2

We have Docker images hosted on Amazon ECR and the goal is to run them on EC2 instances using Docker Swarm. The services are configured in global mode so that they are automatically replicated on new nodes. An auto-scaling group can automatically add new EC2 instances to the swarm.

The problem is that Docker cannot pull the images from the ECR registry. Is there a way to tell Docker Swarm to run aws ecr get-login prior to pulling images, or is there a way to be permanently signed in to ECR while still using the IAM role for authentication to ECR?

Running aws ecr get-login at startup of the new nodes doesn't work either.

FYI: I'm not looking for --with-registry-auth, this works great when I manually update the service but not when AWS automatically adds new nodes.

P_W999
  • This is why I don't use ECR, and would rather use Docker Hub or Docker's open source registry :) – Bret Fisher Jan 25 '18 at 02:50
  • "Running aws ecr get-login at startup of the new nodes doesn't work either." Why does this not work? Are you giving the EC2 Instance role the privileges to pull and log into the registry? – strongjz Jan 30 '18 at 20:52
  • Tried it, I guess the startup script is not running as ec2-user but as root. – P_W999 Feb 27 '18 at 14:40

2 Answers

1

I had the same issue when using Docker Swarm and AWS auto-scaling enabled.

Solution: You need to run the following command periodically on all services.

docker service update -d -q --with-registry-auth service-name

Running aws ecr get-login at node startup won't work.

This blog post describes the issue and provides a complete solution on how to implement auto-login to ECR.

http://issamben.com/docker-swarm-ecr-auto-login/

sam ben
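The periodic refresh described in the answer above, as an added example that is not part of the original answer or the linked blog post: a script for a swarm manager that logs in to ECR with the instance role and re-sends the credentials to every service whose image comes from ECR. It assumes AWS CLI v2 (`aws ecr get-login-password` instead of `get-login`), an instance role allowed to obtain an ECR token and pull, and a cron job running as the user whose Docker config the CLI reads; the function names and the script path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): run on a swarm manager from cron.
# Assumes AWS CLI v2 and an instance role allowed to get an ECR token and pull.

# Print the registry host if the image lives in a private ECR repository.
ecr_registry_of() {
  host="${1%%/*}"
  case "$host" in
    *.dkr.ecr.*.amazonaws.com) printf '%s\n' "$host" ;;
    *) return 1 ;;
  esac
}

# Host layout is <account>.dkr.ecr.<region>.amazonaws.com, so region is field 4.
ecr_region_of() { printf '%s\n' "$1" | cut -d. -f4; }

# Log in once per registry, then push fresh auth to each service that uses it.
# Prints the number of services updated.
refresh_services() {
  updated=0 seen=""
  services=$(docker service ls --format '{{.Name}} {{.Image}}') || return 1
  while read -r name image; do
    registry=$(ecr_registry_of "$image") || continue   # skip non-ECR images
    case " $seen " in
      *" $registry "*) ;;                               # already logged in
      *) aws ecr get-login-password --region "$(ecr_region_of "$registry")" |
           docker login --username AWS --password-stdin "$registry" >/dev/null || return 1
         seen="$seen $registry" ;;
    esac
    docker service update -d -q --with-registry-auth "$name" >/dev/null || return 1
    updated=$((updated + 1))
  done <<EOF
$services
EOF
  printf '%s\n' "$updated"
}

# ECR tokens expire after 12 hours; a crontab entry such as
#   0 */6 * * * /usr/local/bin/ecr-refresh.sh run
# (path is a placeholder) keeps the stored credentials ahead of expiry.
if [ "${1:-}" = "run" ]; then refresh_services; fi
```

Passing the token through `--password-stdin` keeps it out of the process list and shell history.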
0

For anyone still looking for a solution, follow this article. This is a more stable solution. https://medium.com/@MahmoudGaballah/ecr-for-docker-swarm-fdea3a9b01b1