I'm trying to secure my containers, so I tried to run one of them – docker4x/meta-aws – as non-root. The new container didn't show up after recreating the environment. There is no evidence that it was even pulled.
How can I find the cause? Is there any log for CloudFormation?
Thank you so much for any suggestion!
Expected behavior
Running the containers as non-root. In this issue here I did a test with just one container – docker4x/meta-aws.
Actual behavior
I edited the CloudFormation template just for one container – docker4x/meta-aws, the respective meta-aws container didn't show up after recreating the environment, no docker4x/meta-aws image was pulled.
~ $ docker images -a
REPOSITORY TAG IMAGE ID CREATED SIZE
bash latest 16463e0c481e 4 days ago 15.2MB
nginx alpine ea1193fd3dde 2 weeks ago 20.6MB
docker.elastic.co/beats/packetbeat-oss 6.5.4 54b79e7ac554 7 months ago 344MB
docker.elastic.co/beats/metricbeat-oss 6.5.4 80016d2e733c 7 months ago 374MB
257866553523.dkr.ecr.eu-west-1.amazonaws.com/ocrex/meta-aws 18.06.1-ce-aws1 0cf94ec12b91 10 months ago 25.5MB
docker4x/guide-aws 18.06.1-ce-aws1 1f6a4619476d 10 months ago 208MB
docker4x/init-aws 18.06.1-ce-aws1 c531dc797731 10 months ago 207MB
docker4x/l4controller-aws 18.06.1-ce-aws1 5f0485509c51 10 months ago 17.7MB
docker4x/shell-aws 18.06.1-ce-aws1 3b11e5de24ce 10 months ago 119MB
Then, still on shell-aws, I tried to manually pull the Docker image but I get this error:
~ $ docker pull 257866553523.dkr.ecr.eu-west-1.amazonaws.com/ocrex/meta-aws:18.06.1-ce-aws1
Error response from daemon: Get https://257866553523.dkr.ecr.eu-west-1.amazonaws.com/v2/ocrex/meta-aws/manifests/18.06.1-ce-aws1: no basic auth credentials
But I'm able to pull if I login to ECR first:
~ $ export AWS_ECR_LOGIN=$(aws ecr get-login --region eu-west-1 --no-include-email)
~ $ $AWS_ECR_LOGIN
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/docker/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
~ $ docker pull 257866553523.dkr.ecr.eu-west-1.amazonaws.com/ocrex/meta-aws:18.06.1-ce-aws1
18.06.1-ce-aws1: Pulling from ocrex/meta-aws
f4900964ff56: Already exists
e82d40bcbc6a: Pull complete
ae3f2782d510: Pull complete
Digest: sha256:eb040257186efe5011b7710418f04df929f65190205ceb40bac8be5da71124ec
Status: Downloaded newer image for 257866553523.dkr.ecr.eu-west-1.amazonaws.com/ocrex/meta-aws:18.06.1-ce-aws1
Information
I added these lines to my CloudFormation template file:
I'm trying to secure my containers, so I tried to run one of them –
docker4x/meta-aws– as non-root. The new container didn't show up after recreating the environment. There is no evidence that it was even pulled.How can I find the cause? Is there any log for CloudFormation?
Thank you so much for any suggestion!
Expected behavior
Running the containers as non-root. In this issue here I did a test with just one container –
docker4x/meta-aws.Actual behavior
I edited the CloudFormation template just for one container –
docker4x/meta-aws, the respective meta-aws container didn't show up after recreating the environment, nodocker4x/meta-awsimage was pulled.Then, still on shell-aws, I tried to manually pull the Docker image but I get this error:
But I'm able to pull if I login to ECR first:
Information
I added these lines to my CloudFormation template file:
and I changed this line to take the docker image from our private repository:
This is the Dockerfile used to re-create the docker image on our private repository (
257866553523.dkr.ecr.eu-west-1.amazonaws.com/ocrex/meta-aws):Steps to reproduce the behavior