Accessing private docker images #4
Comments
Unfortunately, Amazon ECS doesn't currently handle Docker auth. You can access private registries in the sense of private to your VPC, but that's not the best solution for everyone. Because of how Docker handles auth, just having a .dockercfg file is not sufficient because the authconfig is sent as part of the PullImage request to the daemon, and the daemon does not go out of its way to read the auth information from any other source (it's the Docker client which reads it). The agent absolutely should support this. We've been discussing the right way to do it and want to be sure we get it right both from the security perspective and the user perspective. How would you want this to work? For anyone interested in looking into this more deeply, here's where it would happen.
Not entirely sure what you meant in parts of your explanation, so I'll just try to explain why and how it might work out for us.
If we were to take a look at how the agent is installed, we have two options.
Not quite sure which one is better at this point, as we are not able to use ECS without having access to the private registries, which really makes it impossible for us to use at this time. If I had to submit userdata anyway to have the server be inside a specific cluster, I might as well specify some sort of auth config info at the same time. This can either be done by giving the agent an S3 key for accessing the config.json file, similar to how Elastic Beanstalk does it, or somehow dynamically created inside the userdata script code. The S3 key is probably a bit more secure, considering that we can restrict access to the file via IAM and the instance role when needed. S3 key access is also good because we can have the agent do a periodic refresh of the auth config file OR restart the agent to have it retrieve an updated config file upon relaunch. Doing this may resolve the disadvantage in option 1 specified above. Currently running instances continue to run without issue when agents are restarted (at least that's what I assume is the case), so it allows for gradual updates and changes without having to redo all the task definitions when credentials change. I'm thinking as I write, so do forgive the long blurbs.
Thanks for the suggestions and information about your use case. The feedback is appreciated and we're working to improve the customer experience during our preview.
This is fixed, I guess: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_agent.html#private-auth
The overarching issue is fixed, but the second option @asans mentions has not been addressed and I want to capture that as well. For clarity, I've opened a new issue, #28, specifically for that option, and I'm closing this one. @asans, if I missed any nuances of your suggestion then please add them on that issue. Thanks,
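The thread above makes two practical points: the Docker daemon never reads `.dockercfg` itself (the client sends the auth config with each pull request, so the agent has to carry the credentials), and the resolution linked in the comments is to hand the agent a dockercfg-style JSON blob through its own config. The following script is an added example and is not code from the issue, from the ECS agent, or from AWS; it assumes the `ECS_ENGINE_AUTH_TYPE=dockercfg` / `ECS_ENGINE_AUTH_DATA=...` settings described in the linked ECS agent documentation, and the registry names, e-mail and credentials in it are constructed placeholders. It reads a Docker client config in either the legacy `.dockercfg` layout or the newer `config.json` layout with an `auths` wrapper, verifies that every `auth` value really decodes to `user:password`, and emits the two lines for `/etc/ecs/ecs.config`.

```python
import base64
import json

# Constructed sample in the newer Docker config.json layout ("auths" wrapper).
# Credentials and registry names are made-up placeholders.
SAMPLE_CONFIG_JSON = json.dumps({
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"deploy-bot:s3cr3t-example").decode(),
            "email": "ops@example.com",
        },
        "registry.example.com": {
            "auth": base64.b64encode(b"ci:another-example").decode(),
        },
    }
})

# The same credentials in the legacy .dockercfg layout (registry map at top level).
LEGACY_DOCKERCFG = json.dumps(json.loads(SAMPLE_CONFIG_JSON)["auths"])


def load_docker_auths(text):
    """Return the registry -> entry map from either Docker client config layout."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("Docker config must be a JSON object")
    # config.json wraps the map in "auths"; the legacy .dockercfg is the map itself.
    return data.get("auths", data)


def decode_auth(entry):
    """Split a dockercfg 'auth' value, which is base64(user:password)."""
    raw = base64.b64decode(entry["auth"]).decode()
    user, sep, password = raw.partition(":")
    if not sep or not user:
        raise ValueError("auth field is not base64(user:password)")
    return user, password


def to_ecs_config(text):
    """Render the ECS agent settings that tell it to use dockercfg-style auth.

    Only the "auth" and "email" keys are forwarded, which is the dockercfg
    shape the agent expects (per the linked documentation); anything else in
    the Docker client config (e.g. "credsStore") is dropped.
    """
    auths = load_docker_auths(text)
    dockercfg = {}
    for registry, entry in auths.items():
        decode_auth(entry)  # fail fast on a malformed entry before writing secrets
        dockercfg[registry] = {k: v for k, v in entry.items() if k in ("auth", "email")}
    return (
        "ECS_ENGINE_AUTH_TYPE=dockercfg\n"
        "ECS_ENGINE_AUTH_DATA=" + json.dumps(dockercfg, separators=(",", ":")) + "\n"
    )


if __name__ == "__main__":
    # In practice the input would be fetched from an IAM-restricted S3 object
    # (the approach suggested in the thread) and the output appended to
    # /etc/ecs/ecs.config, which should be root-only since it holds secrets.
    print(to_ecs_config(SAMPLE_CONFIG_JSON), end="")
```

The output line contains registry passwords, so it belongs in a root-only `/etc/ecs/ecs.config` rather than in userdata: anything placed in userdata is readable by every process on the instance through the instance metadata endpoint, which is why the S3-plus-instance-role suggestion in the thread is the safer of the two options.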
fixed the additional-packages install to do a yum "localinstall" on all packages in the directory. Localinstall considers all rpm package files together as if they are being installed from a repo, and will correctly order the installation of the rpms if some of them have dependencies on each other.
I've been looking in the code and looking at ways on how ECS can access private images, but am unable to find any documentation (AWS documentation doesn't contain information on this either) about this.
Based on the description on the ECS product page, it indicates that this can be done. So where can I set the docker authentication for the ECS agent? Or I assume that this needs to be set inside .dockercfg file and somehow placed into the AMI image upon instance launching?
Or should ecs-agent actually support this?