AWS EB docker-compose deployment from private registry access forbidden


Problem description

I'm trying to get docker-compose deployment to AWS Elastic Beanstalk working, in which the docker images are pulled from a private registry hosted by GitLab.

The strange thing is that the initial deployment works perfectly; it pulls the image from the private registry and starts the containers using docker-compose, and the webpage (served by Django) is accessible through the host.

Deploying a new version using the same docker-compose and the same docker image will result in an error while pulling the docker image:

2021/03/16 09:28:34.957094 [ERROR] An error occurred during execution of command [app-deploy] - [Run Docker Container]. Stop running the command. Error: failed to run docker containers: Command /bin/sh -c docker-compose up -d failed with error exit status 1. Stderr:Building with native build. Learn about native build in Compose here: https://docs.docker.com/go/compose-native-build/
Creating network "current_default" with the default driver
Pulling redis (redis:alpine)...
Pulling mysql (mysql:5.7)...
Pulling project.dockertest(registry.gitlab.com/company/spikes/dockertest:latest)...
Get https://registry.gitlab.com/v2/company/spikes/dockertest/manifests/latest: denied: access forbidden
 

2021/03/16 09:28:34.957104 [INFO] Executing cleanup logic

Setup

AWS Elastic Beanstalk 64bit Amazon Linux 2/3.2

GitLab registry credentials are stored in an S3 bucket, with the filename .dockercfg and the following content:

{
        "auths": {
                "registry.gitlab.com": {
                        "auth": "base64 encoded username:personal_access_token"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.03.1-ce (linux)"
        }
}

The repository contains a v3 Dockerrun.aws.json file to refer to the credential file in S3:

{
  "AWSEBDockerrunVersion": "3",
  "Authentication": {
    "bucket": "gitlab-dockercfg",
    "key": ".dockercfg"
  }
}


Set up docker-compose.yml to use a service with a private docker image (which can be pulled with the credentials set up in the dockercfg within S3).

Create a new application that uses the docker platform.

eb init testapplication --platform=docker --region=eu-west-1

Note: the region must be the same as the S3 bucket containing the dockercfg.

Initial deployment (this succeeds):

eb create testapplication-test --branch_default --cname testapplication-test --elb-type=application --instance-types=t2.micro --min-instance=1 --max-instances=4

The initial deployment shows that the image is available and can be started:

2021/03/16 08:58:07.533988 [INFO] save docker tag command: docker tag 5812dfe24a4f redis:alpine
2021/03/16 08:58:07.533993 [INFO] save docker tag command: docker tag f8fcde8b9ae2 mysql:5.7
2021/03/16 08:58:07.533998 [INFO] save docker tag command: docker tag 1dd9b65d6a9f registry.gitlab.com/company/spikes/dockertest:latest
2021/03/16 08:58:07.534010 [INFO] Running command /bin/sh -c docker rm `docker ps -aq`

Without changing anything in the local repository or the remote docker image on the private registry, let's do a redeployment, which will trigger the error:

eb deploy testapplication-test

This will fail with the following output:

...
2021-03-16 10:02:28    INFO    Command execution completed on all instances. Summary: [Successful: 0, Failed: 1].
2021-03-16 10:02:29    ERROR   Unsuccessful command execution on instance id(s) 'i-0dc445d118ac14b80'. Aborting the operation.
2021-03-16 10:02:29    ERROR   Failed to deploy application.
ERROR: ServiceError - Failed to deploy application.

And the logs of the instance show (/var/log/eb-engine.log):

Pulling redis (redis:alpine)...
Pulling mysql (mysql:5.7)...
Pulling project.dockertest (registry.gitlab.com/company/spikes/dockertest:latest)...
Get https://registry.gitlab.com/v2/company/spikes/dockertest/manifests/latest: denied: access forbidden
 

2021/03/16 10:02:25.902479 [INFO] Executing cleanup logic

Steps I tried to debug or resolve the problem

  • Renaming dockercfg to .dockercfg on S3 (a possible fix mentioned on the internet)
  • Using the "old" docker config format instead of the one generated by docker 1.7+. But I later found that Amazon Linux 2 instances are compatible with the new format as well as with Dockerrun v3
  • Using a malformed dockercfg on S3 makes the deployment fail with an error about the malformed file (so it actually does something with the dockercfg in S3)

Documentation

I'm out of debug options, and I've no idea where to look any further to debug this problem. Perhaps someone can see what is going wrong here?

Recommended answer

First of all, the issue described above is a bug confirmed by Amazon. To get the deployment working on our side, we've contacted Amazon support. They have a fix in place which should be released this month, so keep an eye on the changelog of the Elastic Beanstalk platform: https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/relnotes.html

Although the upcoming release should have the fix, there is a workaround available to get the docker-compose deployment working.

Elastic Beanstalk allows hooks to be executed within the deployment, which can be used to fetch the .docker.cfg from an S3 bucket to authenticate against the private registry. To do so, create the following file and directories from the root of the project:

File location: .platform/hooks/predeploy/docker_login

#!/bin/bash
aws s3 cp s3://{{bucket_name_to_use}}/.dockercfg ~/.docker/config.json

Important: add execution rights to this file (for example: chmod +x .platform/hooks/predeploy/docker_login)

To support instance configuration changes, please symlink the hooks directory to confighooks:

ln -s .platform/hooks/ .platform/confighooks/

Updating the configuration requires the .dockercfg credentials to be fetched too.

This should enable continuous deployments to the same EB instance without the authentication errors, because the hook will be executed before the docker image pulling.

Some background: the docker daemon reads credentials from ~/.docker/config by default on traditional Linux systems. On the initial deploy this file will exist on the Elastic Beanstalk instance. On the next deployment this file is removed. Unfortunately, on the next deployment the .dockercfg is not refetched, therefore the docker daemon does not have the correct credentials to authenticate with.
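The two-line hook in the answer works, but it copies a file holding a personal access token with whatever permissions `aws s3 cp` leaves on it and silently continues if the copy fails or the file is not the config the registry needs. The script below is an added example, not the answer's own hook or anything shipped by Elastic Beanstalk: a hardened variant of `.platform/hooks/predeploy/docker_login` that fails the deployment loudly when the credentials cannot be fetched, checks that the file actually carries an `auths` entry for the registry from the question (`registry.gitlab.com`), and installs it as `config.json` readable by root only. The bucket name is a placeholder to be replaced; `DOCKERCFG_BUCKET`, `REGISTRY_HOST` and `DOCKER_CONFIG_DIR` are names assumed here, not Elastic Beanstalk settings.

```bash
#!/bin/bash
# Added example (not the answer's own hook): a hardened variant of
# .platform/hooks/predeploy/docker_login. The bucket name is a placeholder
# (assumption); the registry host is the one from the question.
set -euo pipefail

DOCKERCFG_BUCKET="${DOCKERCFG_BUCKET:-REPLACE_WITH_BUCKET_NAME}"  # placeholder; set via an EB environment property or edit here
REGISTRY_HOST="${REGISTRY_HOST:-registry.gitlab.com}"
# Platform hooks run as root on Amazon Linux 2, so $HOME/.docker resolves to
# /root/.docker, where the docker CLI invoked by docker-compose reads config.json.
DOCKER_CONFIG_DIR="${DOCKER_CONFIG_DIR:-$HOME/.docker}"

# install_docker_config SRC DEST_DIR REGISTRY
# Checks that SRC is non-empty and contains an "auths" key for REGISTRY, then
# installs it as DEST_DIR/config.json with owner-only permissions (the file
# holds a personal access token). Returns 1 without touching DEST_DIR otherwise.
install_docker_config() {
    src="$1"
    dest_dir="$2"
    registry="$3"
    if [ ! -s "$src" ]; then
        echo "docker_login: $src is missing or empty" >&2
        return 1
    fi
    # Presence check only (fixed-string grep, no jq or python dependency): the
    # registry host must appear as a JSON key, i.e. quoted and followed by a colon.
    if ! grep -Fq "\"${registry}\":" "$src"; then
        echo "docker_login: no auths entry for ${registry} in $src" >&2
        return 1
    fi
    install -d -m 0700 "$dest_dir"
    install -m 0600 "$src" "$dest_dir/config.json"
}

# fetch_and_install: download the credentials file from S3 into a temporary
# file that is removed on exit, then install it. Any failure aborts the
# deployment with a clear message instead of a later "denied: access forbidden".
fetch_and_install() {
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    aws s3 cp "s3://${DOCKERCFG_BUCKET}/.dockercfg" "$tmp"
    install_docker_config "$tmp" "$DOCKER_CONFIG_DIR" "$REGISTRY_HOST"
}

# Only fetch when executed as the hook itself (the file is named docker_login),
# so the functions above can be sourced and exercised without S3 access.
case "${0##*/}" in
    docker_login) fetch_and_install ;;
esac
```

Because Elastic Beanstalk runs the hook as root, the 0600 mode keeps the token out of reach of the application user inside the containers' host; the `grep` check catches the case the question's author hit when testing with a malformed file, where the deployment only fails much later during `docker-compose up`.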
