estesp / manifest-tool

Command line tool to create and query container image manifest list/indexes
Apache License 2.0

Guide or Usage for AWS Private ECR #241

Closed dev-whoan closed 9 months ago

dev-whoan commented 9 months ago

Hello, I'm trying to use a container image that exists in my private AWS ECR.

I tried setting ~/.aws/credentials with my AWS credentials, but it doesn't work.

I also set ~/.docker/config.json with the following JSON:

{
  "credStore": "ecr-login",
  "credHelpers": {
    "MY_ECR_REGISTRY": "ecr-login"
  }
}

What I tried:

$ manifest-tool push from-args --platforms linux/arm64,linux/amd64 \
  --template MY_ECR_REGISTRY:v1-ARCH \
  --target MY_ECR_REGISTRY:v1
time="2023-11-08T06:16:02Z" level=fatal msg="inspect of image \"MY_ECR_REGISTRY:v1-arm64\" failed with error: pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials"

Is there any guide or usage for private registry?

Please help. Thank you.

joaopaulosr95 commented 9 months ago

Check #192 #216

dev-whoan commented 9 months ago

@joaopaulosr95 Thanks, but I already read the post.

I think since the docker cred helper is installed in the manifest-tool container image, my configuration should work, and it doesn't.

joaopaulosr95 commented 9 months ago

You may need to add a --docker-cfg ~/.docker/config.json flag before the push command so it should call ecr-login properly. Also, are you running the manifest-tool binary locally or are you using the official docker image mplatform/manifest-tool:alpine?

Check this working example from one of my GitLab repos that was set up earlier today.

build:docker-merge-tags:
  stage: build
  image:
    name: mplatform/manifest-tool:alpine
    entrypoint: ["/bin/sh"]
  parallel:
    matrix:
    - VARIANT: [gpu, cpu]
  needs:
  - job: build:docker
    optional: true
  script:
  - echo "{\"credsStore\":\"ecr-login\"}" > config.json
  - ARCH="linux/amd64"
  - if [[ "${VARIANT}" == "gpu" ]]; then ARCH="$ARCH,linux/arm64"; fi
  - manifest-tool --docker-cfg config.json push from-args --platforms "${ARCH}"
    --template ${DOCKER_REGISTRY_URL}/${VAR_DOCKER_IMAGE}-${VARIANT}:ARCH-${RELEASE}
    --target ${DOCKER_REGISTRY_URL}/${VAR_DOCKER_IMAGE}-${VARIANT}:${RELEASE}
  - manifest-tool --docker-cfg config.json inspect ${DOCKER_REGISTRY_URL}/${VAR_DOCKER_IMAGE}-${VARIANT}:${RELEASE}
  <<: *docker-rules

Please assume that both AWS_ACCESS_ID and AWS_SECRET_ACCESS_KEY are provided as environment variables to this example.

dev-whoan commented 9 months ago

> You may need to add a --docker-cfg ~/.docker/config.json flag before the push command so it should call ecr-login properly. Also, are you running the manifest-tool binary locally or are you using the official docker image mplatform/manifest-tool:alpine?

lol, what I missed was that I thought the root directory for the container runner user would be root, so ~/.docker/config.json would be the same as /root/.docker/config.json.

I mounted it to /root/.docker/config.json as the default location, and now it works.

Also, adding --docker-cfg ~/.docker/config.json works.

Thanks @joaopaulosr95
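
Added example, not part of the thread or of manifest-tool's code: a Python preflight check for the kind of Docker config discussed above, reporting which credential helper would be selected for a registry and why a lookup can come back empty. It assumes the tool resolves helpers in Docker's documented order (per-registry credHelpers before credsStore); the registry hostname and all function names are constructed for illustration.

```python
import json
import os
import shutil

# Constructed sample shaped like the config in the question; hostname is made up.
REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
SAMPLE = {"credStore": "ecr-login", "credHelpers": {REGISTRY: "ecr-login"}}


def load_config(path="~/.docker/config.json"):
    """Load a Docker config; '~' expands from the HOME of the current user."""
    resolved = os.path.expanduser(path)
    if not os.path.isfile(resolved):
        raise FileNotFoundError(f"{resolved} (HOME={os.environ.get('HOME')})")
    with open(resolved, encoding="utf-8") as fh:
        return json.load(fh)


def select_helper(cfg, registry):
    """Docker's documented order: per-registry credHelpers, then credsStore."""
    helpers = cfg.get("credHelpers") or {}
    if registry in helpers:
        return helpers[registry], "credHelpers"
    if cfg.get("credsStore"):
        return cfg["credsStore"], "credsStore"
    if registry in (cfg.get("auths") or {}):
        return None, "auths"
    return None, "none"


def audit(cfg, registry):
    """Return (helper, source, findings) for one registry hostname."""
    findings = []
    if "credStore" in cfg:
        findings.append("key 'credStore' is not read; the documented key is 'credsStore'")
    for key in cfg.get("credHelpers") or {}:
        if "/" in key:
            findings.append(f"credHelpers key '{key}' should be a bare registry host")
    helper, source = select_helper(cfg, registry)
    if source == "none":
        findings.append(f"no credentials configured for {registry}")
    elif helper and shutil.which(f"docker-credential-{helper}") is None:
        findings.append(f"docker-credential-{helper} not found on PATH")
    return helper, source, findings


if __name__ == "__main__":
    for host in (REGISTRY, "registry.example.com"):
        print(host, audit(SAMPLE, host))
```

To check a real file, pass the same path given to --docker-cfg, for example `audit(load_config("config.json"), "<registry host>")`; a missing file raises with the resolved path and HOME, which is the mismatch that came up in this thread.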