问题
I have a EC2 server running Docker and I'd like to add the following to the User Data so my private Dockerhub images will be pulled/run when the server starts up, like so:
#!/bin/bash
sudo docker run -p 3333:3333 -d --name Hello myusername/hello
But I'm unsure as to how to go about authenticating in order to gain access to the private repo myusername/hello.
With Github you create and upload a deploy key, does Dockerhub offer a similar deploy key option?
回答1:
UPDATE: Figured out an even better way that doesn't involve baking your creds into an image at all. See the following question for information that would be applicable to solving this problem as well: Is it secure to store EC2 User-Data shell scripts in a private S3 bucket?
This helps keep your secrets in the least number of places necessary at any given time.
Figured out a better way:
- Launch a machine using your desired OS
- Install Docker
- run
sudo docker loginon that machine - Upon successful authentication Docker will place a
.dockercfgfile in your home directory (e.g./home/yourusername/.dockercfg). Docker will use this file for all authentication from now on. - Create an image of your machine to be used when launching all new instances. This image will now have the
.dockercfgfile baked-in. - Add the following to the
User Dataof your machine image:
#!/bin/bash sudo docker run -p 3333:3333 -d --name Hello yourusername/hello
Now when you launch an instance based on your machine image your sudo docker run commands will succeed in pulling private repos provided the user you run the docker command under has a .dockercfg file in their home directory.
Hope that helps anyone looking to figure this out.
回答2:
Update: See my other answer for a better method that doesn't require hard-coding your creds into your User Data script
To get an instance to pull a private Dockerhub repo upon launching you can authenticate simply by running sudo docker login in the User Data start-up script before your sudo docker run command, altogether like so:
#!/bin/bash
sudo docker login -u <username> -p <password> -e <email>
sudo docker run -p 3333:3333 -d --name Hello myusername/hello
This requires hard-coding your Dockerhub creds into your User Data script, which is less than ideal, but it does work.
回答3:
I figured out a better way if you care to use ECS (which creates the EC2 instance/s for you) and don't want to utilize file storage in your solution. I mixed the solutions suggested by @AJB ('User Data' property and 'docker login' output), I'll describe the process:
- use
docker loginon your machine (no sudo needed as far as I can tell), upon successful login runcat .docker/config.jsonand you'll get something like:
{"auths":{"https://index.docker.io/v1/":{"auth":"KEY","email":"EMAIL"}}}
- copy the
KEYandEMAILaside - on ECS - create a
cluster,serviceand atask definition(with the image property set toyourusername/hello), this will automatically generate the configuration for the EC2 - on EC2 menu - go to Launch Configuration menu and choose the
launch configurationgenerated by ECS - click on
copy launch configurationbutton and edit to taste (you can change the AMI although I'd recommend stay withAmazon Linux AMIunless you have to, set a new descriptive name) - inside Edit Details -> Advanced Details edit the User Data property and add the following (replace KEY and EMAIL):
mkdir /home/ec2-user/.docker/ echo '{"auths":{"https://index.docker.io/v1/":{"auth":"KEY","email":"EMAIL"}}}' >> /home/ec2-user/.docker/config.json sudo stop ecs sudo start ecs
- switch to Auto Scaling Groups menu and choose the one generated by ECS
- click Edit and choose the Launch Configuration you just created, save
- switch to Instances menu and terminate the running instance
- you're done!
A new Instance will shortly be launched by the Auto Scaling Group which now uses the new configuration which allows access to the private repository on your DockerHub account.
来源:https://stackoverflow.com/questions/27869415/how-to-automate-a-docker-run-from-a-private-dockerhub-repo