Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I use insecure docker registries with Amazon EC2 Container Service (ECS)?

Tags:

amazon-web-services

amazon-ec2

amazon-ecs

We use a Docker registry inside our AWS VPC that is not accessible externally. We want to be able to launch tasks in ECS from this registry, however we see that the service is only ever at a PENDING state because the Docker daemon isn't able to access the registry.

I have found a sort of workaround by changing the launch configuration's user data but it doesn't feel like I'm doing this the best way:

#!/bin/bash
echo ECS_CLUSTER=MY_CLUSTER_NAME >> /etc/ecs/ecs.config
echo OPTIONS=--insecure-registry=insecure.registry.hostname:5000 > /etc/sysconfig/docker
service docker restart
docker start ecs-agent

This works perfectly, and I can see my task is running as expected. I just don't think this is necessarily the best way to do it.

AWS pointed me towards this article which discusses authenticating with private registries, but I'm not looking to authenticate, just to have Docker ignore the fact that I'm using an insecure (ie not HTTPS) registry.

Does anyone have a better solution?

Thanks

like image 555
Engineer81 Avatar asked Apr 22 '15 11:04

Engineer81

1 Answers

I've spoken further with AWS and have the following solution:

You can do something like set docker options (including --insecure-registry) with a user-data script that executes on boot. For example, --insecure-registry can be set with a script like the following:

#cloud-config
bootcmd:
 - cloud-init-per instance $(echo "OPTIONS=\"--insecure-registry=hostname:5000\"" > /etc/sysconfig/docker)

This way avoids the previous solution by not having the docker restart.

Regarding the insecure method, if we use a self-signed cert we can leverage this by either adding the certificate to the system CA trust store or to Docker's special trust store.

On the Amazon Linux AMI and ECS-optimized AMI, the system CA trust store is either located at /usr/share/pki/ca-trust-source or /usr/share/pki/ca-trust-source/anchors (depending on the format, see /usr/share/pki/ca-trust-source/README for details) and you will need to run the update-ca-trust command after adding the certificate. Docker's documentation on insecure registries provides more detail on this:

https://docs.docker.com/reference/commandline/cli/#insecure-registries https://github.com/docker/docker/blob/master/docs/sources/articles/certificates.md

I hope that also helps other people

like image 200
Engineer81 Avatar answered Oct 19 '22 18:10

Engineer81
Sign in to Comment

Related questions

Timeout issues on Google Cloud Functions and AWS Lambda
AWS cli: not authorized to perform: sts:AssumeRole on resource
More than 1 subnet per AZ for AWS Interface Endpoint?
Airflow - Send email with AWS SES
AWS WAF Getting 403 forbidden error while trying to upload an image
Why "AWS Account" tab is missing from https://www.awseducate.com/ in my dashboard?
How to combine JS/CSS for Amazon S3?
How Are Experienced Web Developers Deploying Django Into Production on EC2?
Pydoop on Amazon EMR
Prevent direct download of audio files from amazon s3
Example SNS subscription confirmation using AWS .NET SDK
Amazon S3 bucket naming convention
Python Boto: How do you specify a subnet id AND a security group?
Loading CSV data with NaN into AWS Redshift
AWS s3 api error: specified bucket does not exist
How to avoid GRUB errors after running apt-get upgrade - Ubuntu [closed]
How do I read the content of a file in Amazon S3
How to configure a GlassFish instance running on AWS/ElasticBeanstalk/Docker?
Does AWS cfn-init need a Profile/Role for DescribeStackResource?
Is Amazon's ElastiCache that expensive?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!