How to publish Docker images to AWS ECR

JPL - Jul 10 - Dev Community

ABOUT ECS

ECS (Elastic Container Service) is to containers what EC2 is to virtual machines. ECS has two modes (launch types):

  1. EC2 mode, which uses EC2 instances as container hosts (you can see these instances inside your AWS account).

  2. FARGATE MODE, the serverless way of running Docker containers: AWS manages the container hosts, so you can architect your environment around containers without provisioning any infrastructure (there are no EC2 instances to manage; everything is serverless).

In Fargate mode (launch type) you only need to create a task definition to define your ECS tasks. AWS then runs these tasks for you based on how much CPU and RAM you request for each task.

ECR (Elastic Container Registry) is a managed container image registry service. It is like Docker Hub, but for AWS: a service provided by AWS that hosts and manages container images.

Every AWS account has a PUBLIC and a PRIVATE REGISTRY; each account is provided with one of each. Every registry (PUBLIC or PRIVATE) can have many REPOSITORIES.

This is similar to GitHub or Bitbucket, where you can have many repositories that are either public or private. Just as a GitHub repository can contain many folders, in ECR each repository can contain MANY CONTAINER IMAGES.

Images can have several tags, and IT IS IMPORTANT THAT THESE TAGS ARE UNIQUE within a repository in ECR.

PUBLIC means that anyone has READ-ONLY ACCESS to anything within that registry; to have more power over a repository, a user needs read-write permissions on that public repository. Just as on Docker Hub, if the repository is public you or any other user can pull the image, but to push to the repository or make changes you need permissions.

A PRIVATE ECR REPOSITORY means that a user needs permissions for everything, READ-ONLY as well as READ-WRITE. As the name PRIVATE says, it is private for everything, and for everything you need permissions.

  • Set up your own private container image registry using AWS ECR and publish images to it
  • BEFORE STARTING it's important that you have the AWS CLI installed and are logged in to AWS

ECR is integrated with IAM (permissions). IAM controls permissions for access to ECR and to anything within the product. This is the same as for other AWS products such as EC2, S3, etc.

One of the cool features of ECR is that it offers security scanning of images, so we have:

  • Image scanning BASIC
  • Image scanning ENHANCED → using the Amazon Inspector product

Amazon Inspector automatically discovers workloads and scans them for software vulnerabilities and unintended network exposure. Amazon Inspector scans support compliance requirements and best practices for NIST CSF, PCI DSS and other regulations.

[Screenshot: console-aws-ecs-ecr]

Leave the visibility setting on Private, since we don't want our images to be public for the whole world to use.

DOCKER IMAGES ON AWS ECR AND REPOSITORY

When you launch Docker containers on AWS, you are launching what's called an ECS TASK on an ECS cluster.

If you want to have more images on AWS ECR, you need to create a separate repository for every image that you want to publish to AWS Elastic Container Registry.

IF you have three different Docker images to publish, you will need to create three separate repositories, one for each. Why? Because the repository name lines up directly with the image name that follows the registry URL and a forward slash, which is what we use when we build and tag our images.

[Screenshot: docker-ecr-images]

CREATING REPOSITORY ON AWS ECR

Log in to your AWS account and in the console search bar type AWS ECS. Click on the button "Create a repository". In the new view you need to fill in the data and create a new repository for the Docker image. In the "General settings" part, leave it as in the picture ("Private") and give your repository a name; it can be whatever you want, e.g. nodejs-repo or similar.

[Screenshot: creating-repository-on-ecr]

The other settings in "Create repository" can stay at their defaults; scroll down and click on "Create repository".

After creating the repository, click on the repository name; in the top right corner you will see the button "VIEW PUSH COMMANDS". It walks you through how to push an image on different operating systems (macOS/Linux, Windows): which commands you need to type in the terminal to push it.

In this window you will see something like (in your account it will be different): 34235252452452332.dkr.ecr.us-east-1.amazonaws.com. Copy it somewhere safe, because you will need it in the next steps.

[Screenshot: created-private-repo]
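The post creates the repository through the console. The same repository can be created from the AWS CLI with the two settings that matter most for a private registry, immutable tags (a tag can never be silently repointed at a different image, which is the stronger form of the "tags are unique" rule above) and scan-on-push. This is an added example, not code from the original post; the repository name sun-repo-html-app and the region us-east-1 are assumptions, and the name check is a local pre-flight written for this example, not an ECR API.

```shell
#!/bin/sh
# Added example, not from the original post: create the private repository
# from the AWS CLI instead of the console, with the settings a hardened
# registry wants from the start. Repository name and region are assumptions.
set -eu

# ECR repository names are lowercase: letters, digits and the separators
# . _ - (plus / for namespaces). Reject anything else locally, before the
# API call, and also reject names that start or end with a separator.
validate_repo_name() {
  name="$1"
  case "$name" in
    "" | *[!a-z0-9._/-]* | [!a-z0-9]* | */ | *[._-]) return 1 ;;
  esac
  return 0
}

# Create the repository. IMMUTABLE tags mean a tag such as "latest" can be
# pushed once and never repointed at a different image; scanOnPush runs the
# basic scan on every pushed image; images are encrypted at rest with AES256
# (encryptionType=KMS is the alternative). Prints the repository URI, which
# is exactly the prefix used later in "docker tag".
create_private_repo() {
  name="$1"; region="$2"
  validate_repo_name "$name" || { echo "bad repository name: '$name'" >&2; return 1; }
  aws ecr create-repository --region "$region" \
    --repository-name "$name" \
    --image-tag-mutability IMMUTABLE \
    --image-scanning-configuration scanOnPush=true \
    --encryption-configuration encryptionType=AES256 \
    --query 'repository.repositoryUri' --output text
}

# The API call runs only on request, so validate_repo_name can be exercised
# without the AWS CLI installed.
if [ "${ECR_DEMO:-}" = "create" ]; then
  create_private_repo sun-repo-html-app us-east-1
fi
```

Run it with `ECR_DEMO=create sh create-repo.sh`. Note that with immutable tags a second push of `sun-repo-html-app:latest` is rejected by ECR (ImageTagAlreadyExistsException), so each new build needs its own tag, for example a version number or the git commit hash; if you want to keep overwriting `latest` as the post does, use `--image-tag-mutability MUTABLE` instead.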

PUSHING DOCKER IMAGE ON ECR USING TERMINAL

IMPORTANT: YOU NEED TO HAVE THE AWS CLI ALREADY INSTALLED. If you don't have it installed, you can use this tutorial to install AWS CLI v2.0.

In the terminal we need to run a few commands. First, retrieve an authentication token and authenticate your Docker client to your registry, using the AWS CLI:

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 5723528375274520.dkr.ecr.us-east-1.amazonaws.com

aws ecr get-login-password --region us-east-1 generates a login password (a temporary token) for the Docker client so it can connect to ECR, and that password is PIPED into the docker login command.

docker login reads the password from stdin (that is what --password-stdin does) rather than taking it as a command-line argument, so the token created by aws ecr get-login-password never shows up in your shell history or in the process list.

[Screenshot: cli-login]

After typing this command, hit Enter; if the login was successful you will see the message:

[Screenshot: login-success]

IMPORTANT: This login HAS NOTHING TO DO WITH YOUR IAM PERMISSIONS IN AWS.
If you try to push the image to your ECR repository, you will probably get an error, because your IAM permissions/credentials are not configured properly.

DOCKER BUILD IMAGE and PUSH ON ECR

Build your Docker image using the following command:

$ docker build . -t sun-repo-html-app

[Screenshot: build-docker]

After the build completes, tag your image so you can push it to this repository:

docker tag sun-repo-html-app:latest 5723528375274520.dkr.ecr.us-east-1.amazonaws.com/sun-repo-html-app:latest

Run the following command to push this image to your newly created AWS repository:

docker push 5723528375274520.dkr.ecr.us-east-1.amazonaws.com/sun-repo-html-app:latest

After pushing the image to ECR, go to the ECR section of the AWS console to check that your image is in the repository you created.

[Screenshot: repo-of-pushed-image-on-ecr]

If you click on the latest tag, you can see more details about the image:

[Screenshot: details-of-picture]

DELETING THE LOCAL DOCKER IMAGE AND PULLING FROM ECR

We will delete the locally built Docker image so that we can PULL it from AWS ECR.

In the terminal, list the images and remove yours by ID:

$ docker images

$ docker image rm your_image_id

For example:

$ docker image rm 8e1d12601bcc

You can also find the image ID of just this image with:

$ docker image ls | grep sun-repo-html-app

Docker's message confirming that the image was deleted locally:

[Screenshot: LOCALLY-DELETED-Docker-image]

PULLING IMAGE FROM ECR


Check with the docker images command that the image has been pulled from ECR:

[Screenshot: pulled-image-from-ecr]
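The login, build, tag and push steps from the "PUSHING DOCKER IMAGE ON ECR" and "DOCKER BUILD IMAGE and PUSH ON ECR" sections, and the pull from this section, scripted end to end. This is an added example and not code from the original post. It takes the account ID from the IAM identity the AWS CLI is actually using (aws sts get-caller-identity) instead of copying it from the console, which also shows you which identity the later push is authorised as, given that a successful docker login says nothing about IAM permissions. It then reads back the image digest and the scan summary, and pulls by digest rather than by tag. The AWS CLI v2 and Docker are assumed to be installed and configured; the repository name sun-repo-html-app, the tag latest and the region us-east-1 are assumptions; real AWS account IDs are 12 digits.

```shell
#!/bin/sh
# Added example, not from the original post: the login/build/tag/push steps
# and the later pull, scripted with the AWS CLI. The account ID is read from
# the caller's IAM identity instead of being copied from the console, and the
# pull is done by digest. Repository name, tag and region are assumptions.
set -eu

# Registry host for an account and region. AWS account IDs are exactly 12
# digits; anything else is rejected so that a typo never sends the login
# token to an unexpected host.
ecr_registry_host() {
  account="$1"; region="$2"
  case "$account" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "invalid AWS account id: '$account'" >&2; return 1 ;;
  esac
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$account" "$region"
}

# Full image reference in the form host/repository:tag.
ecr_image_ref() {
  printf '%s/%s:%s\n' "$1" "$2" "$3"
}

# Authenticate the Docker client against the private registry of the account
# whose credentials the AWS CLI is using. Prints the registry host on stdout.
ecr_login() {
  region="$1"
  account=$(aws sts get-caller-identity --query Account --output text)
  host=$(ecr_registry_host "$account" "$region")
  # The token is piped on stdin and never placed on the command line.
  aws ecr get-login-password --region "$region" |
    docker login --username AWS --password-stdin "$host" >&2
  printf '%s\n' "$host"
}

# Build, tag and push, then report the digest and the scan summary.
push_to_ecr() {
  repo="$1"; tag="$2"; region="$3"; context="${4:-.}"
  host=$(ecr_login "$region")
  ref=$(ecr_image_ref "$host" "$repo" "$tag")
  docker build "$context" -t "$repo:$tag"
  docker tag "$repo:$tag" "$ref"
  # A successful login does not imply push permission: if IAM denies
  # ecr:PutImage this push fails and set -e stops the script here.
  docker push "$ref"
  aws ecr describe-images --region "$region" --repository-name "$repo" \
    --image-ids imageTag="$tag" --query 'imageDetails[0].imageDigest' --output text
  # Findings appear only once the (basic or enhanced) scan has finished.
  aws ecr describe-image-scan-findings --region "$region" --repository-name "$repo" \
    --image-id imageTag="$tag" \
    --query 'imageScanFindingsSummary.findingSeverityCounts' --output json ||
    echo "scan findings not available yet" >&2
}

# Pull by digest: resolve the tag in the registry first, so the image that
# ends up on this host is exactly the one that was pushed and scanned, even
# if the tag is later moved to a different image.
pull_from_ecr() {
  repo="$1"; tag="$2"; region="$3"
  host=$(ecr_login "$region")
  digest=$(aws ecr describe-images --region "$region" --repository-name "$repo" \
    --image-ids imageTag="$tag" --query 'imageDetails[0].imageDigest' --output text)
  docker pull "$host/$repo@$digest"
  docker images --digests "$host/$repo"
}

# The AWS and Docker calls run only when explicitly requested, so the pure
# helpers above can be sourced and checked without either tool installed.
case "${ECR_DEMO:-}" in
  push) push_to_ecr sun-repo-html-app latest us-east-1 . ;;
  pull) pull_from_ecr sun-repo-html-app latest us-east-1 ;;
esac
```

Run `ECR_DEMO=push sh ecr-flow.sh` from the directory containing the Dockerfile, then `docker image rm` the local copy as the post describes and run `ECR_DEMO=pull sh ecr-flow.sh`. The `docker images --digests` listing at the end shows the sha256 digest next to the pulled image, which you can compare with the digest printed after the push and with the one shown in the ECR console.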

AWS FREE TIER

As a new Amazon ECR customer, you get 500 MB per month of storage for your private repositories for one year as part of the AWS Free Tier.

Both new and existing customers get 50 GB per month of always-free storage for their public repositories. You can anonymously (without using an AWS account) transfer 500 GB of data to the Internet from a public repository each month for free. If you sign up for an AWS account, or authenticate to Amazon ECR with an existing AWS account, you can transfer 5 TB of data to the Internet from a public repository each month for free. You also get unlimited bandwidth at no cost when transferring data from a public repository to AWS compute resources in any AWS Region.

With Amazon ECR, there are no upfront fees or commitments. You pay only for the amount of data you store in your public or private repositories, and data transferred to the internet.

Amazon ECR automatically encrypts images at rest using Amazon S3 server-side encryption or AWS KMS encryption and transfers your container images over HTTPS. You can configure policies to manage permissions and control access to your images using AWS Identity and Access Management (IAM) users and roles without having to manage credentials directly on your EC2 instances.
