[DOCKER] Create a private repository in Amazon ECR and push/pull the image

1. Introduction

Public registries for Amazon ECR were announced at AWS re:Invent 2020, but this post uses a private registry. I had not touched ECR before, so I tried it out.

2. Configuration

Two Linux servers (EC2 instances) are used: the first pushes the image and the second pulls it. ECR is a regional service, and VPC endpoints are also available (not used this time).

3. ECR settings

Creating a repository

Create an ECR repository with the following settings.

- **Visibility settings:** Private
- **Repository name:** test-app-repo
- **Tag immutability:** Disabled
- **Scan on push:** Enabled
- **KMS encryption:** Enabled

4. Push from EC2 (1st unit)

First, authenticate Docker to the ECR registry and confirm that "Login Succeeded" is displayed. A WARNING is also printed, but I will proceed as it is; it is explained in "8. Warning & Error Collection" later in this article.

$ aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /home/ec2-user/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

This time I would like to push the image "test-app".

$ docker images
REPOSITORY      TAG                 IMAGE ID            CREATED             SIZE
test-app        v1.0                72b199328340        10 days ago         461MB

Set the tag to be pushed with the docker tag command. The reference has the format "<AWS account ID>.dkr.ecr.<region>.amazonaws.com/<repository name>:<tag>". If the tag is omitted, the latest tag is added automatically.
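As an added example (not part of the original post), here is a small Python parser for references in this format: it splits a reference into account ID, region, repository, tag and optional digest, applies the `latest` default when the tag is omitted, and rejects references that are not for a private ECR registry. The regular expression, `EcrImageRef` and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# <account-id>.dkr.ecr.<region>.amazonaws.com/<repository>[:<tag>][@<digest>]
# Repository names are lower-case with ., _, - and / separators; Docker tags are
# up to 128 characters of [A-Za-z0-9_.-] and cannot start with . or -.
_ECR_REF = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d+)"
    r"\.amazonaws\.com/(?P<repo>[a-z0-9]+(?:[._/-][a-z0-9]+)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

@dataclass(frozen=True)
class EcrImageRef:
    account_id: str
    region: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

def parse_ecr_image_ref(ref: str) -> EcrImageRef:
    """Split a private ECR image reference into its parts.

    As in the post, a reference without a tag means the 'latest' tag. When only a
    digest is given, tag stays None so callers can pass imageDigest= instead of
    imageTag= to batch-delete-image.
    """
    m = _ECR_REF.match(ref)
    if not m:
        raise ValueError(f"not a private ECR image reference: {ref!r}")
    tag, digest = m.group("tag"), m.group("digest")
    if tag is None and digest is None:
        tag = "latest"
    return EcrImageRef(m.group("account"), m.group("region"), m.group("repo"), tag, digest)

def registry_host(ref: EcrImageRef) -> str:
    """The registry host to pass to `docker login` for this image."""
    return f"{ref.account_id}.dkr.ecr.{ref.region}.amazonaws.com"
```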

$ docker tag test-app:v1.0 \
> 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test-app-repo:v1.0

Check the result of tagging.

$ docker images
REPOSITORY                                                        TAG                 IMAGE ID            CREATED             SIZE
123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test-app-repo   v1.0                72b199328340        10 days ago         461MB
test-app                                                          v1.0                72b199328340        10 days ago         461MB

Now let's push the image.

$ docker push 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test-app-repo:v1.0

If you check from the console, you can see that v1.0 has been added to the image tags.

5. Pull from EC2 (2nd unit)

5-1. Creating and attaching IAM policies

On the second EC2 instance, no credentials (access key and secret access key) are configured with aws configure, so it cannot access ECR as it is. Create the following IAM policy and attach it to the instance's IAM role so that it can access ECR. IAM policy name: AmazonECRFullAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": "*"
        }
    ]
}
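Added example, not from the original post: "ecr:*" on Resource "*" also allows pushing and deleting images in every repository of the account, which the pulling instance never needs. The Python below puts a pull-only policy (constructed here with the post's account ID, region and repository name) beside the post's policy and runs a small audit function over both; `audit_ecr_policy` and `PULL_ACTIONS` are this example's own names.

```python
import json
from typing import Dict, List

# Actions a `docker pull` from a private ECR repository uses. GetAuthorizationToken
# is registry-level and only works with Resource "*"; these three can be scoped
# to the repository ARN.
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability"}

# The policy from the post: every ECR action on every repository in the account.
FULL_ACCESS_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": ["ecr:*"], "Resource": "*"}]}
""")

# Pull-only alternative for the second instance's role (constructed for this example).
PULL_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow", "Action": sorted(PULL_ACTIONS),
         "Resource": "arn:aws:ecr:ap-northeast-1:123456789012:repository/test-app-repo"},
    ],
}

def _as_list(value) -> List[str]:
    # IAM accepts a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)

def audit_ecr_policy(policy: Dict) -> List[str]:
    """Return findings for Allow statements that grant more than pulling needs."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wildcards = [a for a in actions if a.endswith("*")]
        if wildcards:
            findings.append(f"statement {i}: wildcard action {wildcards} also grants push/delete")
        extra = [a for a in actions if a.startswith("ecr:") and not a.endswith("*")
                 and a not in PULL_ACTIONS and a != "ecr:GetAuthorizationToken"]
        if extra:
            findings.append(f"statement {i}: non-pull actions {extra}")
        if any(a in PULL_ACTIONS for a in actions) and "*" in resources:
            findings.append(f"statement {i}: pull actions not scoped to a repository ARN")
    return findings
```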

5-2. Pull from EC2

First, authenticate Docker to the ECR registry as you did for the first one.

$ aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com

Pull the image.

$ docker pull 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test-app-repo:v1.0

Check the result. The second Linux server was able to pull the image from ECR.

$ docker images
REPOSITORY                                                        TAG                 IMAGE ID            CREATED             SIZE
123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test-app-repo   v1.0                72b199328340        10 days ago         461MB

6. Push v2.0

Next, I would like to push the image with the tag "v2.0".

$ docker images
REPOSITORY                                                        TAG                 IMAGE ID            CREATED             SIZE
123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test-app-repo   v1.0                72b199328340        10 days ago         461MB
123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test-app-repo   v2.0                72b199328340        10 days ago         461MB

Push the image.

$ docker push 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test-app-repo:v2.0

Checking from the console, v2.0 has been added.

7. Delete the image tag

Assuming v2.0 is no longer needed, I would like to remove the image tag. (If the region is set in aws configure, it does not need to be specified in the command.)

$ aws ecr batch-delete-image --repository-name test-app-repo --image-ids imageTag=v2.0 --region ap-northeast-1
{
    "failures": [],
    "imageIds": [
        {
            "imageTag": "v2.0",
            "imageDigest": "sha256:58d3c26bee377e039c0ce5c2ef92ed2ce10b956bf3dc0cf5dba4b4d6f56aaf94"
        }
    ]
}

Checking from the console again, v2.0 has been removed. If you want to delete an image, you can specify the digest of the image instead. Reference: https://docs.aws.amazon.com/ja_jp/AmazonECR/latest/userguide/delete_image.html

8. Warning & Error Collection

Warning ①

$ aws ecr get-login --region ap-northeast-1 --no-include-email
$ docker login -u AWS -p {Authentication token} https://123456789012.dkr.ecr.ap-northeast-1.amazonaws.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.

→ With AWS CLI versions earlier than 1.17.10, you authenticate with the get-login command, which passes the token to docker login on the command line; that is the insecure usage the warning refers to, so it is not recommended. Upgrade the AWS CLI and use get-login-password instead. Reference: https://docs.aws.amazon.com/ja_jp/AmazonECR/latest/userguide/Registries.html

Warning ②

$ aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /home/ec2-user/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

→ Docker's default behaviour is to store the login password unencrypted in config.json. The warning says it is safer to keep it in an external credential store. Reference: https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Error ①

$ docker pull 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/test-app-repo:v1.0
Error response from daemon: Get https://123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/v2/test-app-repo/manifests/v1.0: no basic auth credentials

→ This error appears if Docker is not authenticated to the ECR registry.

Error ②

$ aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::123456789012:assumed-role/IAM role name/Instance ID is not authorized to perform: ecr:GetAuthorizationToken on resource: *
Error: Cannot perform an interactive login from a non TTY device

→ Either no credentials have been set with aws configure, or the EC2 IAM role does not have access to ECR. This error occurs when the IAM policy (AmazonECRFullAccess in this article) is not attached to the role.
