ECR and ECS
A registry is a storage location for Docker container images in AWS. It is a logical namespace that can contain multiple repositories. A repository is a collection of related Docker container images within a registry. It stores different versions (tags) of container images. A repository is where one can push, pull, and manage the lifecycle of Docker images.
The URI is used to reference the repository's images when creating containers on ECS clusters. Format: <account-id>.dkr.ecr.<region>.amazonaws.com/<repo-name>
The Tag immutability column lists its status. If tag immutability is enabled, image pushes with pre-existing tags are prevented from overwriting the images.
The Encryption type column lists the encryption properties of the repository. It shows the default encryption type, such as AES-256, or that KMS encryption is enabled.
The Pull through cache column lists its status. If the Pull through cache status is Active, repositories from an external public repository are cached in the private repository.
The Permissions section lets you apply a registry policy to grant permissions to an AWS principal at the private registry level. These policies scope access to the Replication and Pull through cache configuration features of the private registry.
The Pull through cache configuration lets you set pull through cache rules for the repository. The Replication configuration lets you set rules to manage cross-region and cross-account repository replication.
The Scanning configuration has two options:
Basic scanning is a free service that allows manual scans and scans on push of images in the registry.
Enhanced scanning provides automated continuous scanning that identifies vulnerabilities in both operating systems and programming language packages.
The Public tab lists the repositories that are publicly accessible from this account. A unique default alias is added to the repository name at creation. It identifies this repository among the multitude of public repositories on AWS.
To Push Docker Images to ECR
Tag Docker Image:
Login to ECR: Authenticate Docker to your ECR registry:
Push the Image: Push the tagged image to ECR:
Pull the Image:
docker pull <aws_account_id>.dkr.ecr.<region>.amazonaws.com/your-repository:your-tag
Example:
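The tag, login, push and pull steps above as an added example that is not part of the original page: it prints the commands for review instead of running them. The account ID, region, repository and tag used with it are constructed placeholders, the function names are hypothetical, and it assumes the local image is already built under the same <repo>:<tag> name.

```shell
#!/bin/sh
# Added example (not from the original page): the tag, login, push and pull
# steps as a command plan. Account ID, region, repo and tag are constructed.

# Registry host, in the format above: <account-id>.dkr.ecr.<region>.amazonaws.com
ecr_registry() {  # usage: ecr_registry <account-id> <region>
    case "$1" in ''|*[!0-9]*) echo "bad account id" >&2; return 1 ;; esac
    [ "${#1}" -eq 12 ] || { echo "account id must be 12 digits" >&2; return 1; }
    case "$2" in ''|*[!a-z0-9-]*) echo "bad region" >&2; return 1 ;; esac
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Full image reference. Repository and tag are limited to the characters ECR
# and Docker accept, so no shell metacharacters can reach the printed plan.
ecr_image() {  # usage: ecr_image <account-id> <region> <repo> <tag>
    reg=$(ecr_registry "$1" "$2") || return 1
    case "$3" in ''|*[!a-z0-9._/-]*) echo "bad repository name" >&2; return 1 ;; esac
    case "$4" in ''|[-.]*|*[!A-Za-z0-9_.-]*) echo "bad tag" >&2; return 1 ;; esac
    printf '%s/%s:%s\n' "$reg" "$3" "$4"
}

# Print the commands for one workflow: "push" (tag, login, push) or "pull".
ecr_plan() {  # usage: ecr_plan push|pull <account-id> <region> <repo> <tag>
    img=$(ecr_image "$2" "$3" "$4" "$5") || return 1
    reg=${img%%/*}
    # The token goes to docker over stdin, so it never appears in argv or history.
    login="aws ecr get-login-password --region $3 | docker login --username AWS --password-stdin $reg"
    case "$1" in
        push) printf '%s\n' "docker tag $4:$5 $img" "$login" "docker push $img" ;;
        pull) printf '%s\n' "$login" "docker pull $img" ;;
        *) echo "usage: ecr_plan push|pull <account-id> <region> <repo> <tag>" >&2; return 1 ;;
    esac
}

# With arguments, print the plan; review it, then pipe it to `sh -e` to run it.
if [ "$#" -ge 5 ]; then ecr_plan "$@"; fi
```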
Integrate ECR with CI/CD tools (like AWS CodePipeline or Jenkins) to automate the process of building, tagging, and pushing images to ECR whenever changes are made to your codebase.
Implement a tagging strategy that includes version numbers and identifiers for easy tracking and updates. When you create new versions of the application, use a consistent scheme (like semantic versioning) to clearly indicate changes (e.g., v1.0.0, v1.1.0).
After pushing new images, update deployment configurations in ECS or EKS to use the new tags. This is done through the Task Definition, which can be written so that it specifies the container image with a particular tag. You can use environment variables or parameters to set the image tag dynamically based on requirements.
ECS is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure, because ECS manages that for you. If you manage to compromise a service running in ECS, the metadata endpoints change.
<-Will update later, so ignore the below->
Deploy Images Using Tags in ECS or EKS
When creating or updating an ECS Task Definition or an EKS Deployment, specify the image URI with the tag:
Example: <aws_account_id>.dkr.ecr.<region>.amazonaws.com/nameof-repository:tag-given
For ECS, you can do this in the Task Definition:
Go to ECS in the console.
Select Task Definitions and either create a new one or edit an existing definition.
Under Container Definitions, specify the image URL with the tag.