Storing, Managing, and Deploying Docker Container Images with Amazon ECR
1. AWS ECR
pg. 1 By: chanaka.lasantha@gmail.com
STORING, MANAGING, AND DEPLOYING DOCKER CONTAINER IMAGES WITH AMAZON ELASTIC CONTAINER REGISTRY (ECR).
Wednesday, April 22, 2020
AWS ELASTIC CONTAINER REGISTRY (ECR): LEARN HOW TO DO THE FOLLOWING:
• Create an Amazon ECR repository
• Connect to AWS ECR using the AWS CLI
• Push and pull Docker images to ECR
• Manage ECR lifecycle policies
Amazon Elastic Container Registry is a fully managed Docker container registry hosted in AWS data centers. The ECR service is
secure, reliable, and scalable, allowing you to grow your applications and services without worrying about capacity or security.
ECR COMPONENTS:
Component            Description
Registry             The registry is the primary logical resource that holds all the images.
Authorization token  The registry authentication mechanism; it secures the registry and allows access to authenticated users only.
Repository           The repository contains the Docker images.
Repository policy    Policies control access and lifecycles.
Images               Container images are used with the Docker push and pull commands.
Using these five components, AWS gives you the tools and policies to manage your registry while keeping the images safe and
accessible 24/7 from any location.
Amazon ECR comes with a few limits you should know about if you plan to scale the service heavily. Currently, ECR has a limit of
1,000 repositories per region and 1,000 images per repository, which is very high and probably enough for 99.9 percent of AWS
customers. Make sure you understand these limitations: based on these two numbers, you can host 1 million container images per
region in AWS.
The next number you should know is the rate of pull and push requests you can make per second, per region, and per account, which
is 200 sustained requests with a burst of 400. The maximum number of layers per image is 127, and each image can carry up to 100
tags.
ECR PRICING:
The Amazon ECR pricing structure is straightforward and based on usage; it doesn’t have any up-front costs. Specifically, the ECR
pricing is based on storage usage, meaning that you pay only for the amount of data that is stored in your repositories and the data
transfer out to the Internet.
FREE TIER ACCOUNT AND ECR:
If you are using a Free Tier AWS account, you get 500MB of free storage for your repositories and 1GB of data transfer over the
Internet. I usually use the data transfer to download my images using the docker pull command. Please note that all uploads using
docker push are free.
SETTING UP AMAZON ECR:
Amazon AWS best practices recommend that you create a new user account using the AWS Identity and Access Management (IAM)
console for ECR management and administration. Because ECR requires authentication to the service every time you use it, you should
not use your AWS root account to do it. Instead, use a less privileged account.
CREATING AN IAM ACCOUNT:
The first step in the ECR setup process is to create an account that you will use for AWS container management that is separate from
your AWS root account. AWS recommends you create an IAM account for each user and never give your root account details to
anyone.
WHEN YOU CREATE IAM ACCOUNTS AND GROUPS, PLEASE FOLLOW THESE RECOMMENDATIONS:
• When creating new users, make sure you give them access only to the resources they need to do their work and not more.
• When users no longer need access to resources on AWS, revoke their access or reduce their permissions level.
• Use groups when assigning permissions and reduce the need to set up permissions for each user.
• When assigning permissions to groups, try to align the groups with the job role; for example, developers need access to ECR
and ECS but not to billing.
• Always apply least privilege: grant groups only the permissions they need to perform their tasks.
If you are not sure how to get started with groups and permissions, start with AWS managed policies, which are stand-alone policies
created by AWS that define permissions based on common roles that fit many use cases and job functions.
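The least-privilege advice above translates directly into an IAM policy for ECR. The Python below is an added example, not from this deck: it builds a policy scoped to named repositories (the account id, region and repository names are constructed placeholders) and lints any policy document for Allow statements broader than the push/pull pattern needs. The ECR action names are the ones the docker pull and docker push flows require; ecr:GetAuthorizationToken is not resource-scoped, which is why that single statement legitimately uses Resource "*".

```python
"""Build and lint a least-privilege IAM policy for ECR push/pull.

Added example; not from the original deck. Account id, region and
repository names used below are constructed placeholders.
"""
import json

# Actions needed to pull an image (docker pull), besides GetAuthorizationToken.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]
# Additional actions needed to push an image (docker push).
PUSH_ACTIONS = [
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]


def repo_arn(account_id, region, repo):
    """ARN of one ECR repository in the given account and region."""
    return f"arn:aws:ecr:{region}:{account_id}:repository/{repo}"


def build_ecr_policy(account_id, region, repos, allow_push=False):
    """Return an IAM policy dict scoped to the named repositories.

    ecr:GetAuthorizationToken is not resource-scoped, so it is the only
    statement that legitimately uses Resource "*".
    """
    actions = PULL_ACTIONS + (PUSH_ACTIONS if allow_push else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GetRegistryToken",
                "Effect": "Allow",
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*",
            },
            {
                "Sid": "PushPull" if allow_push else "PullOnly",
                "Effect": "Allow",
                "Action": sorted(actions),
                "Resource": [repo_arn(account_id, region, r) for r in repos],
            },
        ],
    }


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (label, reason) pairs for Allow statements that grant more than
    the pull/push pattern needs: wildcard actions, or Resource "*" on any
    action other than ecr:GetAuthorizationToken."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        label = st.get("Sid", f"Statement[{i}]")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a.endswith("*") for a in actions):
            findings.append((label, "wildcard action"))
            continue
        if "*" in resources and actions != ["ecr:GetAuthorizationToken"]:
            findings.append((label, "Resource * on resource-scoped action"))
    return findings


if __name__ == "__main__":
    # Constructed placeholders: account id, region and repository name.
    policy = build_ecr_policy("123456789012", "us-east-1", ["erp2"], allow_push=True)
    print(json.dumps(policy, indent=2))
    print("findings:", find_overbroad_statements(policy))
    overbroad = {"Version": "2012-10-17",
                 "Statement": [{"Sid": "TooWide", "Effect": "Allow",
                                "Action": "ecr:*", "Resource": "*"}]}
    print("findings:", find_overbroad_statements(overbroad))
```

Attach the generated document to a group (developers, CI runners) rather than to individual users, and run find_overbroad_statements over any existing policy before reusing it; a single "ecr:*" on "*" quietly grants deletion of repositories and images as well.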
aws ec2 describe-regions --output table
vim Dockerfile
FROM ubuntu
# debconf's frontend is spelled "noninteractive"; "non-interactive" is not recognised.
ENV DEBIAN_FRONTEND noninteractive
ADD supervisor.conf /etc/supervisor.conf
# Line continuations restored; without the trailing backslashes each line is a separate, broken RUN.
RUN apt-get -q -y update && apt-get -q -y upgrade && \
    apt-get -q -y install sudo openssh-server supervisor vim iputils-ping net-tools && \
    apt-get clean && \
    mkdir /var/run/sshd
RUN mkdir -p /app/scripts
WORKDIR /app
RUN useradd -d /home/erp2 -m erp2 > /dev/null 2>&1
RUN echo "/sbin/nologin" >> /etc/shells
RUN usermod -s /sbin/nologin erp2
RUN usermod -u 502 erp2 > /dev/null 2>&1
RUN groupmod -g 504 erp2 > /dev/null 2>&1
# Passwords written here are baked into an image layer and stay readable in the image history
# even after the file is removed in a later layer.
RUN echo 'erp2:ccl@123' >> /root/passwdfile
RUN chpasswd -c SHA512 < /root/passwdfile
RUN rm -rf /root/passwdfile
RUN groupadd app
RUN usermod -a -G app erp2
RUN grep 'app' /etc/group
RUN id erp2
RUN echo 'root:z80cpu' >> /root/passwdfile
RUN useradd -m -G sudo chanakan
RUN echo 'chanakan:z80cpu' >> /root/passwdfile
RUN chpasswd -c SHA512 < /root/passwdfile
RUN rm -rf /root/passwdfile
# Enables password-based root login over SSH; supervisor.conf below starts sshd on port 22.
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
EXPOSE 22
VOLUME ["/data"]
CMD ["supervisord", "-c", "/etc/supervisor.conf"]
USER root
vim supervisor.conf
[supervisord]
nodaemon=true
[program:sshd]
directory=/usr/local/
command=/usr/sbin/sshd -D
autostart=true
autorestart=true
redirect_stderr=true
Retrieve an authentication token and authenticate your Docker client to your registry.
Use the AWS CLI:
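The authorization step returns a short-lived token that the Docker client logs in with. As an added example (not the deck's CLI command and not AWS library code), the Python below parses a GetAuthorizationToken response of the shape the AWS CLI returns (the sample is constructed; the account id and token value are made up), verifies that the proxyEndpoint belongs to the expected account and region before any credential is handed to docker login, refuses a token that has passed its expiresAt (ECR tokens are valid for 12 hours), and builds a docker login command that takes the password on stdin rather than on the command line.

```python
"""Turn an ECR GetAuthorizationToken response into docker-login inputs.

Added example, not from the deck. The responses below mirror the shape of
`aws ecr get-authorization-token` output; account id and token values are
constructed.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

ACCOUNT = "123456789012"  # constructed account id
REGION = "us-east-1"

# Constructed sample response, valid for 12 hours from now.
SAMPLE_RESPONSE = {
    "authorizationData": [{
        "authorizationToken": base64.b64encode(b"AWS:example-token-value").decode(),
        "expiresAt": (datetime.now(timezone.utc) + timedelta(hours=12)).isoformat(),
        "proxyEndpoint": f"https://{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com",
    }]
}

# Same shape, but with a constructed timestamp already in the past.
SAMPLE_EXPIRED_RESPONSE = {
    "authorizationData": [{
        "authorizationToken": base64.b64encode(b"AWS:stale-token-value").decode(),
        "expiresAt": "2020-04-22T00:00:00+00:00",
        "proxyEndpoint": f"https://{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com",
    }]
}

# ECR registry endpoints have the form https://<account>.dkr.ecr.<region>.amazonaws.com
ENDPOINT_RE = re.compile(r"^https://(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$")


def parse_authorization(response, expected_account, expected_region):
    """Return (registry_host, username, password) for docker login.

    Raises ValueError if the proxyEndpoint is not the expected account and
    region, if the token has expired, or if the decoded token is not in
    the AWS:<password> form.
    """
    data = response["authorizationData"][0]
    endpoint = data["proxyEndpoint"]
    m = ENDPOINT_RE.match(endpoint)
    if not m or (m.group(1), m.group(2)) != (expected_account, expected_region):
        raise ValueError(f"unexpected registry endpoint: {endpoint}")
    expires = datetime.fromisoformat(data["expiresAt"])
    if expires <= datetime.now(timezone.utc):
        raise ValueError("authorization token has expired; request a new one")
    decoded = base64.b64decode(data["authorizationToken"]).decode()
    user, sep, password = decoded.partition(":")
    if user != "AWS" or not sep or not password:
        raise ValueError("token is not in the expected AWS:<password> form")
    return endpoint[len("https://"):], user, password


def docker_login_command(registry_host, username):
    """Command to run; the password is piped on stdin, never placed on the
    command line where it would appear in shell history and process lists."""
    return f"docker login --username {username} --password-stdin {registry_host}"


if __name__ == "__main__":
    host, user, _password = parse_authorization(SAMPLE_RESPONSE, ACCOUNT, REGION)
    print(docker_login_command(host, user))
```

The endpoint check matters in CI, where the account id and region are known constants: a token obtained under the wrong profile or a mistyped region fails loudly here instead of pushing an image into someone else's registry.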