
Docker push to AWS ECR issue

For a couple of days I have been facing an issue with pushing an image from Jenkins to ECR and restarting the service.

My Jenkins instance is hosted on an EC2 instance via ECS (it is built as a docker image too).

What I want to do is build the image, log in to ECR, push the image there and restart the service. Logging in to ECR is problematic:

  1. when I do "unset AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" the "aws ecr get-login --region us-east-1" command succeeds, but the image push is stopped by "no basic auth credentials".
  2. when I do not invoke "unset AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" I can't even log in to ECR.

I did a lot of googling and analysis but I cannot find any answer. Any ideas what may cause the problem? Is it an IAM setting or ecs-agent stuff?

Policy used to run the Jenkins task:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ecr:GetAuthorizationToken"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "GetAuthorizationToken"
            },
            {
                "Action": [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:PutImage",
                    "ecr:InitiateLayerUpload",
                    "ecr:UploadLayerPart",
                    "ecr:CompleteLayerUpload"
                ],
                "Resource": [
                    "arn:aws:ecr:*:*:repository/salesiq*",
                    "arn:aws:ecr:*:*:repository/comhub*",
                    "arn:aws:ecr:*:*:repository/ssrt*",
                    "arn:aws:ecr:*:*:repository/reveal*",
                    "arn:aws:ecr:*:*:repository/se-*"
                ],
                "Effect": "Allow",
                "Sid": "EcrManagement"
            },
            {
                "Condition": {
                    "ArnLike": {
                        "ecs:cluster": [
                            "arn:aws:ecs:*:*:cluster/salesiq*",
                            "arn:aws:ecs:*:*:cluster/comhub*",
                            "arn:aws:ecs:*:*:cluster/ssrt*",
                            "arn:aws:ecs:*:*:cluster/reveal*",
                            "arn:aws:ecs:*:*:cluster/se-*"
                        ]
                    }
                },
                "Action": [
                    "ecs:RunTask",
                    "ecs:StartTask",
                    "ecs:StopTask",
                    "ecs:DescribeClusters",
                    "ecs:DescribeServices",
                    "ecs:ListClusters",
                    "ecs:DescribeContainerInstances",
                    "ecs:StopTask"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "EcsManagement"
            },
            {
                "Action": [
                    "ecs:List*",
                    "ecs:Describe*",
                    "ecr:Describe*",
                    "ecr:Get*",
                    "ecr:Describe*",
                    "ecr:List*",
                    "cloudwatch:Get*",
                    "cloudwatch:List*",
                    "cloudwatch:Describe*",
                    "ecs:UpdateService"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "EcsListing"
            }
        ]
    }

I think what you might be missing is the docker login command itself, which is not mentioned in your question. So you need the following:

    aws ecr get-login --region region --no-include-email

and then you want to execute the output of the above command:

    docker login -u AWS -p password https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com

Alternatively you can run:

    $(aws ecr get-login --no-include-email --region eu-west-1)

and then

    docker push $ecr_repo:latest

Sample of the bash script I am running in my pipeline:

    #!/bin/bash
    set -ex

    # $branch: current git branch
    # $commit: hash of the current git commit
    # $ecr_repo: Self explanatory

    $(aws ecr get-login --no-include-email --region eu-west-1)
    docker pull $ecr_repo:latest
    docker build --cache-from $ecr_repo:latest -t image_name .
    docker tag image_name:latest $ecr_repo:$commit
    if [ "$branch" = "master" ]; then
      docker tag image_name:latest $ecr_repo:latest
      docker push $ecr_repo:latest
    fi
    docker push $ecr_repo:$commit
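An added example (not the answer's own script and not from the question): a pipeline script that logs in with `aws ecr get-login-password` piped into `docker login --password-stdin` (the AWS CLI v2 replacement for the deprecated `get-login`), derives the registry host and region from the repository URI, and checks that Docker actually stored credentials for that exact host before pushing, since pushing to a host other than the one logged in to is what yields "no basic auth credentials". It assumes `$ecr_repo` and `$commit` as in the answer; the function names and the sample account id are chosen here.

```bash
#!/bin/bash
# Added example. Assumes AWS CLI v2, the Docker CLI, and $ecr_repo / $commit
# as in the answer, e.g. ecr_repo=123456789012.dkr.ecr.us-east-1.amazonaws.com/salesiq-web
# pipefail matters: without it a failing `aws` call would feed `docker login`
# an empty token and the script would carry on to the push anyway.
set -euo pipefail

# Registry host of a repository URI or image reference
# (123456789012.dkr.ecr.us-east-1.amazonaws.com/salesiq-web:latest -> host).
registry_host() {
  local ref="${1#https://}"
  printf '%s\n' "${ref%%/*}"
}

# Region embedded in the ECR host, so the token is requested from the
# same region the image is pushed to (a token is only valid for its registry).
ecr_region() {
  local host
  host="$(registry_host "$1")"
  host="${host#*.dkr.ecr.}"
  printf '%s\n' "${host%%.amazonaws.com*}"
}

# Succeeds if Docker's config.json holds an auth entry for this exact host.
# Pushes are authenticated per registry host; a login to another host (or
# another region) leaves this one without credentials.
has_registry_auth() {
  local host="$1" cfg="${DOCKER_CONFIG:-${HOME:-}/.docker}/config.json"
  [ -f "$cfg" ] || return 1
  grep -Eq "\"(https://)?${host}\"" "$cfg"
}

# Log in with the token on stdin, so it never appears in argv or `ps` output.
ecr_login() {
  local host region
  host="$(registry_host "$1")"
  region="$(ecr_region "$1")"
  aws ecr get-login-password --region "$region" \
    | docker login --username AWS --password-stdin "$host"
}

# Pipeline entry point (hypothetical name): login, verify, then push.
push_with_login_check() {
  local repo="$1" tag="$2" host
  host="$(registry_host "$repo")"
  ecr_login "$repo"
  has_registry_auth "$host" || { echo "no credentials stored for $host" >&2; return 1; }
  docker push "$repo:$tag"
}
```

In the pipeline the final step is `push_with_login_check "$ecr_repo" "$commit"`; if the login went to the wrong registry or region the script fails there instead of at the push.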

Are you using a different profile?
