DEV Community: hung5s The latest articles on DEV Community by hung5s (@hung5s). https://dev.to/hung5s https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F420279%2F5646bdca-7f8c-49b0-8090-27d0e3b68476.jpeg DEV Community: hung5s https://dev.to/hung5s en An easy way to push Docker image from Jenkins to ECR hung5s Thu, 03 Dec 2020 12:15:23 +0000 https://dev.to/hung5s/an-easy-way-to-push-docker-image-from-jenkins-to-ecr-4lpi https://dev.to/hung5s/an-easy-way-to-push-docker-image-from-jenkins-to-ecr-4lpi <p>This is kind of my personal note so there is no introduction et'al. Long story short, you pull code from GitHub and build a Docker image. You want to push the image to ECR in order to deploy a ECS service. You want to make it quick and simple with just shell commands. How would you make it work?</p> <h1> Make Jenkins work with Dockers </h1> <p>Here assume that Jenkins is installed on an EC2 which is launched from the Amazon Linux 2 image. You will need to add the <code>jenkins</code> user into <code>docker</code> group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker jenkins </code></pre> </div> <p>Once it's done, you can build the image and tag it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> &lt;img name&gt;:v_<span class="nv">$BUILD_NUMBER</span> <span class="nt">--pull</span><span class="o">=</span><span class="nb">true</span> /var/lib/jenkins/workspace/&lt;jenkins job name&gt; <span class="se">\</span> <span class="o">&amp;&amp;</span> docker tag &lt;img name&gt;:v_<span class="nv">$BUILD_NUMBER</span> &lt;AWS user ID&gt;.dkr.ecr.&lt;region&gt;.amazonaws.com/&lt;ECR repo name&gt;:v_<span class="nv">$BUILD_NUMBER</span> </code></pre> </div> <p>Now comes the headache. If you try to push the image to ECR using <code>docker push</code> command, it will fail because there is no authentication token for <code>jenkins</code> to connect with ECR.</p> <h1> Getting the token and login </h1> <p>In order to get the token, we will need to run the <code>aws ecr get-login-password</code> (AWS CLI v2, if v1 the command is <code>get-login</code>). However, this only work if the AWS CLI has a credential profile for <code>jenkins</code>. Without it, you will get the error: <code>Unable to locate credentials. You can configure credentials by running "aws configure".</code></p> <p>The thing is that you don't want to run <code>aws configure</code> within Jenkins's build all the time. It's unnecessary and it will expose your IAM user's secrets.</p> <p>What I did is SSHing to the EC2 where Jenkins is installed and run the <code>aws configure</code> as <code>jenkins</code> user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-H</span> <span class="nt">-u</span> jenkins aws configure </code></pre> </div> <p>Give AWS all the key and secret of the IAM user I've created for ECS deployment, I was able to generate the credential profile. This profile is named <code>default</code> and stored for <code>jenkins</code> user.</p> <p>Given the profile, back to Jenkins job, it's ok to get the auth token and login to docker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ecr get-login-password <span class="nt">--region</span> &lt;region&gt; <span class="nt">--profile</span><span class="o">=</span>default | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> &lt;AWS user ID&gt;.dkr.ecr.&lt;region&gt;.amazonaws.com </code></pre> </div> <p>and push the image to ECR:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker push &lt;AWS user ID&gt;.dkr.ecr.&lt;region&gt;.amazonaws.com/&lt;ECR repo name&gt;:v_<span class="nv">$BUILD_NUMBER</span> </code></pre> </div> <p>Putting them all together we have one Jenkins build shell command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> &lt;img name&gt;:v_<span class="nv">$BUILD_NUMBER</span> <span class="nt">--pull</span><span class="o">=</span><span class="nb">true</span> /var/lib/jenkins/workspace/&lt;jenkins job name&gt; <span class="se">\</span> <span class="o">&amp;&amp;</span> docker tag &lt;img name&gt;:v_<span class="nv">$BUILD_NUMBER</span> &lt;AWS user ID&gt;.dkr.ecr.&lt;region&gt;.amazonaws.com/&lt;ECR repo name&gt;:v_<span class="nv">$BUILD_NUMBER</span> <span class="se">\</span> <span class="o">&amp;&amp;</span> aws ecr get-login-password <span class="nt">--region</span> &lt;region&gt; <span class="nt">--profile</span><span class="o">=</span>default | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> &lt;AWS user ID&gt;.dkr.ecr.&lt;region&gt;.amazonaws.com <span class="se">\</span> <span class="o">&amp;&amp;</span> docker push &lt;AWS user ID&gt;.dkr.ecr.&lt;region&gt;.amazonaws.com/&lt;ECR repo name&gt;:v_<span class="nv">$BUILD_NUMBER</span> </code></pre> </div> <p>With this shell command, Jenkins should be able to push the latest Docker image to ECR. The second shell command will deploy the code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">REGION</span><span class="o">=</span>&lt;region&gt; <span class="nv">SERVICE_NAME</span><span class="o">=</span>&lt;service name&gt; <span class="nv">CLUSTER</span><span class="o">=</span>&lt;cluster name&gt; <span class="nv">IMAGE_VERSION</span><span class="o">=</span><span class="s2">"v_"</span><span class="k">${</span><span class="nv">BUILD_NUMBER</span><span class="k">}</span> <span class="nv">TASK_FAMILY</span><span class="o">=</span>&lt;task name&gt; <span class="c"># Create a new task definition for this build</span> <span class="nb">sed</span> <span class="nt">-e</span> <span class="s2">"s;%BUILD_NUMBER%;</span><span class="k">${</span><span class="nv">BUILD_NUMBER</span><span class="k">}</span><span class="s2">;g"</span> ./task-def.json <span class="o">&gt;</span> <span class="k">${</span><span class="nv">TASK_FAMILY</span><span class="k">}</span><span class="nt">-v_</span><span class="k">${</span><span class="nv">BUILD_NUMBER</span><span class="k">}</span>.json aws ecs register-task-definition <span class="nt">--family</span> <span class="k">${</span><span class="nv">TASK_FAMILY</span><span class="k">}</span> <span class="nt">--cli-input-json</span> file://<span class="k">${</span><span class="nv">TASK_FAMILY</span><span class="k">}</span><span class="nt">-v_</span><span class="k">${</span><span class="nv">BUILD_NUMBER</span><span class="k">}</span>.json <span class="c"># Update the service with the new task definition and desired count</span> <span class="nv">REVISION</span><span class="o">=</span><span class="sb">`</span>aws ecs describe-task-definition <span class="nt">--task-definition</span> <span class="k">${</span><span class="nv">TASK_FAMILY</span><span class="k">}</span> | egrep <span class="s2">"revision"</span> | <span class="nb">tr</span> <span class="s2">"/"</span> <span class="s2">" "</span> | <span class="nb">awk</span> <span class="s1">'{print $2}'</span> | <span class="nb">sed</span> <span class="s1">'s/"$//'</span><span class="sb">`</span> <span class="nv">SERVICES</span><span class="o">=</span><span class="sb">`</span>aws ecs describe-services <span class="nt">--services</span> <span class="k">${</span><span class="nv">SERVICE_NAME</span><span class="k">}</span> <span class="nt">--cluster</span> <span class="k">${</span><span class="nv">CLUSTER</span><span class="k">}</span> <span class="nt">--region</span> <span class="k">${</span><span class="nv">REGION</span><span class="k">}</span> | jq .failures[]<span class="sb">`</span> <span class="c">#Create or update service</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$SERVICES</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">""</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"entered existing service"</span> <span class="nv">DESIRED_COUNT</span><span class="o">=</span><span class="sb">`</span>aws ecs describe-services <span class="nt">--services</span> <span class="k">${</span><span class="nv">SERVICE_NAME</span><span class="k">}</span> <span class="nt">--cluster</span> <span class="k">${</span><span class="nv">CLUSTER</span><span class="k">}</span> <span class="nt">--region</span> <span class="k">${</span><span class="nv">REGION</span><span class="k">}</span> | jq .services[].desiredCount<span class="sb">`</span> <span class="k">if</span> <span class="o">[</span> <span class="k">${</span><span class="nv">DESIRED_COUNT</span><span class="k">}</span> <span class="o">=</span> <span class="s2">"0"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">DESIRED_COUNT</span><span class="o">=</span><span class="s2">"1"</span> <span class="k">fi </span>aws ecs update-service <span class="nt">--cluster</span> <span class="k">${</span><span class="nv">CLUSTER</span><span class="k">}</span> <span class="nt">--region</span> <span class="k">${</span><span class="nv">REGION</span><span class="k">}</span> <span class="nt">--service</span> <span class="k">${</span><span class="nv">SERVICE_NAME</span><span class="k">}</span> <span class="nt">--task-definition</span> <span class="k">${</span><span class="nv">TASK_FAMILY</span><span class="k">}</span>:<span class="k">${</span><span class="nv">REVISION</span><span class="k">}</span> <span class="nt">--desired-count</span> <span class="k">${</span><span class="nv">DESIRED_COUNT</span><span class="k">}</span> <span class="nt">--deployment-configuration</span> <span class="nv">maximumPercent</span><span class="o">=</span>100,minimumHealthyPercent<span class="o">=</span>0 <span class="k">else </span><span class="nb">echo</span> <span class="s2">"entered new service"</span> aws ecs create-service <span class="nt">--service-name</span> <span class="k">${</span><span class="nv">SERVICE_NAME</span><span class="k">}</span> <span class="nt">--desired-count</span> 1 <span class="nt">--task-definition</span> <span class="k">${</span><span class="nv">TASK_FAMILY</span><span class="k">}</span> <span class="nt">--cluster</span> <span class="k">${</span><span class="nv">CLUSTER</span><span class="k">}</span> <span class="nt">--region</span> <span class="k">${</span><span class="nv">REGION</span><span class="k">}</span> <span class="k">fi</span> </code></pre> </div> <h1> Pre-requirements </h1> <ul> <li>An EC2 instance is launched using Amazon Linux 2 image</li> <li>Jeknins is installed on the instance</li> <li>An IAM user is created with EC2ContainerRegister policy attached</li> <li>AWS CLI on the instance is upgraded to version 2</li> <li>Your source code has the file structure similar to the below:</li> </ul> <h2> Source structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>\root + src &lt;&lt; source code folder - source files - Dockerfile - task-def.json </code></pre> </div> jenkins ecr docker