From fbab40177ea7cfd2be74c7c950bf165af1ac24b4 Mon Sep 17 00:00:00 2001 From: Bo Xiong <94585875+xiongbo-sjtu@users.noreply.github.com> Date: Mon, 23 Dec 2024 02:49:52 -0800 Subject: [PATCH] feat: Add support to explicitly specify a CPU architecture for the to-be-copied image instead of relying on auto-detection (#961) ### What's the problem? It's observed that when copying a multi-arch source image from location A to B in ECR, we always end up with `amd64` in the destination image at location B. The hypothesis is that the underlying lambda function used to auto-detect the architecture is backed up by Dockerfile with [a hard-coded runtime.GOARCH](https://github.com/cdklabs/cdk-ecr-deployment/blob/dcd74cdfc394d6a43a5517cb5cce1843e1fe3111/lambda/Dockerfile#L11). ### Proposed Solution Instead of solely relying on an auto-detection mechanism, this PR is meant to add a feature to allow users to explicitly specify a CPU architecture for the to-be-copied image, by triggering the underlying logic [here](https://github.com/containers/image/blob/5263462aa97ae23d3a620b4dcdbbc557665a42c8/internal/pkg/platform/platform_matcher.go#L164). This will unblock the usage of Graviton instances for [Amazon SageMaker](https://aws.amazon.com/sagemaker/) and other computing platforms. As a side note, I've run `npm run release` on my dev box to refresh `API.md` --------- Co-authored-by: Bo Xiong Co-authored-by: Rico Huijbers --- .gitignore | 1 + .projenrc.ts | 1 + API.md | 20 +++++++++++ lambda/main.go | 10 ++++-- lambda/main_test.go | 13 ++++++-- lambda/utils.go | 9 +++-- src/index.ts | 20 +++++++++++ test/ecr-deployment.test.ts | 61 ++++++++++++++++++++++++++++++++++ test/example.ecr-deployment.ts | 18 ++++++++++ 9 files changed, 145 insertions(+), 8 deletions(-) create mode 100644 test/ecr-deployment.test.ts diff --git a/.gitignore b/.gitignore index 4dff9450..43fbe58f 100644 --- a/.gitignore +++ b/.gitignore @@ -32,6 +32,7 @@ jspm_packages/ .yarn-integrity .cache cdk.out/ +lambda/out/bootstrap /test-reports/ junit.xml /coverage/ diff --git a/.projenrc.ts b/.projenrc.ts index 7f273041..22bddb9a 100644 --- a/.projenrc.ts +++ b/.projenrc.ts @@ -36,6 +36,7 @@ const project = new CdklabsConstructLibrary({ repositoryUrl: 'https://github.com/cdklabs/cdk-ecr-deployment', /* The repository is the location where the actual code for your package lives. */ gitignore: [ 'cdk.out/', + 'lambda/out/bootstrap', ], /* Additional entries to .gitignore. */ npmignore: [ '/cdk.out', diff --git a/API.md b/API.md index 397cdbd0..5488b851 100644 --- a/API.md +++ b/API.md @@ -148,6 +148,7 @@ const eCRDeploymentProps: ECRDeploymentProps = { ... } | src | IImageName | The source of the docker image. | | buildImage | string | Image to use to build Golang lambda for custom resource, if download fails or is not wanted. | | environment | {[ key: string ]: string} | The environment variable to set. | +| imageArch | string[] | The image architecture to be copied. | | lambdaHandler | string | The name of the lambda handler. | | lambdaRuntime | aws-cdk-lib.aws_lambda.Runtime | The lambda function runtime environment. | | memoryLimit | number | The amount of memory (in MiB) to allocate to the AWS Lambda function which replicates the files from the CDK bucket to the destination bucket. | @@ -211,6 +212,25 @@ The environment variable to set. --- +##### `imageArch`Optional + +```typescript +public readonly imageArch: string[]; +``` + +- *Type:* string[] +- *Default:* ['amd64'] + +The image architecture to be copied. + +The 'amd64' architecture will be copied by default. Specify the +architecture or architectures to copy here. + +It is currently not possible to copy more than one architecture +at a time: the array you specify must contain exactly one string. + +--- + ##### `lambdaHandler`Optional ```typescript diff --git a/lambda/main.go b/lambda/main.go index 639d52c6..803ff736 100644 --- a/lambda/main.go +++ b/lambda/main.go @@ -53,6 +53,10 @@ func handler(ctx context.Context, event cfn.Event) (physicalResourceID string, d if err != nil { return physicalResourceID, data, err } + imageArch, err := getStrPropsDefault(event.ResourceProperties, IMAGE_ARCH, "") + if err != nil { + return physicalResourceID, data, err + } srcCreds, err := getStrPropsDefault(event.ResourceProperties, SRC_CREDS, "") if err != nil { return physicalResourceID, data, err @@ -71,7 +75,7 @@ func handler(ctx context.Context, event cfn.Event) (physicalResourceID string, d return physicalResourceID, data, err } - log.Printf("SrcImage: %v DestImage: %v", srcImage, destImage) + log.Printf("SrcImage: %v DestImage: %v ImageArch: %v", srcImage, destImage, imageArch) srcRef, err := alltransports.ParseImageName(srcImage) if err != nil { @@ -82,13 +86,13 @@ func handler(ctx context.Context, event cfn.Event) (physicalResourceID string, d return physicalResourceID, data, err } - srcOpts := NewImageOpts(srcImage) + srcOpts := NewImageOpts(srcImage, imageArch) srcOpts.SetCreds(srcCreds) srcCtx, err := srcOpts.NewSystemContext() if err != nil { return physicalResourceID, data, err } - destOpts := NewImageOpts(destImage) + destOpts := NewImageOpts(destImage, imageArch) destOpts.SetCreds(destCreds) destCtx, err := destOpts.NewSystemContext() if err != nil { diff --git a/lambda/main_test.go b/lambda/main_test.go index a28b323f..46dd0345 100644 --- a/lambda/main_test.go +++ b/lambda/main_test.go @@ -33,10 +33,10 @@ func TestMain(t *testing.T) { destRef, err := alltransports.ParseImageName(destImage) assert.NoError(t, err) - srcOpts := NewImageOpts(srcImage) + srcOpts := NewImageOpts(srcImage, "") srcCtx, err := srcOpts.NewSystemContext() assert.NoError(t, err) - destOpts := NewImageOpts(destImage) + destOpts := NewImageOpts(destImage, "") destCtx, err := destOpts.NewSystemContext() assert.NoError(t, err) @@ -53,3 +53,12 @@ func TestMain(t *testing.T) { }) assert.NoError(t, err) } + +func TestNewImageOpts(t *testing.T) { + srcOpts := NewImageOpts("s3://cdk-ecr-deployment/nginx.tar:nginx:latest", "arm64") + _, err := srcOpts.NewSystemContext() + assert.NoError(t, err) + destOpts := NewImageOpts("dir:/tmp/nginx.dir", "arm64") + _, err = destOpts.NewSystemContext() + assert.NoError(t, err) +} diff --git a/lambda/utils.go b/lambda/utils.go index 461c3807..9d0311d8 100644 --- a/lambda/utils.go +++ b/lambda/utils.go @@ -23,6 +23,7 @@ import ( const ( SRC_IMAGE string = "SrcImage" DEST_IMAGE string = "DestImage" + IMAGE_ARCH string = "ImageArch" SRC_CREDS string = "SrcCreds" DEST_CREDS string = "DestCreds" ) @@ -86,14 +87,15 @@ type ImageOpts struct { requireECRLogin bool region string creds string + arch string } -func NewImageOpts(uri string) *ImageOpts { +func NewImageOpts(uri string, arch string) *ImageOpts { requireECRLogin := strings.Contains(uri, "dkr.ecr") if requireECRLogin { - return &ImageOpts{uri, requireECRLogin, GetECRRegion(uri), ""} + return &ImageOpts{uri, requireECRLogin, GetECRRegion(uri), "", arch} } else { - return &ImageOpts{uri, requireECRLogin, "", ""} + return &ImageOpts{uri, requireECRLogin, "", "", arch} } } @@ -109,6 +111,7 @@ func (s *ImageOpts) NewSystemContext() (*types.SystemContext, error) { ctx := &types.SystemContext{ DockerRegistryUserAgent: "ecr-deployment", DockerAuthConfig: &types.DockerAuthConfig{}, + ArchitectureChoice: s.arch, } if s.creds != "" { diff --git a/src/index.ts b/src/index.ts index 9ab65116..85cbbbba 100644 --- a/src/index.ts +++ b/src/index.ts @@ -32,6 +32,19 @@ export interface ECRDeploymentProps { */ readonly dest: IImageName; + /** + * The image architecture to be copied. + * + * The 'amd64' architecture will be copied by default. Specify the + * architecture or architectures to copy here. + * + * It is currently not possible to copy more than one architecture + * at a time: the array you specify must contain exactly one string. + * + * @default ['amd64'] + */ + readonly imageArch?: string[]; + /** * The amount of memory (in MiB) to allocate to the AWS Lambda function which * replicates the files from the CDK bucket to the destination bucket. @@ -199,14 +212,21 @@ export class ECRDeployment extends Construct { resources: ['*'], })); + if (props.imageArch && props.imageArch.length !== 1) { + throw new Error(`imageArch must contain exactly 1 element, got ${JSON.stringify(props.imageArch)}`); + } + const imageArch = props.imageArch ? props.imageArch[0] : ''; + new CustomResource(this, 'CustomResource', { serviceToken: this.handler.functionArn, + // This has been copy/pasted and is a pure lie, but changing it is going to change people's infra!! X( resourceType: 'Custom::CDKBucketDeployment', properties: { SrcImage: props.src.uri, SrcCreds: props.src.creds, DestImage: props.dest.uri, DestCreds: props.dest.creds, + ...imageArch ? { ImageArch: imageArch } : {}, }, }); } diff --git a/test/ecr-deployment.test.ts b/test/ecr-deployment.test.ts new file mode 100644 index 00000000..bcc19473 --- /dev/null +++ b/test/ecr-deployment.test.ts @@ -0,0 +1,61 @@ +import { Stack, App, aws_ecr as ecr, assertions } from 'aws-cdk-lib'; +import { DockerImageName, ECRDeployment } from '../src'; + +// Yes, it's a lie. It's also the truth. +const CUSTOM_RESOURCE_TYPE = 'Custom::CDKBucketDeployment'; + +let app: App; +let stack: Stack; + +const src = new DockerImageName('javacs3/javacs3:latest', 'dockerhub'); +let dest: DockerImageName; +beforeEach(() => { + app = new App(); + stack = new Stack(app, 'Stack'); + + const repo = new ecr.Repository(stack, 'Repo', { + repositoryName: 'repo', + }); + dest = new DockerImageName(`${repo.repositoryUri}:copied`); + + // Otherwise we do a Docker build :x + process.env.FORCE_PREBUILT_LAMBDA = 'true'; +}); + +test('ImageArch is missing from custom resource if argument not specified', () => { + // WHEN + new ECRDeployment(stack, 'ECR', { + src, + dest, + }); + + // THEN + const template = assertions.Template.fromStack(stack); + template.hasResourceProperties(CUSTOM_RESOURCE_TYPE, { + ImageArch: assertions.Match.absent(), + }); +}); + +test('ImageArch is in custom resource properties if specified', () => { + // WHEN + new ECRDeployment(stack, 'ECR', { + src, + dest, + imageArch: ['banana'], + }); + + // THEN + const template = assertions.Template.fromStack(stack); + template.hasResourceProperties(CUSTOM_RESOURCE_TYPE, { + ImageArch: 'banana', + }); +}); + +test('Cannot specify more or fewer than 1 elements in imageArch', () => { + // WHEN + expect(() => new ECRDeployment(stack, 'ECR', { + src, + dest, + imageArch: ['banana', 'pear'], + })).toThrow(/imageArch must contain exactly 1 element/); +}); \ No newline at end of file diff --git a/test/example.ecr-deployment.ts b/test/example.ecr-deployment.ts index 2d5bd7c8..079aa95f 100644 --- a/test/example.ecr-deployment.ts +++ b/test/example.ecr-deployment.ts @@ -34,9 +34,27 @@ class TestECRDeployment extends Stack { dest: new ecrDeploy.DockerImageName(`${repo.repositoryUri}:latest`), }); + new ecrDeploy.ECRDeployment(this, 'DeployECRImage', { + src: new ecrDeploy.DockerImageName(image.imageUri), + dest: new ecrDeploy.DockerImageName(`${repo.repositoryUri}:latest`), + imageArch: ['arm64'], + }); + + new ecrDeploy.ECRDeployment(this, 'DeployDockerImage', { + src: new ecrDeploy.DockerImageName('javacs3/javacs3:latest', 'dockerhub'), + dest: new ecrDeploy.DockerImageName(`${repo.repositoryUri}:dockerhub`), + }).addToPrincipalPolicy(new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'secretsmanager:GetSecretValue', + ], + resources: ['*'], + })); + new ecrDeploy.ECRDeployment(this, 'DeployDockerImage', { src: new ecrDeploy.DockerImageName('javacs3/javacs3:latest', 'dockerhub'), dest: new ecrDeploy.DockerImageName(`${repo.repositoryUri}:dockerhub`), + imageArch: ['amd64'], }).addToPrincipalPolicy(new iam.PolicyStatement({ effect: iam.Effect.ALLOW, actions: [