Using the Lambda Runtime Interface Emulator With a Custom Bash Runtime
ACM.307 Revisiting the RIE with a revamped Arm container for Lambda
In the last post, I fixed the error handling in my custom Bash runtime in the container I’m testing with Lambda.
Now I want to revisit the Lambda Runtime Interface Emulator (RIE) and see if we can get it working with this container. Recall that we built this container using an AWS base image that should have the Lambda Runtime Interface Emulator built into it.
So the first thing I tried to do was to move the RIE code to a separate script and create a separate entry.sh script.
entry.sh

I moved the runtime code to rie-bash.sh and changed it to use the Handler variable for the function that gets called. Note that I am *not* going to let someone override the work directory for the reasons in the comment.
rie-bash.sh

Allowing a user to specify and execute any file inside the container would be a security risk I’m unwilling to take.
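The restriction described above can be enforced in the runtime itself. This is an added example in POSIX shell, not the author's rie-bash.sh: it validates a handler string and resolves it only inside a fixed functions directory. The names `resolve_handler` and `FUNCTIONS_DIR`, the default path, and the `file.function` handler format are assumptions.

```shell
#!/bin/sh
# Added example, not the post's rie-bash.sh. FUNCTIONS_DIR, resolve_handler and
# the "file.function" handler format are assumptions made for illustration.

# Fixed by the image, never taken from the event payload. Default is assumed.
FUNCTIONS_DIR="${FUNCTIONS_DIR:-/var/task/functions}"

# Prints "<script path> <function name>" for an allowed handler string and
# returns 1 for anything that could name a file outside FUNCTIONS_DIR.
# The ( ) body runs in a subshell, so the variables below stay local.
resolve_handler() (
  handler="$1"
  case "$handler" in
    # Any character outside the allow-list: rejects '/', spaces, '$', ';' ...
    *[!A-Za-z0-9_.-]*) return 1 ;;
    # Empty side of the dot, or more than one dot (this also covers "..").
    ""|.*|*.|*.*.*) return 1 ;;
    # Exactly one dot with a name on each side.
    *.*) ;;
    *) return 1 ;;
  esac
  file="${handler%.*}"
  func="${handler#*.}"
  # Shell function names may not start with a digit or contain '-'.
  case "$func" in [0-9]*|*-*) return 1 ;; esac
  # Resolve the directory physically so the result is an absolute real path.
  base="$(cd "$FUNCTIONS_DIR" 2>/dev/null && pwd -P)" || return 1
  script="$base/$file.sh"
  # Only a regular file that is not a symlink to somewhere else is accepted.
  [ -f "$script" ] && [ ! -L "$script" ] || return 1
  printf '%s %s\n' "$script" "$func"
)

# Constructed demo: one real handler script and a few hostile handler values.
demo() (
  FUNCTIONS_DIR="$(mktemp -d)"
  printf 'handler() { cat; }\n' > "$FUNCTIONS_DIR/handler.sh"
  for h in handler.handler ../etc/passwd.x '/bin/sh.run' 'handler.a;id' ..; do
    if out="$(resolve_handler "$h")"; then echo "allow  $h -> $out"
    else echo "reject $h"; fi
  done
  rm -rf "$FUNCTIONS_DIR"
)
demo
```

A runtime would source the returned script path and call the returned function name only after this check succeeds, and fail the invocation otherwise.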

I have to copy those to the Docker image and set the permissions and I renamed the function directory to functions everywhere it is referenced.
Dockerfile

Recall from our prior attempt to use the RIE that it was located here after installing it on the container:
/usr/bin/aws-lambda-rie
So the first thing I had my entry point do is run this command to see what’s in that directory and if the RIE exists there.
ls -al /usr/bin
I built and ran the container using the local test script I created in an earlier post. The contents of the directory got displayed but no sign of the RIE. I do wonder what that random bracket is at the top of the list, but that’s beside the point.

Hmmm. If I were a Lambda Runtime Interface Emulator where would I be on Amazon Linux 2023? I asked Google that question and it said:
/usr/local/bin
Yes. There it is.

OK here’s where I realize what I was doing wrong before. The blog post I was reading wasn’t that clear to me or I just didn’t read it carefully enough. When you use the RIE here’s what happens:
- When you run the command that executes your container with the RIE, you start up an API server on your localhost that acts as your Lambda function would if it were running on Lambda. That’s what entry.sh does.
- Next, open a new terminal window and make a request to your Lambda function running via the RIE and it responds.

Here’s what that looks like.
I have a localtest.sh file that I use to run the container as if it were running in Lambda that includes the following code:

When I execute that, it starts the local API server that is listening for requests to the Lambda function and processes them with the custom runtime script (rie-bash.sh) and the function script (functions/handler.sh).

Open a new terminal window.
Call the local version of your Lambda function using localhost and the port specified when you ran the container. Pass in whatever payload is appropriate. In my case, it doesn’t matter what I pass in because my function simply echoes out whatever I pass into it in the response.
curl "http://localhost:9000/2015-03-31/functions/function/invocations" -d '{"payload":"hello world!"}'
Here you can see I’m running the curl request and my function is echoing the results out just as it did when I ran it from within Lambda.

One more test. I want to make sure this still runs in Lambda. Push it to ECR using the push.sh file I created in a prior post.
./push.sh
Deploy the new image using the button in the Lambda console.

Test. Good to go.

Alright, we have a Lambda function that we can test locally or within Lambda and it can run a bash script. Let’s see what we can do about cloning a repo within the image now that we can run command line scripts.
Teri Radichel | © 2nd Sight Lab 2024
