1 Answer
There are a bunch of operating system permissions not given to Lambda functions. For example, sending an ICMP packet is one network function that you can't access (or at least you couldn't the last time I tried). I would suspect that capturing packets is also one of those things because it requires your process to be able to access packets at the kernel level and see traffic for other processes.
There's a very strict process separation mechanism in Lambda. This has nothing to do with whatever packaging method is being used.
Why are you trying to capture packets in Lambda?
Hi brettski, thanks for your reply!
I am capturing packets for troubleshooting. Most often, this will occur at the application layer protocols (HTTP, FTP, etc.) but sometimes requires troubleshooting TLS handshakes. I also prefer capturing traffic at the lower level for non-intrusive logging that doesn't require in-band protocol parsing/negotiation. For this reason, I am trying to move away from the current proxy-based solution, which also turns out to be better for performance.
I have tried a couple of other solutions for capturing packets outside the Lambda, notably:
I've started reading up on Firecracker, but I fear your response is correct in that there is no possible way to capture outbound traffic during function execution at the lower layers of the virtualized network interface. I don't 100% understand why - since it's my user space application generating the traffic, I should technically be able to read it?
Can you suggest any other approaches? Thanks!
If I understand the way packet capture works in Linux, it's all done at kernel level (not userspace) even when you're only trying to capture your own traffic. Caveat: I haven't looked at this too deeply recently; historical knowledge only. And Firecracker was specifically designed to vastly reduce the number of kernel entry points to reduce the attack footprint of malicious code. So if the Lambda designers don't think it's necessary, it isn't there, or it's not available from a security perspective.
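The point made in this thread, that live capture needs kernel-level access rather than just ownership of the traffic, can be checked from inside any sandbox. The following probe is an added example (not from the thread or from AWS): it attempts to open the AF_PACKET raw socket that libpcap/tcpdump use, and reads the effective capability mask from /proc/self/status to see whether CAP_NET_RAW is held; the sample status text is constructed.

```python
"""Probe whether this sandbox allows the kernel access packet capture needs.

Live capture (tcpdump, libpcap) opens an AF_PACKET raw socket, which the
kernel only permits to processes holding CAP_NET_RAW. Without it, the open
fails with EPERM regardless of who generated the traffic.
"""
import socket

CAP_NET_RAW = 13  # bit index from linux/capability.h

# Constructed sample of /proc/self/status lines (a typical container set).
SAMPLE_STATUS = "Name:\tpython3\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"


def parse_cap_eff(status_text):
    """Return the effective capability bitmask parsed from /proc/self/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("CapEff line not found")


def has_cap(mask, cap_bit):
    """True if capability bit `cap_bit` is set in `mask`."""
    return bool((mask >> cap_bit) & 1)


def probe_af_packet():
    """Try to open the socket type libpcap uses; report ok/denied/unsupported."""
    if not hasattr(socket, "AF_PACKET"):
        return "unsupported"  # not Linux
    try:
        # ETH_P_ALL (0x0003) in network byte order: capture every protocol.
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3))
    except PermissionError:
        return "denied"  # EPERM: CAP_NET_RAW not held
    except OSError:
        return "unsupported"  # socket family compiled out or otherwise blocked
    s.close()
    return "ok"


def capture_readiness(status_text=None):
    """Summarise whether a tcpdump-style capture could start in this process."""
    if status_text is None:
        try:
            with open("/proc/self/status") as f:
                status_text = f.read()
        except OSError:
            status_text = ""
    try:
        cap_net_raw = has_cap(parse_cap_eff(status_text), CAP_NET_RAW)
    except ValueError:
        cap_net_raw = None  # no /proc status available (e.g. non-Linux)
    return {"af_packet": probe_af_packet(), "cap_net_raw": cap_net_raw}


if __name__ == "__main__":
    print(capture_readiness())
```

Run inside the function to see "denied" alongside cap_net_raw False, which is exactly the kernel-level gate the replies describe.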