Compile FFI from source using AWS Lambda image

.gitlab/scripts/build_layer.sh

@@ -41,9 +41,12 @@ function docker_build_zip {
 
     # Install datadog ruby in a docker container to avoid the mess from switching
     # between different ruby runtimes.
+    #
+    # NOTE: using the Lambda base image so native extensions (FFI, libddwaf)
+    #       compile against the same libffi available at runtime on Lambda.
     temp_dir=$(mktemp -d)
     docker buildx build -t datadog-lambda-ruby-${arch}:$1 . --no-cache \
-        --build-arg "image=ruby:${1}" \
+        --build-arg "image=public.ecr.aws/lambda/ruby:${1}" \
         --build-arg "runtime=${1}.0" \
         --build-arg "git_ref=${ref}" \
         --platform linux/${arch} \

Dockerfile

@@ -6,26 +6,41 @@ RUN echo "git_ref: $git_ref"
 # Install dev dependencies
 COPY . /var/task/datadog-lambda-rb
 WORKDIR /var/task/datadog-lambda-rb
-RUN apt-get update
-RUN apt-get install -y gcc zip binutils
+# NOTE: AL2 (Ruby 3.2) uses yum, AL2023 (Ruby 3.3+) uses dnf
+RUN PKG=$(command -v dnf || command -v yum) && \
+    $PKG install -y gcc gcc-c++ make zip binutils libffi-devel
 
 # Install this gem
 RUN gem build datadog-lambda
 
 # Install ddtrace gem
-RUN gem install datadog-lambda --install-dir "/opt/ruby/gems/$runtime"
+RUN MAKEFLAGS="-j$(nproc)" \
+    gem install datadog-lambda --install-dir "/opt/ruby/gems/$runtime" --no-document
 RUN set -eux; \
     if [ -z "${git_ref:-}" ]; then \
         # NOTE: datadog gem must be >= 2.24 to install on Ruby 4.0.x.
-        gem install datadog -v 2.30 --install-dir "/opt/ruby/gems/$runtime"; \
+        MAKEFLAGS="-j$(nproc)" \
+        gem install datadog -v 2.30 --install-dir "/opt/ruby/gems/$runtime" --no-document; \
     else \
         echo "building tracer from ref: $git_ref\n"; \
         git clone https://github.com/DataDog/dd-trace-rb.git --depth 1 --single-branch -b $git_ref /tmp/dd-trace-rb; \
         cd /tmp/dd-trace-rb; \
         gem build datadog.gemspec; \
-        gem install ./datadog-*.gem --install-dir "/opt/ruby/gems/$runtime"; \
+        MAKEFLAGS="-j$(nproc)" \
+        gem install ./datadog-*.gem --install-dir "/opt/ruby/gems/$runtime" --no-document; \
     fi
 
+# Recompile FFI from source — precompiled binaries ship ABI-specific ffi_c.so
+# for Ruby 3.3/3.4 only. Ruby 3.2 ABI is missing, causing LoadError at boot
+# when AppSec loads libddwaf → ffi → ffi_c.
+#
+# NOTE: runs after datadog gem as a defensive measure — force-replaces whatever
+#       transitive FFI variant was pulled, regardless of version resolution.
+RUN gem uninstall ffi --all --ignore-dependencies --executables --force \
+        --install-dir "/opt/ruby/gems/$runtime" || true
+RUN MAKEFLAGS="-j$(nproc)" \
+    gem install ffi --platform ruby --install-dir "/opt/ruby/gems/$runtime" --no-document
+
 WORKDIR /opt
 # Remove native extension debase-ruby_core_source (25MB) runtimes below Ruby 2.6
 RUN rm -rf ./ruby/gems/$runtime/gems/debase-ruby_core_source*/

scripts/build_layers.sh

@@ -37,9 +37,12 @@ function docker_build_zip {
 
     # Install datadog ruby in a docker container to avoid the mess from switching
     # between different ruby runtimes.
+    #
+    # NOTE: using the Lambda base image so native extensions (FFI, libddwaf)
+    #       compile against the same libffi available at runtime on Lambda.
     temp_dir=$(mktemp -d)
     docker buildx build -t datadog-lambda-ruby-${arch}:$1 . --no-cache \
-        --build-arg "image=ruby:${1}" \
+        --build-arg "image=public.ecr.aws/lambda/ruby:${1}" \
         --build-arg "runtime=${1}.0" \
         --build-arg "git_ref=${ref}" \
         --platform linux/${arch} \