Push a Docker image to, and pull it from, a Docker container registry using AWS ECR.
The results of working through the hands-on in the YouTube video by Mr. Kohei Kurokawa are recorded below. You can learn the basics about AWS ECR from the link below.
- The EC2 instance (Amazon Linux 2) on which the Docker daemon is running has already been built (*).
Item number | Title |
---|---|
1 | Build ECR |
2 | Attach an IAM role for ECR access |
3 | Save the Docker image to ECR |
4 | Get a Docker image from ECR |
Start creating the repository from the ECR Console (https://ap-northeast-1.console.aws.amazon.com/ecr/get-started?region=ap-northeast-1).
Enter the repository name (referred to as testrepo in this article) and click the repository creation button at the bottom.
The repository was successfully built.
Create an IAM role and attach it to the target EC2 instance to grant EC2 permission to access ECR.
Click Create Role in the IAM Role Console (https://console.aws.amazon.com/iam/home?region=ap-northeast-1#/roles).
This time we're attaching an IAM role to EC2, so we'll set EC2 as a trusted entity.
Attach the IAM policy AmazonEC2ContainerRegistryFullAccess, which grants full access to ECR, to the IAM role.
Enter the IAM role name (set as ecr-access in this article) and create the role.
Attach the created IAM role to the target EC2 instance.
Log in to the OS of the target EC2 instance (this article assumes the root user) and write the dockerfile.
As a sample, the dockerfile installs httpd and builds a Docker image that automatically starts httpd when the container starts.
dockerfile
FROM centos:centos7
RUN yum -y install httpd
CMD ["/usr/sbin/httpd","-DFOREGROUND"]
Then return to the ECR console, select the ECR repository you created and click `Show Push Commands`.
You will then see a series of commands for pushing to the target ECR repository. Execute them in order.
First, copy the first of the push commands and execute it.
It retrieves the login password for the ECR registry and runs docker login with that password as standard input.
If Login Succeeded is displayed, the login worked. (If the IAM role settings are incorrect, a credential error will be displayed.)
[root@ip-172-31-35-94 ~]# aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 932699493995.dkr.ecr.ap-northeast-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
The second command is the regular docker build command.
docker build -t testrepo .
The third command uses docker tag to apply the tag required for pushing to the ECR repository.
[root@ip-172-31-35-94 ~]# docker tag testrepo:latest 932699493995.dkr.ecr.ap-northeast-1.amazonaws.com/testrepo:latest
[root@ip-172-31-35-94 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
932699493995.dkr.ecr.ap-northeast-1.amazonaws.com/testrepo latest 306adf672fc7 10 minutes ago 330MB
testrepo latest 306adf672fc7 10 minutes ago 330MB
centos centos7 8652b9f0cb4c 2 months ago 204MB
The fourth command actually executes docker push.
[root@ip-172-31-35-94 ~]# docker push 932699493995.dkr.ecr.ap-northeast-1.amazonaws.com/testrepo:latest
The push refers to repository [932699493995.dkr.ecr.ap-northeast-1.amazonaws.com/testrepo]
9cdaef33df63: Pushed
174f56854903: Pushed
latest: digest: sha256:33f3b20422ea489ca61be9a5b4334b0a68572989b4143bca3cb6d55825c2c07c size: 741
Execute aws ecr describe-images --repository-name <repository name> --region ap-northeast-1; if the pushed image is listed, the push succeeded.
[root@ip-172-31-35-94 ~]# aws ecr describe-images --repository-name testrepo --region ap-northeast-1
{
    "imageDetails": [
        {
            "artifactMediaType": "application/vnd.docker.container.image.v1+json",
            "imageSizeInBytes": 135861914,
            "imageDigest": "sha256:33f3b20422ea489ca61be9a5b4334b0a68572989b4143bca3cb6d55825c2c07c",
            "imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "imageTags": [
                "latest"
            ],
            "registryId": "932699493995",
            "repositoryName": "testrepo",
            "imagePushedAt": 1610607670.0
        }
    ]
}
From the ECR console, copy the URL of the Docker image stored in the ECR.
Pass the copied URL as the argument of the docker pull command.
[root@ip-172-31-35-94 ~]# docker pull 932699493995.dkr.ecr.ap-northeast-1.amazonaws.com/testrepo:latest
latest: Pulling from testrepo
Digest: sha256:33f3b20422ea489ca61be9a5b4334b0a68572989b4143bca3cb6d55825c2c07c
Status: Downloaded newer image for 932699493995.dkr.ecr.ap-northeast-1.amazonaws.com/testrepo:latest
932699493995.dkr.ecr.ap-northeast-1.amazonaws.com/testrepo:latest
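The push and pull above both go through the mutable latest tag, while the same sha256 digest appears in the docker push, describe-images and docker pull output. As an added example (not part of the original article), the shell functions below record the digest reported at push time, confirm that ECR still maps the tag to it, and pull by digest. The function names are hypothetical; the registry, repository and region are the ones used in this article.

```sh
#!/bin/sh
# Added example: pull the ECR image by digest instead of the mutable "latest" tag.
# REGISTRY, REPO and REGION come from the article; function names are hypothetical.
REGISTRY="932699493995.dkr.ecr.ap-northeast-1.amazonaws.com"
REPO="testrepo"
REGION="ap-northeast-1"

# Accept only a well-formed digest: "sha256:" followed by 64 lowercase hex characters.
valid_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Read docker push/pull output on stdin and print the first digest it reports.
# Matches both "latest: digest: sha256:... size: 741" and "Digest: sha256:...".
digest_from_docker_output() {
  grep -Eio 'digest: sha256:[0-9a-f]{64}' | head -n 1 | awk '{print $2}'
}

# Build the immutable reference registry/repo@sha256:... for a validated digest.
pinned_ref() {
  valid_digest "$1" || { echo "invalid digest: $1" >&2; return 1; }
  printf '%s/%s@%s\n' "$REGISTRY" "$REPO" "$1"
}

# Ask ECR which digest a tag currently points to (needs the instance's IAM role).
ecr_digest_for_tag() {
  aws ecr describe-images --repository-name "$REPO" --region "$REGION" \
    --image-ids imageTag="$1" --query 'imageDetails[0].imageDigest' --output text
}

# Pull by digest, but only if the tag still maps to the digest recorded at push time.
pull_verified() {
  pv_expected="$1"
  pv_tag="${2:-latest}"
  pv_ref="$(pinned_ref "$pv_expected")" || return 1
  pv_current="$(ecr_digest_for_tag "$pv_tag")" || return 1
  if [ "$pv_current" != "$pv_expected" ]; then
    echo "tag $pv_tag points to $pv_current, expected $pv_expected" >&2
    return 1
  fi
  docker pull "$pv_ref"
}

# Sample input: the digest line from the docker push output shown in the article.
SAMPLE_PUSH='latest: digest: sha256:33f3b20422ea489ca61be9a5b4334b0a68572989b4143bca3cb6d55825c2c07c size: 741'
```

In use, pipe the docker push output through digest_from_docker_output, store the result, and later call pull_verified with that digest and the tag name.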