ECR

• Docker
• Docker Troubleshooting and CLI

ECR - Amazon Elastic Container Registry

• A fully managed private docker container registry service that makes it easy to store, pull, and push docker images securely.
• ECR automatically encrypts images at rest using S3 server-side encryption and transfers your container images over HTTPS.
• ECR uses AWS S3 service in the back-end to host images in a Highly Available, Secured and Scalable storage allowing to reliably deploy containers for your applications.
• ECR integrates with AWS ECS and Docker CLI allowing you to deploy appropriate images for your applications.
• You can configure policies to IAM Users/Roles to control who can access the Images from the repository. With ECR lifecycle policy, you can automate the cleanup of unused or old images.
• No upfront fees, you pay only for the amount of data you store in your repos and data transfers.

ECR Components

Registry

A registry stores and lets you distribute Container Images. Each registry contains one or more image Repositories.

Repository

A repository commonly represents a software component or service. Each repository contains one or more Container Images, each representing a different version of the component.

Authorization Token

Each request must contain an auth token. This token is temporary and must be refreshed periodically.

IAM Policy

Access to registries and repositories is controlled via IAM.

• Note: It might take several minutes for policy changes to propagate before they take effect. It is recommended to allow five minutes to pass before testing policy updates.

Container Image

A container image is a self-contained software package that includes everything needed to run the software.

Lifecycle Policy

A Lifecycle Policy can be used to clean up old Container Images in a Repository.

• It is a set of one or more rules that will be applied to images that contain tags prefixed with given strings.
• After creating lifecycle policy, you should expect the affected images will be expired within 24 hours.
• A lifecycle policy takes the following Policy parameters to create a lifecycle rule:
  • rulePriority - lifecycle rules are executed based on the priority. You must provide a unique rulePriority.
  • description - a friendly description of the rule
  • tagstatus - specifies whether the rule applies to images that are tagged or untagged.
  • tagPrefixList - Prefix string on which you want to take action. Example: If your images are taggeds as prod, prod1, prod2, and so on, you would use the tag prefix prod to specify all of them.
  • countType - Count type to apply to the Images (Image age or number of images)
  • countUnit - Rule will be applied to the Images which older than this number of days.
  • countNumber - Based on the countType parameter, this value refers to Maximum Number of images to retain or Age limit of images.
    • For example, if the countType used is imageCountMoreThan, then the value is Max number of images to retain in your repository. If the counType used is sinceImagePushed, then the value is the max age limit for your images.
  • action - which action to take i.e. delete.

How to create an image of running container and Push Image to ECR

This instructions is to create image of an existing container, and push that image to ECR. If you have a repository created already, follow the steps to Push an Image to ECR.

• This utilizes "docker commit" command, and not the "docker build" command.
  • There will be differences in size. Docker commit is basically taking a "snapshot" of the current state of the "running" container and save it as an image. ... On the other hand, docker build create the image by referring to a script (Dockerfile).
  • Learn more about the differences: https://stackoverflow.com/questions/26110828/should-i-use-dockerfiles-or-image-commits

1) List docker containers and identify the container ID:

$ docker ps -a

2) To create a new image from a container’s changes:

$ docker commit <container-id>

3) List docker images and identify the image ID:

$ docker images

4) Create a tag for the target image to refer to the source image id:

$ docker tag <source-image-id> <aws_account_id>.dkr.ecr.region.amazonaws.com/<repository-name>:<tag>

#Example: 
$ docker tag c4257e433c9e 648818476623.dkr.ecr.us-east-1.amazonaws.com/myimagehello:test

5) From here you simply have to follow the rest of the ECR push commands. To push the image to ECR.

$ aws ecr get-login-password | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com

#Example: 
$ aws ecr get-login-password | docker login --username AWS --password-stdin 648818476623.dkr.ecr.us-east-1.amazonaws.com

6) Push to ECR

$ docker push <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<repository-name>
 
#Example: 
$ docker push 648818476623.dkr.ecr.us-east-1.amazonaws.com/myimagehello 

How to Pull Image from ECR

Once the Docker image is pushed to ECR you can pull the Image whenever required provided you have proper access. ---> Authenticate to ECR registry if not authenticated already. ---> Pull the Image from ECR with the repositoryUri using the Docker CLI.

1) Get Authorization Token:

$ aws ecr get-login --no-include-email

2) Execute the printed command to log in to your registry with Docker:

$ docker login -u AWS -p <password> https://aws_account_id.dkr.ecr.region.amazonaws.com

3) Pull Image:

$ docker pull ImageName:tag aws_account_id.dkr.ecr.region.amazonaws.com/RepoName:tag

Cross Account ECR Image access in ECS

"My ECR Image is in Account A, and want to access the same image in Account B".

By using ECR repository policies you can share image to multiple AWS accounts. To achieve this:

In Account A:
Navigate to Permissions tab of the Repository, under "Principle" section, choose the scope of the users to apply the policy statement to.

• Allow all authenticated AWS users by selecting the Everybody check box.
• Allow all users under specific AWS accounts by listing those accounts in the AWS account number(s) field.
• Allow specific roles or users of other AWS account by passing the ARN of user/role in principal (Currently ot supported in the AWS Management console, use AWS CLI instead).

In Account B:
Navigate to your task defnition and use full registry/repository:tag naming for your ECR images.

Also note that ECS service and ECR can be in a different region.