
How do I use insecure docker registries with Amazon EC2 Container Service (ECS)?

We use a Docker registry inside our AWS VPC that is not accessible externally. We want to be able to launch tasks in ECS from this registry, however we see that the service is only ever at a PENDING state because the Docker daemon isn't able to access the registry.

I have found a sort of workaround by changing the launch configuration's user data but it doesn't feel like I'm doing this the best way:

#!/bin/bash
echo ECS_CLUSTER=MY_CLUSTER_NAME >> /etc/ecs/ecs.config
echo OPTIONS=--insecure-registry=insecure.registry.hostname:5000 > /etc/sysconfig/docker
service docker restart
docker start ecs-agent

This works perfectly, and I can see my task is running as expected. I just don't think this is necessarily the best way to do it.

AWS pointed me towards this article which discusses authenticating with private registries, but I'm not looking to authenticate, just to have Docker ignore the fact that I'm using an insecure (i.e. not HTTPS) registry.

Does anyone have a better solution?

Thanks

Engineer81 asked Apr 22 '15 11:04


1 Answer

I've spoken further with AWS and have the following solution:

You can do something like set docker options (including --insecure-registry) with a user-data script that executes on boot. For example, --insecure-registry can be set with a script like the following:

#cloud-config
bootcmd:
 - cloud-init-per instance $(echo "OPTIONS=\"--insecure-registry=hostname:5000\"" > /etc/sysconfig/docker)

This way avoids the previous solution by not having the docker restart.

Regarding the insecure method, if we use a self-signed cert we can leverage this by either adding the certificate to the system CA trust store or to Docker's special trust store.

On the Amazon Linux AMI and ECS-optimized AMI, the system CA trust store is either located at /usr/share/pki/ca-trust-source or /usr/share/pki/ca-trust-source/anchors (depending on the format, see /usr/share/pki/ca-trust-source/README for details) and you will need to run the update-ca-trust command after adding the certificate. Docker's documentation on insecure registries provides more detail on this:

https://docs.docker.com/reference/commandline/cli/#insecure-registries
https://github.com/docker/docker/blob/master/docs/sources/articles/certificates.md

I hope that also helps other people

Engineer81 answered Oct 19 '22 18:10
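
The trust-store alternative described in the answer above, as an added example that is not part of the original post: it installs the registry's self-signed CA into either Docker's per-registry store (`/etc/docker/certs.d/<host:port>/ca.crt`) or the system anchors directory, so `--insecure-registry` is no longer needed. The function names, the staging `root` argument and the CA file path are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: trust the registry's self-signed CA instead of using
# --insecure-registry. The 4th argument (root) is a hypothetical staging
# prefix for dry runs; leave it empty on a real instance.
install_registry_ca() {
    local registry="$1" ca_file="$2" store="${3:-docker}" root="${4:-}" dest
    # Registry must be host[:port]; reject names that could escape the directory.
    case "$registry" in
        ""|*..*|*[!A-Za-z0-9.:-]*)
            echo "bad registry name: $registry" >&2; return 2 ;;
    esac
    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 3; }
    # A trust anchor file must never carry private key material.
    if grep -q 'PRIVATE KEY' "$ca_file"; then
        echo "$ca_file contains a private key; refusing" >&2; return 4
    fi
    if [ "$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$ca_file")" -ne 1 ]; then
        echo "$ca_file must hold exactly one PEM certificate" >&2; return 5
    fi
    case "$store" in
        # Docker's own store: the CA is trusted for this one registry only.
        docker) dest="$root/etc/docker/certs.d/$registry/ca.crt" ;;
        # System store: the CA becomes trusted by every TLS client on the host.
        system) dest="$root/usr/share/pki/ca-trust-source/anchors/registry-${registry%%:*}.crt" ;;
        *) echo "store must be docker or system" >&2; return 2 ;;
    esac
    { install -d -m 0755 "$(dirname "$dest")" && install -m 0644 "$ca_file" "$dest"; } || return 6
    # The system store only takes effect after the bundle is rebuilt.
    if [ "$store" = system ] && [ -z "$root" ]; then update-ca-trust; fi
}

# Returns 0 if the daemon options file still carries --insecure-registry
# on a non-comment line.
uses_insecure_registry() {
    grep -Eqs -e '^[^#]*--insecure-registry' "${1:-/etc/sysconfig/docker}"
}

# On a real instance (the CA path is an assumption):
#   install_registry_ca insecure.registry.hostname:5000 /root/registry-ca.crt
#   uses_insecure_registry && echo "remove --insecure-registry from OPTIONS" >&2
```

The `docker` store is the narrower choice, since the CA is then accepted only for that one registry rather than by every TLS client on the instance.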