Managing Container Images with Amazon ECR - AWS Online Tech Talks

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Mitch Beaumont, Solutions Architect

& Shai Perednik, Cloud Infrastructure Architect

November 2017

Introduction to Amazon ECRAmazon EC2 Container Registry


What will we cover today?

• The AWS Container Ecosystem

• What is Amazon ECR

• Features of Amazon ECR

• Amazon ECR in action


Shai Perednik

Senior Cloud Infrastructure Architect

AWS Professional Services NYC

20 YRS in IT

Moved from CA -> PA


The AWS Container Ecosystem

EC2 Container Service

EC2 Container

Registry

ECS

CLI


What is Amazon EC2 Container Registry (ECR)?

Fully Managed Secure Highly Available Simplified Workflow


Anatomy of a Docker Image


Docker Images

Packaged

application code

Reproducible Immutable Portable


Docker Images

747cb2d60bbe

a8bdc7fdaa4f

1f7916b037e5

Layers

Image

Layer Data

hello-ecr:latest


Typical User Workflow



I have a Docker

image, and I want to

run the image on a

cluster



Amazon

ECR



Amazon

ECS



Amazon

ECS

Amazon

ECR


ECR Components

Amazon ECR

• Registry & Repository

• Registry Policy

• Image

• Authorization Token


Pricing & Availability

• Available in 13 regions

• 12-month free tier for 500MB image storage

• $0.10 per GB / month Docker image storage pricing

• Standard AWS Data Transfer Rate


Features and Integrations


Amazon EC2 Container Service Integration

• EC2 instances must have the following IAM permissions:

ecr:BatchCheckLayerAvailability

ecr:BatchGetImage

ecr:GetDownloadUrlForLayer

ecr:GetAuthorizationTokenIAM


Amazon EC2 Container Service Integration

• Use the

AmazonEC2ContainerServiceforEC2Role

managed policy.

• Task definitions must use the full

registry/repository:tag naming for images.


Docker Registry V2 API


Docker Support

Pulling an Image

$docker pull <registry-uri>/image-name:tag

Docker daemon1. Fetches image manifest at tag

2. For each layer that it doesn’t have:

1. Fetch layer


Docker Support

Pulling an Image


Docker daemon1. Fetches image manifest at tag


1. Fetch layer

Pulling an Image


Docker daemon1. GET /v2/<image-name>/manifests/<tag>


1. GET /v2/<image-name>/blobs/<digest>

HTTP


Amazon S3 High Availability and Durability

• Highly scalable object storage

• Store and retrieve files from anywhere on the web

• Files are stored as objects and organised in to high-level

folders called buckets

• Supports multi-part upload for large files and event

notifications when objects change

• Files up to 5TB in size


Team Collaboration

Amazon

ECRteam-a/web-app team-b/web-app

https://205094881157.dkr.ecr.us-west-2.amazonaws.com


Access Control

instance

Production/web-app

Developer

{ “ecr:PutImage”,“ecr:InitiateLayerUpload”,“ecr:UploadLayerPart”,“ecr:CompleteLayerUpload”,“ecr:GetAuthorizationToken”

}

{“ecr:BatchCheckLayerAvailability”,“ecr:BatchGetImage”,“ecr:GetDownloadUrlForLayer”,“ecr:GetAuthorizationToken”

}


Encryption

Amazon ECR

AWS KMS

Images

transferred by

HTTPS Automatically

encrypted at rest

using Amazon S3

server-side

encryption


Third-party Integrations


Creating a registry

Demo


Pushing and image with the AWS CLI

Demo


Building and Pushing and image with Code*

Demo


Task Definitions and Container Images

Demo


ECR Lifecycle Policies

Demo


Optimising Performance for ECR

• Use Docker 1.10

• Use smaller base images

• Understand your dependencies

• Chain commands

• Use closest regional endpoint


What we’ve covered today

• ECR is a fully managed Docker

image registry

• Compatible with Docker Registry

v2 API

• Integrates with Amazon EC2

Container Service

• Fine grained access control

• Cloudtrail integration.


Thank you!Questions?

Documents

Managing Container Images with Amazon ECR - AWS Online Tech Talks