How do I use insecure docker registries with Amazon EC2 Container Service (ECS)?

Views: 212

Problem description

We use a Docker registry inside our AWS VPC that is not accessible externally. We want to be able to launch tasks in ECS from this registry, however we see that the service is only ever at a PENDING state because the Docker daemon isn't able to access the registry.

I have found a sort of workaround by changing the launch configuration's user data but it doesn't feel like I'm doing this the best way:

#!/bin/bash
# Register this instance with the ECS cluster
echo ECS_CLUSTER=MY_CLUSTER_NAME >> /etc/ecs/ecs.config
# Tell the Docker daemon to allow the plain-HTTP registry
echo OPTIONS=--insecure-registry=insecure.registry.hostname:5000 > /etc/sysconfig/docker
# Restart the daemon so the new options take effect, then bring the agent back up
service docker restart
docker start ecs-agent

This works perfectly, and I can see my task is running as expected. I just don't think this is necessarily the best way to do it.

AWS pointed me towards this article (https://aws.amazon.com/blogs/aws/ec2-container-service-ecs-update-access-private-docker-repos-mount-volumes-in-containers/) which discusses authenticating with private registries, but I'm not looking to authenticate, just to have Docker ignore the fact that I'm using an insecure (ie not HTTPS) registry.

Does anyone have a better solution?

Thanks

Recommended answer

I've spoken further with AWS and have the following solution:

You can do something like set docker options (including --insecure-registry) with a user-data script that executes on boot. For example, --insecure-registry can be set with a script like the following:

#cloud-config
bootcmd:
 # cloud-init-per <frequency> <name> <command...>: write the daemon options once
 # per instance, before the docker service starts, so no restart is needed.
 # (The command must be passed to cloud-init-per, not run inside $(...).)
 - cloud-init-per instance docker_options sh -c 'echo "OPTIONS=\"--insecure-registry=hostname:5000\"" > /etc/sysconfig/docker'

This way avoids the previous solution by not having the docker restart.

Regarding the insecure method, if we use a self-signed cert we can leverage this by either adding the certificate to the system CA trust store or to Docker's special trust store.

On the Amazon Linux AMI and ECS-optimized AMI, the system CA trust store is either located at /usr/share/pki/ca-trust-source or /usr/share/pki/ca-trust-source/anchors (depending on the format, see /usr/share/pki/ca-trust-source/README for details) and you will need to run the update-ca-trust command after adding the certificate. Docker's documentation on insecure registries provides more detail on this:

https://docs.docker.com/reference/commandline/cli/#insecure-registries
https://github.com/docker/docker/blob/master/docs/sources/articles/certificates.md

I hope that helps others as well
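The answer mentions two routes: --insecure-registry, which makes the daemon accept plain HTTP and skip certificate checks for that host, and trusting the registry's self-signed certificate, which keeps TLS verification on. The following shell helpers are an added example, not code from the question, the answer or AWS: they install a registry CA into Docker's per-registry trust store (/etc/docker/certs.d/<host:port>/ca.crt) and the Amazon Linux anchors directory named in the answer, then remove the --insecure-registry flag from /etc/sysconfig/docker once the CA is in place. The registry name registry.example.internal:5000 is a constructed placeholder, and every path can be overridden with an environment variable so the functions can be tried against a scratch directory before being used in user data.

```shell
#!/bin/sh
# Added example (not from the question or answer): helpers an ECS user-data
# script can call to trust a self-signed registry certificate instead of
# disabling TLS verification with --insecure-registry.
set -eu

# Hypothetical registry host:port (constructed value; override via env).
REGISTRY="${REGISTRY:-registry.example.internal:5000}"
# Docker's per-registry trust store and the Amazon Linux CA anchors directory
# from the answer. Overridable so the functions can be tested in a scratch dir.
DOCKER_CERTS_D="${DOCKER_CERTS_D:-/etc/docker/certs.d}"
CA_ANCHORS="${CA_ANCHORS:-/usr/share/pki/ca-trust-source/anchors}"
SYSCONFIG_DOCKER="${SYSCONFIG_DOCKER:-/etc/sysconfig/docker}"

# Place the registry CA where Docker looks for it: certs.d/<host:port>/ca.crt.
# Docker then verifies the registry's certificate against this CA, so plain
# HTTP and mismatched certificates are still rejected.
install_registry_ca() {
  ca_pem="$1"
  dest="$DOCKER_CERTS_D/$REGISTRY"
  mkdir -p "$dest"
  install -m 0644 "$ca_pem" "$dest/ca.crt"
}

# Also add the CA to the system trust store (used by curl, the ECS agent, ...).
# update-ca-trust must run afterwards, as the answer notes; it is only invoked
# when writing to the real anchors directory.
install_system_ca() {
  ca_pem="$1"
  mkdir -p "$CA_ANCHORS"
  install -m 0644 "$ca_pem" "$CA_ANCHORS/$(echo "$REGISTRY" | tr ':' '_').crt"
  if [ "$CA_ANCHORS" = /usr/share/pki/ca-trust-source/anchors ] \
     && command -v update-ca-trust >/dev/null 2>&1; then
    update-ca-trust
  fi
}

# Returns 0 when the daemon config still bypasses TLS verification for this
# registry, i.e. carries --insecure-registry=<host:port>.
insecure_registry_enabled() {
  [ -f "$SYSCONFIG_DOCKER" ] \
    && grep -q -- "--insecure-registry=$REGISTRY" "$SYSCONFIG_DOCKER"
}

# Strip the --insecure-registry flag for this registry from OPTIONS, keeping
# any other daemon options on the line. Safe to run repeatedly.
drop_insecure_registry_flag() {
  [ -f "$SYSCONFIG_DOCKER" ] || return 0
  tmp="$SYSCONFIG_DOCKER.tmp"
  sed -e "s/--insecure-registry=$REGISTRY *//g" -e 's/ *"$/"/' \
    "$SYSCONFIG_DOCKER" > "$tmp"
  mv "$tmp" "$SYSCONFIG_DOCKER"
}

# Example user-data usage, after the CA PEM has been fetched to /tmp/registry-ca.pem:
#   install_registry_ca /tmp/registry-ca.pem
#   install_system_ca   /tmp/registry-ca.pem
#   drop_insecure_registry_flag
```

The order matters: the CA goes into certs.d first, so that pulls keep working the moment the --insecure-registry flag is dropped, and a daemon restart (or the cloud-init bootcmd approach from the answer) is still required for the changed OPTIONS line to be picked up.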
