This documentation describes how to manually compile the Docker image and upload it to AWS ECR (Amazon Elastic Container Registry).
In the context of the AIMS eReefs platform, this procedure is automated by a Jenkins task.
This manual process is described here for anyone attempting to create a similar infrastructure.
NOTE: For security reason, this document use the fictitious
AWS Account number 123456789012.
You will need to replace it with your own AWS Account number.
This project is deployed on AWS ECR infrastructure.
Compile the jar file and build the Docker image.
$ cd ~/path/to/project/ereefs-download-manager$ docker-scripts/build-jar.sh$ docker-scripts/build-docker-image.sh
Optionally test the Docker image locally.
NOTE: This script has NOT been adapted for this project. The following command won't work! It was kept in the project for reference only.
$ ./docker-scripts/run-docker.sh
Prepare your local computer to communicate with the AWS infrastructure and prepare the AWS infrastructure to receive the Docker image.
The following steps only needs to be done once.
- Go to
AWS Services > Security, Identity, & Compliance > IAM - Click on your username (example:
johndoe) - Click on the
Security credentialstab - Click
Create access keybutton - Copy the credentials
You will need the AWS Cli to authenticate to AWS, to push the Docker image to AWS ECR.
$ sudo apt-get install awscli
$ aws configure
AWS Access Key ID [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]: (enter the key generated earlier)
AWS Secret Access Key [AKIAXXXXXXXXXXXXXXXX]: (enter the secret generated earlier)
Default region name [ap-southeast-2]:
Default output format [json]:
Edit AWS configuration file and move credentials to another profile, for security reason. This will prevent your credentials from been accidentally used. They will only be used if you explicitly specify your username in the command line.
For example: move credentials to johndoe profile.
$ vim ~/.aws/credentials
[default]
aws_secret_access_key =
aws_access_key_id =
[johndoe]
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aws_access_key_id = AKIAXXXXXXXXXXXXXXXX
Create a repository for your Docker image on AWS ECR.
- Go to
AWS Services > Containers > Elastic Container Registry - Click
Create repository
In this documentation, we will be using the repository
ereefs-download-manager with URL
123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/ereefs-download-manager.
AWS gives a list of directives to follow in order to push your
docker container to the AWS ECR repository,
but you should not need them if you follow this guide.
If you still want to see the instructions, select the repository
and click the View push commands button.
You will need to be authenticated for the push command to work. The authentication token last for 24 hours, so you should not need to do this more than once a day.
NOTE: Change the profile name to the one you put in
~/.aws/credentials file.
$ $(aws ecr get-login --profile johndoe --no-include-email --region ap-southeast-2)
If you are using an older version of AWS Cli, you might
get the following error:
Unknown options: --no-include-email
If it's the case, follow this simple workaround:
-
Get the login command by running
$ aws ecr get-login --profile johndoe --region ap-southeast-2 -
Copy / paste the output, remove the
-e noneand execute the commandExample:
Output:
$ docker login -u AWS -p JcjdAS...cjuQsd -e none https://123456789012.dkr.ecr.ap-southeast-2.amazonaws.comCommand to run:
$ docker login -u AWS -p JcjdAS...cjuQsd https://123456789012.dkr.ecr.ap-southeast-2.amazonaws.comExpected result:
Login Succeeded
$ cd ~/path/to/project/ereefs-download-manager
$ docker tag ereefs-download-manager:latest 123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/ereefs-download-manager:latest
$ docker push 123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/ereefs-download-manager:latest
The old images occupy spaces on ECR. The storage cost $0.10 per GB-month. It's good practice to delete them if we are not planning to reuse them.
- Go to
AWS Services > Containers > Elastic Container Registry - Click
ereefs-download-manager - Select all the
untaggedimages (select all using the checkbox on top then unselect thelatestimage) - Click the
Deletebutton in the top right corner of the page
Prepare the AWS infrastructure to be allowed to run the
ereefs-download-manager docker container.
This role will be used by the ereefs-download-manager docker container
to access some AWS services.
- Go to
AWS Services > Security, Identity, & Compliance > IAM > Roles - Click
Create Role - Select type of trusted entity:
AWS service- Choose the service that will use this role: Select
Elastic Container Service - Select your use case:
Elastic Container Service Task - Next: Permissions
- Choose the service that will use this role: Select
- Attached permissions policies
AmazonS3FullAccessAmazonSNSFullAccess- Next: Tags
- Next: Review
- Role name:
eReefsDownloadManagerRole- Role description:
Role used by the ereefs-download-manager - Create Role
- Role description:
If there is no suitable Compute Environment, you will need to create
one on which the Docker image will run.
This documentation is using the Compute Environment named ecs_ereefs_100G.
For the purpose of this guide, a job definition is the setting
which describe the minimum requirements for a Docker image.
- Go to
AWS Services > Compute > Batch > Job definitions - Click the
Createbutton - Create a job definition
- Job definition name:
ereefs-download-manager-jobdef - Environment
- Job role:
eReefsDownloadManagerRole - Container image:
123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/ereefs-download-manager - vCPUs:
1 - Memory (MiB):
3072
- Job role:
- Create Job Definition
- Job definition name:
If there is no suitable Job Queue, you will need to create
one.
This documentation is using the Job Queue named ereefs-large-disk-ondemand.
- Go to
AWS Services > Compute > Batch > Job Queues - Click the
Create queuebutton- Create a job queue
- Queue name:
ereefs-large-disk-ondemand - Priority:
1
- Queue name:
- Connected compute environments for this queue
ecs_ereefs_100G
- Create Job Queue
- Create a job queue
- Select the new Job Queue
- Go to
AWS Services > Compute > Batch > Job definitions - Click on
ereefs-download-manager-jobdefto expand it - Select the latest revision (example:
Revision 3) by clicking the radio button - Select
Actions > Submit job- Submit an AWS Batch Job
- Job run-time
- Job name:
ereefs-download-manager-job_2019-02-27_11h56 - Job definition:
ereefs-download-manager-jobdef:3 - Job queue:
ereefs-large-disk-ondemand - Job Type:
Single
- Job name:
- Job run-time
- Submit job
- Submit an AWS Batch Job
After creating a Job, AWS will attempt to create a suitable
server and run the docker container on it.
You will need to monitor the Job to be sure it's running as expected.
- Go to
AWS Services > Compute > Batch > Jobs - The job appear in Status
submitted - The job status will automatically change to
pending,runnable,starting,runningthensucceededORfailed - Click the task to see the
Job details, scroll down toAttemptsand click theView logslink to see the logs outputted by theDocker image.
NOTE: If your task stays in runnable for several minutes, it's
likely that the Job Definition define requirements that can't
be satisfied by any available computer from the Compute Environment.
You will need to either changes the Job Definition
or the Compute Environment.