AWS EB docker-compose deployment from private registry access forbidden


Problem description

I'm trying to get a docker-compose deployment to AWS Elastic Beanstalk working, in which the docker images are pulled from a private registry hosted by GitLab.

The strange thing is that the initial deployment works perfectly; it pulls the image from the private registry and starts the containers using docker-compose, and the webpage (served by Django) is accessible through the host.

Deploying a new version using the same docker-compose and the same docker image results in an error while pulling the docker image:

2021/03/16 09:28:34.957094 [ERROR] An error occurred during execution of command [app-deploy] - [Run Docker Container]. Stop running the command. Error: failed to run docker containers: Command /bin/sh -c docker-compose up -d failed with error exit status 1. Stderr:Building with native build. Learn about native build in Compose here: https://docs.docker.com/go/compose-native-build/
Creating network "current_default" with the default driver
Pulling redis (redis:alpine)...
Pulling mysql (mysql:5.7)...
Pulling project.dockertest(registry.gitlab.com/company/spikes/dockertest:latest)...
Get https://registry.gitlab.com/v2/company/spikes/dockertest/manifests/latest: denied: access forbidden
 

2021/03/16 09:28:34.957104 [INFO] Executing cleanup logic

Setup

AWS Elastic Beanstalk 64bit Amazon Linux 2/3.2

Gitlab registry credentials are stored within an S3 bucket, in a file named .dockercfg with the following content:

{
        "auths": {
                "registry.gitlab.com": {
                        "auth": "base64 encoded username:personal_access_token"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.03.1-ce (linux)"
        }
}

The repository contains a v3 Dockerrun.aws.json file that refers to the credential file in S3:

{
  "AWSEBDockerrunVersion": "3",
  "Authentication": {
    "bucket": "gitlab-dockercfg",
    "key": ".dockercfg"
  }
}

Reproduce

Set up a docker-compose.yml that uses a service with a private docker image (one that can be pulled with the credentials set up in the dockercfg within S3).

Create a new application that uses the docker platform.

eb init testapplication --platform=docker --region=eu-west-1

Note: the region must be the same as the S3 bucket containing the dockercfg.

Initial deployment (this will succeed)

eb create testapplication-test --branch_default --cname testapplication-test --elb-type=application --instance-types=t2.micro --min-instance=1 --max-instances=4

The initial deployment shows that the image is available and can be started:

2021/03/16 08:58:07.533988 [INFO] save docker tag command: docker tag 5812dfe24a4f redis:alpine
2021/03/16 08:58:07.533993 [INFO] save docker tag command: docker tag f8fcde8b9ae2 mysql:5.7
2021/03/16 08:58:07.533998 [INFO] save docker tag command: docker tag 1dd9b65d6a9f registry.gitlab.com/company/spikes/dockertest:latest
2021/03/16 08:58:07.534010 [INFO] Running command /bin/sh -c docker rm `docker ps -aq`

Without changing anything in the local repository or the remote docker image on the private registry, let's do a redeployment, which will trigger the error:

eb deploy testapplication-test

This will fail with the following output:

...
2021-03-16 10:02:28    INFO    Command execution completed on all instances. Summary: [Successful: 0, Failed: 1].
2021-03-16 10:02:29    ERROR   Unsuccessful command execution on instance id(s) 'i-0dc445d118ac14b80'. Aborting the operation.
2021-03-16 10:02:29    ERROR   Failed to deploy application.        
                                                                      
ERROR: ServiceError - Failed to deploy application.

The instance's log shows (/var/log/eb-engine.log):

Pulling redis (redis:alpine)...
Pulling mysql (mysql:5.7)...
Pulling project.dockertest (registry.gitlab.com/company/spikes/dockertest:latest)...
Get https://registry.gitlab.com/v2/company/spikes/dockertest/manifests/latest: denied: access forbidden
 

2021/03/16 10:02:25.902479 [INFO] Executing cleanup logic

Steps I've tried to debug or solve the issue

  • Renaming dockercfg to .dockercfg on S3 (a possible solution mentioned somewhere on the internet)
  • Using the "old" docker config format instead of the one generated by docker 1.7+. But then I found out that Amazon Linux 2 instances with Dockerrun v3 are compatible with the new format.
  • Using a malformed dockercfg on S3 results in a deployment error about the malformed file (so it does actually do something with the dockercfg in S3)

Documentation

I'm out of debug options, and I've no idea where to look any further to debug this problem. Perhaps someone can see what is going wrong here?

Answer

First of all, the issue described above is a bug confirmed by Amazon. To get the deployment working on our side, we contacted Amazon support. They have a fix in place which should be released this month, so keep an eye on the changelog of the Elastic Beanstalk platform: https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/relnotes.html

Although the upcoming release should have the fix, there is a workaround available to get the docker-compose deployment working.

Elastic Beanstalk allows hooks to be executed within the deployment, which can be used to fetch the .dockercfg from an S3 bucket to authenticate against the private registry. To do so, create the following file and directories from the root of the project:

File location: .platform/hooks/predeploy/docker_login

#!/bin/bash
aws s3 cp s3://{{bucket_name_to_use}}/.dockercfg ~/.docker/config.json

Important: add execute permission to this file (for example: chmod +x .platform/hooks/predeploy/docker_login)

To support instance configuration changes, please symlink the hooks directory to confighooks:

ln -s .platform/hooks/ .platform/confighooks/

Updating the configuration requires the .dockercfg credentials to be fetched too.

This should enable continuous deployments to the same EB instance without the authentication errors, because the hook will be executed before the docker image pull.

Some background: the docker daemon reads credentials from ~/.docker/config by default on traditional Linux systems. On the initial deploy this file will exist on the Elastic Beanstalk instance. On the next deployment this file is removed. Unfortunately, on the next deployment the .dockercfg is not re-fetched, therefore the docker daemon does not have the correct credentials to authenticate with.
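A fuller version of the predeploy hook from the answer, as an added example that is not the answerer's script and not part of the original page. It assumes the bucket and key from the question (gitlab-dockercfg / .dockercfg), that the EB instance profile is allowed s3:GetObject on that object, that the hook runs as the same user eb-engine later runs docker-compose as, and that the /opt/elasticbeanstalk directory marks an Elastic Beanstalk instance (an assumption used only to skip the S3 fetch when the functions are exercised elsewhere). Beyond the two-line original it checks that the downloaded file is a docker config with an auth entry for the registry before anything is written, installs it as ~/.docker/config.json with owner-only permissions because the file holds a long-lived personal access token, and never echoes the file contents, so the token does not end up in /var/log/eb-engine.log. The chmod +x and the confighooks symlink from the answer still apply.

```bash
#!/bin/bash
# .platform/hooks/predeploy/docker_login
# Added example hook (not the answerer's script). Assumptions: bucket/key names
# from the question, instance profile with s3:GetObject on the object, hook runs
# as the user that later runs `docker-compose up -d`, /opt/elasticbeanstalk
# present only on EB instances.
set -euo pipefail

DOCKERCFG_BUCKET="${DOCKERCFG_BUCKET:-gitlab-dockercfg}"   # bucket name from the question (assumed)
DOCKERCFG_KEY="${DOCKERCFG_KEY:-.dockercfg}"               # object key from the question (assumed)
REGISTRY="${REGISTRY:-registry.gitlab.com}"
DOCKER_CONFIG_DIR="${DOCKER_CONFIG_DIR:-${HOME:-/root}/.docker}"

# Return 0 if FILE is a docker config.json carrying a non-empty "auth" for REGISTRY.
# With python3 available the file is parsed as JSON, so a truncated or misquoted
# object is rejected before docker ever reads it; otherwise a grep check is used.
check_dockercfg() {
  local file="$1" registry="$2"
  if command -v python3 >/dev/null 2>&1; then
    python3 - "$file" "$registry" <<'PY'
import json, sys
path, registry = sys.argv[1], sys.argv[2]
try:
    with open(path) as f:
        cfg = json.load(f)
except (OSError, ValueError):
    sys.exit(1)
entry = cfg.get("auths", {}).get(registry, {})
sys.exit(0 if isinstance(entry, dict) and entry.get("auth") else 1)
PY
  else
    grep -q "\"$registry\"" "$file" && grep -q '"auth"' "$file"
  fi
}

# Install SRC as DIR/config.json: directory 0700, file 0600, so the personal
# access token inside is not readable by other users on the instance.
install_dockercfg() {
  local src="$1" dir="$2"
  mkdir -p "$dir"
  chmod 700 "$dir"
  install -m 0600 "$src" "$dir/config.json"
}

# Download to a private temp file (mktemp creates it 0600), validate, install.
# Only a status line is printed, never the file contents.
fetch_and_install() {
  local tmp
  tmp="$(mktemp)"
  trap 'rm -f "$tmp"' EXIT
  aws s3 cp "s3://$DOCKERCFG_BUCKET/$DOCKERCFG_KEY" "$tmp" --only-show-errors
  if ! check_dockercfg "$tmp" "$REGISTRY"; then
    echo "docker_login: s3://$DOCKERCFG_BUCKET/$DOCKERCFG_KEY has no auth entry for $REGISTRY" >&2
    return 1
  fi
  install_dockercfg "$tmp" "$DOCKER_CONFIG_DIR"
  echo "docker_login: installed $DOCKER_CONFIG_DIR/config.json for $REGISTRY"
}

# Do the real fetch only on an Elastic Beanstalk instance (assumed marker directory).
if [ -d /opt/elasticbeanstalk ]; then
  fetch_and_install
fi
```

DOCKERCFG_BUCKET, DOCKERCFG_KEY, REGISTRY and DOCKER_CONFIG_DIR can be overridden from the environment, so the same hook serves a staging registry without editing the file. Failing the deployment when the config has no entry for the registry is deliberate: it turns the silent "denied: access forbidden" from the question into an error that names the bucket, key and registry that were actually used.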

