Java Lambda Containers

art_wolf

John Doyle

Posted on December 13, 2020

Java Lambda Containers

AWS Re:Invent 2020 held a number of great announcements for AWS Lambda! One of these included the support for Docker Containers - previously the only supported packaging was Zip that was stored in S3 behind the scenes.

At the same time, Lambda also saw the memory configuration expand - from the 3GB limit initially, all the way up to 10GBs! This is especially useful as Lambda will also support Docker images that reach 10GB in size - though this size increase is only for Docker containers, ZIP packages remain at a maximum of 250MB.

AWS provides two ways to support docker lambda

  1. Use an AWS base docker image, all the support run times:
  • amazon/nodejs12.x-base
  • amazon/nodejs10.x-base
  • amazon/python3.8-base
  • amazon/python3.7-base
  • amazon/python3.6-base
  • amazon/python2.7-base
  • amazon/ruby2.7-base
  • amazon/ruby2.5-base
  • amazon/go1.x-base
  • amazon/java11-base
  • amazon/java8.al2-base
  • amazon/java8-base
  • amazon/dotnetcore3.1-base
  • amazon/dotnetcore2.1-base
  1. Use your own base docker image and you import the AWS runtime interface client and the lambda talks to the interface client which then talks to your code.

Apparently, Lambda is not actually running the container, rather it will build a function from the container image. I have noticed when running the Java 11 Base Lambda image a pretty significant cold start penalty - up to 20 seconds.

To test out the docker containers, I'll utilize AWS Serverless Application Model to generate, build, and deploy the lambda!

Build & Deploy Docker Lambda

Initialization

To simplify some of these commands, I'll create some environment variables to hold the default region and AWS Account ID:

export AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
export AWS_REGION=$(aws configure get default.region)
Enter fullscreen mode Exit fullscreen mode

Since we will be building out an image for the lambda, we want to store it in an Elastic Container Registry. We can create one with the following command:

aws ecr create-repository --repository-name gizmo-lambda-container | jq '.repository.repositoryUri'
Enter fullscreen mode Exit fullscreen mode

Which should output the container registry url, similar to: 196295636944.dkr.ecr.us-east-1.amazonaws.com/gizmo-lambda-container

We can then authenticate with the AWS ECR repo:

aws ecr get-login-password | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGIO
N}.amazonaws.com
Enter fullscreen mode Exit fullscreen mode

Now we will use the AWS Serverless Application Model to build and deploy our application. In an empty directory we will create our project:

sam init
Enter fullscreen mode Exit fullscreen mode

You will be prompted to select several options:

Which template source would you like to use?
    1 - AWS Quick Start Templates
    2 - Custom Template Location
Enter fullscreen mode Exit fullscreen mode

We want to use AWS Quick Start Templates.

What package type would you like to use?
    1 - Zip (artifact is a zip uploaded to S3)
    2 - Image (artifact is an image uploaded to an ECR image repository)
Enter fullscreen mode Exit fullscreen mode

And here we want to use Image! For this example, I went with the amazon/java11-base base image. Since it is Java we are prompted about the dependency manager, which I recommend gradle.

Build

The skeleton project that is generated has our Dockerfile and application code already setup. The AWS SAM command will build the Docker image for us!

sam build
Enter fullscreen mode Exit fullscreen mode

And we can see the Docker build steps in the output:

Building codeuri: . runtime: None metadata: {'DockerTag': 'java11-gradle-v1', 'DockerContext': './HelloWorldFunction', 'Dockerfile': 'Dockerfile'} functions: ['HelloWorldFunction']
Building image for HelloWorldFunction function
Setting DockerBuildArgs: {} for HelloWorldFunction function
Step 1/16 : FROM public.ecr.aws/lambda/java:11 as build-image
 ---> 9d9f8f6bbeea
Step 2/16 : ARG SCRATCH_DIR=/var/task/build
 ---> Running in 3f077f57a99f
 ---> 1790443364e1
Step 3/16 : COPY src/ src/
 ---> 6357ad3066ed
Step 4/16 : COPY gradle/ gradle/
 ---> 86b36578535b
Step 5/16 : COPY build.gradle gradlew ./
 ---> 7a0e366bbda5
Step 6/16 : RUN mkdir build
 ---> Running in 57ceac09d965
 ---> 6d547fcbb584
Step 7/16 : COPY gradle/lambda-build-init.gradle ./build
 ---> ee1fb2ece820
Step 8/16 : RUN ./gradlew --project-cache-dir $SCRATCH_DIR/gradle-cache -Dsoftware.amazon.aws.lambdabuilders.scratch-dir=$SCRATCH_DIR --init-script $SCRATCH_DIR/lambda-build-init.gradle build
 ---> Running in 06116e2de319
Downloading https://services.gradle.org/distributions/gradle-5.1.1-bin.zip
.................................................................................

Welcome to Gradle 5.1.1!

Here are the highlights of this release:
 - Control which dependencies can be retrieved from which repositories
 - Production-ready configuration avoidance APIs

For more details see https://docs.gradle.org/5.1.1/release-notes.html

Starting a Gradle Daemon (subsequent builds will be faster)
> Task :compileJava
> Task :processResources NO-SOURCE
> Task :classes
> Task :jar
> Task :assemble
> Task :compileTestJava
> Task :processTestResources NO-SOURCE
> Task :testClasses
> Task :test
> Task :check
> Task :build

BUILD SUCCESSFUL in 17s
4 actionable tasks: 4 executed
 ---> f394216fbb70
Step 9/16 : RUN rm -r $SCRATCH_DIR/gradle-cache
 ---> Running in 0b8e94e2670c
 ---> 7f9033989b1a
Step 10/16 : RUN rm -r $SCRATCH_DIR/lambda-build-init.gradle
 ---> Running in 4965d01c3455
 ---> fd5e12377577
Step 11/16 : RUN cp -r $SCRATCH_DIR/*/build/distributions/lambda-build/* .
 ---> Running in 9c29934509fe
 ---> 434e1178004e
Step 12/16 : FROM public.ecr.aws/lambda/java:11
 ---> 9d9f8f6bbeea
Step 13/16 : COPY --from=build-image /var/task/META-INF ./
 ---> af6f91bce6e5
Step 14/16 : COPY --from=build-image /var/task/helloworld ./helloworld
 ---> 9a7cea4f8cbd
Step 15/16 : COPY --from=build-image /var/task/lib/ ./lib
 ---> 09a9974d2dec
Step 16/16 : CMD ["helloworld.App::handleRequest"]
 ---> Running in 11e9683c59dc
 ---> c9fbfd205cd4
Successfully built c9fbfd205cd4
Successfully tagged helloworldfunction:java11-gradle-v1

Build Succeeded

Built Artifacts  : .aws-sam/build
Built Template   : .aws-sam/build/template.yaml

Commands you can use next
=========================
[*] Invoke Function: sam local invoke
[*] Deploy: sam deploy --guided
Enter fullscreen mode Exit fullscreen mode

A very nice aspect of the AWS SAM is the ability to run the container locally!

sam local invoke
Enter fullscreen mode Exit fullscreen mode

With the output matching what we would normally see in the Cloudwatch logs:

Invoking Container created from helloworldfunction:java11-gradle-v1
Image was not found.
Building image..........
Skip pulling image and use local one: helloworldfunction:rapid-1.13.2.

START RequestId: 22cd82ae-e042-4863-9447-4831faf9490a Version: $LATEST
END RequestId: 22cd82ae-e042-4863-9447-4831faf9490a
REPORT RequestId: 22cd82ae-e042-4863-9447-4831faf9490a  Init Duration: 1.02 ms  Duration: 1262.58 ms    Billed Duration: 1300 ms    Memory Size: 128 MB Max Memory Used: 128 MB
{"statusCode":200,"headers":{"X-Custom-Header":"application/json","Content-Type":"application/json"},"body":"{ \"message\": \"hello world\", \"location\": \"71.174.101.210\" }"}%
Enter fullscreen mode Exit fullscreen mode

Deployment

Finally, we can have AWS SAM create our Lambda and connect it to a REST API for us!

sam deploy --guided
Enter fullscreen mode Exit fullscreen mode

And we get the image being pushed to the ECR repository along with the Cloudformation stack deploying the REST API and Lambda.

Configuring SAM deploy
======================

    Looking for config file [samconfig.toml] :  Not found

    Setting default arguments for 'sam deploy'
    =========================================
    Stack Name [sam-app]: gizmo-example
    AWS Region [us-east-1]:
    Image Repository []: 196295636944.dkr.ecr.us-east-1.amazonaws.com/gizmo-lambda-container
    Images that will be pushed:
      helloworldfunction:java11-gradle-v1 to 196295636944.dkr.ecr.us-east-1.amazonaws.com/gizmo-lambda-container:helloworldfunction-c9fbfd205cd4-java11-gradle-v1

    #Shows you resources changes to be deployed and require a 'Y' to initiate deploy
    Confirm changes before deploy [y/N]: y
    #SAM needs permission to be able to create roles to connect to the resources in your template
    Allow SAM CLI IAM role creation [Y/n]: Y
    HelloWorldFunction may not have authorization defined, Is this okay? [y/N]: y
    Save arguments to configuration file [Y/n]: Y
    SAM configuration file [samconfig.toml]:
    SAM configuration environment [default]:

    Looking for resources needed for deployment: Not found.
    Creating the required resources...
        Successfully created!

        Managed S3 bucket: aws-sam-cli-managed-default-samclisourcebucket-1owsb6dv8zl8j
        A different default S3 bucket can be set in samconfig.toml

    Saved arguments to config file
    Running 'sam deploy' for future deployments will use the parameters saved above.
    The above parameters can be changed by modifying samconfig.toml
    Learn more about samconfig.toml syntax at
    https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-config.html
The push refers to repository [196295636944.dkr.ecr.us-east-1.amazonaws.com/gizmo-lambda-container]
0bd0a3c72bc7: Pushed
11bc4c037913: Pushed
e3d7108f2c0b: Pushed
d1d758bc3380: Pushed
577ed33a1f65: Pushed
d6fa53d6caa6: Pushed
016e6d3f9722: Pushed
898f760e15c4: Pushed
af6d16f2417e: Pushed
helloworldfunction-c9fbfd205cd4-java11-gradle-v1: digest: sha256:507124a3f49f85a91a97508c50acc1b66be3731d1cfeb187a245a44cefb5979e size: 2205


    Deploying with following values
    ===============================
    Stack name                   : gizmo-example
    Region                       : us-east-1
    Confirm changeset            : True
    Deployment image repository  : 196295636944.dkr.ecr.us-east-1.amazonaws.com/gizmo-lambda-container
    Deployment s3 bucket         : aws-sam-cli-managed-default-samclisourcebucket-1owsb6dv8zl8j
    Capabilities                 : ["CAPABILITY_IAM"]
    Parameter overrides          : {}
    Signing Profiles           : {}

Initiating deployment
=====================
HelloWorldFunction may not have authorization defined.
Uploading to gizmo-example/40514ed797d174c979e4a5a29672a62a.template  1199 / 1199.0  (100.00%)

Waiting for changeset to be created..

CloudFormation stack changeset
-------------------------------------------------------------------------------------------------------------------------------------
Operation                         LogicalResourceId                 ResourceType                      Replacement
-------------------------------------------------------------------------------------------------------------------------------------
+ Add                             HelloWorldFunctionHelloWorldPer   AWS::Lambda::Permission           N/A
                                  missionProd
+ Add                             HelloWorldFunctionRole            AWS::IAM::Role                    N/A
+ Add                             HelloWorldFunction                AWS::Lambda::Function             N/A
+ Add                             ServerlessRestApiDeployment47fc   AWS::ApiGateway::Deployment       N/A
                                  2d5f9d
+ Add                             ServerlessRestApiProdStage        AWS::ApiGateway::Stage            N/A
+ Add                             ServerlessRestApi                 AWS::ApiGateway::RestApi          N/A
-------------------------------------------------------------------------------------------------------------------------------------

Changeset created successfully. arn:aws:cloudformation:us-east-1:196295636944:changeSet/samcli-deploy1607463634/9467a1b3-b809-4a57-aecb-8638ec49f4ca


Previewing CloudFormation changeset before deployment
======================================================
Deploy this changeset? [y/N]: y

2020-12-08 16:41:12 - Waiting for stack create/update to complete

CloudFormation events from changeset
-------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus                    ResourceType                      LogicalResourceId                 ResourceStatusReason
-------------------------------------------------------------------------------------------------------------------------------------
CREATE_IN_PROGRESS                AWS::IAM::Role                    HelloWorldFunctionRole            -
CREATE_IN_PROGRESS                AWS::IAM::Role                    HelloWorldFunctionRole            Resource creation Initiated
CREATE_COMPLETE                   AWS::IAM::Role                    HelloWorldFunctionRole            -
CREATE_IN_PROGRESS                AWS::Lambda::Function             HelloWorldFunction                -
CREATE_IN_PROGRESS                AWS::Lambda::Function             HelloWorldFunction                Resource creation Initiated
CREATE_COMPLETE                   AWS::Lambda::Function             HelloWorldFunction                -
CREATE_IN_PROGRESS                AWS::ApiGateway::RestApi          ServerlessRestApi                 Resource creation Initiated
CREATE_IN_PROGRESS                AWS::ApiGateway::RestApi          ServerlessRestApi                 -
CREATE_COMPLETE                   AWS::ApiGateway::RestApi          ServerlessRestApi                 -
CREATE_IN_PROGRESS                AWS::Lambda::Permission           HelloWorldFunctionHelloWorldPer   -
                                                                    missionProd
CREATE_IN_PROGRESS                AWS::ApiGateway::Deployment       ServerlessRestApiDeployment47fc   -
                                                                    2d5f9d
CREATE_IN_PROGRESS                AWS::ApiGateway::Deployment       ServerlessRestApiDeployment47fc   Resource creation Initiated
                                                                    2d5f9d
CREATE_IN_PROGRESS                AWS::Lambda::Permission           HelloWorldFunctionHelloWorldPer   Resource creation Initiated
                                                                    missionProd
CREATE_COMPLETE                   AWS::ApiGateway::Deployment       ServerlessRestApiDeployment47fc   -
                                                                    2d5f9d
CREATE_IN_PROGRESS                AWS::ApiGateway::Stage            ServerlessRestApiProdStage        -
CREATE_IN_PROGRESS                AWS::ApiGateway::Stage            ServerlessRestApiProdStage        Resource creation Initiated
CREATE_COMPLETE                   AWS::ApiGateway::Stage            ServerlessRestApiProdStage        -
CREATE_COMPLETE                   AWS::Lambda::Permission           HelloWorldFunctionHelloWorldPer   -
                                                                    missionProd
CREATE_COMPLETE                   AWS::CloudFormation::Stack        gizmo-example                     -
-------------------------------------------------------------------------------------------------------------------------------------

CloudFormation outputs from deployed stack
----------------------------------------------------------------------------------------------------------------------------------------
Outputs
----------------------------------------------------------------------------------------------------------------------------------------
Key                 HelloWorldFunctionIamRole
Description         Implicit IAM Role created for Hello World function
Value               arn:aws:iam::196295636944:role/gizmo-example-HelloWorldFunctionRole-13AV2P47KN805

Key                 HelloWorldApi
Description         API Gateway endpoint URL for Prod stage for Hello World function
Value               https://uwuy5qpvmg.execute-api.us-east-1.amazonaws.com/Prod/hello/

Key                 HelloWorldFunction
Description         Hello World Lambda Function ARN
Value               arn:aws:lambda:us-east-1:196295636944:function:gizmo-example-HelloWorldFunction-LX0IVO85A1CM
----------------------------------------------------------------------------------------------------------------------------------------

Successfully created/updated stack - gizmo-example in us-east-1
Enter fullscreen mode Exit fullscreen mode

We ended up with a REST API endpoint: https://uwuy5qpvmg.execute-api.us-east-1.amazonaws.com/Prod/hello/:

> curl https://uwuy5qpvmg.execute-api.us-east-1.amazonaws.com/Prod/hello/
{ "message": "hello world", "location": "3.239.84.207" }%
Enter fullscreen mode Exit fullscreen mode

If we curl this, we should get the output - note back to the beginning of the blog post, that I often see a long delay in the first request as the lambda is experiencing the cold start penalty.

đź’– đź’Ş đź™… đźš©
art_wolf
John Doyle

Posted on December 13, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related