amazon-web-services - Docker 推送到 AWS ECR 问题
问题描述
几天来,我面临将图像从詹金斯推送到 ECR 并重新启动服务的问题。
我的 Jenkins 实例通过 ECS 托管在 EC2 实例上。(它也被构建为 docker 镜像)。
我想做的是构建映像,登录到 ECR,将映像推送到那里并重新启动服务。登录 ECR 有问题:
- 当我执行“取消设置 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI”时,“aws ecr get-login --region us-east-1”命令成功,但推送图像因“没有基本身份验证凭据”而停止。
- 当我不调用“未设置 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI”时,我什至无法登录 ECR。
我做了很多谷歌搜索和分析,但找不到任何答案。任何想法可能导致问题?是 IAM 设置还是 ecs-agent 的东西?
用于运行 jenkins 任务的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecr:GetAuthorizationToken"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "GetAuthorizationToken"
},
{
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
],
"Resource": [
"arn:aws:ecr:*:*:repository/salesiq*",
"arn:aws:ecr:*:*:repository/comhub*",
"arn:aws:ecr:*:*:repository/ssrt*",
"arn:aws:ecr:*:*:repository/reveal*",
"arn:aws:ecr:*:*:repository/se-*"
],
"Effect": "Allow",
"Sid": "EcrManagement"
},
{
"Condition": {
"ArnLike": {
"ecs:cluster": [
"arn:aws:ecs:*:*:cluster/salesiq*",
"arn:aws:ecs:*:*:cluster/comhub*",
"arn:aws:ecs:*:*:cluster/ssrt*",
"arn:aws:ecs:*:*:cluster/reveal*",
"arn:aws:ecs:*:*:cluster/se-*"
]
}
},
"Action": [
"ecs:RunTask",
"ecs:StartTask",
"ecs:StopTask",
"ecs:DescribeClusters",
"ecs:DescribeServices",
"ecs:ListClusters",
"ecs:DescribeContainerInstances",
"ecs:StopTask"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EcsManagement"
},
{
"Action": [
"ecs:List*",
"ecs:Describe*",
"ecr:Describe*",
"ecr:Get*",
"ecr:Describe*",
"ecr:List*",
"cloudwatch:Get*",
"cloudwatch:List*",
"cloudwatch:Describe*",
"ecs:UpdateService"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EcsListing"
}
]
}
解决方案
我认为您可能缺少的是命令docker login
命令本身。您的问题中没有提到。所以你需要以下内容;
aws ecr get-login --region region --no-include-email
然后你想执行上述命令的输出;
docker login -u AWS -p password https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com
或者,您可以运行;
$(aws ecr get-login --no-include-email --region eu-west-1)
接着
docker push $ecr_repo:latest
我在管道中运行的 bash 脚本示例;
#!/bin/bash
set -ex
# $branch: current git branch
# $commit: hash of the current git commit
# $ecr_repo: Self explanatory
$(aws ecr get-login --no-include-email --region eu-west-1)
docker pull $ecr_repo:latest
docker build --cache-from $ecr_repo:latest -t image_name .
docker tag image_name:latest $ecr_repo:$commit
if [ "$branch" = "master" ]; then
docker tag image_name:latest $ecr_repo:latest
docker push $ecr_repo:latest
fi
docker push $ecr_repo:$commit
推荐阅读
- jquery - getJSON 调用 Struts 动作类中的方法进行自动完成
- kotlin - Kotlin DSL 自动添加/生成到 MutableList
- c# - Ef Core HasConversion 无法使用 CosmosDb 提供程序
- javascript - 'data' 和 'end' 事件如何从 cURL 发送到 nodejs 的 HTTP 服务器?
- tensorflow - 构建一个深度神经网络,产生分布为多元标准正态分布的输出
- php - 如果验证具有空值的 Laravel 数组,则需要
- firebase - Flutter - 使用提供者和 Firestore 返回空列表
- python - 使用 pandas 以加权方式计算 value_counts
- reactjs - 将表格添加到 Quill 编辑器
- icon-language - Icon 中的成功/失败与其他语言中的布尔值有何不同?