What is the best practice to pull a Docker image located in a repository in ECS from an EC2 instance?
I am used to taking advantage of ECS tasks. To just run a Docker container for 5 min, I need to go to Auto-Scale, set the minimum at 1, go to the ECS page, wait for an instance to be up and run my task. Too annoying for my personal use. I'd like to run it quickly and stop it quickly.
I wanted to simply run my Docker container but ok, that's not possible, so then I am thinking of creating an EC2 template that will directly run my Docker container inside an EC2 instance (through the User Data of an EC2 instance/template). I think my need is very basic and I couldn't find the best way to do it. Blog articles mainly explain how to run Docker on Linux, not the best way to do it on AWS.
You can run Docker containers on AWS EC2 by installing Docker. You need to install the Docker CLI, set up an AWS account, and create an IAM user as an administrator. You can pull Docker images from Docker Hub, and when you run those containers you should expose them on port 80.
Amazon ECS supports Docker, which enables AWS users to manage Docker containers across clusters of Amazon EC2 instances. Each EC2 instance in a cluster runs a Docker daemon that deploys and runs any application packaged as a container locally on Amazon ECS without the need to make any changes to the container.
To connect to your container instance: open the Amazon ECS console at https://console.aws.amazon.com/ecs/ . Select the cluster that hosts your container instance. On the Cluster page, choose ECS Instances. In the Container Instance column, select the container instance to connect to.
This can be accomplished with a combination of the EC2 instance role and a script that performs a docker login followed by a docker pull for your pushed image.
Prerequisites: An EC2 instance with the AWS CLI and Docker installed.
First, you'll have to add the inbuilt AmazonEC2ContainerRegistryReadOnly IAM policy to your EC2 instance's IAM role (this grants read access to all pushed images). If you'd like things to be more restrictive, you can use the following policy instead:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GrantSingleImageReadOnlyAccess",
                "Effect": "Allow",
                "Action": [
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:GetRepositoryPolicy",
                    "ecr:DescribeRepositories",
                    "ecr:ListImages",
                    "ecr:DescribeImages",
                    "ecr:BatchGetImage"
                ],
                "Resource": "arn:aws:ecr:<region>:<aws-account-id>:repository/<image-name>"
            },
            {
                "Sid": "GrantECRAuthAccess",
                "Effect": "Allow",
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*"
            }
        ]
    }

(The Resource element of an IAM policy must be an ARN, so the repository is named as arn:aws:ecr:<region>:<aws-account-id>:repository/<image-name> rather than by its registry hostname; ecr:GetAuthorizationToken does not support resource-level restrictions, hence the "*".)
Next, you'll have to create a script to perform login and image pull for you. A typical script would look something like this:
    #!/bin/bash
    # AWS CLI v1 login (get-login was removed in CLI v2; there use: aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<region>.amazonaws.com)
    $(aws ecr get-login --no-include-email --region <region>)
    docker pull <aws-account-id>.dkr.ecr.<region>.amazonaws.com/<image-name>:<optional-tag>
Note that this script will have to run as the root user for proper Docker daemon access.
Another way of solving this altogether would be to look into automation options for ECS tasks.
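As an added example (not code from the answer above), here is a user-data-style script that performs the same login and pull using only the instance role: the account ID and region come from the instance identity document over IMDSv2, and the short-lived registry token is handed to docker over stdin rather than on the command line. It assumes AWS CLI v2 and Docker are installed; the repository name and tag are placeholders.

```bash
#!/bin/sh
# Added example: pull one ECR image from an EC2 instance using only its instance role.
# Assumes AWS CLI v2 and Docker are installed and the role carries the read-only policy above.
set -eu

REPO="${ECR_REPO:-<image-name>}"   # placeholder repository name
TAG="${ECR_TAG:-latest}"

# Registry hostname for a given account and region.
ecr_registry() {
    printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

# Repository ARN in the form IAM expects in a policy's Resource element: account region repo.
ecr_repo_arn() {
    printf 'arn:aws:ecr:%s:%s:repository/%s' "$2" "$1" "$3"
}

# Account and region from the instance identity document; IMDSv2 requires a session token.
imds_identity() {
    tok=$(curl -sS -X PUT http://169.254.169.254/latest/api/token \
          -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
    curl -sS -H "X-aws-ec2-metadata-token: $tok" \
         http://169.254.169.254/latest/dynamic/instance-identity/document
}

# Log in with a short-lived token passed on stdin (not visible in the process list) and pull.
ecr_login_and_pull() {
    doc=$(imds_identity)
    account=$(printf '%s\n' "$doc" | sed -n 's/.*"accountId" *: *"\([0-9]*\)".*/\1/p')
    region=$(printf '%s\n' "$doc" | sed -n 's/.*"region" *: *"\([a-z0-9-]*\)".*/\1/p')
    registry=$(ecr_registry "$account" "$region")
    aws ecr get-login-password --region "$region" \
        | docker login --username AWS --password-stdin "$registry"
    docker pull "$registry/$REPO:$TAG"
}

# Only perform the pull when invoked with "run", so the helpers can be sourced on their own.
if [ "${1:-}" = "run" ]; then
    ecr_login_and_pull
fi
```

Run it as root (or a user in the docker group) with `sh pull.sh run`; ECR_REPO and ECR_TAG override the placeholders.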