{"id":17169823,"url":"https://github.com/naftulikay/docker-circleci-lambda-rust","last_synced_at":"2026-05-04T03:37:05.239Z","repository":{"id":142455415,"uuid":"125440153","full_name":"naftulikay/docker-circleci-lambda-rust","owner":"naftulikay","description":"An AWS Lambda build environment for CircleCI and Rust.","archived":false,"fork":false,"pushed_at":"2018-03-23T00:05:27.000Z","size":20,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-29T23:42:55.974Z","etag":null,"topics":["amazonlinux","circleci","lambda","rust"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/naftulikay.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-03-16T00:01:32.000Z","updated_at":"2023-05-16T13:40:55.000Z","dependencies_parsed_at":null,"dependency_job_id":"3ca8384e-f8c9-4a5e-86f7-b311d20daca5","html_url":"https://github.com/naftulikay/docker-circleci-lambda-rust","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/naftulikay%2Fdocker-circleci-lambda-rust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/naftulikay%2Fdocker-circleci-lambda-rust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/naftulikay%2Fdocker-circleci-lambda-rust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/naftulikay%2Fdocker-circleci-lambda-rust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/naftulikay","download_url":"https://codeload.github.com/naftulikay/docker-circleci-lambda-rust/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245334910,"owners_count":20598389,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amazonlinux","circleci","lambda","rust"],"created_at":"2024-10-14T23:27:27.950Z","updated_at":"2026-05-04T03:37:00.197Z","avatar_url":"https://github.com/naftulikay.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# docker-circleci-lambda-rust [![Build Status][travis.svg]][travis] [![Docker Status][docker.svg]][docker]\n\nA Rust development environment in a very restrictive Lambda image.\n\nAvailable on Docker Hub at [`naftulikay/circleci-lambda-rust`][docker].\n\n## Background\n\nUsing [crowbar][crowbar], it's possible to build Rust Lambda functions which simply act a a pseudo-Python native\nlibrary. This enables use of Rust, as it's an otherwise unsupported language for Lambda.\n\nTo make sure that runtime libraries match compile-time libraries, I built\n[`naftulikay/circleci-lambda-rust`][circleci-lambda-rust]. In accordance with [Amazon's documentation][lambda]\n, I pinned the base image to `amazonlinux:2017.03.1.20170812`, the version that Lambda uses at runtime.\n\nPreviously, I was simply building within a CentOS 7 Docker image which actually worked quite well. The environment was\nsimilar enough to make most things work.\n\n### Enter OpenSSL\n\nAs soon as my library started linking against `libssl` and `libcrypto`, I got really strange errors about a linked\nlibrary needing OpenSSL 1.0.2 but the current `libssl` was version 1.0.1. Apparently, during my image build, installing\nor upgrading any packages forced OpenSSL to be upgraded to 1.0.2, which was _not_ the OpenSSL version present in the\nactual Lambda runtime environment. Despite using the exact version of Amazon Linux, the fact that certain upgrades\nwere necessary, my build and runtime environments differed in incompatible ways.\n\n#### Vendoring Shared Libraries\n\nSince Lambda supplied a `LD_LIBRARY_PATH` of `.` and `lib/` of the zip archive, I wrote a recursive Python program\nwhich would find all linked libraries for my `liblambda.so` and vendor them into `lib/`. However, since the priority\nset by Amazon Linux for Lambda is likely something like this:\n\n```shell\nLD_LIBRARY_PATH=\"/lib64:/usr/lib64:/usr/local/lib64:$PWD:$PWD/lib\"\n```\n\n...the linker will first find OpenSSL in `/usr/lib64` and will dynamically link against that rather than my bundled\nOpenSSL shared library.\n\nI will still do this, because if I install, say, `libsodium`, and this library is not present at runtime in the image,\nthe linker _will_ eventually find the library and things will be happy.\n\n#### Pinning the OpenSSL Package\n\nI tried to pin OpenSSL to 1.0.1 using a yum plugin, but this broke everything else: many libraries including Python\nrequired OpenSSL \u003e= 1.0.2, which broke installing packages. To make matters worse, Amazon Linux only retains a fixed\nnumber of revisions for packages in their repository, so installing OpenSSL 1.0.1 was simply not possible.\n\n#### Statically Compiling OpenSSL\n\nAngry at OpenSSL and with some environment variables, I configured Cargo/`openssl` to statically build OpenSSL and\ninclude it directly in the output shared library. The package repositories provide `openssl-static` which contains\n`libssl.a` and other archives for static linking, which meant that I didn't need to rebuild OpenSSL from source :tada:\n\nThe first hangup I ran into was that the Rust [`openssl`][rust-openssl] crate's instructions were wrong for static\ncompilation. They essentially state:\n\n\u003e Set `OPENSSL_STATIC=1` during Cargo execution to statically build OpenSSL into the binary.\n\nUnfortunately, [this was not true][openssl-bug]. Another [brave soul saved the day][openssl-workaround] and dug into\nthe `openssl` `build.rs` build script and found that in order to get static compilation working, _three_ environment\nvariables must be set:\n\n```shell\nOPENSSL_STATIC=1 \\\n  OPENSSL_LIB_DIR=/usr/lib64 \\\n  OPENSSL_INCLUDE_DIR=/usr/include\n    cargo build --release --lib\n```\n\nI assembled [a demo project][rust-openssl-static-example] to prove this out and with a simple test, was able to prove\nit was working:\n\n```shell\nif ldd target/release/liblambda.so | grep -qiP 'lib(ssl|crypto)' ; then\n  (\n    ldd target/release/liblambda.so\n    echo \"ERROR: liblambda.so is linked to libssl and/or libcrypto.\"\n  ) \u003e\u00262\n  exit 1\nfi\n```\n\nFinally, we had static compilation of OpenSSL into the shared library working.\n\nFor this use case, it worked just fine:\n\n```rust\n#[macro_use(lambda)]\nextern crate crowbar;\nextern crate openssl;\n#[macro_use]\nextern crate cpython;\n\nlambda!(|_event, _context| {\n  openssl::init();\n});\n```\n\nEverything was happy under this setup. However, as soon as I brought in [`rusoto`][rusoto], it pulled in other updated\ndependencies and again I was in linking hell:\n\n```shell\n/usr/bin/ld: /home/vagrant/.cache/cargo/target/debug/liblambda.so: version node not found for symbol SSLeay_version@OPENSSL_1.0.1\n/usr/bin/ld: failed to set dynamic section sizes: Bad value\n```\n I then changed my crate type to `staticlib` and aimed to\ntransform it into a pseudo-shared library after the fact. This didn't work and was extremely brittle and deadly\nfrustrating.\n\n### Back to Basics\n\nI couldn't see a way to succeed here and I spent hours in abject despair for the time I had lost on this.\nThen, [a brave and honorable White Knight on the Rust discourse forums][bravery] mentioned another image\nmade from a tarball of the environment at runtime of actual Lambda functions, [`lambci/lambda`][lambda-image].\n\nI spun up one of these Docker images and tested package upgrades and the good news is that the maintainers here seem to\nhave pinned all of the shared libraries without all the madness so that installing packages _do not upgrade OpenSSL_.\n\nI'm now seeking to prove this out by building this container.\n\n## License\n\nLicensed at your discretion under either:\n\n - [MIT](./LICENSE-MIT)\n - [Apache License, Version 2.0](./LICENSE-APACHE)\n\n [docker]: https://hub.docker.com/r/naftulikay/circleci-lambda-rust/\n [docker.svg]: https://img.shields.io/docker/automated/naftulikay/circleci-lambda-rust.svg?maxAge=2592000\n [travis]: https://travis-ci.org/naftulikay/docker-circleci-lambda-rust\n [travis.svg]: https://travis-ci.org/naftulikay/docker-circleci-lambda-rust.svg?branch=master\n [lambda]: https://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html\n [openssl-workaround]: https://stackoverflow.com/a/49268370/128967\n [rust-openssl-static-example]: https://github.com/naftulikay/rust-openssl-static-example\n [openssl-bug]: https://github.com/sfackler/rust-openssl/issues/877\n [rusoto]: https://rusoto.org/\n [circleci-lambda-rust]: https://github.com/naftulikay/docker-circleci-lambda-rust\n [rust-openssl]: https://github.com/sfackler/rust-openssl\n [bravery]: https://users.rust-lang.org/t/statically-linking-parts-of-a-shared-library/16171/23?u=naftulikay\n [lambda-image]: https://github.com/lambci/docker-lambda\n [crowbar]: https://github.com/ilianaw/rust-crowbar/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnaftulikay%2Fdocker-circleci-lambda-rust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnaftulikay%2Fdocker-circleci-lambda-rust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnaftulikay%2Fdocker-circleci-lambda-rust/lists"}