In this blog post I will briefly cover ECS and ECR, the Docker-based AWS solution for automated Docker container deployment.
Both services are tightly related, as ECR stores the images and manages the deployment and permissions on the Docker repositories, and ECS is a scalable EC2-based cluster service to run and scale Docker containers.
ECR - Elastic Container Registry
Description
As the official AWS docs say:
Amazon EC2 Container Registry (Amazon ECR) is a managed AWS Docker registry service that is secure,
scalable, and reliable. Amazon ECR supports private Docker repositories with resource-based permissions
using AWS IAM so that specific users or Amazon EC2 instances can access repositories and images.
Developers can use the Docker CLI to push, pull, and manage images.
Components
Amazon ECR contains the following components:
- Registry
An Amazon ECR registry is provided to each AWS account; you can create image repositories in
your registry and store images in them.
- Authorization token
Your Docker client needs to authenticate to Amazon ECR registries as an AWS user before it can
push and pull images. The AWS CLI get-login command provides you with authentication credentials
to pass to Docker.
- Repository
An Amazon ECR image repository contains your Docker images.
- Repository policy
You can control access to your repositories and the images within them with repository policies.
- Image
You can push and pull Docker images to your repositories. You can use these images locally on your
development system, or you can use them in Amazon ECS task definitions.
Registry Concepts
You can use Amazon ECR registries to host your images in a highly available and scalable architecture,
allowing you to deploy containers reliably for your applications. You can use your registry to manage
image repositories and Docker images. Each AWS account is provided with a single (default) Amazon
ECR registry.
• The URL for your default registry is
https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com.
• By default, you have read and write access to the repositories and images you create in your default
registry.
• You can authenticate your Docker client to a registry so that you can use the docker push and docker
pull command to push and pull images to and from the repositories in that registry.
• Repositories can be controlled with both IAM user access policies and repository policies.
You can manage your repositories through the CLI, API or Management Console, but for some image-related actions you would prefer the Docker CLI. The Docker CLI does not authenticate to AWS by default, so you will need to use the get-login command from the AWS CLI to get a Docker-compatible auth string.
Repository Concepts
Amazon ECR provides API operations to create, monitor, and delete repositories and set repository
permissions that control who can access them. You can perform the same actions in the Repositories
section of the Amazon ECS console. Amazon ECR also integrates with the Docker CLI allowing you to
push and pull images from your development environments to your repositories.
- By default, you have read and write access to the repositories you create in your default registry
(aws_account_id.dkr.ecr.us-east-1.amazonaws.com).
- Repository names can support namespaces, which you can use to group similar repositories. For
example if there are several teams using the same registry, Team A could use the team-a namespace
while Team B uses the team-b namespace. Each team could have their own image called web-app,
but because they are each prefaced with the team namespace, the two images can be used
simultaneously without interference. Team A's image would be called team-a/web-app, while Team
B's image would be called team-b/web-app.
- Repositories can be controlled with both IAM user access policies and repository policies.
Images
Amazon ECR stores Docker images in image repositories. You can use the Docker CLI to push and pull
images from your repositories.
Important
Amazon ECR users require permissions to call ecr:GetAuthorizationToken before they
can authenticate to a registry and push or pull any images from any Amazon ECR repository.
Using ECR images with ECS
You can use your Amazon ECR images with Amazon ECS, but you need to satisfy some prerequisites:
• Your container instances must be using at least version 1.7.0 of the Amazon ECS container agent.
The latest version of the Amazon ECS-optimized AMI supports Amazon ECR images in task definitions.
• The Amazon ECS container instance role (ecsInstanceRole) that you use with your container
instances must possess the following IAM policy permissions for Amazon ECR.
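An added example, not from the AWS documentation or the original post: a Python check that an IAM identity policy meant only for pulling ECR images (such as the one attached to ecsInstanceRole) grants the pull actions and nothing broader, including the ecr:GetAuthorizationToken requirement noted above. The pull action set, the function names and the sample policies (placeholder account id and repository ARN) are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Assumption: the ECR actions a pull-only principal needs (AWS's documented pull set).
PULL_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
}

def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_pull_policy(policy_json):
    """Return (missing, excess, notes) for an identity policy meant for pulls only."""
    granted, excess, notes = set(), set(), []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            pattern = action.lower()  # IAM action names are case-insensitive
            if pattern != "*" and not pattern.startswith("ecr:"):
                continue  # other services (e.g. ecs:) are out of scope here
            covered = {a for a in PULL_ACTIONS if fnmatchcase(a.lower(), pattern)}
            if "*" in pattern or not covered:
                excess.add(action)  # wildcard or a non-pull action such as push
            if "ecr:GetAuthorizationToken" in covered and "*" not in resources:
                # The token call is registry-wide; a repository ARN never matches it.
                covered.discard("ecr:GetAuthorizationToken")
                notes.append('ecr:GetAuthorizationToken needs "Resource": "*"')
            granted |= covered
    return sorted(PULL_ACTIONS - granted), sorted(excess), notes

# Constructed sample policies (account id and repository ARN are placeholders).
REPO = "arn:aws:ecr:us-east-1:111122223333:repository/team-a/web-app"
PULL_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(PULL_ACTIONS), "Resource": "*"}]})
TOO_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}]})
REPO_SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(PULL_ACTIONS), "Resource": REPO}]})

if __name__ == "__main__":
    for name in ("PULL_ONLY", "TOO_BROAD", "REPO_SCOPED"):
        print(name, audit_pull_policy(globals()[name]))
```

A policy that scopes every action to one repository ARN looks tighter but leaves the principal unable to authenticate, which is why REPO_SCOPED reports the token action as missing.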
Pricing
- You pay only for the storage used by your images.
- Data transfer IN is free of charge
- Data transfer OUT is charged in layers according to the amount of data transferred.
Service Limits
When to use ECS?
When you already have Docker images or use Docker for your applications, you can benefit from image storage, solid security control, automated deployment and integration with ECS.
ECS - Elastic Container Service
<to be continued>