I am creating a simple AWS Lambda function using the M2Crypto library. I followed the steps for creating a deployment package from here. The Lambda function works perfectly on an EC2 Linux instance (AMI).

This is my Function definition:

CloudOAuth.py

from M2Crypto import BIO, RSA, EVP


def verify(event, context):
    # Wrap a placeholder PEM body in an M2Crypto in-memory BIO.
    pem = "-----BEGIN PUBLIC KEY-----\n{0}\n-----END PUBLIC KEY-----".format("hello")
    bio = BIO.MemoryBuffer(str.encode(pem))
    print(bio)
    return

Deployment Package structure:

Lambda Deployment Package skeleton

When I run the Lambda, I get the following issue. I also tried including libcrypto.so.10 from the /lib64 directory, but it didn't help.

Issue when running Lambda

/var/task/M2Crypto/_m2crypto.so: symbol sk_deep_copy, version libcrypto.so.10 not defined in file libcrypto.so.10 with link time reference

Python: 2.7
M2Crypto: 0.27.0
Tenzin Chemi

3 Answers

I would guess that M2Crypto was built with a different version of OpenSSL than what's on Lambda. See the relevant code. If not (the upstream maintainer speaking here), please file a bug at https://gitlab.com/m2crypto/m2crypto/issues

mcepl

I just want to add some more details to @mcepl's answer. The most important thing is that the OpenSSL version on AWS Lambda and in the environment (in my case EC2) where you build your M2Crypto library should match.

To check the OpenSSL version on Lambda, use print in your handler:

import ssl
print(ssl.OPENSSL_VERSION)

To check the OpenSSL version on your build environment, use:

$ openssl version

Once they match, it works.

Don't hesitate to downgrade or upgrade OpenSSL on your build environment to match the Lambda environment. I had to downgrade my OpenSSL on EC2 to match the Lambda runtime environment.

sudo yum -y downgrade openssl-devel-1.0.1k openssl-1.0.1k

Hope it will help anyone trying to use M2Crypto :)

Tenzin Chemi
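A small guard for the version check described in the answer above, as an added example that is not part of the original answer or of M2Crypto: it parses the string from `openssl version` on the build host and `ssl.OPENSSL_VERSION` from the runtime and reports whether they match. The function names, status labels and sample version strings are assumptions made for the illustration.

```python
import re
import ssl
from collections import namedtuple

OpenSSLVersion = namedtuple("OpenSSLVersion", "flavor major minor fix letter")

# Matches e.g. "OpenSSL 1.0.1k-fips 8 Jan 2015" or "OpenSSL 3.0.13 30 Jan 2024".
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Parse `openssl version` output or ssl.OPENSSL_VERSION into a tuple."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % (text,))
    flavor, major, minor, fix, letter = match.groups()
    return OpenSSLVersion(flavor, int(major), int(minor), int(fix), letter)


def compare_build_to_runtime(build_text, runtime_text=None):
    """Return (status, message): 'match', 'letter-differs' or 'release-differs'."""
    if runtime_text is None:
        runtime_text = ssl.OPENSSL_VERSION  # the value the answer prints on Lambda
    build = parse_openssl_version(build_text)
    runtime = parse_openssl_version(runtime_text)
    if build == runtime:
        return "match", "build and runtime both use %s" % (build_text.strip(),)
    # Same x.y.z but a different letter release, or a different release entirely.
    status = "letter-differs" if build[:4] == runtime[:4] else "release-differs"
    message = ("built against %r but running on %r; rebuild the package "
               "on a matching OpenSSL" % (build_text.strip(), runtime_text.strip()))
    return status, message


# Constructed sample strings (not captured from a real Lambda or build host).
BUILD_HOST = "OpenSSL 1.0.2k-fips  26 Jan 2017"
LAMBDA_RUNTIME = "OpenSSL 1.0.1k-fips 8 Jan 2015"

if __name__ == "__main__":
    print(compare_build_to_runtime(BUILD_HOST, LAMBDA_RUNTIME))
    print(compare_build_to_runtime(LAMBDA_RUNTIME, LAMBDA_RUNTIME))
```

Called with only the build host's string, `compare_build_to_runtime` reads the runtime side from `ssl.OPENSSL_VERSION`, so it can run at the top of a handler before `M2Crypto` is imported.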

Copying my answer for a similar question here:

AWS Lambda runs code on an old version of Amazon Linux (amzn-ami-hvm-2017.03.1.20170812-x86_64-gp2), as mentioned in the official documentation: https://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html

So to run code that depends on shared libraries, it needs to be compiled in the same environment so it can link correctly.

What I usually do in such cases is create a virtualenv using a Docker container. The virtualenv can then be packaged with the Lambda code.

Please note that if you need to install anything using yum (in the Docker container), you must use the same release server as the Amazon Linux version:

yum --releasever=2017.03 install ...

The virtualenv can be built using an EC2 instance as well, instead of a Docker container (though I find the Docker method easier). Just make sure that the AMI used for EC2 is the same as the one used by Lambda.

Omer Akhter