How to use insecure Docker registries with Amazon EC2 Container Service (ECS)?

We run a Docker registry inside our VPC that is not reachable from the outside. We want to run ECS tasks from images in this registry, but the task only ever reaches the PENDING state, because the Docker daemon cannot access the registry.

I found a kind of workaround by modifying the instance user data, but it doesn't seem to me that I am doing this in the best way:

    #!/bin/bash
    # Join the instance to the ECS cluster
    echo ECS_CLUSTER=MY_CLUSTER_NAME >> /etc/ecs/ecs.config
    # Tell the Docker daemon to talk plain HTTP to the registry
    echo OPTIONS=--insecure-registry=insecure.registry.hostname:5000 > /etc/sysconfig/docker
    # Restart Docker to pick up the new options, then start the ECS agent
    service docker restart
    docker start ecs-agent

This works fine, and I see that my task runs as expected. I just don't think this is anywhere near the best way to do it.

AWS pointed me to this article, which discusses authentication with private registries, but I'm not looking for authentication, just for Docker to ignore the fact that I'm using an insecure (i.e. non-HTTPS) registry.

Does anyone have a better solution?

Thanks.

+6

1 answer

I have already spoken with AWS and have the following solution:

You can set Docker daemon options (including --insecure-registry) with a user-data script that runs at boot time. For example, --insecure-registry can be set with a script like this:

    #cloud-config
    bootcmd:
     # cloud-init-per takes <frequency> <name> <command...>; bootcmd runs before the
     # docker service starts, so the daemon reads the new OPTIONS on its first start
     - cloud-init-per instance docker-insecure-registry sh -c 'echo OPTIONS=\"--insecure-registry=hostname:5000\" > /etc/sysconfig/docker'

This method achieves what the previous solution does without restarting Docker.

As for the insecure-registry approach: if you use a self-signed certificate, you can trust it instead by adding the certificate to the system CA trust store or to Docker's own trust store.

On the Amazon Linux AMI and the ECS-optimized AMI, the system CA trust store is in either /usr/share/pki/ca-trust-source or /usr/share/pki/ca-trust-source/anchors (depending on the format; see /usr/share/pki/ca-trust-source/README for details), and you need to run update-ca-trust after adding the certificate. The Docker documentation on insecure registries gives more details:

https://docs.docker.com/reference/commandline/cli/#insecure-registries
https://github.com/docker/docker/blob/master/docs/sources/articles/certificates.md

I hope this also helps other people.

+7
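An added example, not code from the question or the answer above, that puts the two routes the answer describes into one script: the secure route (install the registry's CA so the daemon keeps verifying TLS) and the fallback (add --insecure-registry without throwing away the OPTIONS the AMI already sets, which the echo > /etc/sysconfig/docker one-liners above do). It assumes the Amazon Linux layout (/etc/sysconfig/docker, /etc/pki/ca-trust/source/anchors with update-ca-trust) and Docker's per-registry store /etc/docker/certs.d/<host:port>/ca.crt; the registry name registry.internal:5000, the script name and the optional root-prefix parameter (there only so the functions can be exercised against a scratch directory) are hypothetical.

```shell
#!/bin/bash
# Added example (not code from the question or the answer above).
# Two ways to let the Docker daemon on an ECS container instance pull from
# a private registry:
#   trust    - install the registry's CA certificate so TLS stays on
#   insecure - fallback: add --insecure-registry without clobbering OPTIONS
# Assumed layout (Amazon Linux / ECS-optimized AMI): /etc/sysconfig/docker,
# /etc/pki/ca-trust/source/anchors + update-ca-trust, and Docker's own
# per-registry store /etc/docker/certs.d/<host:port>/ca.crt.
# The optional root prefix only exists so the functions can be exercised
# against a scratch directory instead of the real filesystem.
set -eu

# True if the file carries at least one PEM certificate block.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Install the CA for registry host:port into Docker's per-registry trust
# directory and the system anchors. root is a prefix ("" on a real host);
# update-ca-trust is only run when writing to the real filesystem.
install_registry_ca() {
  local registry="$1" cert="$2" root="${3:-}"
  is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
  local docker_dir="$root/etc/docker/certs.d/$registry"
  local anchors="$root/etc/pki/ca-trust/source/anchors"
  mkdir -p "$docker_dir" "$anchors"
  install -m 0644 "$cert" "$docker_dir/ca.crt"
  install -m 0644 "$cert" "$anchors/registry-$(printf '%s' "$registry" | tr ':' '_').crt"
  [ -n "$root" ] || update-ca-trust
}

# Fallback: append --insecure-registry=host:port to the OPTIONS line of the
# sysconfig file, keeping whatever options are already there (the AMI ships
# defaults that "echo ... > /etc/sysconfig/docker" throws away). Idempotent.
add_insecure_registry() {
  local registry="$1" sysconfig="$2"
  local flag="--insecure-registry=$registry"
  touch "$sysconfig"
  grep -q -- "$flag" "$sysconfig" && return 0
  if grep -q '^OPTIONS=' "$sysconfig"; then
    local new; new=$(mktemp)
    sed "s|^OPTIONS=\"\(.*\)\"\$|OPTIONS=\"\1 $flag\"|" "$sysconfig" > "$new"
    mv "$new" "$sysconfig"
  else
    echo "OPTIONS=\"$flag\"" >> "$sysconfig"
  fi
}

# Print the OPTIONS value the daemon would see (the init script sources the file).
docker_options() {
  ( . "$1" && printf '%s\n' "${OPTIONS:-}" )
}

# Usage on the instance, as root (e.g. from a user-data script):
#   ./registry-trust.sh trust registry.internal:5000 /tmp/registry-ca.pem
#   ./registry-trust.sh insecure registry.internal:5000
if [ "$#" -gt 0 ]; then
  case "$1" in
    trust)    install_registry_ca "$2" "$3" ;;
    insecure) add_insecure_registry "$2" /etc/sysconfig/docker ;;
    *) echo "usage: $0 trust REGISTRY CERT | insecure REGISTRY" >&2; exit 2 ;;
  esac
fi
```

The trust route needs no daemon flag at all: Docker looks in /etc/docker/certs.d/<host:port>/ and the system store when it opens the TLS connection, so only the CA file has to be in place before the first pull. The insecure route changes daemon options, so if the script runs after Docker has already started (a user-data shell script, as in the question) the daemon still has to be restarted; running it from a cloud-config bootcmd, as the answer shows, avoids that.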

Source: https://habr.com/ru/post/985673/
