  • The author suggests that developers and security teams should be aware of the risks associated with deploying containers, implying that while containers offer significant benefits, they also introduce complexities that need to be managed carefully.
  • The article implies that understanding the architecture of the underlying hardware (x86_64 vs. arm64) is crucial for developers working with cloud services like AWS Lambda.
  • The author seems to advocate for the use of multi-platform Docker images to support various architectures, which can simplify deployment across different environments.

Lambda Architecture vs. Container Architecture

ACM.300 Resolving errors caused by architecture mismatch

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Lambda | Container Security | Application Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~In the last post I showed you how to enable CloudWatch logging for Lambda.

In the process I got the following error:

"errorType*: "Runtime.InvalidEntrypoint,
"errorMessage": "Requestld: [id] Error: fork/exec /entry.sh: exec format error"

What’s that all about? I’m going to tell your up front that I think this error could be better. It seems like when running the Lambda AWS could determine the problem and present a better error message, but I figured it out based on the pain others have faced.

I got a clue from a comment on Twitter that I might have an architecture mismatch when I was trying to test a Lambda function with the Lambda Runtime Interface Emulator (RIE). Now I’m getting this error when deployed as a Lambda function and this post says basically the same thing:

https://stackoverflow.com/questions/68247643/aws-lambda-alpine-python-container-shows-image-launch-error-exec-format-error

Let’s take a look at what architectures we are using for the container and the Lambda function and see if they align.

Head over to the Lambda console where we deployed the Lambda function. On the Image tab you can see that the architecture is x86_64. Makes sense. If you recall the post where I created the CloudFormation template, I did not specify the architecture as that property is not required. The default is x86 (Intel hardware). That means AWS is executing this function on x86 hardware and that hardware and operating systems running on it need to interface in a certain way.

Take a look at our options for the CloudFormation property. We can use arm64 or x86_64 and the default is x86_64.

So I was sitting next to one of my AWS heroes at an event in Seattle, Ed Miller. He said he worked for Arm and I mistakenly thought he worked with Arm for AWS. I asked him which is better, Arm or x86 and he said, “You’re asking the Arm guy?” 😆 Oops. But he offered some insight anyway.

Basically from what I have read and been told, Intel may still have an edge and have better performance for some use cases at this time, but Arm is catching up fast. In many cases, Arm may be more cost-effective on AWS. It all depends on your use case so if you want to know which is really better or cheaper, you’ll have to do some performance testing and cost analysis for your particular architecture and application.

If you’re running a container or software on a particular platform, it has to be compatible with that platform. So on which architecture is the container that I built design to run? Recall that I pulled it from this blog post:

I built this image on my EC2 instance. Head over to the EC2 dashboard.

Click on the EC2 instance. Scroll down to AMI ID under the details.

Click on the AMI ID.

On the list of AMIs click on the AMI ID link again.

The Amazon Machine Image is essentially the definition of the EC2 instance configuration, including the EC2 instance architecture.

I built my docker container on an EC2 instance with the arm64 architecture, but I’m trying to run the container on a Lambda function with an x86_64 configuration.

If you built the docker file on your local laptop or some other machine, you would need to know if that machine is running x86_64 or arm64. There are also older 32 bit architectures but most machines are using 64 bit (the 64 in x86_64 and arm64.) I’ll leave it as an exercise to the reader to research the difference between 32 and 64 bit architectures. You might need to understand something about bits and the math I covered in these posts.

Anyway, let’s see if I can alter my template to specify the architecture and set it to arm64 and then test the Lambda function again.

For now I’m going to set the default to arm64 so I don’t have to go back and modify the deployment script.

Note the type is a list since you can create multiple architecture containers, but this container only supports arm. You can read about multiple-architecture containers here:

Reference the parameter.

Redeploy using the deploy script we created a few posts back for the dockertest Lambda function.

Verify the architecture is updated to arm64.

Test the Lambda as we did in the last post. Success. Kind of.

We have another error, but this error is inside the container.

In the next post I’ll fix that and explain why deploying with containers is even cooler than what I’ve covered so far — and has some risks of which developers and security teams need to be aware.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity for Executives in the Age of Cloud
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Appication Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presenation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Medium: Teri Radichel
❤️ Sign Up For Email
❤️ Twitter: @teriradichel
❤️ Mastodon: @[email protected]
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Lambda
Architecture
X86
Arm64
Recommended from ReadMedium