Amazon Cloud Recharge: How to Use AWS ECR (Elastic Container Registry) to Safely Manage Your Docker Images
Now that cloud-native and microservice architectures are everywhere, the Docker image has long been the standard unit for delivering code.
When many teams first containerized, they took the easy road: they pushed the company's internal images straight to the public Docker Hub, or stood up a bare-bones open source Registry on a server. The outcome is either that core commercial code leaks because the public repository has no access control, or that the unmaintained self-built registry falls over under a burst of concurrent pulls, and it cannot even scan an image for vulnerabilities.
In the AWS (Amazon Web Services) ecosystem, the service dedicated to the unglamorous work of image management is Amazon ECR (Elastic Container Registry). It not only plugs natively into AWS's permission system (IAM), but also comes with large-scale vulnerability scanning and global replication built in.
Today, no fluff: starting straight from hands-on practice, this guide walks you step by step through using the security standards of the big shops to build an airtight private container image defense line on AWS ECR.
Phase 1: Understand the core enterprise-level concepts of ECR
Before you push anything, you need to understand how ECR is organized. Don't rush in blindly: the structure of ECR is very clear and consists of the following three core levels:
Registry: This is your home base. Each AWS account has exactly one default private registry per region. Its access domain name has the form 123456789012.dkr.ecr.us-east-1.amazonaws.com (the leading number is your AWS account ID, followed by the region).
Repository: This is the specific image repository. For example, if your application is called user-service, you create a repository called user-service under the registry, and it stores every version of that service from v1.0 to v2.5.
IAM policies and lifecycle policies: These are the security gatekeeper and the cleaner. They decide who can pull, who can push, and how often expired historical images are automatically cleaned up.
Phase 2: Practical Exercise 1 - Creating a Secure Private Repository
Log in to your AWS Console, search for the ECR service and open it. Click "Repositories" in the left menu, then click "Create repository".
Key parameters: lock down the configuration (this determines the security level of your images):
Visibility settings: Select "Private" without hesitation. Unless you are doing open source distribution, internal enterprise images must never be made public.
Tag mutability: It is strongly recommended to turn on "Immutable". A lesson the big shops learned the hard way: if the default "Mutable" is kept, a tester can push a buggy image with the latest tag and overwrite the stable latest that is currently serving production. Once immutability is on, as soon as v1.0 occupies its slot nobody can overwrite it with a tag of the same name; the version number can only go up honestly (for example to v1.1), which ends at the source the tragedy of a production image being silently swapped.
Scan on push: Turn it on without a second thought. Once enabled, every time you push an image to ECR, AWS automatically scans the operating system components in your image against an open source vulnerability database (or, with the enhanced option, Amazon Inspector) for known serious security vulnerabilities (CVEs), and shows red and yellow warnings in the console.
Phase 3: Practical Exercise 2 - Pushing Images from Local Docker to ECR
The repository is built (assume it is named my-app). How do we safely send a Docker image packaged on the local machine to the cloud?
Many people hit the first big pitfall here: they run docker login, type in their AWS account password, and the login is refused. That is because ECR does not recognize your ordinary AWS password at all. It uses a dynamically generated token.
Make sure the AWS CLI (command line tools) is configured on your local machine with valid IAM permissions. Open a terminal; it takes three quick steps:
Step 1: Get a dynamic login token and inject it into the Docker engine
Execute the following compound command (replace the account ID and region with your own):
Bash
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com
If the screen prints Login Succeeded, your local Docker now holds a security pass valid for 12 hours and has established a trusted channel with the cloud.
Step 2: Tag the local image
Suppose you have a freshly built image called local-app:v1.0. You have to give it a new cloud name that follows the ECR naming convention (registry domain / repository name : tag), otherwise Docker does not know where to push it:
Bash
docker tag local-app:v1.0 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0
Step 3: Push the image to ECR
Bash
docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0
Once the familiar Pushed progress bars finish in the terminal, your image has crossed the network and is sitting safely in AWS's distributed secure storage.
Phase 4: Enterprise-level advanced moves - managing the repository with the smallest budget and the highest security
Pushing the image is only the first step. In a real production environment, operations architects usually add two more lines of defense:
1. Hire a free cleaner: lifecycle policies (Lifecycle policy)
The development team builds images many times a day, and every release generates several GB of historical images. Without a limit, images pile up in ECR, and the AWS storage bill at the end of the month will hurt.
Quick configuration: On the ECR repository details page, click "Lifecycle policies", then "Create rule".
Rule logic: Create rules that clean up obsolete images. For example: "temporary images without a version tag (untagged) are automatically deleted once they are older than 14 days", or "only the latest 30 image versions are kept, and older ones are automatically erased".
Letting the system prune automatically can save the company a lot of cloud storage cost.
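The two rules just described, written out as a lifecycle policy document together with a small local simulator that shows which images the policy would expire on a sample repository. This is an added example, not the page's or AWS's own code; the sample images, the fixed clock and the evaluation logic are assumptions, and the simulator is modelled on the documented ECR evaluation order rather than calling the ECR API:

```python
from datetime import datetime, timedelta, timezone

# Constructed policy with the two rules described above; it can be applied with
#   aws ecr put-lifecycle-policy --repository-name my-app --lifecycle-policy-text file://policy.json
LIFECYCLE_POLICY = {"rules": [
    {"rulePriority": 1, "description": "Expire untagged images older than 14 days",
     "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 14},
     "action": {"type": "expire"}},
    {"rulePriority": 2, "description": "Keep only the 30 newest images",
     "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 30},
     "action": {"type": "expire"}},
]}

def _matches(tag_status, image):
    # Only tagStatus is modelled; tagPrefixList/tagPatternList filters are not (assumption).
    return tag_status == "any" or (tag_status == "untagged") == (not image["tags"])

def simulate(policy, images, now):
    """Local approximation of ECR's evaluation (assumption, modelled on the documented rules):
    rules run in rulePriority order, an image is expired by at most one rule, and an image
    selected by an earlier rule's tag filter is still counted by later rules but not expired."""
    expired, claimed = {}, set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        selected = [i for i in images if _matches(sel["tagStatus"], i)]
        if sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])  # countUnit is always days
            hits = [i for i in selected if i["pushed_at"] < cutoff]
        else:  # imageCountMoreThan: sort newest first, everything past countNumber expires
            selected.sort(key=lambda i: i["pushed_at"], reverse=True)
            hits = selected[sel["countNumber"]:]
        for i in hits:
            if i["digest"] not in claimed:
                expired[i["digest"]] = rule["rulePriority"]
        claimed.update(i["digest"] for i in selected)
    return expired

DEMO_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)

def sample_images(now=DEMO_NOW):
    """Constructed sample: 40 tagged releases over 10 days plus untagged leftovers 0.1, 9.1, 20 days old."""
    imgs = [{"digest": f"sha256:untagged-{age}", "tags": [],
             "pushed_at": now - timedelta(days=age)} for age in (0.1, 9.1, 20)]
    for n in range(1, 41):  # v1 is the oldest (10 days), v40 the newest (6 hours)
        imgs.append({"digest": f"sha256:v{n}", "tags": [f"v{n}"],
                     "pushed_at": now - timedelta(days=(41 - n) * 0.25)})
    return imgs
```

On this sample, rule 1 expires the 20-day-old untagged image and rule 2 expires v1 to v11, but the 9.1-day-old untagged image survives even though it is outside the newest 30, because it is owned by rule 1; this is why a busy repository can hold more than 30 images under exactly these two rules.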
2. Automatic cross-region replication (Cross-Region Replication)
If your business is globally distributed (say, EKS container clusters running in both Tokyo and Virginia) and the Tokyo cluster has to cross the ocean to the US ECR to pull several GB of images on every deployment, the network latency and cross-region data transfer charges will drive you up the wall.
Advanced move: in the ECR registry settings, enable "Cross-region replication".
How it works under the hood: you can configure it so that whenever you push an image to the repository in us-east-1 (US), the AWS backbone network automatically synchronizes the image in the background, very quickly, to the repository of the same name in ap-northeast-1 (Tokyo). The clusters on each side pull from their own local region, which makes pulls ten times faster and eliminates the expensive cross-border public internet traffic fees.
Phase 5: A Hard-Won, Real-World Guide to Avoiding Pitfalls in Daily Operations
ECS / EKS pull permission error (ImagePullBackOff): When deploying applications in AWS's own container services (such as ECS or EKS), you often see errors that nodes cannot pull the ECR image. 99% of the time the reason is that you have not granted the ECS Task Role or the EKS Node Role the IAM permission AmazonEC2ContainerRegistryReadOnly. Remember, even within AWS, services are walled off from each other by default and must be explicitly authorized.
KMS key encryption trade-off: ECR encrypts your stored images by default. If you have very strict compliance requirements, you can switch to a customer-managed AWS KMS key (CMK). But note: with a customer-managed key, when another account or service pulls images across teams, you must grant not only the ECR permission but also decrypt permission on the KMS key, otherwise the pull will still fail.
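An added example for the two pitfalls above (not code from the page or from AWS): an offline preflight check that reads a role's identity-policy documents and reports which of the ECR pull actions, plus kms:Decrypt when the repository uses a customer-managed key, are still missing. The evaluator is a deliberately simplified model of IAM (Resource and Condition are ignored) and the three role policies are constructed samples; on ECS it is the task execution role, the one the agent uses to pull, that needs these grants.

```python
import fnmatch

# Identity-policy actions a role needs to pull from ECR (a subset of what the
# AmazonEC2ContainerRegistryReadOnly managed policy named above grants).
PULL_ACTIONS = ("ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage")
CMK_PULL_ACTIONS = ("kms:Decrypt",)  # also needed when the repo uses a customer-managed key

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allowed(action, policies):
    """Simplified IAM evaluation (assumption): an explicit Deny always wins, otherwise any
    Allow whose Action matches (IAM '*'/'?' wildcards, case-insensitive) grants the action.
    Resource and Condition elements are ignored, i.e. treated as '*'."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed

def missing_pull_permissions(policies, repo_uses_cmk=False):
    """Return the actions the role still lacks before a pull from ECR can succeed."""
    needed = PULL_ACTIONS + (CMK_PULL_ACTIONS if repo_uses_cmk else ())
    return [a for a in needed if not _allowed(a, policies)]

# Constructed sample policies (not real AWS-managed policy documents).
# A role that can log in and list, but not fetch layers: a typical ImagePullBackOff cause.
ROLE_TOO_NARROW = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ecr:GetAuthorizationToken", "ecr:DescribeRepositories", "ecr:ListImages"]}]}
# Wildcards covering the whole pull set, the way a read-only policy does.
ROLE_READONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:Get*", "ecr:Batch*"], "Resource": "*"}]}
# kms:Decrypt is granted, but an explicit Deny on kms:* (e.g. from a guardrail) overrides it.
ROLE_KMS_DENIED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:*", "Resource": "*"}]}
```

This covers only the identity-policy side; with a customer-managed key the KMS key policy itself must also allow the pulling principal to decrypt, as the text notes.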
Summary
In the cloud-native era, the image repository is your arsenal. The core of managing Docker images with AWS ECR comes down to three points:
hold the bottom line with immutable tags (Immutable), tighten your belt with lifecycle policies (Lifecycle Policy) to save money, and lock down access with IAM and repository policies.
Weld this set of rules into your CI/CD pipeline, and from then on, no matter how your business expands or where in the world it moves, the code assets in your rear will be rock solid.

