What problem are you facing?

We've implemented a function similar to the example functions from docs. If this functions fails, it returns a exit code greater than 0 and prints the error message in STDOUT.

[..] "error": "cannot run Composition Function pipeline: cannot run function \"service-versioning\": cannot run container: rpc error: code = Unknown desc = exit status 1: xfn: error: spark.Command.Run(): OCI runtime error: exit status 1"

Currenty, I cannot debug a composition function that fails to execute. When the function in the OCI container fails, I see the exit code but no additional information printed in STDOUT.

How could Crossplane help solve your problem?

Provide a way to see the STDOUT of functions that failed. That may be behind a flag/option like verbosity level/debug mode, etc.
Perhaps, also STDERR could be used, as it would be the more appropriate place for error messages.

What happened?

Working on crossplane/crossplane#4261 required creating a custom, but simple function image that labels all managed resources with a given label. My first idea was to use yq for that and the initial Dockerfile was just:

FROM mikefarah/yq:4.34.1

COPY labelizer.sh /bin

ENTRYPOINT ["/bin/labelizer.sh"]

with /bin/labelizer.sh being just:

#!/usr/bin/env sh

yq '(.desired.resources[] | .resource.metadata.labels) |= {"labelizer.xfn.crossplane.io/processed": "true"} + .'

Unfortunately, adding this function to a composition resulted with the following error in crossplane-xfn logs:

cannot compose resources: cannot run Composition Function pipeline: cannot run function "labelizer":
cannot run container: rpc error: code = Unknown desc = exit status 1: xfn: error: spark.Command.Run(): 
cannot create OCI runtime bundle: cannot write OCI runtime spec: cannot create new spec: 
cannot apply spec option: cannot resolve user specified by OCI image config: 
cannot resolve UID of user "yq" that doesn't exist in container's /etc/passwd

Modifying the image to use root to run the script resolved the issue.

How can we reproduce it?

• deploy crossplane with enabled composition functions
• build and publish the function image using files stated above
• create a composition referring that function

What environment did it happen in?

The issue is spotted on the latest master, but I am pretty sure that versions containing composition function feature suffer from the same issue.

Expectations

Function containers should be successfully invoked independently if container user exists within crossplane-xfn container/image. We should even encourage function authors to use some arbitrary high/random UID for function.

Bug Report:

When trying to run a function using an OCI Image that contains /bin/busybox, it fails.

Steps to reproduce:

1. Create a function image that contains /bin/busybox, e.g. by using python:3.11-alpine as a base image
2. Execute the function via xfn

cat functionio.yaml | docker run -v $(pwd)/auth.json:/root/.docker/config.json:ro -i --security-opt=seccomp=unconfined crossplane/xfn:v1.13.2 run -c /tmp registry.example/your/image:tag -

This will yield an error:

xfn: error: run.Command.Run(): cannot run function: exit status 1: xfn: error: spark.Command.Run(): cannot create OCI runtime bundle: cannot extract layer tarball: cannot handle tar header for "bin/tar": cannot extract tar header: cannot create symlink: symlink /bin/busybox /tmp/c/319e9a4a-f0a9-46e0-86a1-b887567124b8/rootfs/bin/busybox: file exists

Expected

It executes the function

Additional Infos

FROM python:3.11-alpine AS build
RUN python3 -m venv /venv && \
    /venv/bin/pip install --upgrade pip setuptools wheel

FROM build AS build-venv
COPY requirements.txt /requirements.txt
RUN /venv/bin/pip install --disable-pip-version-check -r /requirements.txt

FROM python:3.11-alpine
COPY --from=build-venv /venv /venv
COPY . /app
WORKDIR /app
ENTRYPOINT ["/venv/bin/python3", "function.py"]

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

• Update actions/checkout digest to a5ac7e5
• Update codecov/codecov-action digest to ab904c4
• Update debian:bookworm-slim Docker digest to 804194b
• Update docker/login-action digest to 0d4c9c5
• Update docker/setup-buildx-action digest to d70bba7
• Update fkirc/skip-duplicate-actions action to v5.3.1
• Update module github.com/cyphar/filepath-securejoin to v0.2.5
• Update module kernel.org/pub/linux/libs/security/libcap/cap to v1.2.70
• Update dependency golangci/golangci-lint to v1.59.0
• Update module github.com/alecthomas/kong to v0.9.0
• Update module github.com/crossplane/crossplane-runtime to v1.16.0
• Update module github.com/google/go-containerregistry to v0.19.1
• Update module github.com/google/uuid to v1.6.0
• Update module github.com/opencontainers/runtime-spec to v1.2.0
• Update module google.golang.org/grpc to v1.64.0
• Update actions/setup-go action to v5
• Update codecov/codecov-action action to v4
• Update golangci/golangci-lint-action action to v6
• Update zeebe-io/backport-action action to v3
• 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update module github.com/docker/docker to v24.0.9+incompatible [SECURITY]
• Update module golang.org/x/crypto to v0.17.0 [SECURITY]
• Update module google.golang.org/protobuf to v1.33.0 [SECURITY]
• Update dependency golang to v1.22.3
• Update module github.com/bufbuild/buf to v1.32.2
• Update module github.com/google/go-cmp to v0.6.0
• Update module golang.org/x/sync to v0.7.0
• Update module golang.org/x/sys to v0.20.0
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

What problem are you facing?

We've heard from a few folks that it's hard to determine what's going wrong when their Composition Functions don't work. This is an open-ended issue to capture ideas to improve the situation.

How could Crossplane help solve your problem?

Some things to start with:

• Document how to use xfn run and/or docker run to debug a Composition Function in isolation.
• Have Crossplane or xfn print the FunctionIO objects it sees to debug logs.
• Improve the error message returned when the OCI runtime can't run the function binary for some reason (e.g. wrong architecture)

Can the functions runtime expose metrics for time spent in function run, and if obtainable memory or cpu used by function run?
If so it would be great if the metrics can be scraped at the crossplane pod port 8080/metrics endpoint.

Knowing this information can help provide a signal for day-2 operations teams about potential performance problems related to custom function code.