
How to pull ECS docker image from an EC2 instance?

What is the best practice to pull a Docker image located in a repository in ECS from an EC2 instance?

  • I pushed Docker images into my repository located under ECS.
  • I would like to launch an EC2 instance and pull these images from it.

I am used to taking advantage of the ECS task. To just run a Docker container for 5 min, I need to go to Auto-Scale, set the minimum at 1, go to the ECS page, wait for an instance to be up and run my task. Too annoying for my personal use. I'd like to run it quickly and stop it quickly.

I wanted to simply run my Docker container, but OK, that's not possible, so I am thinking of creating an EC2 template that will directly run my Docker container inside an EC2 instance.

  • How to do it?
  • How can I handle the keys/users and the AWS CLI inside my EC2? (Access/Secret Access Key are limited to 30min, I can't write it clearly in the User Data of an EC2 instance/template)

I think my need is very basic and I couldn't find the best way to do it. Blog articles mainly explain how to run Docker on Linux, not the best way to do it on AWS.

Alexis asked Nov 01 '18 05:11



1 Answer

This can be accomplished with a combination of the EC2 instance role, and a script that performs docker login followed by a docker pull for your pushed image.

Pre-requisites: An EC2 instance with the AWS CLI and Docker installed.

First, you'll have to add the inbuilt AmazonEC2ContainerRegistryReadOnly IAM policy to your EC2 instance's IAM role (this grants read access to all pushed images). If you'd like things to be more restrictive, you can use the following policy instead:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantSingleImageReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:<region>:<aws-account-id>:repository/<image-name>"
    },
    {
      "Sid": "GrantECRAuthAccess",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}

Next, you'll have to create a script to perform login and image pull for you. A typical script would look something like this:

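# `aws ecr get-login` was removed in AWS CLI v2; get-login-password pipes the token to docker login via stdin.
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<region>.amazonaws.com
docker pull <aws-account-id>.dkr.ecr.<region>.amazonaws.com/<image-name>:<optional-tag>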

Note that this script will have to run as the root user for proper Docker daemon access.

Another way of solving this altogether would be to look into automation options for ECS tasks.

Kunal Nagpal answered Oct 17 '22 01:10
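
The instance-role approach from the answer, written as an EC2 user-data style script. This is an added example, not code from the original answer: it keeps access keys out of user data by relying on the role's temporary credentials, and checks through IMDSv2 that a role is attached before logging in. The function names and the sample account id, region and repository are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Meant for EC2 user data,
# which runs as root. No access keys appear: the AWS CLI picks up temporary
# credentials for the instance role from the instance metadata service.

# Registry host for a 12-digit account id ($1) and region ($2).
ecr_registry() {
    case "$1" in ''|*[!0-9]*) echo "bad account id" >&2; return 1 ;; esac
    [ "${#1}" -eq 12 ] || { echo "bad account id" >&2; return 1; }
    case "$2" in ''|*[!a-z0-9-]*) echo "bad region" >&2; return 1 ;; esac
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Repository ARN to use as "Resource" in the restrictive IAM policy.
ecr_repo_arn() {
    ecr_registry "$1" "$2" >/dev/null || return 1
    case "$3" in ''|*[!a-z0-9._/-]*) echo "bad repository" >&2; return 1 ;; esac
    printf 'arn:aws:ecr:%s:%s:repository/%s\n' "$2" "$1" "$3"
}

# Name of the IAM role attached to this instance (IMDSv2); fails if none.
instance_role() {
    token=$(curl -sf -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' \
        http://169.254.169.254/latest/api/token) || return 1
    curl -sf -H "X-aws-ec2-metadata-token: $token" \
        http://169.254.169.254/latest/meta-data/iam/security-credentials/
}

# Log in with a token read from stdin (never on the command line), then pull.
pull_image() {
    registry=$(ecr_registry "$1" "$2") || return 1
    ecr_repo_arn "$1" "$2" "$3" >/dev/null || return 1
    instance_role >/dev/null || { echo "no instance role attached" >&2; return 1; }
    aws ecr get-login-password --region "$2" |
        docker login --username AWS --password-stdin "$registry" || return 1
    docker pull "$registry/$3:${4:-latest}"
}

# Runs only when called with arguments, e.g. from user data:
#   sh ecr-pull.sh 123456789012 eu-west-1 myapp v1   (constructed values)
if [ "$#" -ge 3 ]; then pull_image "$@"; fi
```

The output of ecr_repo_arn is the value that belongs in the policy's "Resource" field; the registry host name is only used for docker login and docker pull.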