Docker push to AWS ECR problem

Time: 2019-03-03 11:22:41

Tags: amazon-web-services docker

For a few days I have been facing a problem pushing images from Jenkins to ECR and restarting the service.

My Jenkins instance is hosted on an EC2 instance through ECS (it is also built as a docker image).

What I want to do is build the image, log in to ECR, push the image there, and then restart the service. Logging in to ECR is the problematic part:

  1. When I run "unset AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", the "aws ecr get-login --region us-east-1" command succeeds, but pushing the image stops with "no basic auth credentials".
  2. When I do not run "unset AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", I cannot even log in to ECR.

I have done a lot of googling and analysis but could not find any answer. Any ideas what could be causing the problem? Is it the IAM setup or something in the ecs-agent?

The policy used to run the Jenkins task:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ecr:GetAuthorizationToken"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "GetAuthorizationToken"
            },
            {
                "Action": [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:PutImage",
                    "ecr:InitiateLayerUpload",
                    "ecr:UploadLayerPart",
                    "ecr:CompleteLayerUpload"
                ],
                "Resource": [
                    "arn:aws:ecr:*:*:repository/salesiq*",
                    "arn:aws:ecr:*:*:repository/comhub*",
                    "arn:aws:ecr:*:*:repository/ssrt*",
                    "arn:aws:ecr:*:*:repository/reveal*",
                    "arn:aws:ecr:*:*:repository/se-*"
                ],
                "Effect": "Allow",
                "Sid": "EcrManagement"
            },
            {
                "Condition": {
                    "ArnLike": {
                        "ecs:cluster": [
                            "arn:aws:ecs:*:*:cluster/salesiq*",
                            "arn:aws:ecs:*:*:cluster/comhub*",
                            "arn:aws:ecs:*:*:cluster/ssrt*",
                            "arn:aws:ecs:*:*:cluster/reveal*",
                            "arn:aws:ecs:*:*:cluster/se-*"
                        ]
                    }
                },
                "Action": [
                    "ecs:RunTask",
                    "ecs:StartTask",
                    "ecs:StopTask",
                    "ecs:DescribeClusters",
                    "ecs:DescribeServices",
                    "ecs:ListClusters",
                    "ecs:DescribeContainerInstances",
                    "ecs:StopTask"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "EcsManagement"
            },
            {
                "Action": [
                    "ecs:List*",
                    "ecs:Describe*",
                    "ecr:Describe*",
                    "ecr:Get*",
                    "ecr:Describe*",
                    "ecr:List*",
                    "cloudwatch:Get*",
                    "cloudwatch:List*",
                    "cloudwatch:Describe*",
                    "ecs:UpdateService"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "EcsListing"
            }
        ]
    }

1 answer:

Answer 0: (score: 0)

I think what you may be missing is the docker login command itself. It is not mentioned in your question. So you need the following:

    aws ecr get-login --region region --no-include-email

Then you execute the output of the above command:

    docker login -u AWS -p password https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com

Or you can run:

    $(aws ecr get-login --no-include-email --region eu-west-1)

Then:

    docker push $ecr_repo:latest

Example of the bash script I run in my pipeline:

    #!/bin/bash
    set -ex

    # $branch: current git branch
    # $commit: hash of the current git commit
    # $ecr_repo: Self explanatory

    # get-login prints a complete "docker login ..." command; $(...) runs it
    $(aws ecr get-login --no-include-email --region eu-west-1)
    # pull the previous image so its layers can be reused as build cache
    docker pull $ecr_repo:latest
    docker build --cache-from $ecr_repo:latest -t image_name .
    docker tag image_name:latest $ecr_repo:$commit
    # only master updates the :latest tag; every build pushes its commit tag
    if [ "$branch" = "master" ]; then
      docker tag image_name:latest $ecr_repo:latest
      docker push $ecr_repo:latest
    fi
    docker push $ecr_repo:$commit
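An added example, not the answer's own script, that tightens the login step above: it derives the registry and region from $ecr_repo so the login always targets the registry being pushed to (a region mismatch between get-login and the repository is one way to end up with "no basic auth credentials"), pipes the token through --password-stdin so that "set -x" does not write it into the Jenkins log, and prints the caller identity so you can see whether the ECS task role or the EC2 instance role supplied the credentials when AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is or is not set. It assumes an AWS CLI that has "ecr get-login-password" (v2, or v1 1.17.10 or later), docker 18.09 or later, and the $ecr_repo / $commit variables from the answer.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Assumes an AWS CLI
# with `ecr get-login-password` and a docker that supports --password-stdin.
set -eu

# Registry host of an image reference, e.g.
# 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
#   -> 123456789012.dkr.ecr.us-east-1.amazonaws.com
ecr_registry_from_image() {
    printf '%s\n' "${1%%/*}"
}

# Region encoded in an ECR registry host (ACCOUNT.dkr.ecr.REGION.amazonaws.com,
# also the .com.cn partition). Fails for anything that is not an ECR host, so a
# mistyped $ecr_repo cannot silently log in somewhere else.
ecr_region_from_registry() {
    case "$1" in
        *.dkr.ecr.*.amazonaws.com*) ;;
        *) return 1 ;;
    esac
    rest=${1#*.dkr.ecr.}
    printf '%s\n' "${rest%%.*}"
}

# Log in to the registry an image belongs to. `$(aws ecr get-login ...)` under
# `set -x` traces the expanded `docker login -p <token>` line into the CI log;
# feeding the token on stdin keeps it out of argv and the log.
ecr_login() {
    registry=$(ecr_registry_from_image "$1")
    region=$(ecr_region_from_registry "$registry")
    # Show which principal the CLI resolved (task role vs. instance profile),
    # so a missing ecr:* permission can be traced to the right IAM role.
    aws sts get-caller-identity --region "$region" --query Arn --output text
    aws ecr get-login-password --region "$region" \
        | docker login --username AWS --password-stdin "$registry"
}

# Pipeline entry point: only runs when $ecr_repo is set, so the functions
# above can be sourced and checked without AWS access.
if [ -n "${ecr_repo:-}" ]; then
    ecr_login "$ecr_repo"
    docker push "$ecr_repo:${commit:-latest}"
fi
```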