[英]Docker push to AWS ECR issue
for couple of days I am facing an issue with pushing image from jenkins to ECR and restart service.几天来,我面临将图像从 jenkins 推送到 ECR 并重新启动服务的问题。
My Jenkins instance is hosted on EC2 instance via ECS.我的 Jenkins 实例通过 ECS 托管在 EC2 实例上。 (it's built as docker image too). (它也是作为 docker 镜像构建的)。
What I want to do is to build image, login to ECR, push image there and restart service.我想要做的是构建镜像,登录 ECR,将镜像推送到那里并重启服务。 Login to ECR is problematic:登录 ECR 有问题:
I did a lot of googling and analysis but I can not find any answer.我做了很多谷歌搜索和分析,但我找不到任何答案。 Any ideas what may cause the problem?任何可能导致问题的想法? Is it IAM setting or ecs-agent stuff?是 IAM 设置还是 ecs-agent 的东西?
Policy used to run jenkins task:用于运行 jenkins 任务的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecr:GetAuthorizationToken"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "GetAuthorizationToken"
},
{
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
],
"Resource": [
"arn:aws:ecr:*:*:repository/salesiq*",
"arn:aws:ecr:*:*:repository/comhub*",
"arn:aws:ecr:*:*:repository/ssrt*",
"arn:aws:ecr:*:*:repository/reveal*",
"arn:aws:ecr:*:*:repository/se-*"
],
"Effect": "Allow",
"Sid": "EcrManagement"
},
{
"Condition": {
"ArnLike": {
"ecs:cluster": [
"arn:aws:ecs:*:*:cluster/salesiq*",
"arn:aws:ecs:*:*:cluster/comhub*",
"arn:aws:ecs:*:*:cluster/ssrt*",
"arn:aws:ecs:*:*:cluster/reveal*",
"arn:aws:ecs:*:*:cluster/se-*"
]
}
},
"Action": [
"ecs:RunTask",
"ecs:StartTask",
"ecs:StopTask",
"ecs:DescribeClusters",
"ecs:DescribeServices",
"ecs:ListClusters",
"ecs:DescribeContainerInstances",
"ecs:StopTask"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EcsManagement"
},
{
"Action": [
"ecs:List*",
"ecs:Describe*",
"ecr:Describe*",
"ecr:Get*",
"ecr:Describe*",
"ecr:List*",
"cloudwatch:Get*",
"cloudwatch:List*",
"cloudwatch:Describe*",
"ecs:UpdateService"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EcsListing"
}
]
} }
I think what you might be missing is the command docker login
command itself.我认为您可能缺少的是命令docker login
命令本身。 Which is not mentioned in your question.你的问题中没有提到。 So you need the following;所以你需要以下内容;
aws ecr get-login --region region --no-include-email
and then you want to execute the output of the above command;然后你想执行上面命令的输出;
docker login -u AWS -p password https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com
Alternatively you can run;或者你可以运行;
$(aws ecr get-login --no-include-email --region eu-west-1)
and then进而
docker push $ecr_repo:latest
Sample of bash scripts I am running in my pipeline;我在管道中运行的 bash 脚本示例;
#!/bin/bash
set -ex
# $branch: current git branch
# $commit: hash of the current git commit
# $ecr_repo: Self explanatory
$(aws ecr get-login --no-include-email --region eu-west-1)
docker pull $ecr_repo:latest
docker build --cache-from $ecr_repo:latest -t image_name .
docker tag image_name:latest $ecr_repo:$commit
if [ "$branch" = "master" ]; then
docker tag image_name:latest $ecr_repo:latest
docker push $ecr_repo:latest
fi
docker push $ecr_repo:$commit
您是否使用其他个人资料?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.