diff --git a/.gitlab/scripts/build_layer.sh b/.gitlab/scripts/build_layer.sh
index c8505a9..fdc9f3f 100755
--- a/.gitlab/scripts/build_layer.sh
+++ b/.gitlab/scripts/build_layer.sh
@@ -41,9 +41,12 @@ function docker_build_zip {
 # Install datadog ruby in a docker container to avoid the mess from switching
 # between different ruby runtimes.
+ #
+ # NOTE: using the Lambda base image so native extensions (FFI, libddwaf)
+ # compile against the same libffi available at runtime on Lambda.
 temp_dir=$(mktemp -d)
 docker buildx build -t datadog-lambda-ruby-${arch}:$1 . --no-cache \
- --build-arg "image=ruby:${1}" \
+ --build-arg "image=public.ecr.aws/lambda/ruby:${1}" \
 --build-arg "runtime=${1}.0" \
 --build-arg "git_ref=${ref}" \
 --platform linux/${arch} \
diff --git a/Dockerfile b/Dockerfile
index 432cc5e..cbf0f76 100644
--- a/Dockerfile
+++ b/Dockerfile
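Review bot: The new base image on the `--build-arg "image=..."` line is referenced by tag only, and a tag can be re-pointed, so the compiler toolchain and libffi that the layer's native extensions are built against can change between builds with no change in this repository. Pinning by digest, e.g. `--build-arg "image=public.ecr.aws/lambda/ruby:${1}@sha256:<DIGEST_FOR_THIS_RUNTIME>"` (placeholder digest), or at least logging the resolved digest after the build, would make a released layer traceable to an exact image. The same line is changed in scripts/build_layers.sh and the point applies there as well. docker_build_zip's body continues outside the hunk.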
@@ -6,26 +6,41 @@ RUN echo "git_ref: $git_ref"
 # Install dev dependencies
 COPY . /var/task/datadog-lambda-rb
 WORKDIR /var/task/datadog-lambda-rb
-RUN apt-get update
-RUN apt-get install -y gcc zip binutils
+# NOTE: AL2 (Ruby 3.2) uses yum, AL2023 (Ruby 3.3+) uses dnf
+RUN PKG=$(command -v dnf || command -v yum) && \
+ $PKG install -y gcc gcc-c++ make zip binutils libffi-devel
 # Install this gem
 RUN gem build datadog-lambda
 # Install ddtrace gem
-RUN gem install datadog-lambda --install-dir "/opt/ruby/gems/$runtime"
+RUN MAKEFLAGS="-j$(nproc)" \
+ gem install datadog-lambda --install-dir "/opt/ruby/gems/$runtime" --no-document
 RUN set -eux; \
 if [ -z "${git_ref:-}" ]; then \
 # NOTE: datadog gem must be >= 2.24 to install on Ruby 4.0.x.
- gem install datadog -v 2.30 --install-dir "/opt/ruby/gems/$runtime"; \
+ MAKEFLAGS="-j$(nproc)" \
+ gem install datadog -v 2.30 --install-dir "/opt/ruby/gems/$runtime" --no-document; \
 else \
 echo "building tracer from ref: $git_ref\n"; \
 git clone https://github.com/DataDog/dd-trace-rb.git --depth 1 --single-branch -b $git_ref /tmp/dd-trace-rb; \
 cd /tmp/dd-trace-rb; \
 gem build datadog.gemspec; \
- gem install ./datadog-*.gem --install-dir "/opt/ruby/gems/$runtime"; \
+ MAKEFLAGS="-j$(nproc)" \
+ gem install ./datadog-*.gem --install-dir "/opt/ruby/gems/$runtime" --no-document; \
 fi
+# Recompile FFI from source — precompiled binaries ship ABI-specific ffi_c.so
+# for Ruby 3.3/3.4 only. Ruby 3.2 ABI is missing, causing LoadError at boot
+# when AppSec loads libddwaf → ffi → ffi_c.
+#
+# NOTE: runs after datadog gem as a defensive measure — force-replaces whatever
+# transitive FFI variant was pulled, regardless of version resolution.
+RUN gem uninstall ffi --all --ignore-dependencies --executables --force \
+ --install-dir "/opt/ruby/gems/$runtime" || true
+RUN MAKEFLAGS="-j$(nproc)" \
+ gem install ffi --platform ruby --install-dir "/opt/ruby/gems/$runtime" --no-document
+
 WORKDIR /opt
 # Remove native extension debase-ruby_core_source (25MB) runtimes below Ruby 2.6
 RUN rm -rf ./ruby/gems/$runtime/gems/debase-ruby_core_source*/
diff --git a/scripts/build_layers.sh b/scripts/build_layers.sh
index c0d005c..9cd1b65 100755
--- a/scripts/build_layers.sh
+++ b/scripts/build_layers.sh
@@ -37,9 +37,12 @@ function docker_build_zip {
 # Install datadog ruby in a docker container to avoid the mess from switching
 # between different ruby runtimes.
+ #
+ # NOTE: using the Lambda base image so native extensions (FFI, libddwaf)
+ # compile against the same libffi available at runtime on Lambda.
 temp_dir=$(mktemp -d)
 docker buildx build -t datadog-lambda-ruby-${arch}:$1 . --no-cache \
- --build-arg "image=ruby:${1}" \
+ --build-arg "image=public.ecr.aws/lambda/ruby:${1}" \
 --build-arg "runtime=${1}.0" \
 --build-arg "git_ref=${ref}" \
 --platform linux/${arch} \
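Review bot: In the Dockerfile hunk, the final `gem install ffi --platform ruby` has no `-v`, so every build compiles whichever ffi release is newest on the gem source into the layer, while the tracer a few lines above is pinned with `-v 2.30`. Because this step deliberately overrides dependency resolution, pinning it (`gem install ffi -v <FFI_VERSION> --platform ruby ...`, placeholder version) keeps the shipped native extension reproducible and reviewable. The preceding `gem uninstall ffi ... || true` hides every uninstall failure, not only the "not installed" case, so a precompiled variant could remain beside the source build unnoticed. A load check after the install, such as `RUN GEM_PATH="/opt/ruby/gems/$runtime" ruby -e 'require "ffi"'`, would fail the build rather than the function at boot. Separately, the added package list has no `git`, which the `git_ref` branch's `git clone` needs; whether the Lambda base image ships it is not visible here and is worth confirming.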