We use a Docker registry inside our AWS VPC that is not accessible externally. We want to be able to launch tasks in ECS from this registry, however we see that the service is only ever at a PENDING state because the Docker daemon isn't able to access the registry.
I have found a sort of workaround by changing the launch configuration's user data but it doesn't feel like I'm doing this the best way:
#!/bin/bash
# Register this instance with the cluster
echo ECS_CLUSTER=MY_CLUSTER_NAME >> /etc/ecs/ecs.config
# Note: '>' replaces the whole file, so any OPTIONS the AMI shipped in
# /etc/sysconfig/docker are dropped, not merged
echo OPTIONS=--insecure-registry=insecure.registry.hostname:5000 > /etc/sysconfig/docker
# The daemon only reads /etc/sysconfig/docker at start, hence the restart;
# the agent container does not come back on its own afterwards
service docker restart
docker start ecs-agent
This works perfectly, and I can see my task is running as expected. I just don't think this is necessarily the best way to do it.
AWS pointed me towards this article which discusses authenticating with private registries, but I'm not looking to authenticate, just to have Docker ignore the fact that I'm using an insecure (i.e. not HTTPS) registry.
Does anyone have a better solution?
Thanks
I've spoken further with AWS and have the following solution:
You can do something like set docker options (including --insecure-registry) with a user-data script that executes on boot. For example, --insecure-registry can be set with a script like the following:
#cloud-config
bootcmd:
# cloud-init-per needs a frequency, a name and then the command to run;
# "instance" means the file is written once per instance, not on every boot
- cloud-init-per instance docker_opts sh -c 'echo "OPTIONS=\"--insecure-registry=hostname:5000\"" > /etc/sysconfig/docker'
This way avoids the previous solution by not having the docker restart.
Regarding the insecure method, if we use a self-signed cert we can leverage this by either adding the certificate to the system CA trust store or to Docker's special trust store.
On the Amazon Linux AMI and ECS-optimized AMI, the system CA trust store is located at either /usr/share/pki/ca-trust-source or /usr/share/pki/ca-trust-source/anchors (depending on the format, see /usr/share/pki/ca-trust-source/README for details) and you will need to run the update-ca-trust command after adding the certificate. Docker's documentation on insecure registries provides more detail on this:
https://docs.docker.com/reference/commandline/cli/#insecure-registries
https://github.com/docker/docker/blob/master/docs/sources/articles/certificates.md
I hope that also helps other people
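Added example (not from the thread or from AWS): a user-data script that trusts the registry's own CA, either in Docker's per-registry store or in the system store from the answer above, instead of passing --insecure-registry. The registry name, the CA file path and the ROOT prefix for dry runs are assumed values.

```shell
#!/bin/bash
# Assumed: REGISTRY is host:port and REGISTRY_CA_PEM points at the CA
# certificate (e.g. fetched from S3 earlier in user-data). The optional
# root argument lets the functions be exercised in a scratch directory.
set -euo pipefail

# Docker reads /etc/docker/certs.d/<host:port>/ca.crt when it contacts that
# registry, so unlike the /etc/sysconfig/docker route no daemon restart is needed.
install_registry_ca() {
  local registry="$1" ca_pem="$2" root="${3:-}"
  local dir="$root/etc/docker/certs.d/$registry"
  mkdir -p "$dir"
  install -m 0644 "$ca_pem" "$dir/ca.crt"
  printf '%s\n' "$dir/ca.crt"
}

# Alternative from the answer: system trust store plus update-ca-trust.
# update-ca-trust is only invoked when installing for real (empty root).
install_system_ca() {
  local ca_pem="$1" root="${2:-}"
  local dir="$root/usr/share/pki/ca-trust-source/anchors"
  mkdir -p "$dir"
  install -m 0644 "$ca_pem" "$dir/private-registry.pem"
  [ -n "$root" ] || update-ca-trust extract
  printf '%s\n' "$dir/private-registry.pem"
}

# Idempotent cluster registration: never duplicates the ECS_CLUSTER line.
configure_ecs_cluster() {
  local cluster="$1" root="${2:-}"
  local cfg="$root/etc/ecs/ecs.config"
  mkdir -p "$(dirname "$cfg")"
  grep -qs '^ECS_CLUSTER=' "$cfg" || printf 'ECS_CLUSTER=%s\n' "$cluster" >> "$cfg"
}

# Only act on a real instance, i.e. when the CA path has been provided.
if [ -n "${REGISTRY_CA_PEM:-}" ]; then
  configure_ecs_cluster "${ECS_CLUSTER:-MY_CLUSTER_NAME}"
  install_registry_ca "${REGISTRY:-registry.internal:5000}" "$REGISTRY_CA_PEM"
fi
```

With the CA trusted, the registry can be served over HTTPS and the --insecure-registry flag (which also disables certificate checking) is no longer needed.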