1

While deploying ECS using codepipeline like specified in aws official document, two docker image is pushing into ECR. One image contain both Commit id and latest tag and other image is untagged like specified below image.

enter image description here

In "buildspec.yml" file i can see, docker is pushing two image one with "latest tag and other one with commit id tag like given below

 - docker tag $REPOSITORY_URI:latest $REPOSITORY_URI:$IMAGE_TAG
 - COMMIT_HASH=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)
 - IMAGE_TAG=${COMMIT_HASH:=latest}
 - docker push $REPOSITORY_URI:latest
 - docker push $REPOSITORY_URI:$IMAGE_TAG

My question is

1) In ECR there must be two image one with "commit id" tag and other one with "latest" tag after the docker push complete. But in ECR, it is showing with wrong tag name, please check the above attached image.Why one image is showing with untagged ?

2) Why i need to push two image with commit id and latest tag, when my task definition is using only latest tag to build the container. Didn't i have to push only docker image with "latest" tag , why i need to push image with commit id tag ?

Sreeraju V
  • 381
  • 3
  • 16

2 Answers2

0

Are you sure both the lines are from the same docker push? I think what happened is that the second line was your previous :latest and when you pushed the new :latest the previous one became untagged.

Check the CodeBuild script output to verify that you really run two pushes, one with :latest and one with :${COMMIT_HASH}. Also I believe you have to tag the images with both revisions locally before pushing to ECR. But I haven't checked this...

This is what we do (our ${IMAGE_ID} contains the :${REVISION})...

docker tag ${IMAGE_ID} ${ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${IMAGE_ID}
docker push ${ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${IMAGE_ID}

Hope that helps :)

MLu
  • 23,798
  • 5
  • 54
  • 81
  • Answer too your first section: I checked these in fresh ECR Repository ,so there is no chance for any previous image there.Thanks – Sreeraju V May 22 '19 at 10:22
  • In aws official document they are specitying two docker push command. Like you say, we only need one push command with latest tag or either commit id. You are using ${IMAGE_ID} tag for it. Please check the link you can seee two push command : https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-cd-pipeline.html – Sreeraju V May 22 '19 at 10:48
  • @SreerajuV Did you do the tagging as shown in the doc you linked? `docker tag $REPOSITORY_URI:latest $REPOSITORY_URI:$IMAGE_TAG` - it's under the *build* section but not in your example above. – MLu May 22 '19 at 21:36
  • Yes, i am using tagging.Thanks updated the post. Can you please help me understand why two docker push required as mentioned in the aws document. – Sreeraju V May 23 '19 at 07:39
0

This has nothing to do with ECR. It's just the way that docker registries work.

(1) The code in question pushes the same image with two different tags, so it makes perfect sense that you see both latest and <commit-id> tags on the same image. MLu is correct in suggesting that you had some image on ECR already tagged latest. When you push a new image to a docker registry which has an older image with the same tag as the new one, the old one loses this tag and if it has no other tags, it becomes <untagged>. It is the same tagging behaviour as on your local machine (docker tag ...).

(2) If your task definition uses only latest tag then you don't need to push both tags to ECR. However, in more complex scenarios where you may want to deploy an image that was already built before (e.g. latest build has a bug and you want to revert), it saves build time. As you saw in (1), if you push a different image with tag latest the old one will become <untagged> if you don't have any other tags on it. In this case, you won't know which image to deploy. Commit id is just one option, you might want to tag your images with date or version, for example.

AlexanderF
  • 211
  • 1
  • 9